Cardboard Iguana Security
spells
Abusing wildcard expansion in Bash
Access the Windows Registry using PowerShell
Add Windows users at the command line
Aircrack-NG
ARP scanning
ARP
AS-REP roasting with Impacket
AS-REP roasting With Rubeus
AS-REP roasting
Automate Netlify builds with IFTTT
Automatically stabilize a reverse shell with socat
Avoid dropping privileges with SUID Bash
awk
Backdoor Visual Basic Scripts
basenc
Bash reverse shell
Bash scripting
Bulk edit Windows permissions
Burp Suite
Bypass the PowerShell execution policy
Bypass Windows antivirus with C Sharp
Calculate a file hash on Windows with CertUtil
Call Mimikatz from a meterpreter shell
cat
cewl
Change a branch name in Git
Change an RSA key passphrase with OpenSSL
Cisco IOS
Common Windows user types
Compact VM disk images
Confirm the existence of a Gmail address
crackmapexec
Create a GPG key with SSH support
Create a zip bomb
CUPP
Day One to Obsidian conversion script
DCERPC
Debugging Bash scripts
Default CIFS shares
dig
dir
Disable AMSI
DRSUAPI
Easy reverse DNS lookups
enum4linux
Enumerate AD CS templates with CertUtil
Equivalent Windows and UNIX commands
Evil-WinRM
Exploit LD_LIBRARY_PATH
Exploit LD_PRELOAD
Exploit local Windows services
Exploit local Windows tasks
Exploit remote Windows services
Exploit remote Windows tasks
Exploit the Bash PS4 prompt
Exploit the Windows DLL search order
Exploit the Windows FoDHelper
Exploit the WinLogon initialization sequence
Exploit VBA scripts with msfvenom
Exploit weak etc-passwd permissions
Exploit weak etc-shadow permissions
Exploit Windows file associations
Exploit Windows HTML applications with msfvenom
Exploit Windows services
Exploit Windows shortcut files
Exploit Windows tasks
Export highlights and annotations from Kobo eReaders
Extract the webpage title from a URL
ffmpeg
Find and replace a single line in a large text file
Find executables with SUID capabilities
find
findstr
finger
Fix EXIF data on Google Photos exports
FTP
FTPS
fuff
gdb
Gemini compatible markdown
Get a shell from ViM
Get an SSL certificate
Get-FileHash
Get-WinEvent
Git on Windows
gobuster
Golden and silver ticket attacks
grep
Hashcat
HTML applications
HTTP
Hydra
icacls
ICMP
iftop
IIS configuration data
IMAP
Impacket
Invoke-Mimikatz
Invoke-WebRequest
iOS quirks
ipconfig
IPSec
IPv4
Java
John the Ripper
JSON Web Tokens
Kerberoasting with Impacket
Kerberoasting with Rubeus
Kerberoasting
Kerberos
Kerbrute
less
Load a shell with a simple executable
Local file inclusion attacks
Look up unicode symbols and emojis
MAC address
Magic numbers
man
Match files to packages in Debian-based operating systems
Match files to packages in Red Hat-based operating systems
Metasploit MS SQL modules
meterpreter
Mimikatz
MITRE ATTaCK emulation plans
more
MS SQL
msfconsole
msfvenom
MySQL
nano
nbtscan
net
netcat
netsh
netstat
NFS
Nikto
Nmap
Node.js
nslookup
NTLM hashes
Oracle SQL Server
OSI model
OWASP ZAP
Perl
PHP local file inclusion attacks
PHP
ping
Poison null byte attack
Poison null byte in PHP
Polkit
Pop a SYSTEM shell on the Windows login screen using sticky keys
Pop a SYSTEM shell on the Windows login screen using Utilman
POP3
Port scanning with Bash
POSIX process signals
Powercat
PowerShell reverse shell
PowerView
ps
Pull SSL certificates from an external server
Python
Quick-n-dirty Python web server
Quickly bypass ssh-agent
Quickly find the canonical path of a file
RCE via XXE in PHP
Read a file beginning with a dash
reg
RegEx metacharacters
Remotely install a Windows package with PowerShell
Remove duplicate lines in Bash
Retrieve AIX fileset information
Retrieve AIX system information
Rubeus
Ruby
Run a remote Windows command using PowerShell
Run commands directly with PowerShell
RunAs
Send a command using OpenSSL
Set the PATH in a session on UNIX-like operating systems
Set the PATH in a session on Windows
Set up WMI in PowerShell
Shell stabilization
SIP
smbclient
smbget
smbmap
SMTP
socat
SQL injection attacks
SQLMap
ss
SSH
sudo
systemctl
systeminfo
tar
TCP header flags
TCP headers
TCP window size
TCP
tcpdump
Telnet
The Harvester
tmux
Transfer files over FTP using netcat
UDP
unbuffer
Uniform resource locators
UNIX file descriptors
UNIX password hashes
UNIX permissions
Unquoted path handling in Windows
Upgrade PostgreSQL
Use a Raspberry Pi 4B as hacking accessory
Use an alternate SSH key with Git
Use Bash functions to backdoor executables
Use Burp Suite with Firefox
Use Burp Suite with mobile apps
Use curl and jq with web APIs
Use OpenSSL to encrypt and decrypt files
Use the Windows Firewall to relay ports
Use unsupported display resolutions with Samsung DeX
Use WinRM with PowerShell
Useful built-in commands for Linux reconnaissance
Useful built-in commands for Windows reconnaissance
Useful Linux reconnaissance scripts
Useful scripts for Windows reconnaissance
ViM
Visual Basic for Applications
wfuzz
whoami
Wi-Fi
Windows DLL search order
Windows event IDs
Windows event logs
Windows local service accounts
Windows logon scripts
Windows permissions
Windows reconnaissance with PowerShell
Windows Remote Management
Windows Run and RunOnce Registry keys
Windows Scripting Host
Windows SeBackup and SeRestore permissions
Windows SeImpersonate and SeAssignPrimaryToken permissions
Windows service ACLs
Windows services
Windows SeTakeOwnership permission
Windows Startup folder
Windows unattended installation data
winrs
Wireshark
wmic
Work with base64 encoding using PowerShell
Work with remote services using WMI and PowerShell
Work with remote tasks using WMI and PowerShell
Working with services in PowerShell
XFreeRDP
XSS attacks
Xterm
xxd
XXE attacks
youtube-dl
Cardboard Iguana Security
Cardboard Iguana Security

meterpreter

The meterpreter reverse shell requires a connection back to msfconsole using multi/handler.

Commands

  • background - background the current session and return to the Metasploit console
  • clearenv - clears the (Windows) event logs (kinda obvious)
  • creds_all - dump all user credentials in memory (requires the kiwi module)
  • download - transfer a file from the target to the attacker
  • edit - edit a file
  • getpid - get current process ID
  • getprivs - display current user privileges
  • getsystem - attempt to elevate to SYSTEM/root
  • getuid - get current process user
  • golden_ticket_create - create a golden ticket (requires the kiwi module)
  • guid - get session ID
  • hashdump - dump NLTM hashes from the SAM (Windows-only, requires system privileges); fields are username, RID (the last four digits of the Windows SID, with leading zeros dropped), LM password hash, NTLM password hash
  • ifconfig - display host network interface information
  • info - get information about a meterpreter extension
  • load - load meterpreter extension
  • load kiwi - load Mimikatz extension
  • migrate - migrate meterpreter to another process
  • netstat - display host network connections
  • portfwd - forward a port on the host
  • route - mess with the host routing tables
  • run - run a meterpreter extension
  • search - search for files
  • sessions - switch to another (Metasploit) session
  • shell - drop to system shell (return to meterpreter using CTRL + Z)
  • sysinfo - pull remote system information
  • upload - transfer a file from the attacker to the target

meterpreter sessions can be backgrounded using the background command, and all sessions can be backgrounded using CTRL + Z. List sessions using the sessions command, and foreground a session using session -i #, where # is the session number.

The sessions command is also used to connect to meterpreter sessions that have been caught after a successfully executed exploit.

Extensions

Loading PowerShell 

load powershell
powershell_shell

Don't try to exit PowerShell - trying to do this produces consistent hangs for me. Instead, background the process with ^Z.

Using Mimikatz

Call Mimikatz from a meterpreter shell

Call Mimikatz from a meterpreter shell

Use load kiwi to load up Mimikatz. Sub-commands:

kerberos         # Attempt to retrieve kerberos creds
livessp          # Attempt to retrieve livessp creds
mimikatz_command # Run a custom commannd
msv              # Attempt to retrieve msv creds (hashes)
ssp              # Attempt to retrieve ssp creds
tspkg            # Attempt to retrieve tspkg creds
wdigest          # Attempt to retrieve wdigest creds

User impersonation 

load incognito
list_tokens -u
impersonate_token $DOMAIN\\$USER

Not 100% sure where the "tokens" come from here... Mimikatz, maybe?

Process migration

I think that meterpreter is being run directly from memory, and what migrate is doing is basically creating a new process using the memory of a different application, hopping to that process, and then shutting down the old process.

Reasons to migrate the meterpreter process:

  • For persistence (pick a long-running process)
  • To make sure that the meterpreter process has system privileges
  • To hide (pick a process less likely to be examined)
  • To stabilize the shell (initial exploits often produce somewhat unstable sessions)
  • To move laterally or escalate privileges within a system (if you're lucky)
  • To gain additional capabilities

In particular, harvesting credentials from LSASS requires that meterpreter be living in a process with the same permissions (NT AUTHORITY/SYSTEM) and architecture as LSASS; migrating meterpreter can help us realize this. The print spooler service (spoolsv.exe) is often a good choice, as it runs with elevated permissions, has the same architecture as the system itself, and will restart itself automatically. You can also use lsass.exe directly if you feel like living dangerously.

Another example is that dumping keystrokes will only work when meterpreter is attached to a word processor or text editor.

Note that meterpreter will happily let you migrate from a privileged to an unprivileged process - which may cause you to loose control of the target system! Additionally, migrating meterpreter will change its current working directory to that of the process it's attaching to.

Executing run post/windows/manage/migrate will cause meterpreter to try to migrate to another process in an automated fashion. I'm not sure how "smart" this is in practice.

Links to this page
2021-12-07
2021-12-08
2022-01-30
Exploit VBA scripts with msfvenom
msfconsole
SQLMap
Useful scripts for Windows reconnaissance
meterpreter
Interactive graph
On this page
meterpreter
Commands
Extensions
Loading PowerShell
Using Mimikatz
User impersonation
Process migration
Powered by Obsidian Publish