Spencer McIntyre zeroSteiner

## 2025 Metasploit Demo Notes.md

      
              1 file
            
          
              0 forks
            
          
                0 comments
              
            
              1 star
            
          
                zeroSteiner
                / 2025 Metasploit Demo Notes.md
            
            
              Last active
              August 9, 2025 22:43
            
          
    Section 1

SCCM Relay Exploit Workflow

Use the auxiliary/admin/dcerpc/samr_account module to create a new computer account for testing the relay
Use the auxiliary/gather/ldap_query to enumerate SCCM target information
Use the new auxiliary/server/relay/relay_get_naa_credentials module to attack SCCM
For demonstration or testing purposes, use net use to trigger an authentication attempt to Metasploit

Section 2

SMB to LDAP Relaying Workflow followed by ESC15 exploitation

  
## meterpreter_command_scanner.rb
#!/usr/bin/env ruby
#  meterpreter_command_scanner.rb
#
# This script is used for analyzing Metasploit Framework library and module source code files to identify references to
# the Meterpreter API. Originally implemented in support of https://github.com/rapid7/metasploit-framework/pull/15079.
#

require 'find'

# These are ignored because they do not invoke a Meterpreter command.

## zpycompletion.py
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#  zpycompletion
#
#  Copyright 2015 Spencer McIntyre <zeroSteiner@gmail.com>
#
#  Redistribution and use in source and binary forms, with or without
#  modification, are permitted provided that the following conditions are
#  met:

## pyenv-each
#!/usr/bin/env bash

set -e

py_stdout_fd=1
py_stderr_fd=2
delay=0
timeout=10
params=()
show_help () {

## Proxy Shim
if __name__ == "__main__":
    env = dict(os.environ)
    if 'LD_PRELOAD' in env:
        module.run(metadata, run)
    else:
        env['LD_PRELOAD'] = 'libproxychains4.so'
        os.execve(os.path.realpath(__file__), sys.argv, env)

## request_redirect.yml
# originally from Jason Lang (@curi0usJack)
# https://gist.github.com/curi0usJack/971385e8334e189d93a6cb4671238b10
# version 1.1
rules:
  # TrendMicro
  - source: 150.70.0.0/22
    target: https://www.google.com/
  - source: 150.70.104.0/22
    target: https://www.google.com/
  - source: 150.70.110.0/24

## log_handler.py
import logging
import metasploit.module as module

class MetasploitLogHandler(logging.Handler):
    def emit(self, record):
        log_entry = self.format(record)
        level = 'debug'
        if record.levelno >= logging.ERROR:
            level = 'error'
        elif record.levelno >= logging.WARNING:

## net_ssh_tests.rb
$LOAD_PATH.unshift(File.dirname(__FILE__) + '/net-ssh/lib')
require 'net/ssh'
require 'socket'

if ARGV.length > 1
  server = TCPServer.new 2000

  loop do
    client = server.accept
    puts 'client connected'

## crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command

## bt_shell.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
#  bt_shell.py
#
#  This program is free software; you can redistribute it and/or modify
#  it under the terms of the GNU General Public License as published by
#  the Free Software Foundation; either version 2 of the License, or
#  (at your option) any later version.
#
	#!/usr/bin/env ruby
	# meterpreter_command_scanner.rb
	#
	# This script is used for analyzing Metasploit Framework library and module source code files to identify references to
	# the Meterpreter API. Originally implemented in support of https://github.com/rapid7/metasploit-framework/pull/15079.
	#

	require 'find'

	# These are ignored because they do not invoke a Meterpreter command.
	#!/usr/bin/env python3
	# -- coding: utf-8 --
	#
	# zpycompletion
	#
	# Copyright 2015 Spencer McIntyre <zeroSteiner@gmail.com>
	#
	# Redistribution and use in source and binary forms, with or without
	# modification, are permitted provided that the following conditions are
	# met:
	#!/usr/bin/env bash

	set -e

	py_stdout_fd=1
	py_stderr_fd=2
	delay=0
	timeout=10
	params=()
	show_help () {
	if __name__ == "__main__":
	env = dict(os.environ)
	if 'LD_PRELOAD' in env:
	module.run(metadata, run)
	else:
	env['LD_PRELOAD'] = 'libproxychains4.so'
	os.execve(os.path.realpath(__file__), sys.argv, env)
	# originally from Jason Lang (@curi0usJack)
	# https://gist.github.com/curi0usJack/971385e8334e189d93a6cb4671238b10
	# version 1.1
	rules:
	# TrendMicro
	- source: 150.70.0.0/22
	target: https://www.google.com/
	- source: 150.70.104.0/22
	target: https://www.google.com/
	- source: 150.70.110.0/24
	import logging
	import metasploit.module as module

	class MetasploitLogHandler(logging.Handler):
	def emit(self, record):
	log_entry = self.format(record)
	level = 'debug'
	if record.levelno >= logging.ERROR:
	level = 'error'
	elif record.levelno >= logging.WARNING:
	$LOAD_PATH.unshift(File.dirname(__FILE__) + '/net-ssh/lib')
	require 'net/ssh'
	require 'socket'

	if ARGV.length > 1
	server = TCPServer.new 2000

	loop do
	client = server.accept
	puts 'client connected'
	# /etc/crontab: system-wide crontab
	# Unlike any other crontab you don't have to run the `crontab'
	# command to install the new version when you edit this file
	# and files in /etc/cron.d. These files also have username fields,
	# that none of the other crontabs do.

	SHELL=/bin/sh
	PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

	# m h dom mon dow user command
	#!/usr/bin/env python
	# -- coding: utf-8 --
	#
	# bt_shell.py
	#
	# This program is free software; you can redistribute it and/or modify
	# it under the terms of the GNU General Public License as published by
	# the Free Software Foundation; either version 2 of the License, or
	# (at your option) any later version.
	#