Meterpreter - the power of Metasploit

Meterpreter can significantly improve your post exploitation experience, it's also called the “hacker’s Swiss army knife”. Meterpreter is an extension of the Metasploit Framework that allows us to leverage Metasploit’s functionality and further compromise our target. Some of this functionality includes ways to cover your tracks, reside purely in memory, dump hashes, access operating systems, pivot, and much more.

Meterpreter will allow us to perform additional attacks after we have compromise the system.

Compromising a Target Machine:

Before we dive into the specifics of Meterpreter, first, we need to compromise a system and get a Meterpreter shell. So let’s start, at the beginning you should scan the target for identifying the services and running ports, you will find a port by conducting the Nmap scan.

Meterpreter the power of Metasploit

So , as you can see evidenced by this example, there is many open ports. You can use any exploit according to your target vulnerability. From here we get an information that our target is Windows XP SP2 machine. As we know, Windows XP SP2 is vulnerable for ms08_067_netapi. It’s remote code execution vulnerability.

We are goint to use exploit/windows/smb/ms08_067_netapi and check options using show options command.

Exploit Windows

Now set RHOST, PAYLOAD, and LHOST. After configure out exploit, we need to exploit your target machine using exploit command.

screen 3

After exploiting our target machine, we can see session 1 opened. This means that we are successfully exploit our target machine and we get Meterpreter session as shown on screenshot above.

Once the Meterpreter shell is presented, we know that the exploit was successful and we can continue with post exploitation on this system.

 Article by. Bhargav Tandel

Basic Meterpreter Commands

Having successfully compromised the target and gained a Meterpreter console on the system, we can glean more information with some basic Meterpreter commands. Use the help command at any point for more information about: how to use Meterpreter.

screen 4

meterpreter > screenshot

Meterpreter’s screenshot command will export an image of the active user’s desktop and save it to root directory.

screen 5

meterpreter > sysinfo

sysinfo command is shows you system information as show bellow.

screen 5

As you can see, this system is running Windows XP Service Pack 2, which is really defective and we can assume that we can find a lot of holes on this system.

Capturing Keystrokes

Now, we will grab the password hash values from this system, which can either be cracked or used in other pentest process. Also, we will start keystroke logging (recording keystrokes) on the remote system. But first, let’s list the running processes on the target system with the ps command.

screen 6

As we can see, it provides a list of running processes, including explorer.exe. We issue the migratecommand to move our session into the explorer.exe process space. Once that move is complete, we start the keylog_recorder module as shown bellow.

screen 7

Main thing is to stop keylog_recorder use Ctrl+c button.

Now, finally our keylog is recorded and we need to dump keylogs. Next, use new terminal and cat command to do that.

screen 8

Dumping the User and Password Hash:

We’ll leverage the hashdump post exploitation module in Meterpreter to extract the username and password hashes from the system. Microsoft typically stores hashes on LAN Manager (LM), NT LAN Manager (NTLM), and NT LAN Manager v2 (NTLMv2).To dump the usernames and passwords we use hashdump command, as shown bello

screen 9

Migrating a Process

When we are attacking a system by exploiting a service such as Internet Explorer, and the target user closes the browser, then the Meterpreter session will be also closed and we'll lose our connection to the target. To avoid this problem, we can use the migrate post exploitation module.

screen 10

Killing Antivirus Software

Antivirus software can block certain tasks. During penetration tests, we have seen “AVG” antivirus or host-based intrusion prevention products block our ability to run certain attack vectors. In such cases, we can run the killavscript to stop the processes preventing our tasks from running.

screen 11

Viewing All Traffic on a Target Machine

To see all traffic on a target, we can run a packet recorder. Everything captured by packetrecorder is saved in the .pcap file format to be parsed with a tool such as Wireshark. In this listing, we run the packetrecorder script with the -i 1 option, which specifies which interface we want to use to perform the packet captures.

screen 12

Scraping a System

The scraper script enumerates just about everything you could ever want from a system. It will grab the usernames and passwords, download the entire registry, dump password hashes, gather system information, and export the HKEY_CURRENT_USE

screen 13

Persistence

Meterpreter’s persistence script allows you to inject a Meterpreter agent to ensure that Meterpreter is running even after the target system reboots. If this is a reverse connection, you can set intervals for the target to connect back to the attacker machine.

screen 14

 

We are successfully install persistence, now you can use handler for connect back to target machine.

You can also type help command inside Meterpreter for help. There are list of commands that you can use against target.

 

September 2, 2014

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013