Day 056 #FromZeroToHacker – Metasploit Meterpreter

Meterpreter is a Metasploit payload that supports the penetration testing process, as we use it to interact with the target OS.

Let’s start our daily #FromZeroToHacker challenge.

Table of contents
Introduction
What have I learnt today?
Stats
Resources

Introduction to Metasploit Meterpreter

Meterpreter is a Metasploit payload that supports the penetration testing process, as we use it to interact with the target OS. Let’s dive deep into Meterpreter to see how in-memory payloads can be used for post-exploitation.

What have I learnt today?

Introduction to Meterpreter

First, let’s learn how Meterpreter works.

Meterpreter runs on the target system using its memory, instead of being installed on disk. By doing this, we can avoid (or at least try to avoid) antivirus scans, as they usually check new files written to the disk.

Because Meterpreter runs in memory (RAM) and avoids the file system, the OS sees it as just another process rather than a file on disk that might raise red flags.

To avoid detection by network-based IPS (Intrusion Prevention Systems) and IDS (Intrusion Detection Systems), Meterpreter encrypts its communication with the server (your attacking machine). Unless the target decrypts and inspects encrypted (HTTPS) traffic, IPS and IDS won’t be able to detect us.

We can check which process ID Meterpreter is running under with getpid:

Meterpreter getpid command

We can list processes running on the target system with the ps command. Remember that Meterpreter has the PID 1304?

terminal ps

Here it is hidden as the spoolsv.exe process (the Windows print spooler).

Yes, there are techniques and tools that can detect Meterpreter, but we won’t learn them today. Still, you can see how stealthy Meterpreter is.
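Since the point of the ps screenshot above is that Meterpreter hides behind a familiar process name, here is the defender’s side of that check. This is an added example, not code from the TryHackMe room or from Metasploit: it parses a constructed listing in the layout of Meterpreter’s ps output and flags any process whose name matches a core Windows binary but whose image path or parent process does not match a small, hypothetical baseline. The baseline dictionary, the sample listing and every PID in it are constructed for illustration.

```python
import re

# Constructed sample in the layout of Meterpreter's `ps` output (not a real capture).
# PID 1304 is a legitimate print spooler; PID 2220 is a look-alike started from a
# user's Temp folder by a parent that is not in the listing.
PS_OUTPUT = r"""
 PID   PPID  Name          Arch  Session  User                          Path
 ---   ----  ----          ----  -------  ----                          ----
 4     0     System        x64   0
 460   4     smss.exe      x64   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
 608   460   wininit.exe   x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wininit.exe
 620   608   services.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\services.exe
 1304  620   spoolsv.exe   x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 2220  1988  spoolsv.exe   x86   1        WIN-TARGET\alice              C:\Users\alice\AppData\Local\Temp\spoolsv.exe
 2980  620   svchost.exe   x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
"""

# Hypothetical baseline: where a few core Windows binaries normally live and which
# process normally starts them. A real baseline would be far larger.
EXPECTED = {
    "spoolsv.exe":  {"parents": {"services.exe"}, "dir": r"c:\windows\system32"},
    "svchost.exe":  {"parents": {"services.exe"}, "dir": r"c:\windows\system32"},
    "services.exe": {"parents": {"wininit.exe"},  "dir": r"c:\windows\system32"},
}


def parse_ps(output):
    """Parse column-aligned `ps` output into dicts, using the header's column offsets."""
    lines = [l for l in output.splitlines() if l.strip()]
    header = lines[0]
    columns = [(m.group(0).lower(), m.start()) for m in re.finditer(r"\S+", header)]
    procs = []
    for row in lines[1:]:
        if set(row.strip()) <= set("- "):      # skip the dashed underline
            continue
        rec = {}
        for i, (name, start) in enumerate(columns):
            end = columns[i + 1][1] if i + 1 < len(columns) else None
            rec[name] = row[start:end].strip()   # short rows simply yield '' for missing columns
        rec["pid"], rec["ppid"] = int(rec["pid"]), int(rec["ppid"])
        procs.append(rec)
    return procs


def find_masquerades(procs):
    """Return (pid, reason) tuples for baseline binaries with an unexpected path or parent."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        rule = EXPECTED.get(p["name"].lower())
        if rule is None:
            continue
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else "<not in listing>"
        if parent_name not in rule["parents"]:
            findings.append((p["pid"], f"parent is {parent_name}, expected one of {sorted(rule['parents'])}"))
        image_dir = p["path"].lower().rsplit("\\", 1)[0] if p["path"] else ""
        if image_dir != rule["dir"]:
            findings.append((p["pid"], f"image {p['path']!r} is not under {rule['dir']}"))
    return findings


if __name__ == "__main__":
    for pid, reason in find_masquerades(parse_ps(PS_OUTPUT)):
        print(f"PID {pid}: {reason}")
```

One caveat worth keeping in mind: this catches name masquerading (a look-alike binary started from a user directory). Meterpreter that has migrated into the genuine spoolsv.exe has the right path and parent, so the listing looks clean; spotting that needs memory inspection, not a process list.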

Meterpreter Flavours

As we learnt in previous lessons, Metasploit payloads can be inline (also called single) or staged.

Here is a quick refresher, in case you missed them:

Staged payloads are sent to the target in two steps: a small initial part (the stager) is installed first and then requests the rest of the payload. This allows for a smaller initial payload that may fly under the radar of antivirus software and firewalls.

Inline payloads, on the other hand, are sent in a single step.

Meterpreter payloads are divided into staged and inline versions.

We can list them using msfvenom, and filter them with a pipe and grep. For example, msfvenom --list payloads | grep meterpreter:

Msfvenom list payloads

The list is too long to replicate here, but it will show Meterpreter versions for Android, Java, PHP, Python, Windows, and more.

We have to pick a version of Meterpreter based on three factors: the target operating system, the components available (Do they have Python installed? Is it a PHP website?), and the network connection types we could have with the target system (Do they allow raw TCP connections? Can we create an HTTPS reverse connection?).
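To make the staged/inline distinction and the three selection factors concrete, here is an added Python example (not from the room or from Metasploit) that parses a constructed excerpt in the layout of msfvenom --list payloads and classifies each Meterpreter entry by Metasploit’s naming convention: platform[/arch]/meterpreter/<stager> is staged, platform[/arch]/meterpreter_<transport> is inline. The select helper then filters by target OS, available runtime and connection type. The payload names are real Metasploit names; the descriptions and the “total” count in the header are paraphrased placeholders, and the ARCHES set is a subset chosen for illustration.

```python
# Constructed excerpt in the layout of `msfvenom --list payloads` (the header lines
# are included so the parser has to skip them); descriptions are paraphrased, not
# copied from Metasploit.
MSFVENOM_LIST = """
Framework Payloads (12 total) [--payload <value>]
=================================================

    Name                                   Description
    ----                                   -----------
    android/meterpreter/reverse_tcp        Run a Meterpreter server on Android; connect-back stager
    android/meterpreter_reverse_tcp        Connect back to the attacker and spawn a Meterpreter shell
    java/meterpreter/reverse_https         Run a Meterpreter server in Java; tunnel over HTTPS
    linux/x64/meterpreter/reverse_tcp      Inject the mettle server payload (staged); connect back
    linux/x64/meterpreter_reverse_tcp      Run the Meterpreter / Mettle server payload (stageless)
    php/meterpreter/reverse_tcp            Run a Meterpreter server in PHP; reverse connect-back stager
    python/meterpreter/reverse_tcp         Run a Meterpreter server in Python; connect back
    python/meterpreter_reverse_https       Connect back over HTTPS and spawn a Meterpreter shell
    windows/meterpreter/reverse_tcp        Inject the Meterpreter DLL via reflective injection (staged)
    windows/meterpreter_reverse_https      Connect back over HTTPS and spawn a Meterpreter shell
    windows/x64/meterpreter/reverse_https  Inject the x64 Meterpreter DLL (staged); tunnel over HTTPS
    windows/x64/meterpreter_bind_tcp       Listen for a connection and spawn a Meterpreter shell
"""

ARCHES = {"x86", "x64", "aarch64", "armle", "mipsbe", "mipsle"}  # subset, for illustration only


def classify(name):
    """Split a payload name into platform, arch, staged/inline and transport.

    Naming convention: `platform[/arch]/meterpreter/<stager>` is staged (stage and
    stager are separate path components), `platform[/arch]/meterpreter_<transport>`
    is a single inline payload. Returns None for anything that is not Meterpreter.
    """
    parts = name.split("/")
    platform = parts[0]
    arch = parts[1] if len(parts) > 2 and parts[1] in ARCHES else ""
    rest = parts[2:] if arch else parts[1:]
    if not rest:
        return None
    if rest[0] == "meterpreter" and len(rest) == 2:
        staged, transport = True, rest[1]
    elif rest[0].startswith("meterpreter_") and len(rest) == 1:
        staged, transport = False, rest[0][len("meterpreter_"):]
    else:
        return None
    direction = transport.split("_", 1)[0]   # "reverse" (connect back) or "bind" (listen)
    return {"name": name, "platform": platform, "arch": arch,
            "staged": staged, "transport": transport, "direction": direction}


def parse_payload_list(text):
    """Keep only the Meterpreter entries from the listing, in listing order."""
    payloads = []
    for line in text.splitlines():
        fields = line.split(None, 1)
        if not fields:
            continue
        info = classify(fields[0])
        if info is not None:
            info["description"] = fields[1] if len(fields) > 1 else ""
            payloads.append(info)
    return payloads


def select(payloads, platform=None, transport=None, staged=None):
    """Filter by the three factors from the text: target OS, runtime, connection type."""
    names = []
    for p in payloads:
        if platform is not None and p["platform"] != platform:
            continue
        if transport is not None and p["transport"] != transport:
            continue
        if staged is not None and p["staged"] != staged:
            continue
        names.append(p["name"])
    return names


if __name__ == "__main__":
    catalogue = parse_payload_list(MSFVENOM_LIST)
    for p in catalogue:
        kind = "staged" if p["staged"] else "inline"
        print(f"{p['name']:40} {p['platform']:8} {p['arch'] or '-':8} {kind:7} {p['transport']}")
    print("Windows with an HTTPS callback:", select(catalogue, platform="windows", transport="reverse_https"))
```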

If we are using Meterpreter within Metasploit rather than as a standalone payload generated by msfvenom, we may notice that some exploits have a default Meterpreter payload:

Display payloads on Metasploit

Meterpreter Commands

Typing help on a Meterpreter session will list all the available commands:

Meterpreter help

Every version of Meterpreter has different command options, so running help is always a good idea.

As they are built-in, these commands will always run on the target system without loading any additional script or executable files.

We have three types of tools:

  • Built-in commands.
  • Meterpreter tools.
  • Meterpreter scripting.

Running the help command, we will see that Meterpreter commands are listed under different categories:

  • Core commands.
  • File system commands.
  • Networking commands.
  • System commands.
  • User interface commands.
  • Webcam commands.
  • Audio output commands.
  • Elevate commands.
  • Password database commands.
  • Timestomp commands.

Meterpreter commands

Let’s list all the available commands in each category:

Core Commands
Command                   Description
?                         Help menu
background                Backgrounds the current session
bg                        Alias for background
bgkill                    Kills a background meterpreter script
bglist                    Lists running background scripts
bgrun                     Executes a meterpreter script as a background thread
channel                   Displays information or control active channels
close                     Closes a channel
disable_unicode_encoding  Disables encoding of unicode strings
enable_unicode_encoding   Enables encoding of unicode strings
exit                      Terminate the meterpreter session
get_timeouts              Get the current session timeout values
guid                      Get the session GUID
help                      Help menu
info                      Displays information about a Post module
irb                       Open an interactive Ruby shell on the current session
load                      Load one or more meterpreter extensions
machine_id                Get the MSF ID of the machine attached to the session
migrate                   Migrate the server to another process
pivot                     Manage pivot listeners
pry                       Open the Pry debugger on the current session
quit                      Terminate the meterpreter session
read                      Reads data from a channel
resource                  Run the commands stored in a file
run                       Executes a meterpreter script or Post module
secure                    (Re)Negotiate TLV packet encryption on the session
sessions                  Quickly switch to another session
set_timeouts              Set the current session timeout values
sleep                     Force Meterpreter to go quiet, then re-establish session.
transport                 Change the current transport mechanism
use                       Deprecated alias for "load"
uuid                      Get the UUID for the current session
write                     Writes data to a channel

File system Commands
Command       Description
cat           Read the contents of a file to the screen
cd            Change directory
checksum      Retrieve the checksum of a file
cp            Copy source to destination
dir           List files (alias for ls)
download      Download a file or directory
edit          Edit a file
getlwd        Print local working directory
getwd         Print working directory
lcd           Change local working directory
lls           List local files
lpwd          Print local working directory
ls            List files
mkdir         Make directory
mv            Move source to destination
pwd           Print working directory
rm            Delete the specified file
rmdir         Remove directory
search        Search for files
show_mount    List all mount points/logical drives
upload        Upload a file or directory

Networking Commands
Command       Description
arp           Display the host ARP cache
getproxy      Display the current proxy configuration
ifconfig      Display interfaces
ipconfig      Display interfaces
netstat       Display the network connections
portfwd       Forward a local port to a remote service
resolve       Resolve a set of host names on the target
route         View and modify the routing table

System Commands
Command       Description
clearev       Clear the event log
drop_token    Relinquishes any active impersonation token.
execute       Execute a command
getenv        Get one or more environment variable values
getpid        Get the current process identifier
getprivs      Attempt to enable all privileges available to the current process
getsid        Get the SID of the user that the server is running as
getuid        Get the user that the server is running as
kill          Terminate a process
localtime     Displays the target system's local date and time
pgrep         Filter processes by name
pkill         Terminate processes by name
ps            List running processes
reboot        Reboots the remote computer
reg           Modify and interact with the remote registry
rev2self      Calls RevertToSelf() on the remote machine
shell         Drop into a system command shell
shutdown      Shuts down the remote computer
steal_token   Attempts to steal an impersonation token from the target process
suspend       Suspends or resumes a list of processes
sysinfo       Gets information about the remote system, such as OS

User interface Commands
Command        Description
enumdesktops   List all accessible desktops and window stations
getdesktop     Get the current meterpreter desktop
idletime       Returns the number of seconds the remote user has been idle
keyboard_send  Send keystrokes
keyevent       Send key events
keyscan_dump   Dump the keystroke buffer
keyscan_start  Start capturing keystrokes
keyscan_stop   Stop capturing keystrokes
mouse          Send mouse events
screenshare    Watch the remote user's desktop in real time
screenshot     Grab a screenshot of the interactive desktop
setdesktop     Change the meterpreters current desktop
uictl          Control some of the user interface components

Webcam Commands
Command        Description
record_mic     Record audio from the default microphone for X seconds
webcam_chat    Start a video chat
webcam_list    List webcams
webcam_snap    Take a snapshot from the specified webcam
webcam_stream  Play a video stream from the specified webcam

Audio Output Commands
Command       Description
play          play an audio file on target system, nothing written on disk

Elevate Commands
Command       Description
getsystem     Attempt to elevate your privilege to that of local system.

Password database Commands
Command       Description
hashdump      Dumps the contents of the SAM database

Timestomp Commands
Command       Description
timestomp     Manipulate file MACE attributes

Even if all these commands are listed, that doesn’t mean they will all work. If the target has no webcam, we can hardly take a snapshot.

Post-Exploitation with Meterpreter

Meterpreter has loads of useful commands for the post-exploitation phase, such as:

Help

As we saw, the help command gives you a list of all available commands in Meterpreter.

Meterpreter commands

The getuid command displays the user Meterpreter is currently running as, giving us an idea of what privileges that user has.

The ps command lists running processes. This is quite useful, as each process has a PID (Process ID) that we can use to migrate Meterpreter to another process.

Migrate

Migrating to another process helps Meterpreter interact with it. For example, after listing the running programs with ps, we notice that the user is working in a word processor. We can migrate to it and start capturing the keystrokes the user sends to that process (with commands such as keyscan_start, keyscan_stop and keyscan_dump).

To migrate to any process, we need to type the migrate command followed by the PID:

Meterpreter Migrate

Beware: You may lose your user privileges if you migrate from a higher-privileged user to a process started by a less-privileged user.

Hashdump

The hashdump command lists the contents of the SAM (Security Account Manager) database on Windows systems. These passwords are stored in the NTLM (New Technology LAN Manager) hash format:

Hashdump

While it may not be possible to crack these hashes directly, sometimes we find cleartext passwords elsewhere, or we can use a rainbow table attack (a password-cracking technique that uses a precomputed table of password hashes to recover the plaintext).
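Here is the same hashdump output looked at from the defender’s side, as an added example that is not part of the room or of Metasploit. It parses constructed hashdump lines (user:RID:LM-hash:NT-hash:::) and reports what a password audit cares about: accounts with an empty password, LM hashes still being stored, accounts sharing the same NT hash, and hashes present in a precomputed table of weak passwords, which is the rainbow-table idea in its most reduced form. The user names, RIDs and the two placeholder hashes are constructed; the empty-LM and empty-NT constants and the NT hashes of “password” and “Password1” are well-known values.

```python
from collections import defaultdict

# Constructed hashdump output (not a real capture). One account per line:
#   username:RID:LM-hash:NT-hash:::
# Administrator and svc_backup share the NT hash of "password"; alice has an LM hash
# stored and the NT hash of "Password1"; alice's LM hash and bob's NT hash are
# arbitrary placeholder values.
HASHDUMP = """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
alice:1002:5e1d3c2b4a6f8e9d0c1b2a3f4e5d6c7b:64f12cddaa88057e06a81b54e73b949b:::
bob:1003:aad3b435b51404eeaad3b435b51404ee:1c3a0b4e6d5f7a8b9c0d1e2f3a4b5c6d:::
"""

# Well-known constants: the LM field holds this value when no LM hash is stored,
# and the NT field holds this value when the password is empty.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Two-entry stand-in for a precomputed table of weak-password NT hashes.
KNOWN_WEAK_NT = {
    "8846f7eaee8fb117ad06bdd830b7586c": "password",
    "64f12cddaa88057e06a81b54e73b949b": "Password1",
}


def parse_hashdump(text):
    """Turn hashdump lines into dicts; hashes are normalised to lowercase."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, rid, lm, nt = line.split(":")[:4]
        accounts.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return accounts


def audit(accounts):
    """Map each user name to a list of findings; users with nothing to report are omitted."""
    findings = {a["user"]: [] for a in accounts}
    users_by_nt = defaultdict(list)
    for a in accounts:
        if a["nt"] == EMPTY_NT:
            findings[a["user"]].append("empty password")
        if a["lm"] != EMPTY_LM:
            findings[a["user"]].append("LM hash stored (LM hashing still enabled)")
        if a["nt"] in KNOWN_WEAK_NT:
            findings[a["user"]].append(f"matches known weak password {KNOWN_WEAK_NT[a['nt']]!r}")
        users_by_nt[a["nt"]].append(a["user"])
    # The same NT hash on two accounts means the same password (NT hashes are unsalted).
    for nt, users in users_by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            for u in users:
                others = ", ".join(x for x in users if x != u)
                findings[u].append(f"password shared with {others}")
    return {u: f for u, f in findings.items() if f}


if __name__ == "__main__":
    for user, issues in audit(parse_hashdump(HASHDUMP)).items():
        print(f"{user}: " + "; ".join(issues))
```

The shared-hash check works precisely because the NT hash is unsalted: identical passwords always produce identical hashes, which is also why a precomputed table is effective against it.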

Search

The search command is useful to locate files with potentially juicy information.

Meterpreter search

Shell

The shell command spawns a regular command-line shell on the target system.

Summary

Things we learned today:

  • How Meterpreter works.
  • Which payloads Meterpreter has.
  • Different Meterpreter commands.
  • How to do post-exploitation with Meterpreter.

Stats

From 77,283rd to 76,355th.

Here is also the Skill Matrix:

Skills Matrix

Resources

Path: Jr Penetration tester

Metasploit

TryHackMe: Metasploit Meterpreter

Other resources

Metasploit Introduction
Metasploit Exploitation
Rainbow table attack