Cardboard Iguana Security

Search

SearchSearch

meterpreter

July 31, 20241 min read

The meterpreter reverse shell requires a connection back to msfconsole using multi/handler.

Commands

Common meterpreter commands

  • background — background the current session and return to the Metasploit console
  • clearenv — clears the (Windows) event logs (kinda obvious)
  • creds_all — dump all user credentials in memory (requires the kiwi module)
  • download — transfer a file from the target to the attacker
  • edit — edit a file
  • getpid — get current process ID
  • getprivs — display current user privileges
  • getsystem — attempt to elevate to SYSTEM/root
  • getuid — get current process user
  • golden_ticket_create — create a golden ticket (requires the kiwi module)
  • guid — get session ID
  • hashdump — dump NLTM hashes from the SAM (Windows-only, requires system privileges); fields are username, RID (the last four digits of the Windows SID, with leading zeros dropped), LM password hash, NTLM password hash
  • ifconfig — display host network interface information
  • info — get information about a meterpreter extension
  • load — load meterpreter extension
  • load kiwi — load Mimikatz extension
  • migrate — migrate meterpreter to another process
  • netstat — display host network connections
  • portfwd — forward a port on the host
  • route — mess with the host routing tables
  • run — run a meterpreter extension
  • search — search for files
  • sessions — switch to another (Metasploit) session
  • shell — drop to system shell (return to meterpreter using CTRL + Z)
  • sysinfo — pull remote system information
  • upload — transfer a file from the attacker to the target

meterpreter sessions can be backgrounded using the background command, and all sessions can be backgrounded using CTRL + Z. List sessions using the sessions command, and foreground a session using session -i #, where # is the session number.

The sessions command is also used to connect to meterpreter sessions that have been caught after a successfully executed exploit.

Link to original

Extensions

Loading PowerShell

How to start PowerShell from a meterpreter session

load powershell
powershell_shell

Don’t try to exit PowerShell — trying to do this produces consistent hangs for me. Instead, background the process with ^Z.

Link to original

Using Mimikatz

How to call Mimikatz from a meterpreter shell

Use load kiwi to load up Mimikatz. Sub-commands:

kerberos         # Attempt to retrieve kerberos creds
livessp          # Attempt to retrieve livessp creds
mimikatz_command # Run a custom commannd
msv              # Attempt to retrieve msv creds (hashes)
ssp              # Attempt to retrieve ssp creds
tspkg            # Attempt to retrieve tspkg creds
wdigest          # Attempt to retrieve wdigest creds
Link to original

User impersonation

How to impersonate a user with meterpreter

load incognito
list_tokens -u
impersonate_token $DOMAIN\\$USER

Not 100% sure where the “tokens” come from here… Mimikatz, maybe?

Link to original

Process migration

Process migration in meterpreter

I think that meterpreter is being run directly from memory, and what migrate is doing is basically creating a new process using the memory of a different application, hopping to that process, and then shutting down the old process.

Reasons to migrate the meterpreter process:

  • For persistence (pick a long-running process)
  • To make sure that the meterpreter process has system privileges
  • To hide (pick a process less likely to be examined)
  • To stabilize the shell (initial exploits often produce somewhat unstable sessions)
  • To move laterally or escalate privileges within a system (if you’re lucky)
  • To gain additional capabilities

In particular, harvesting credentials from LSASS requires that meterpreter be living in a process with the same permissions (NT AUTHORITY/SYSTEM) and architecture as LSASS; migrating meterpreter can help us realize this. The print spooler service (spoolsv.exe) is often a good choice, as it runs with elevated permissions, has the same architecture as the system itself, and will restart itself automatically. You can also use lsass.exe directly if you feel like living dangerously.

Another example is that dumping keystrokes will only work when meterpreter is attached to a word processor or text editor.

Note that meterpreter will happily let you migrate from a privileged to an unprivileged process — which may cause you to loose control of the target system! Additionally, migrating meterpreter will change its current working directory to that of the process it’s attaching to.

Executing run post/windows/manage/migrate will cause meterpreter to try to migrate to another process in an automated fashion. I’m not sure how “smart” this is in practice.

Link to original

Graph View

Backlinks