The meterpreter reverse shell requires a connection back to msfconsole using multi/handler.
Commands
background
— background the current session and return to the Metasploit consoleclearenv
— clears the (Windows) event logs (kinda obvious)creds_all
— dump all user credentials in memory (requires thekiwi
module)download
— transfer a file from the target to the attackeredit
— edit a filegetpid
— get current process IDgetprivs
— display current user privilegesgetsystem
— attempt to elevate to SYSTEM/rootgetuid
— get current process usergolden_ticket_create
— create a golden ticket (requires thekiwi
module)guid
— get session IDhashdump
— dump NLTM hashes from the SAM (Windows-only, requires system privileges); fields are username, RID (the last four digits of the Windows SID, with leading zeros dropped), LM password hash, NTLM password hashifconfig
— display host network interface informationinfo
— get information about a meterpreter extensionload
— load meterpreter extensionload kiwi
— load Mimikatz extensionmigrate
— migrate meterpreter to another processnetstat
— display host network connectionsportfwd
— forward a port on the hostroute
— mess with the host routing tablesrun
— run a meterpreter extensionsearch
— search for filessessions
— switch to another (Metasploit) sessionshell
— drop to system shell (return to meterpreter usingCTRL + Z
)sysinfo
— pull remote system informationupload
— transfer a file from the attacker to the target
meterpreter sessions can be backgrounded using the background
command, and all sessions can be backgrounded using CTRL + Z
. List sessions using the sessions
command, and foreground a session using session -i #
, where #
is the session number.
The sessions
command is also used to connect to meterpreter sessions that have been caught after a successfully executed exploit.
Extensions
Loading PowerShell
Don’t try to exit PowerShell — trying to do this produces consistent hangs for me. Instead, background the process with ^Z
.
Using Mimikatz
Call Mimikatz from a meterpreter shell
Use
Link to originalload kiwi
to load up Mimikatz. Sub-commands:
User impersonation
Not 100% sure where the “tokens” come from here… Mimikatz, maybe?
Process migration
I think that meterpreter is being run directly from memory, and what migrate
is doing is basically creating a new process using the memory of a different application, hopping to that process, and then shutting down the old process.
Reasons to migrate the meterpreter process:
- For persistence (pick a long-running process)
- To make sure that the meterpreter process has system privileges
- To hide (pick a process less likely to be examined)
- To stabilize the shell (initial exploits often produce somewhat unstable sessions)
- To move laterally or escalate privileges within a system (if you’re lucky)
- To gain additional capabilities
In particular, harvesting credentials from LSASS requires that meterpreter be living in a process with the same permissions (NT AUTHORITY/SYSTEM) and architecture as LSASS; migrating meterpreter can help us realize this. The print spooler service (spoolsv.exe) is often a good choice, as it runs with elevated permissions, has the same architecture as the system itself, and will restart itself automatically. You can also use lsass.exe directly if you feel like living dangerously.
Another example is that dumping keystrokes will only work when meterpreter is attached to a word processor or text editor.
Note that meterpreter will happily let you migrate from a privileged to an unprivileged process — which may cause you to loose control of the target system! Additionally, migrating meterpreter will change its current working directory to that of the process it’s attaching to.
Executing run post/windows/manage/migrate
will cause meterpreter to try to migrate to another process in an automated fashion. I’m not sure how “smart” this is in practice.