An SEO's Guide To W3C Log Files
Most network activity monitoring tools don’t store actual packets, but rather just log metadata about those packets (minimally: source, destination, protocol).
Protocol Analyzer = Packet Sniffer
Now we’re talking about actual packet capture!
A.k.a. “NetFlow” (originally a Cisco thing, but since genericized). Basically, this is packet capture and analysis on router interfaces. NetFlow (and related tools like sFlow) are oriented towards understanding network usage rather than the behavior of individual machines/connections.
NetFlow data is exported using the IPFIX (Internet Protocol Flow Information Export) format.
SIEM = Your 10,000 ft view
The SIEM correlation engine is just a (user defined?) list of event sequences of interest.
IPFIX is an IETF standard.
Wireshark has some statistical packet-analysis capabilities.
General log analysis flow: Filtered down to warnings/errors, locate an event of interest, and then expand your search around that timeframe to include lower-level/priority events.
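The three-step flow above (filter to warnings/errors, find the event of interest, then widen the window to lower-priority events around that time), as an added Python example that is not part of the original notes; the syslog-style sample lines, the `investigate` helper and the 5-second window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample lines in "timestamp LEVEL source: message" form (not real logs).
SAMPLE_LOG = """\
2024-03-01T10:00:01 INFO  sshd: accepted publickey for alice from 10.0.0.5
2024-03-01T10:00:04 DEBUG cron: job backup started
2024-03-01T10:00:09 WARN  sshd: failed password for root from 198.51.100.7
2024-03-01T10:00:10 INFO  sshd: failed password for root from 198.51.100.7
2024-03-01T10:00:11 ERROR sshd: too many authentication failures for root from 198.51.100.7
2024-03-01T10:00:13 INFO  kernel: new USB device found
2024-03-01T10:05:00 INFO  cron: job backup finished
"""

SEVERITY = {"DEBUG": 0, "INFO": 1, "WARN": 2, "ERROR": 3}


def parse(text):
    """Parse each line into a dict with a datetime, a level and the message."""
    events = []
    for line in text.splitlines():
        ts, level, rest = line.split(maxsplit=2)
        events.append({"ts": datetime.fromisoformat(ts), "level": level, "msg": rest})
    return events


def filter_min_level(events, min_level="WARN"):
    """Step 1: reduce the stream to warnings and errors only."""
    return [e for e in events if SEVERITY[e["level"]] >= SEVERITY[min_level]]


def expand_window(events, pivot, seconds):
    """Step 3: every event, whatever its level, within +/- seconds of the pivot."""
    lo = pivot["ts"] - timedelta(seconds=seconds)
    hi = pivot["ts"] + timedelta(seconds=seconds)
    return [e for e in events if lo <= e["ts"] <= hi]


def investigate(text, needle, window_seconds=5):
    """Run the full flow; returns (pivot event, surrounding context events)."""
    events = parse(text)
    high = filter_min_level(events)
    pivot = next((e for e in high if needle in e["msg"]), None)  # step 2
    if pivot is None:
        return None, []
    return pivot, expand_window(events, pivot, window_seconds)
```

Note that the DEBUG and INFO lines dropped in step 1 come back in step 3, which is the point: the context around the error is where the low-priority events become meaningful.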
Call out to WinDbg Preview, which is a free Windows dump file analyzer in the Microsoft Store. Windows typically stores dump files in C:\Windows, so you'll need to copy the file out to view it.
Meterpreter is fileless, and attempts to mask itself using other process names. It only communicates back to Metasploit on an encrypted channel.
However, most modern antivirus will still recognize it.
Meterpreter supports a wide range of operating systems; there are even variants designed to live inside of common server-side interpreters (Java, Python, and PHP). Most payload versions are singletons, though there are a few staged variants.
Most variants support communication over HTTP (unencrypted), HTTPS, or raw TCP (encrypted). IPv6 (which is often poorly monitored if allowed) is also an option.
As always, be aware that some exploits may limit the available Meterpreter payloads.
Meterpreter's commands vary depending on the host OS. Some notable commands:
- background: Background the current session
- clearev: Clears the (Windows) event logs (kinda obvious)
- download: Transfer a file from the target to the attacker
- edit: Edit a file
- execute: Execute a command on the host
- getpid: Get current process ID
- getsystem: Attempt to elevate to SYSTEM/root
- getuid: Get current process user
- guid: Get session ID
- hashdump: Dump NTLM hashes (on Windows)
- ifconfig: Display host network interface information
- info: Get information about a Meterpreter extension
- load: Load a Meterpreter extension
- migrate: Migrate Meterpreter to another process
- netstat: Display host network connections
- portfwd: Forward a port on the host
- route: Mess with the host routing tables
- run: Run a Meterpreter extension
- search: Search for files
- sessions: Switch to another (Metasploit) session
- shell: Drop to system shell
- sysinfo: Pull remote system information
- upload: Transfer a file from the attacker to the target
Migrating Meterpreter to another process sometimes makes new commands available; for example, migrating to a text editor will allow you to capture keystrokes.
Note that Meterpreter will happily let you migrate from a privileged to an unprivileged process, which may cause you to lose control of the target system!
You can background system shells launched from Meterpreter with Ctrl + Z to return to the parent (Meterpreter) process.
It's always good to look at help in Meterpreter after loading a new module.
Remember that load kiwi will pull in a Meterpreter-specific version of Mimikatz!
Use net share on Windows to list all current shares. The Metasploit post/windows/gather/enum_shares module provides cleaner output (requires backgrounding Meterpreter).
To execute hashdump you will need to be connected to the lsass.exe process.
Note that migrating Meterpreter will change its current working directory to that of the process it’s attaching to.