Chapter 4 – Meterpreter Shell

Learn about the Meterpreter shell.

Resources

meterpreter - CyberSpace

Introduction

After a successful exploit, a Meterpreter session gives you a full remote shell along with many other functions.

Meterpreter is great for manipulating a system once you have a remote connection, so depending on what your goals are, a Meterpreter shell is usually preferred to a plain remote terminal shell.

Meterpreter gives us a set of commands and utilities that can be run to greatly aid in security testing. For example, there are commands to pull the password hashes and gather data & settings from the system.

There are also some fun tools included in Meterpreter: for example, you can turn on the user’s webcam and grab still shots, turn on the remote microphone, and even grab desktop screenshots of what the user is working on.

In this section we will quickly cover the Meterpreter shell and some of its features. 

Basic Meterpreter Commands

Let’s start with a machine that we tricked into running a backdoored program (to see how to create an anti-virus evading backdoor, see the chapter on “Veil”). Once executed, the backdoor program connected out to our Kali system and a session was created. We were then automatically dropped into the active session as seen below:


Once connected to the session we are given a Meterpreter prompt:

Okay, let’s see what Meterpreter can do, let’s start by using the help command to see what is available.

When we do so, we see that the commands are broken out into sections.

The commands are: 
Core Commands
File System Commands
Networking Commands
System Commands
User Interface Commands
Webcam Commands
Priv Commands (three of them, for pulling hashes and timestomping)

We will not cover all of the commands but will look at a couple in a little more depth. It is a good idea to read through them all to get a basic understanding of what they can do. 

Core Commands 


As a beginner-level user, you will probably only use background, help, load, migrate, run and exit from this list.

Background - Background allows you to background a session so that you can get back to the MSF prompt or access other sessions.


You can return to your session from the MSF prompt with the “sessions -i <session #>” command (“sessions -l” lists the sessions you have open).

Load and Run – These commands allow you to use additional modules and commands inside Meterpreter. “load” adds an extension to the running Meterpreter (for example “load kiwi” or “load incognito”), which gives you the extension’s commands; “run” executes a Meterpreter script or a post module against the current session.

Exit – Exits out of Meterpreter

File System Commands

When you have a Meterpreter shell, you basically are dealing with two file systems, the local and remote. File system commands allow you to interact with both.



Most of these commands mirror the standard Linux commands (ls, cd, pwd, cat, mkdir and so on), so getting around the file system feels familiar. But how do you tell the local system apart from the remote system you are attached to?

Every file system command operates on the remote system unless it is one of the local variants, which carry an “l” prefix (lcd, lpwd). So, for example, to get a directory listing of the remote system, just use the “ls” command:



If we create a directory called “test” on the remote machine we can navigate to it, and then list the contents:



When you need to move around your local (Kali) file system there are a couple commands you can use.

getlwd & lpwd – Get (display) the local working directory
lcd – Change the local directory

So, if we needed to check our local working directory and then change into our Desktop directory on our Kali system, we can do the following: 



Download allows you to download files from the target system, and conversely, upload allows you to send files to the remote system.

So, if we want to upload a file, just change into the desired local and remote directories and execute the upload command with the name of the file you want to send, as shown below: 


We changed into the Desktop directory on the Kali machine where we had our tools file. We then changed into the “test” directory on our target, and simply used the “upload” command to transfer the file.

Download works the same way, just use download and the file name to pull the file off the remote system and store it on your local Kali machine:



Now let’s take a look at the network commands.

Network Commands

These commands allow you to display and manipulate some basic networking features.

arp – Displays the remote system’s ARP cache, i.e. the MAC address it has recorded for each IP address it has talked to.
ifconfig & ipconfig – Both display the network interfaces on the remote system (the same command under two names).
netstat – Displays the remote system’s active network connections and listening ports.
portfwd & route – Forward ports through, and add routes via, the exploited machine. We will not cover them in this chapter, but these two commands let you pivot: using the machine you have exploited to reach and attack other machines in the target network or networks.

System Commands

Below is a list of system commands. We won’t cover them all, but again, it is good to read through the list to get familiarized with them:

clearev – This useful little command will attempt to clear the event logs on the remote computer. We may want to erase our tracks and clear the system logs on the target machine. If we look at the logs on the Windows 7 system side, we can see that it is full of events: 

Some of those events may include things that we did. So, we can clear the logs remotely from the Kali system by typing “clearev”:

The Application, System and Security logs are wiped. If we look at the Security log again it just shows one record, “Log Clear”: 

Now obviously this will stick out like a sore thumb to anyone analyzing the logs. The clearing is itself logged: Windows writes event ID 1102 (“The audit log was cleared”) to the Security log, and event ID 104 (“The … log file was cleared”) to the System log for each of the other logs, both from the Microsoft-Windows-Eventlog provider and both naming the account that did it. Three such records within a second or two of each other is exactly what clearev looks like to a defender. But if there are events you want removed, you can clear the log.
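To show the defender’s side of clearev, here is an added example (not code from the original chapter or from Metasploit) that runs the check a SOC analyst would write over a handful of exported event records. The records are constructed for this example: the host name, the account “Fred”, the timestamps and the decoy driver event are assumptions, and the JSON keys mirror the properties Get-WinEvent exports, flattened to plain fields.

```ruby
require 'json'
require 'time'

# Added example, not code from the original chapter: the defender's side of
# "clearev". Windows records the clearing itself: the Security log gets event
# 1102 ("The audit log was cleared") and the System log gets event 104 ("The
# <name> log file was cleared") for each other log, both from the provider
# Microsoft-Windows-Eventlog. The records below are constructed for this
# example (host, account and times are assumptions); the keys mirror the
# properties Get-WinEvent exports, flattened to plain JSON.
SAMPLE_EVENTS = <<~'JSON'
  [
    {"LogName":"Security","Id":1102,"ProviderName":"Microsoft-Windows-Eventlog","MachineName":"WIN-LOANLOTDQLU","TimeCreated":"2014-03-02T10:31:05Z","Properties":{"SubjectUserName":"Fred","SubjectDomainName":"WIN-LOANLOTDQLU"}},
    {"LogName":"Security","Id":4624,"ProviderName":"Microsoft-Windows-Security-Auditing","MachineName":"WIN-LOANLOTDQLU","TimeCreated":"2014-03-02T10:35:40Z","Properties":{"TargetUserName":"Fred","LogonType":"2"}},
    {"LogName":"System","Id":104,"ProviderName":"Microsoft-Windows-Eventlog","MachineName":"WIN-LOANLOTDQLU","TimeCreated":"2014-03-02T10:31:05Z","Properties":{"SubjectUserName":"Fred","SubjectDomainName":"WIN-LOANLOTDQLU","Channel":"Application"}},
    {"LogName":"System","Id":104,"ProviderName":"Microsoft-Windows-Eventlog","MachineName":"WIN-LOANLOTDQLU","TimeCreated":"2014-03-02T10:31:06Z","Properties":{"SubjectUserName":"Fred","SubjectDomainName":"WIN-LOANLOTDQLU","Channel":"System"}},
    {"LogName":"System","Id":104,"ProviderName":"SomeVendorDriver","MachineName":"WIN-LOANLOTDQLU","TimeCreated":"2014-03-02T10:32:00Z","Properties":{}},
    {"LogName":"System","Id":7036,"ProviderName":"Service Control Manager","MachineName":"WIN-LOANLOTDQLU","TimeCreated":"2014-03-02T10:40:12Z","Properties":{"param1":"Windows Update","param2":"running"}},
    {"LogName":"Application","Id":1000,"ProviderName":"Application Error","MachineName":"WIN-LOANLOTDQLU","TimeCreated":"2014-03-02T10:45:00Z","Properties":{}}
  ]
JSON

EVENTLOG_PROVIDER = 'Microsoft-Windows-Eventlog'.freeze

def parse_events(json)
  JSON.parse(json)
end

# One finding per cleared log: which log, when, on which host, by which account.
# The provider check matters: other sources reuse event ID 104 for unrelated things.
def log_clear_findings(events)
  events.map do |e|
    next unless e['ProviderName'] == EVENTLOG_PROVIDER
    log = case [e['LogName'], e['Id']]
          when ['Security', 1102] then 'Security'
          when ['System', 104]    then e.dig('Properties', 'Channel')
          end
    next unless log
    { log: log,
      time: Time.iso8601(e['TimeCreated']),
      host: e['MachineName'],
      user: e.dig('Properties', 'SubjectUserName') }
  end.compact
end

# "clearev" wipes Application, System and Security back to back, so two or
# more clears from one account on one host within a short window is the
# pattern to alert on; a lone 104 after an administrator's planned clear is not.
def clear_bursts(findings, window: 60)
  findings.group_by { |f| [f[:host], f[:user]] }.flat_map do |(host, user), group|
    bursts = []
    group.sort_by { |f| f[:time] }.each do |f|
      if bursts.any? && f[:time] - bursts.last[:start] <= window
        bursts.last[:logs] << f[:log]
      else
        bursts << { host: host, user: user, start: f[:time], logs: [f[:log]] }
      end
    end
    bursts.select { |b| b[:logs].size >= 2 }
  end
end

if __FILE__ == $PROGRAM_NAME
  findings = log_clear_findings(parse_events(SAMPLE_EVENTS))
  findings.each { |f| puts "#{f[:time].utc.iso8601} #{f[:host]} #{f[:log]} log cleared by #{f[:user]}" }
  clear_bursts(findings).each do |b|
    puts "ALERT: #{b[:user]}@#{b[:host]} cleared #{b[:logs].sort.join(', ')} starting #{b[:start].utc.iso8601}"
  end
end
```

Run it and the three clears by Fred are reported and rolled into a single alert, while the driver’s unrelated event 104 is ignored because it does not come from the event log service. On a real host you would feed this the output of Get-WinEvent (or your SIEM’s equivalent) rather than the embedded sample.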

getpid & ps – As you use Meterpreter, two of the commands that you will use fairly often are getpid and ps.
getpid – tells you which process ID your Meterpreter session is running in
ps – lists all processes running on the remote system
So, if I type, “getpid” I see this: 

This is the process ID number that our shell is using. If I type “ps” I can see all the processes:


If we go further down the list, looking for our pid number of 3824 we see this:

3824  3796  powershell.exe  x86  1  WIN-LOANLOTDQLU\Fred  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

This shows our process ID of 3824 (the second column, 3796, is the parent process). It also shows that our session lives inside a powershell.exe process running as the user “Fred”. 

This information comes in handy when we want to “migrate” out of this process and into another one. Migrating moves the Meterpreter session into a different process, and from then on the session runs with that process’s user and privileges. Two caveats: you can only migrate into a process that your current user is allowed to open, so a shell running as Fred cannot simply hop into a SYSTEM process (for that you have to elevate first; see the chapter on bypassing UAC), and moving out of the user’s interactive session into a service process will break the user interface commands such as screenshot and webcam.

Migrating also lets us hide our session inside a more common, longer-lived process. If Fred closes the PowerShell window our session dies with it, whereas explorer.exe stays up as long as he is logged in, which is why it is one of the most common processes to migrate to. Bear in mind that migration is process injection, and modern endpoint protection watches for it.

Simply find the PID# of the process you want to use (1736 on our system) and type “migrate <PID#>”.
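Choosing the target is the part that is easy to get wrong, so here is an added example (not code from the original chapter or from Metasploit) that parses the table the ps command prints and applies the rules above: same user, same session, skip processes with no path, prefer a stable process such as explorer.exe, then prefer the same architecture. The process list is constructed for this example; apart from the 3824/3796 pair from the chapter, the PIDs, paths and host are assumptions.

```ruby
# Added example, not code from the original chapter or from Metasploit:
# parse the table that Meterpreter's "ps" command prints and pick a migration
# target the way a tester does by hand. The process list below is constructed
# for this example; the PIDs, paths and host name are assumptions.
PS_OUTPUT = <<~'PS'
  Process List
  ============

   PID   PPID  Name              Arch  Session  User                  Path
   ---   ----  ----              ----  -------  ----                  ----
   0     0     [System Process]
   4     0     System            x64   0
   336   4     smss.exe          x64   0        NT AUTHORITY\SYSTEM   \SystemRoot\System32\smss.exe
   604   496   svchost.exe       x64   0        NT AUTHORITY\SYSTEM   C:\Windows\System32\svchost.exe
   668   600   winlogon.exe      x64   1        NT AUTHORITY\SYSTEM   C:\Windows\System32\winlogon.exe
   1736  1700  explorer.exe      x64   1        WIN-LOANLOTDQLU\Fred  C:\Windows\Explorer.EXE
   2240  1736  notepad.exe       x64   1        WIN-LOANLOTDQLU\Fred  C:\Windows\System32\notepad.exe
   3796  1736  cmd.exe           x86   1        WIN-LOANLOTDQLU\Fred  C:\Windows\SysWOW64\cmd.exe
   3824  3796  powershell.exe    x86   1        WIN-LOANLOTDQLU\Fred  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PS

ProcInfo = Struct.new(:pid, :ppid, :name, :arch, :session, :user, :path)

# Columns in the ps table are separated by runs of two or more spaces, which
# keeps single-spaced values such as "[System Process]" and
# "NT AUTHORITY\SYSTEM" in one piece. Header and rule lines have no numeric
# PID and are skipped; short rows (kernel processes) leave user/path nil.
def parse_ps(text)
  text.each_line.map do |line|
    cols = line.strip.split(/\s{2,}/)
    next unless cols[0]&.match?(/\A\d+\z/)
    pid, ppid, name, arch, session, user, path = cols
    ProcInfo.new(pid.to_i, ppid.to_i, name, arch, session, user, path)
  end.compact
end

# Long-lived processes the user is unlikely to close.
PREFERRED = %w[explorer.exe].freeze

# Pick the process to hand to "migrate". The filters encode what an
# unprivileged session can actually do; the ranking encodes preference.
def choose_target(procs, current_pid, preferred: PREFERRED)
  me = procs.find { |p| p.pid == current_pid }
  raise ArgumentError, "pid #{current_pid} is not in the ps output" unless me

  candidates = procs.select do |p|
    p.pid != me.pid &&
      p.user == me.user &&       # a user-level session can only open its own user's processes
      p.session == me.session && # leaving the interactive session breaks screenshot/webcam
      !p.path.nil?               # no path: kernel or protected process, cannot be opened anyway
  end

  candidates.min_by do |p|
    [
      preferred.index { |n| p.name.casecmp?(n) } || preferred.size, # stable names first
      p.arch == me.arch ? 0 : 1, # same architecture next: cross-arch works on Windows but is one more thing to fail
      p.pid                      # deterministic tie-break
    ]
  end
end

# The exact command to type at the meterpreter> prompt.
def migrate_command(target)
  "migrate #{target.pid}"
end

if __FILE__ == $PROGRAM_NAME
  procs = parse_ps(PS_OUTPUT)
  target = choose_target(procs, 3824)
  puts "#{migrate_command(target)}   # #{target.name} (#{target.arch}) owned by #{target.user}"
end
```

With the chapter’s session in PID 3824, the pick is explorer.exe (1736), exactly the process the chapter migrates to; the SYSTEM processes are never considered because Fred’s token cannot open them. Drop the preferred list and the ranking falls back to the nearest same-architecture process, the parent cmd.exe, which is still owned by Fred but would die the moment that console window is closed.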


We will talk about migrating and some of the other Meterpreter commands more in later sections. For now, let’s talk about screenshots and using the remote webcam!

Capturing Webcam Video, Screenshots and Sound

When I was listening to the news a while back, I remember them going on and on about a brand new “advanced persistent threat” that could actually allow attackers to turn on your webcam and even record sound. I thought this was completely ridiculous as you have been able to do this with Metasploit for years.

WEBCAM VIDEO

From the Meterpreter prompt, typing “run webcam -h” displays the help menu. (This uses the older webcam Meterpreter script; newer Metasploit versions list webcam_list, webcam_snap and webcam_stream under the Webcam Commands section of help, and the script may no longer be available.) 

Then just type “run webcam” and add any options that you want. This will remotely display the webcam from the target system.


If you use the “-l” option, it will continuously grab webcam snaps until you hit Ctrl-C.

The only hint you get on the target machine that something is wrong is that your webcam recording light (if yours has one) comes on. Other than that, you cannot tell that someone is remotely viewing your webcam.

The webcam screenshot above is an actual image I got one day of my cat. Not sure why cats must sleep on laptop keyboards, but I do know now who has been ordering all that Tuna fish online…

SCREENSHOTS

You can grab a snapshot of whatever is currently being displayed on your target’s monitor using the “screenshot” command: 

If we open the file, we see this: 

Well, along with getting his system infected with a backdoor exploit, it seems that our star employee also spends his valuable time at work playing video games online.
Nice…

SOUND RECORDING

Recording sound is very similar: just type “run sound_recorder -h” for options, or if you want to grab a 30 second sound clip, run the command without any options. (Newer versions provide the record_mic command instead; “record_mic -d 30” records 30 seconds.) 

You can then open the saved file on your Kali system to listen to it:







Quick links:

Part 1: Installing and Basic Overview
Part 2 - Metasploit Tutorial
Chapter 4 – Meterpreter Shell     -> you are now here!
Part 3 - Information Gathering & Mapping
Chapter 5 – Recon Tools
Chapter 6 - Shodan
Part 3 - Attacking Hosts
Chapter 7 – Metasploitable Tutorial - Part One
Chapter 8 – Metasploitable - Part Two: Scanners
Chapter 9 – Windows AV Bypass with Veil: Installing Veil
Chapter 10 – Windows Privilege Escalation by Bypassing UAC
Chapter 11 - Packet Captures and Man-in-the-Middle Attacks
Chapter 12 – Using the Browser Exploitation Framework
Part 4 - Social Engineering
Chapter 13 – Social Engineering
Chapter 14 – The Social Engineering Toolkit
Chapter 15 - Subterfuge
Part 5 - Password Attacks
Chapter 16 – Cracking Simple LM Hashes
Chapter 17 – Pass the Hash: Passing the Hash with Psexec
Chapter 18 – Mimikatz Plain Text Passwords
Chapter 19 – Mimikatz and Utilman
Chapter 20 - Keyscan and Lockout Keylogger
Chapter 21 - HashCat
Chapter 22 - Wordlists
Chapter 23 – Cracking Linux Passwords
Part 6 – Router and Wi-Fi Attacks
Chapter 24 – Router Attacks
Chapter 25 – Wireless Network Attacks
Chapter 26 – Fern WIFI Cracker: Using Fern
Chapter 27 – Wi-Fi Testing with WiFite: Using WiFite
Chapter 28 – Kismet - Scanning with Kismet
Chapter 29 – Easy Creds
Part 7 - Raspberry Pi
Chapter 30 – Installing Kali on a Raspberry Pi
Chapter 31 – WiFi Pentesting on a Raspberry Pi
Part 8 - Defending your Network
Chapter 32 – Network Defense and Conclusion










Comments

  1. Capturing webcam and audio is the best part. Except the layout of the note section is the worst; it is totally moving to the right side🤔. Maybe the padding is not responsive. Please check that, bro🤨🤨

  2. This chapter is so good. I didn't find the layout issue they mentioned. Maybe it is on smaller devices.

