An example of the download command is shown below. Depending on the exploit you used, you may find that your Meterpreter session only has limited user rights.
This can severely limit the actions you can perform on the target system. Manipulating the registry, installing backdoors and dumping passwords will require elevated user rights.
Fortunately, Meterpreter has a getsystem command that attempts a number of different techniques and exploits to gain local SYSTEM privileges on the target. The getuid command retrieves the user that Meterpreter is running as. The hashdump post module dumps the local user accounts from the SAM database.
Note that post modules and scripts are executed via the run command. Note that the LM hash aad3bbeeaad3bbee corresponds to an empty password, as does the NTLM hash 31d6cfe0d16aeb73c59d7e0cc0. This leaves us with the hash of user Coen: fc5db7ddebefa4b0dae7ee8c50aea. To crack this password we could use a tool like John the Ripper. However, sometimes a simple Google search already reveals fc5db7ddebefa4b0dae7ee8c50aea as the NTLM hash of the bad password trustno1. It is possible to execute an application on the target machine by running the execute command.
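A defender who reviews such a dump wants blank passwords and LM storage flagged automatically rather than spotted by eye. The following Python is an added example, not code from the original post: it parses pwdump-format hashdump lines and flags accounts whose NT hash is the well-known empty-password hash, or that still store an LM hash. The sample dump is constructed; the NT hashes for 'Coen' and 'legacy' are placeholders, not real values.

```python
import re

# Well-known LM and NT hashes of the empty password, as hashdump prints them.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One hashdump / pwdump record: user:RID:LM-hash:NT-hash:::
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# Constructed sample dump (not real data): Administrator and Guest have a blank
# password, 'Coen' has a placeholder NT hash, 'legacy' still stores an LM hash.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Coen:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy:1001:00112233445566778899aabbccddeeff:ffeeddccbbaa99887766554433221100:::
"""


def parse_pwdump(text):
    """Parse pwdump-format lines into dicts; reject malformed records loudly."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PWDUMP_RE.match(line)
        if m is None:
            raise ValueError(f"malformed pwdump line: {line!r}")
        entries.append({"user": m["user"], "rid": int(m["rid"]),
                        "lm": m["lm"].lower(), "nt": m["nt"].lower()})
    return entries


def audit(entries):
    """Return (user, issue) pairs a defender should act on."""
    findings = []
    for e in entries:
        if e["nt"] == EMPTY_NT:
            findings.append((e["user"], "blank password"))
        if e["lm"] != EMPTY_LM:
            findings.append((e["user"], "LM hash stored"))  # LM hashes are trivially crackable
    return findings


if __name__ == "__main__":
    for user, issue in audit(parse_pwdump(SAMPLE_DUMP)):
        print(f"{user}: {issue}")
```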
Regarding the last option, -s, we can find the available sessions by using the enumdesktops command. The following example does that and then executes calc. A screenshot of the victim's desktop can be taken and stored on our system by using the screenshot command.
In the following example calc. In the screen capture it's clearly visible that the calc. A more convenient way to enumerate the entire Windows instance is by running the winenum script. This runs commands such as net, netsh and wmic on the target machine and stores the results on our local system. An example of the winenum script's output is shown below.
An interesting output is that of the netstat -vb command. Netstat is a network statistics tool in Windows that displays network connections, routing tables, protocol statistics and so on. The -vb parameter displays the sequence of components involved in creating the connection or listening port for all executables. As we can clearly see, spoolsv.
A lot less stealthy is creating a new user account on the target machine. This newly created user is given administrator rights and added to the 'Remote Desktop Users' group.
Adding a new account is done by calling the getgui script and providing the user name and password with the -u and -p options respectively. Note the last line of the output.
Many scripts create a revert script and store it somewhere on your system. To revert the changes a script made on the target machine, you simply call this revert script. According to the execution log, the script also attempts to hide the user from the Windows login screen.
A snapshot from the target machine shows that this failed, as the new 'Hacker' account can be clearly seen. As soon as we have a new user with remote desktop rights, we can use these credentials to start a Remote Desktop session.
First, we need to make sure the Windows instance has the Remote Desktop feature enabled. This is done by starting a few specific services.
No worries, the getgui script has you covered here as well. By providing the -e parameter it makes sure Remote Desktop is enabled on the target and stays enabled after the machine is restarted.
Note in the last line that this script also created a revert script to undo all changes made on the target machine.
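The trace getgui leaves behind (a brand-new local account that is immediately made an administrator and a Remote Desktop user, often by the SYSTEM account) is a clean signal in the Windows Security log. The following Python is an added example, not part of the original post: it correlates constructed 4720 (user account created) and 4732 (member added to a local group) records and alerts on accounts that join a privileged group within minutes of being created. The flattened record layout and all sample values are assumptions.

```python
from datetime import datetime, timedelta

# Windows Security log event IDs: 4720 = user account created,
# 4732 = member added to a security-enabled local group.
ACCOUNT_CREATED, ADDED_TO_LOCAL_GROUP = 4720, 4732
# Groups a getgui-style script puts the new account into.
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}
WINDOW = timedelta(minutes=5)

# Constructed sample records (not real log data). The layout is simplified:
# a real 4732 record carries the member's SID rather than its name.
SAMPLE_EVENTS = [
    {"id": 4720, "time": "2012-11-21T10:00:01", "account": "Hacker", "by": "SYSTEM"},
    {"id": 4732, "time": "2012-11-21T10:00:02", "account": "Hacker", "group": "Administrators"},
    {"id": 4732, "time": "2012-11-21T10:00:02", "account": "Hacker", "group": "Remote Desktop Users"},
    {"id": 4720, "time": "2012-11-21T09:00:00", "account": "svc_backup", "by": "itadmin"},
    {"id": 4732, "time": "2012-11-21T14:30:00", "account": "svc_backup", "group": "Backup Operators"},
]


def detect_new_privileged_accounts(events, window=WINDOW):
    """Map each freshly created account to the privileged groups it joined within `window`."""
    created = {}
    for e in events:
        if e["id"] == ACCOUNT_CREATED:
            created[e["account"]] = (datetime.fromisoformat(e["time"]), e["by"])
    alerts = {}
    for e in events:
        if e["id"] != ADDED_TO_LOCAL_GROUP or e["group"] not in PRIVILEGED_GROUPS:
            continue
        if e["account"] not in created:
            continue  # long-standing account: out of scope for this rule
        created_at, created_by = created[e["account"]]
        delta = datetime.fromisoformat(e["time"]) - created_at
        if timedelta(0) <= delta <= window:
            entry = alerts.setdefault(e["account"], {"created_by": created_by, "groups": []})
            entry["groups"].append(e["group"])
    return alerts


if __name__ == "__main__":
    for account, info in detect_new_privileged_accounts(SAMPLE_EVENTS).items():
        print(f"ALERT: {account} created by {info['created_by']}, added to {info['groups']}")
```

Because the rule keys on the 4720/4732 pair, a later run of the getgui revert script (which deletes the account again) does not remove the evidence already logged.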
Before starting the Remote Desktop session, we may want to check how long the remote user has been idle by calling the idletime command. This reduces the risk of being discovered when a user is logged in, as he will be served the following message. The image below shows the result of a successful Remote Desktop connection with the newly created 'Hacker' account.
Please refer to the vim editor documentation for more advanced use. The execute command runs a command on the target. Running getuid displays the user that the Meterpreter server is running as on the host.
The hashdump post module will dump the contents of the SAM database. Running idletime will display the number of seconds that the user at the remote machine has been idle. The ipconfig command displays the network interfaces and addresses on the remote machine.
The lpwd and lcd commands are used to display and change the local working directory respectively. When receiving a Meterpreter shell, the local working directory is the location where one started the Metasploit console. Changing the working directory will give your Meterpreter session access to files located in this folder. As in Linux, the ls command will list the files in the current remote directory. Using the migrate post module, you can migrate to another process on the victim. The ps command displays a list of running processes on the target.
Pick a name for your extension; make sure it's something meaningful and short. For the sake of example, we'll create a new extension called splat. Once you have a cool and meaningful name, you can get your project going by doing the following. Building on Windows: as of commit ab1bc9aae81bf46d8c92dc, Meterpreter is built with Visual Studio Express for Desktop or any paid version of Visual Studio.