Hands-On Red Team Tactics

Meterpreter

Meterpreter can be considered an advanced dynamic payload that uses in-memory Dynamic Link Library (DLL) injection, staged at runtime. It also provides a client-side Ruby API that makes it extremely powerful. There are various advantages of using Meterpreter as a payload. Some of these are as follows:

  • It resides in memory and nothing is written to the disk.
  • No new process is created, as it can easily be injected into any other running process on the system. However, there is a limitation: we can't inject multiple Meterpreter payloads into the same process.
  • By default, all communication done by Meterpreter is encrypted.
  • New features can be added by uploading a DLL via the client; the DLL is loaded in memory and initialized.

In this section, we will cover the basics of Meterpreter. Once we get Meterpreter on a system, the first command to look at is the help command:

To get the current working directory, we can use the pwd command:

To list all the files in the directory, we use the ls command:

If we want to exploit another system or perform any other action on msfconsole without killing the current Meterpreter session, we can use the background command to put the session in the background:

To see a list of all the Meterpreter sessions we have, we can use the sessions command:

To interact with a Meterpreter session, we can use sessions -i <id>.

To kill all sessions, we can use sessions -K.

Similarly, we can use sessions -C <command> to execute a command across all sessions:

To list all the running processes on the system, we can use the ps command:

Now we can view only x86 (32-bit) processes by typing the following command:

ps -A x86  

To view only 64-bit processes, we can use this:

ps -A x64 

We can also move Meterpreter into another process using the migrate command. When this command is run, Meterpreter first takes from the user the PID of the process it has to migrate to, then checks the architecture of that process and SeDebugPrivilege (used to get a handle to the process). Next, it fetches the payload that will be injected into the process and calls various Windows APIs, such as OpenProcess(), VirtualAllocEx(), WriteProcessMemory(), and CreateRemoteThread(). Once migration is complete, Meterpreter shuts down the previous thread that had the initial Meterpreter running. Although it sounds complicated, Meterpreter can do all of this with the following simple command:

migrate <Pid> 
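The API sequence described above is also what defenders look for in endpoint telemetry. The following Python is an added example, not code from the book or from Metasploit: it pairs a Sysmon ProcessAccess event (ID 10) whose access mask covers the rights needed for VirtualAllocEx(), WriteProcessMemory() and CreateRemoteThread() with a later CreateRemoteThread event (ID 8) between the same two processes. It assumes events already parsed into dictionaries keyed by Sysmon field names and a 30-second correlation window; the sample events are constructed.

```python
from datetime import datetime, timedelta

# PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE: the rights a
# handle needs for VirtualAllocEx, WriteProcessMemory and CreateRemoteThread
INJECT_MASK = 0x0002 | 0x0008 | 0x0020
WINDOW = timedelta(seconds=30)  # assumed correlation window

def ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")

def find_injections(events):
    """Pair a ProcessAccess event (ID 10) granting injection rights with a
    later CreateRemoteThread event (ID 8) between the same two processes."""
    opened = {}  # (source pid, target pid) -> time the handle was opened
    alerts = []
    for ev in sorted(events, key=ts):
        pair = (ev["SourceProcessId"], ev["TargetProcessId"])
        if ev["EventID"] == 10:
            if int(ev["GrantedAccess"], 16) & INJECT_MASK == INJECT_MASK:
                opened[pair] = ts(ev)
        elif ev["EventID"] == 8 and pair in opened:
            if ts(ev) - opened[pair] <= WINDOW:
                alerts.append({
                    "source": ev["SourceImage"],
                    "target": ev["TargetImage"],
                    "target_pid": ev["TargetProcessId"],
                    # Empty StartModule: thread starts outside any loaded module
                    "unbacked_start": ev.get("StartModule", "-") in ("", "-"),
                })
    return alerts

# Constructed sample events, not captured from a real host
SAMPLE = [
    {"EventID": 10, "UtcTime": "2024-01-01 10:00:00.120", "SourceProcessId": 4120,
     "SourceImage": r"C:\Users\test\sample.exe", "TargetProcessId": 2288,
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "UtcTime": "2024-01-01 10:00:00.450", "SourceProcessId": 4120,
     "SourceImage": r"C:\Users\test\sample.exe", "TargetProcessId": 2288,
     "TargetImage": r"C:\Windows\explorer.exe", "StartModule": "-"},
    # Query-only handle (0x1410) with no remote thread: must not alert
    {"EventID": 10, "UtcTime": "2024-01-01 10:05:00.000", "SourceProcessId": 900,
     "SourceImage": r"C:\Windows\System32\Taskmgr.exe", "TargetProcessId": 2288,
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1410"},
]

if __name__ == "__main__":
    for alert in find_injections(SAMPLE):
        print(alert)
```

Legitimate software such as debuggers and some security products also creates remote threads, so alerts from this correlation need an allowlist of known source images before they are useful in production.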

Meterpreter also introduced transport control with the transport command, which allows us to change the transport mechanism of a payload without killing the existing session.

Let's look at how to set up and change the transport of an existing Meterpreter. To view the options, we can simply type the transport or transport -h command:

We add transport by using the following command:

To list the available transports, we can use the following command:

transport list

Then we start our exploit handler for whichever transport we want to switch to:

Now we simply use the transport next command:

And we will see we received a connection on our handler:

For more information, visit the following link:

https://github.com/rapid7/metasploit-framework/wiki/Meterpreter-Transport-Control