The Metasploit framework supports both exploitation and post-exploitation. After compromising a computer system, the next step for an ethical hacker is to conduct immediate reconnaissance: gather information about the network and the compromised system. The initial meterpreter shell is fragile and prone to failure over an extended period of time. Therefore, as soon as a system is exploited, we need to migrate the shell and bind it to a more stable process, for example explorer.exe. This also makes detecting the exploit harder. At the meterpreter prompt, enter ps to obtain a list of running processes, as shown in the following screenshot:
The ps command also returns the full pathname for each process; this was omitted from the previous screenshot. That list shows that c:\windows\explorer.exe is running. In this particular case it has the process ID 1460, as shown in the following screenshot. This is usually a stable process, which is why we migrate the shell to it.
Now that we have a stable shell connection to the compromised system, we will use the meterpreter scripts that support post-exploitation activities. The first thing we need to ask ourselves is whether we are on a virtual machine or not. We can determine this by entering the command run checkvm in meterpreter. The command run checkvm is issued, as shown in the following screenshot. The returned data indicates that this is a VMware Virtual Machine.
Post-Exploitation Commands with Descriptions
run checkvm: Determines whether a virtual machine is present.
run getcountermeasure: Identifies the security configuration on the exploited system, for example antivirus, firewalls, and so on.
run killav: This script is usually outdated; it disables most of the antivirus services running on the compromised system.
run hostsedit: Allows us to add entries to the Windows HOSTS file. This can divert traffic to a different site (a fake site), which may download additional tools.
run winenum: Starts a command-line and WMIC characterization of the exploited system. It dumps the important keys from the registry and the LM hashes.
run scraper: Gathers comprehensive information that has not been gathered by other scripts, such as the entire Windows registry.
run upload and run download: Allow the attacker to upload and download files on the target system.
run getprivs: Attempts to enable all of the privileges available to the current process. It is very useful for privilege escalation.
run getsystem: Attempts to elevate privileges to the Windows SYSTEM level; this grants the fullest possible escalation of a user's privileges.
run hashdump: Dumps the contents of the SAM database to the attacker's system.
run getgui: Allows the user to enable RDP (getgui -e) and set the username and password (getgui -u). The gettelnet script can be run in the same manner.
run vnc: Gives the attacker a remote GUI (VNC) to the compromised system.
One of the most effective meterpreter scripts is the Windows enumerator (winenum). As seen in the following screenshot, it uses both command-line and WMIC calls to fully characterize the target system:
In addition to the enumeration, the winenum script also dumps the registry and collects the system hashes for cracking, as shown in the following screenshot:
Meterpreter comes with several useful libraries that support complex functions. For example, the espia library supports screenshots of the compromised system via the use espia command.
The stdapi library allows a remote attacker to control a webcam by gathering audio and video from the compromised system and relaying that data back to the attacker.
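As an added example that is not part of the original article, the following Python detector shows the defender's view of three of the actions above: a shell migrated into explorer.exe appears as a remote thread created in that process (Sysmon Event ID 8), hostsedit shows up as a write to the HOSTS file (Event ID 11), and getgui -e enables RDP by setting the standard Windows fDenyTSConnections registry value to 0 (Event ID 13). The sample events and their flat key=value layout are constructed for this example; the field names are modelled on Sysmon's.

```python
import re

# Constructed sample events in a flat key=value form modelled on Sysmon
# field names. These are not real captured logs.
SAMPLE_EVENTS = [
    'EventID=8 SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\stage.exe TargetImage=C:\\Windows\\explorer.exe',
    'EventID=8 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\explorer.exe',
    'EventID=11 Image=C:\\Windows\\explorer.exe TargetFilename=C:\\Windows\\System32\\drivers\\etc\\hosts',
    'EventID=13 Image=C:\\Windows\\explorer.exe TargetObject="HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections" Details="DWORD (0x00000000)"',
    'EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
USER_WRITABLE = ('\\users\\', '\\temp\\', '\\programdata\\')  # paths a payload typically runs from
HOSTS_PATH = 'c:\\windows\\system32\\drivers\\etc\\hosts'
RDP_VALUE = 'terminal server\\fdenytsconnections'


def parse_event(line):
    """Split one key=value event line into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def classify(ev):
    """Return an alert name for one parsed event, or '' when no rule matches."""
    eid = ev.get('EventID')
    if eid == '8':  # CreateRemoteThread: how a shell gets migrated into another process
        src = ev.get('SourceImage', '').lower()
        target = ev.get('TargetImage', '').lower()
        if target.endswith('\\explorer.exe') and any(p in src for p in USER_WRITABLE):
            return 'possible_migration_into_explorer'
    elif eid == '11':  # FileCreate: hostsedit rewrites the HOSTS file
        if ev.get('TargetFilename', '').lower() == HOSTS_PATH:
            return 'hosts_file_modified'
    elif eid == '13':  # RegistryValueSet: RDP is switched on by clearing fDenyTSConnections
        if ev.get('TargetObject', '').lower().endswith(RDP_VALUE) and '0x00000000' in ev.get('Details', ''):
            return 'rdp_enabled_via_registry'
    return ''


def scan(lines):
    """Return (alert, acting process image) pairs for every line that matches a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        alert = classify(ev)
        if alert:
            hits.append((alert, ev.get('SourceImage') or ev.get('Image', '')))
    return hits


if __name__ == '__main__':
    for alert, image in scan(SAMPLE_EVENTS):
        print(f'{alert}: {image}')
```

After migration the HOSTS and registry writes are attributed to explorer.exe, so those two rules key on the object being changed rather than on the reputation of the writing process.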