Meterpreter find and download files

To search the whole computer for JPEG files, run the search command with the -f switch followed by the filename pattern to look for, such as *.jpg.

Searching an entire computer can take a great deal of time, and an observant user might notice the hard drive thrashing constantly. The search time can be reduced by pointing the search at a starting directory with the -d switch and letting it run from there. The lpwd and lcd commands display and change the local working directory respectively; when a Meterpreter session is received, the local working directory is the directory from which the Metasploit console was started.

The pwd and cd commands do the same for the working directory on the target: changing it gives the Meterpreter session access to the files in that folder, and, as on Linux, ls lists the files in the current remote directory. Once a file of interest has been located, the download command copies it from the target into the local working directory.

The migrate command moves the Meterpreter session into another process on the victim; the ps command lists the processes running on the target so a suitable process can be chosen. The resource command executes Meterpreter instructions stored in a text file, one command per line, in sequence, which helps automate repetitive actions. By default the commands run in the current working directory on the target machine, while the resource file itself is read from the local working directory on the attacking machine.

The search command provides a way of locating specific files on the target host; it can search the whole system or specific folders. Netstat is the network statistics tool in Windows that displays network connections, routing tables, protocol statistics and more. The -vb parameters display, for every connection or listening port, the executable that created it together with the sequence of components involved. As we can clearly see, spoolsv.exe.
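The netstat -vb step above is also what a defender uses to spot a session like this one: a process such as spoolsv.exe that normally never initiates outbound connections suddenly owns an established session. The following is an added example, not code from the original post, that parses the text layout netstat -bo prints on Windows (owning executable in brackets on the line after the connection) and flags such connections. The netstat output is constructed to resemble real output, and the list of processes that should never hold outbound connections is an assumption to tune against your own baseline.

```python
"""Parse Windows `netstat -bo` output and flag established connections
owned by processes that normally never talk to the network.

Added example (not from the original post). SAMPLE_NETSTAT is constructed;
NO_OUTBOUND_EXPECTED is an assumption to tune for your environment."""

import re
from dataclasses import dataclass

# Constructed sample of `netstat -bo` output (needs an elevated prompt).
# With -b the owning executable is printed in brackets on the line *after*
# the connection; component names such as "RpcSs" may precede it.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       740
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1388
  TermService
 [svchost.exe]
  TCP    192.168.56.101:49160   192.168.56.1:4444      ESTABLISHED     1172
 [spoolsv.exe]
  TCP    192.168.56.101:49170   93.184.216.34:443      ESTABLISHED     2256
 [chrome.exe]
  UDP    0.0.0.0:500            *:*                                     1004
 [lsass.exe]
"""

# Assumption: on a typical workstation these processes have no business
# holding outbound sessions (a print server talking to printers is a
# legitimate exception you would baseline out).
NO_OUTBOUND_EXPECTED = {"spoolsv.exe", "winlogon.exe", "lsm.exe"}

# UDP rows have no State column, so the state group is optional.
CONN_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)
OWNER_RE = re.compile(r"^\s*\[(?P<exe>[^\]]+)\]\s*$")


@dataclass
class Connection:
    proto: str
    local: str
    foreign: str
    state: str
    pid: int
    owner: str = ""


def parse_netstat(text):
    """Return Connection objects with the owning executable attached.

    netstat may list several connections before a single [owner.exe]
    line when they belong to the same process, so connections are kept
    pending until the next owner line is seen."""
    conns, pending = [], []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            c = Connection(m["proto"], m["local"], m["foreign"],
                           m["state"] or "", int(m["pid"]))
            conns.append(c)
            pending.append(c)
            continue
        m = OWNER_RE.match(line)
        if m:
            for c in pending:
                c.owner = m["exe"].lower()
            pending = []
        # component lines ("RpcSs", "TermService") are deliberately ignored
    return conns


def suspicious_connections(conns):
    """Established sessions owned by a process that should never have one.

    This is exactly the footprint a payload injected into, or migrated to,
    spoolsv.exe leaves in netstat output."""
    return [c for c in conns
            if c.owner in NO_OUTBOUND_EXPECTED and c.state == "ESTABLISHED"]


if __name__ == "__main__":
    for c in suspicious_connections(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{c.owner} (pid {c.pid}) -> {c.foreign} [{c.state}]")
```

Run against a saved netstat -bo capture instead of the sample to triage a host; the same owner-to-connection join is what lets you confirm which PID to inspect (or, from the attacker's side, which process Meterpreter is currently living in).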

A lot less stealthy is the creation of a new user account on the target machine. The newly created user is given administrator rights and added to the 'Remote Desktop Users' group.

Adding the account is done by calling the getgui script and providing the user and password with the -u and -p options respectively (run getgui -u Hacker -p <password>). Note the last line of the output: many scripts create a revert script and store it on the attacking system, and to undo the changes the script made on the target you simply run that revert script. According to the execution log, the script also attempts to hide the new user from the Windows login screen.

A screenshot from the target machine shows that this failed, as the new 'Hacker' account is clearly visible. As soon as we have a new user with remote desktop rights, we can use these credentials to start a Remote Desktop session. First, we need to make sure the Windows instance has the Remote Desktop feature enabled, which is done by starting a few specific services.

No worries, the getgui script has you covered here as well: with the -e parameter it enables Remote Desktop on the target and makes sure it stays enabled after the machine is restarted.

Note again in the last line that this script also created a revert script to undo all changes made on the target machine. Before starting the Remote Desktop session, we may want to check how long the remote user has been idle with the idletime command. This reduces the risk of being discovered, because a user who is logged in at that moment is confronted with the following message:
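The getgui steps above (create a local user, add it to Administrators and Remote Desktop Users) leave a very recognisable trail in the Windows Security log: event 4720 (user account created) followed within seconds by 4732 (member added to a security-enabled local group) for the same SID. The following is an added example, not code from the original post, that correlates those two events. The event records are constructed (field names follow the Security log schema, times are made up), and the 60-second window and the group watch-list are assumptions to tune.

```python
"""Correlate Security events 4720 + 4732 to detect a getgui-style account
drop: an account created and, moments later, added to Administrators or
Remote Desktop Users.

Added example, not part of the original post. SAMPLE_EVENTS are
constructed; WINDOW and WATCHED_GROUPS are assumptions to tune."""

from datetime import datetime, timedelta

WATCHED_GROUPS = {"Administrators", "Remote Desktop Users"}
WINDOW = timedelta(seconds=60)  # assumption: scripted drops finish in seconds

# Constructed sample. Real 4732 events carry the new member as a SID in
# MemberSid (MemberName is usually "-"), which is why the join is on SID
# rather than on the account name.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Time": "2024-03-01T10:14:02", "TargetUserName": "alice"},
    {"EventID": 4720, "Time": "2024-03-01T10:15:01",
     "TargetUserName": "Hacker", "TargetSid": "S-1-5-21-1004-1003",
     "SubjectUserName": "SYSTEM"},
    {"EventID": 4722, "Time": "2024-03-01T10:15:01",
     "TargetSid": "S-1-5-21-1004-1003"},
    {"EventID": 4732, "Time": "2024-03-01T10:15:03",
     "TargetUserName": "Administrators", "MemberSid": "S-1-5-21-1004-1003"},
    {"EventID": 4732, "Time": "2024-03-01T10:15:04",
     "TargetUserName": "Remote Desktop Users", "MemberSid": "S-1-5-21-1004-1003"},
    # Benign: helpdesk creates an account and grants RDP three hours later,
    # well outside the correlation window.
    {"EventID": 4720, "Time": "2024-03-01T11:00:00",
     "TargetUserName": "bob", "TargetSid": "S-1-5-21-1004-1004",
     "SubjectUserName": "helpdesk"},
    {"EventID": 4732, "Time": "2024-03-01T14:00:00",
     "TargetUserName": "Remote Desktop Users", "MemberSid": "S-1-5-21-1004-1004"},
]


def _when(ev):
    return datetime.fromisoformat(ev["Time"])


def correlate_account_drops(events, window=WINDOW):
    """Return one finding per new SID that was added to a watched group
    within `window` of its 4720 creation event."""
    created = {}   # SID -> 4720 event
    findings = {}  # SID -> finding
    for ev in sorted(events, key=_when):
        if ev["EventID"] == 4720:
            created[ev["TargetSid"]] = ev
        elif ev["EventID"] == 4732 and ev["TargetUserName"] in WATCHED_GROUPS:
            creation = created.get(ev["MemberSid"])
            if creation and _when(ev) - _when(creation) <= window:
                f = findings.setdefault(ev["MemberSid"], {
                    "account": creation["TargetUserName"],
                    "created_by": creation.get("SubjectUserName", "?"),
                    "created_at": creation["Time"],
                    "groups": [],
                })
                f["groups"].append(ev["TargetUserName"])
    return list(findings.values())


if __name__ == "__main__":
    for f in correlate_account_drops(SAMPLE_EVENTS):
        print(f"{f['account']} created by {f['created_by']} at "
              f"{f['created_at']}, added to: {', '.join(f['groups'])}")
```

A creating subject of SYSTEM is itself worth a second look, since interactive administrators create accounts under their own name; a payload running inside a service process does not. The two other artefacts getgui leaves, the account-hiding value under the Winlogon SpecialAccounts\UserList key and the fDenyTSConnections change that enables Remote Desktop, only show up as 4657 events if registry auditing is configured, so check those keys directly during triage.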

The image below shows the result of a successful Remote Desktop connection with the newly created 'Hacker' account. Meterpreter can also be used to log keystrokes on the target machine. Three commands are involved: keyscan_start begins the capture, keyscan_dump retrieves what has been captured so far, and keyscan_stop ends it. After the capture has started, we wait a while and then dump the keystrokes.

Dumping the keystrokes also clears the buffer, so it can be done repeatedly. Note that the capture only sees input to the desktop of the process Meterpreter is running in, so keylogging often requires migrating into the specific process whose keystrokes we want. Migrating Meterpreter to another process is explained in the next chapter, where we use it to capture passwords typed during the login process. Meterpreter can be attached to an existing process or started as a separate, new process. It should be migrated to another process when the original process has a high risk of being killed (notepad, Microsoft Office, etc.), which would close our session.

Migrating Meterpreter to a long-lived process such as explorer.exe avoids that. As the previous chapter described, Meterpreter can log the keystrokes received by the process it is attached to. In the following example we migrate Meterpreter to winlogon.exe to capture the password a user types when logging on.

First we want to know which processes are running on the target machine, using the ps command. To find out which process we are currently attached to, run getpid. The migrate command followed by the PID of the desired process moves Meterpreter to its new host. In this example we start out attached to spoolsv.exe and end up attached to winlogon.exe. Waiting a while and then dumping the logged keystrokes is one option.

If the user's name appears in the dump, we know he has logged on. As we can see, he used the password trustno1, the same one we found in the harvest credentials chapter.

There are many more commands, scripts and modules supported by Meterpreter, far more than one blog post can cover. What's left to do is wrap up, and one way to wrap up nicely, running the revert scripts, was already covered in the previous chapters.
