Meterpreter API and Extensions
Meterpreter extensions are located in metasploit-framework/lib/rex/post/meterpreter
. It's highly recommended to browse and open the files to understand the code and it's style.
Extension ClientCore : core
Path
metasploit-framework/lib/rex/post/meterpreter/client_core.rb
>> client.core
=> #<Rex::Post::Meterpreter::ClientCore:0x00000005f83388 @client=#<Session:meterpreter 192.168.0.18:55861 (192.168.242.128) "win7-64-victim\Workshop @ WIN7-64-VICTIM">, @name="core">
use method is used to load meterpreter extensions which is used in the meterpreter console (ex. use sniffer
, use mimikatz
, etc )
Note: to list all loadable extensions in meterpreter console use
use -l
command.
From IRB console of the meterpreter, let's try to use sniffer extension
>> client.sniffer
=> nil
As you can see, it returns a nil
because the sniffer extension hasn't yet loaded.
Let's try to load the extension
>> client.use "sniffer"
=> nil
As you can see it returns a nil
because the method use is available in the core
extension not in the meterpreter client
instance.
- To load extension:
load sniffer
>> client.core.use "sniffer"
=> true
>> client.sniffer
=> #<Rex::Post::Meterpreter::Extensions::Sniffer::Sniffer:0x000000142cc108 @client=#<Session:meterpreter 192.168.0.18:55861 (192.168.242.128) "win7-64-victim\Workshop @ WIN7-64-VICTIM">, @name="sniffer">
To check all sniffer extension methods, go to metasploit-framework/lib/rex/post/meterpreter/extensions/sniffer/sniffer.rb
also, from IRB, get all methods as we know
client.sniffer.methods
which returns an array of all available methods
>> client.sniffer.methods
=> [:interfaces, :capture_start, :capture_stop, :capture_stats, :capture_release, :capture_dump, :capture_dump_read, :name, :name=, :client, :client=, :psych_to_yaml, :to_yaml, :to_yaml_properties, :blank?, :present?, :presence, :acts_like?, :to_param, :to_query, :try, :try!, :duplicable?, :deep_dup, :in?, :instance_values, :instance_variable_names, :to_json, :with_options, :html_safe?, :`, :dclone, :old_send, :as_json, :require_or_load, :require_dependency, :load_dependency, :load, :require, :unloadable, :assert_no_remainder, :decode_tlv, :decode_integer, :decode_timeticks, :decode_integer_value, :decode_uinteger_value, :build_integer, :decode_octet_string, :decode_ip_address, :decode_sequence, :decode_object_id, :decode_object_id_value, :encode_length, :encode_integer, :encode_tagged_integer, :integer_to_octets, :encode_null, :encode_exception, :encode_tlv, :encode_octet_string, :encode_sequence, :encode_object_id, :pretty_print, :pretty_print_cycle, :pretty_print_instance_variables, :pretty_print_inspect, :nil?, :===, :=~, :!~, :eql?, :hash, :<=>, :class, :singleton_class, :clone, :dup, :taint, :tainted?, :untaint, :untrust, :untrusted?, :trust, :freeze, :frozen?, :to_s, :inspect, :methods, :singleton_methods, :protected_methods, :private_methods, :public_methods, :instance_variables, :instance_variable_get, :instance_variable_set, :instance_variable_defined?, :remove_instance_variable, :instance_of?, :kind_of?, :is_a?, :tap, :send, :public_send, :respond_to?, :extend, :select, :display, :sleep, :method, :public_method, :singleton_method, :define_singleton_method, :object_id, :to_enum, :enum_for, :gem, :class_eval, :pretty_inspect, :silence_warnings, :enable_warnings, :with_warnings, :silence_stderr, :silence_stream, :suppress, :capture, :silence, :quietly, :debugger, :breakpoint, :suppress_warnings, :==, :equal?, :!, :!=, :instance_eval, :instance_exec, :__send__, :__id__]
- Getting available interfaces:
sniffer_interfaces
which returns array of hashes
client.sniffer.interfaces
=> [{"idx"=>1, "name"=>"\\Device\\NdisWanBh", "description"=>"WAN Miniport (Network Monitor)", "type"=>3, "mtu"=>1514, "wireless"=>false, "usable"=>true, "dhcp"=>false},
{"idx"=>2, "name"=>"\\Device\\{DF8BF690-33F1-497F-89ED-A31C236FE8E3}", "description"=>"Intel(R) PRO/1000 MT Network Connection", "type"=>0, "mtu"=>1514, "wireless"=>false, "usable"=>true, "dhcp"=>true}]
Extension Stdapi::Fs : fs
Path
metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/stdapi.rb
metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/fs
>> client.fs
=> #<Rex::Post::Meterpreter::ObjectAliases:0x00000001db6ae0 @aliases={"dir"=>#<Class:0x00000001e09e70>, "file"=>#<Class:0x00000001e12890>, "filestat"=>#<Class:0x00000001db7530>, "mount"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Fs::Mount:0x00000001db6c48 @client=#<Session:meterpreter 192.168.0.18:57016 (192.168.242.128) "win7-64-victim\Workshop @ WIN7-64-VICTIM">>}>
Dir class: dir.rb
One of the extensions available for fs
is Dir located in metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/fs/dir.rb
. Let's to use some of its methods which we can know from client.fs.dir.methods
or from source code.
Get current directory:
pwd
>> client.fs.dir.pwd => "C:\\Windows\\System32"
List all files and directories in the current directory
ls
client.fs.dir.entries client.fs.dir.entries_with_info
Change the current directory:
cd
>> client.fs.dir.chdir("c:\\") => 0 >> client.fs.dir.pwd => "c:\\"
Create a new directory:
mkdir
>> client.fs.dir.mkdir("Rubyfu") => 0 >> client.fs.dir.chdir("Rubyfu") => 0 >> client.fs.dir.pwd => "c:\\Rubyfu"
File class: file.rb
Discover File class, let's begin with a simple search. Try to download and download files.
- Search
client.fs.file.search("C:\\Users", "*.exe")
Extension Stdapi::Fs : sys
Path
metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/stdapi.rb
metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/sys
>> client.sys
=> #<Rex::Post::Meterpreter::ObjectAliases:0x00000001dcd600 @aliases={"config"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Config:0x00000001db69c8 @client=#<Session:meterpreter 192.168.0.18:57016 (192.168.242.128) "win7-64-victim\Workshop @ WIN7-64-VICTIM">>, "process"=>#<Class:0x00000001db69a0>, "registry"=>#<Class:0x00000001db8ed0>, "eventlog"=>#<Class:0x00000001dc0e28>, "power"=>#<Class:0x00000001dc4398>}>
Config class: config.rb
Get User ID:
getuid
>> client.sys.config.getuid => "NT AUTHORITY\\SYSTEM"
Get system information
>> client.sys.config.sysinfo => {"Computer"=>"WIN7-64-VICTIM", "OS"=>"Windows 7 (Build 7600).", "Architecture"=>"x64 (Current Process is WOW64)", "System Language"=>"en_US", "Domain"=>"WORKGROUP", "Logged On Users"=>2}
Check if current process is running as SYSTEM user
>> client.sys.config.is_system? => true
Enables all possible privileges:
getpriv
>> client.sys.config.getprivs => ["SeDebugPrivilege", "SeIncreaseQuotaPrivilege", "SeSecurityPrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege", "SeProfileSingleProcessPrivilege", "SeIncreaseBasePriorityPrivilege", "SeCreatePagefilePrivilege", "SeBackupPrivilege", "SeRestorePrivilege", "SeShutdownPrivilege", "SeSystemEnvironmentPrivilege", "SeChangeNotifyPrivilege", "SeRemoteShutdownPrivilege", "SeUndockPrivilege", "SeManageVolumePrivilege"]
Process class: process.rb
Get the current Process ID:
getpid
>> client.sys.process.getpid => 2392
Get all exist processes with its details (pid, ppid, name, path, session, user, arch):
ps
client.sys.process.get_processes # Or client.sys.process.processes
Extension Stdapi::Fs : net
Path
metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/stdapi.rb
metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net
>> client.net
=> #<Rex::Post::Meterpreter::ObjectAliases:0x00000001dcd3d0 @aliases={"config"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Net::Config:0x00000001dcd4e8 @client=#<Session:meterpreter 192.168.0.18:57016 (192.168.242.128) "win7-64-victim\Workshop @ WIN7-64-VICTIM">>, "socket"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Net::Socket:0x00000001dcd4c0 @client=#<Session:meterpreter 192.168.0.18:57016 (192.168.242.128) "win7-64-victim\Workshop @ WIN7-64-VICTIM">>, "resolve"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Net::Resolve:0x00000001dcd470 @client=#<Session:meterpreter 192.168.0.18:57016 (192.168.242.128) "win7-64-victim\Workshop @ WIN7-64-VICTIM">>}>
Get the current victim interfaces:
ifconfig
oripconfig
client.net.config.get_interfaces # Or client.net.config.interfaces # Try nicer outputs >> puts client.net.config.interfaces[0].pretty Interface 11 ============ Name : Intel(R) PRO/1000 MT Network Connection Hardware MAC : 00:0c:29:ff:fa:10 MTU : 1500 IPv4 Address : 192.168.242.128 IPv4 Netmask : 255.255.255.0 IPv6 Address : fe80::482c:27b5:6914:e813 IPv6 Netmask : ffff:ffff:ffff:ffff::
Get network stat:
netstat
client.net.config.netstat
Get the ARP table:
arp
client.net.config.arp_table client.net.config.arp_table[0].ip_addr # IP address client.net.config.arp_table[0].mac_addr # MAC address client.net.config.arp_table[0].interface # Interface
Routes:
route
client.net.config.routes # List routes client.net.config.add_route("192.168.2.0", 24, "192.168.2.1") # Add route
Get Proxy settings:
getproxy
client.net.config.get_proxy_config
As you can see how easy to get familiar with meterpreter API. there are other extensions you can play with
meterpreter > use -l
espia
extapi
incognito
kiwi
lanattacks
mimikatz
priv
python
sniffer
stdapi
You can add more about those too in Rubyfu!