haydz | Security | April 26, 2015
Meterpreter and situational awareness
AKA WHAT COMMANDS CAN I USE WITH METERPRETER
Contents
Introduction
  Assumptions
Basics: What is Meterpreter
  What does that mean?
  In summary
Upon receiving a Meterpreter session
  We must therefore find the session that we wish to interact with
  To access the Meterpreter session
Situational awareness
  Some easy to use Meterpreter commands: getuid, sysinfo, cat, pwd
  But Meterpreter is not terminal access?
Back to situational awareness
  We are currently running as the svchost.exe process in a temp directory
  In summary
Tokens, what is this about tokens
  How do I find out what token I have? getuid, incognito
Incognito
  use incognito
  list_tokens -u
  Attempt to impersonate with incognito: impersonate_token
Conclusion
Introduction
This report explains some key Meterpreter commands that give you a degree of situational awareness: that is, how to gain more insight into the system, the user you currently are, and what processes are running, among other things.
Effectively this is a rehash of information already out there; it helps me learn if I write about it, and hopefully it helps others to learn as well.
Assumptions:
I assume that the reader has some prior knowledge of, or experience with, the Metasploit Framework (launching payloads and creating listeners), as well as basic information security terminology.
Basics: What is Meterpreter
If you are into pentesting/hacking you may have heard of Meterpreter or have used it. But what exactly is it?
Meterpreter in its most basic form is a shell/command-line access tool. It may be delivered over a reverse or bind connection like a plain shell, but it comes with many more options. It is simple to use and hard to master.
The definition from Offensive Security (Metasploit Unleashed) uses three terms that are worth unpacking: payload, DLL injection and staged.
WHAT DOES THAT MEAN?
A payload:
 - In computer security this refers to the part of an exploit or piece of malware that performs the malicious action: the code that is sent via the exploit and that carries out the attacker's intentions, such as gathering system information or looking around directories.
DLL injection:
 - Running code within the address space of another process. Meterpreter runs inside a host process on the target, such as svchost.exe or calc.exe, rather than as a process of its own.
Staged:
 - A small stager is delivered first and pulls the rest of Meterpreter (the stage) over the network. Once the session is up, further extensions (stdapi, priv, incognito and so on) can be loaded to add functionality as needed.
IN SUMMARY
From that we can gather that Meterpreter is something we deliver by exploiting a vulnerability; it gives us commands to execute by running inside a process that is already running on the victim's computer. Additionally, we can load more functionality if needed.
Upon receiving a Meterpreter session:
Upon receiving a Meterpreter session, depending on how you have set up your Metasploit listener, msfconsole may automatically drop you into the Meterpreter prompt or it may not (a handler started as a background job with exploit -j -z, for example, will not).
If it has not opened the session automatically you will need to interact with it yourself.
It may look like the following: the session has been created but is running as a background job.
WE MUST THEREFORE FIND THE SESSION THAT WE WISH TO INTERACT WITH:
When we type sessions (or sessions -l), the Metasploit console lists the open sessions for us. In this case session 1 is our win32 Meterpreter session.
TO ACCESS THE METERPRETER SESSION:
We simply type sessions -i followed by the session number, for example sessions -i 1.
The -i flag interacts with the session number you provide; the background command (or Ctrl+Z) returns you to the msf prompt and leaves the session open.
Situational awareness
So we now have a session on our victim's machine. Where to from here? Well, before we try any privilege escalation, let's see who we are, where we are and all sorts of goodness.
Mudge is a well-known red teamer and has a great blog post on situational awareness.
The idea of situational awareness is to understand what access you have, that is, what you can and cannot do. Can you add a user in order to access the box via rdesktop? Can you run executables in order to dump passwords?
SOME EASY TO USE METERPRETER COMMANDS:
getuid
 - Shows the user the Meterpreter server is running as (printed as "Server username: DOMAIN\user").
sysinfo
 - Prints system information: computer name, OS version, architecture, system language, domain and logged-on users. Network interface details come from the separate ifconfig/ipconfig command, not from sysinfo.
cat
 - Reads a file and prints its contents.
pwd
 - Prints the directory you are currently working in.
Examples of using the commands:
BUT METERPRETER IS NOT TERMINAL ACCESS?
Well, it is but it isn't. You can drop down into a typical shell to gain normal command-line access.
Because Meterpreter lives within another process, you can open a shell when you need one and exit back out of it again, while Meterpreter itself keeps running with all of its extra functionality.
To drop into a shell/command-line access, run the shell command; typing exit in the resulting cmd.exe returns you to the Meterpreter prompt.
Back to situational awareness
Meterpreter runs inside a process, so what process am I? Here comes the getpid command.
PID 1748, wow, that's helpful?? In order to understand the process we are running as, we need to list the processes that the current machine/session is running.
We then run the ps command to list all running processes and find our process ID in the list; the output includes each process's PID, parent PID, name, architecture, user and path.
WE ARE CURRENTLY RUNNING AS THE SVCHOST.EXE PROCESS IN A TEMP DIRECTORY.
Running out of a temp directory is a hint, not proof, that we have very little privilege; the User column of ps and the output of getuid confirm it: on this machine we are running as an IWAM account. This is a default, low-privilege account created by an installation of IIS 5.1 or prior.
IN SUMMARY
We understand that we are most likely a low-level user running out of a temp directory.
We understand the system information, the operating system and the computer name.
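The getpid/ps correlation above is easy to eyeball for one session but worth automating once you have several. The Python below is an added example, not code from the original report or from Metasploit: it parses text in the shape of Meterpreter's ps table (the listing it contains is constructed, with an invented VICTIM host and invented PIDs, to resemble that format), finds the row for our PID, reports the host process, its parent and its user, flags a path under a temp directory, and groups the remaining processes by the user they run as, which is the list you consult before migrate or token theft. One caveat a practitioner should keep in mind: from a low-privilege token such as IWAM you generally cannot open a SYSTEM process, so the users and PIDs it lists are targets to work towards, not processes you can necessarily migrate into right now.

```python
"""Work out what process a Meterpreter session lives in from `getpid` and `ps` output.

Added example, not from the original report or from Metasploit. PS_OUTPUT is a
constructed listing that mimics the shape of Meterpreter's `ps` table (cells
separated by two or more spaces; a cell itself, such as NT AUTHORITY\SYSTEM,
contains at most one space). Host name VICTIM and all PIDs are invented.
"""
import re
from dataclasses import dataclass

PS_OUTPUT = r"""
Process List
============

 PID   PPID  Name              Arch  Session  User                          Path
 ---   ----  ----              ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System            x86   0
 384   4     smss.exe          x86   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
 900   664   inetinfo.exe      x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\inetsrv\inetinfo.exe
 1012  664   svchost.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
 1204  664   explorer.exe      x86   0        VICTIM\bob                    C:\WINDOWS\Explorer.EXE
 1748  900   svchost.exe       x86   0        VICTIM\IWAM_VICTIM            C:\WINDOWS\TEMP\svchost.exe
"""

# Path fragments that suggest a dropped binary rather than an installed service.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\appdata\\local\\temp\\")


@dataclass
class Process:
    pid: int
    ppid: int
    name: str
    arch: str
    session: str
    user: str
    path: str


def parse_ps(text):
    """Parse the `ps` table into Process records; trailing empty cells are allowed."""
    lines = text.splitlines()
    header_idx = next(i for i, line in enumerate(lines) if line.strip().startswith("PID"))
    headers = re.split(r"\s{2,}", lines[header_idx].strip())
    procs = []
    for line in lines[header_idx + 2:]:  # +2 skips the dashed underline row
        if not line.strip():
            continue
        cells = re.split(r"\s{2,}", line.strip())
        cells += [""] * (len(headers) - len(cells))  # kernel rows have no User/Path
        rec = dict(zip(headers, cells))
        procs.append(Process(int(rec["PID"]), int(rec["PPID"]), rec["Name"], rec["Arch"],
                             rec["Session"], rec["User"], rec["Path"]))
    return procs


def find_self(procs, pid):
    """Return (our process, its parent or None) for the PID reported by `getpid`."""
    me = next(p for p in procs if p.pid == pid)
    parent = next((p for p in procs if p.pid == me.ppid), None)
    return me, parent


def in_temp_dir(path):
    """True when the image path sits under a temp directory (a hint of a dropped payload)."""
    return any(marker in path.lower() for marker in TEMP_MARKERS)


def processes_by_other_users(procs, me):
    """Map each user other than ours to the PIDs running as that user (migrate / token targets)."""
    out = {}
    for p in procs:
        if p.user and p.user.upper() != me.user.upper():
            out.setdefault(p.user, []).append(p.pid)
    return dict(sorted(out.items()))


if __name__ == "__main__":
    procs = parse_ps(PS_OUTPUT)
    me, parent = find_self(procs, 1748)  # 1748 is the PID `getpid` returned in the report
    print(f"we are {me.name} (pid {me.pid}) as {me.user}, path {me.path}")
    print(f"parent: {parent.name if parent else 'unknown'}; temp dir: {in_temp_dir(me.path)}")
    for user, pids in processes_by_other_users(procs, me).items():
        print(f"  {user}: {pids}")
```

Paste the real ps output into PS_OUTPUT and the real getpid value into find_self to use it against a live session; the parser only relies on the two-space column separation that Meterpreter's table printer produces.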
Tokens, what is this about tokens
In Windows the simple idea is that each process carries an access token (and a thread can carry its own impersonation token). The token states which user the process runs as and, where relevant, which of that user's groups and privileges the process actually holds. Knowing which token you have therefore gives you better insight into your access.
For example, a normal user's token allows you to do the things that user has rights to; that may be to run allowed programs but not to download and install programs (in an enterprise environment). A SYSTEM token gives system-level access and complete control over the victim's machine.
As this report is about privilege escalation, we are assuming you do not have a SYSTEM token.
HOW DO I FIND OUT WHAT TOKEN I HAVE?
The two ways I know of are getuid and incognito.
getuid
 - Simply lists the username the session is running as.
incognito
 - Extra functionality (a Meterpreter extension) that allows an attacker to list and impersonate user tokens; the listing includes your own current token.
Incognito
The aim is to impersonate a valid token on the system in order to gain more privileged access.
In order to use the functionality that incognito brings, we must load the extension:
USE INCOGNITO
This loads the incognito extension for us (use incognito is the older alias; the current form is load incognito, and the commands it adds appear under help afterwards).
In order to attempt to steal tokens, we need to see which tokens we have access to.
list_tokens -u
This lists all available tokens by unique user name, split into delegation tokens and impersonation tokens (list_tokens -g does the same by group).
From this we are able to see IUSR_<computername> tokens, which after googling is just a similar account with similarly limited privileges.
The Microsoft documentation regarding IIS accounts tells us that:
"Internet Guest Account (IUSR_<computername>)
The Internet Guest account is used for anonymous access to management points."
So the tokens we can see belong to a guest account, which would appear not helpful at this time.
ATTEMPT TO IMPERSONATE WITH INCOGNITO
impersonate_token
This command attempts to impersonate the specified token so that, from then on, commands run with the access that token gives. Note that the backslash in DOMAIN\user must be doubled in the Meterpreter console (impersonate_token DOMAIN\\user).
Meterpreter informs us that we were successful in impersonating the token. However, if we use the getuid command we can see that we are still using the ID of the same account. For an unknown reason the success was reported incorrectly.
The write-up in Metasploit Unleashed shows successfully impersonating a SYSTEM token.
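Two things from the incognito section are worth wiring into a small script: which token to try first, and how to tell whether impersonate_token actually worked, given that the console's success message cannot be relied on by itself. The Python below is an added example and not code from the original report or from Metasploit's incognito extension; the list_tokens -u output and getuid lines it consumes are constructed to resemble the real console format (an invented VICTIM host and its accounts), and the ranking is this example's own heuristic rather than anything incognito does. It prefers NT AUTHORITY\SYSTEM, then named user accounts, then the built-in service accounts, and puts IIS guest accounts (IUSR_/IWAM_) and anonymous logon last; delegation tokens rank ahead of impersonation tokens because only delegation tokens can be used to authenticate to other systems, while impersonation tokens work locally only. The success check treats an impersonation as real only when getuid afterwards shows the target user, which is exactly the check that exposed the false positive above.

```python
"""Rank the tokens `list_tokens -u` exposes and verify an `impersonate_token` attempt with `getuid`.

Added example, not from the original report or from Metasploit's incognito
extension. TOKENS_OUTPUT and the getuid lines used below are constructed to
resemble the real console output; the VICTIM host and its accounts are invented,
and the ranking is this example's own heuristic.
"""

TOKENS_OUTPUT = r"""
Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
VICTIM\bob
VICTIM\IWAM_VICTIM

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
VICTIM\IUSR_VICTIM
"""

SERVICE_ACCOUNTS = {"NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"}
LOW_VALUE = {"NT AUTHORITY\\ANONYMOUS LOGON"}


def parse_list_tokens(text):
    """Split `list_tokens -u` output into delegation and impersonation token user names."""
    tokens = {"delegation": [], "impersonation": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Delegation Tokens"):
            section = "delegation"
        elif line.startswith("Impersonation Tokens"):
            section = "impersonation"
        elif section and "\\" in line:
            # Real entries look like DOMAIN\user; this skips the ==== rule and
            # any "No tokens available" filler line.
            tokens[section].append(line)
    return tokens


def token_score(user, kind):
    """Lower is better: SYSTEM, then named users, service accounts, then guests/anonymous."""
    upper = user.upper()
    account = upper.split("\\", 1)[1] if "\\" in upper else upper
    if upper == "NT AUTHORITY\\SYSTEM":
        tier = 0
    elif upper in SERVICE_ACCOUNTS:
        tier = 2
    elif upper in LOW_VALUE or account.startswith(("IUSR_", "IWAM_")):
        tier = 3
    else:
        tier = 1
    return (tier, 0 if kind == "delegation" else 1, upper)


def rank_tokens(tokens, current_user):
    """Tokens worth trying, best first; our own token is dropped since it gains nothing."""
    cands = [(token_score(u, kind), u, kind)
             for kind in ("delegation", "impersonation")
             for u in tokens[kind]
             if u.upper() != current_user.upper()]
    return [(u, kind) for _, u, kind in sorted(cands)]


def username_from_getuid(line):
    """`getuid` prints 'Server username: DOMAIN\\user'; return just the account part."""
    prefix = "Server username:"
    text = line.strip()
    return text[len(prefix):].strip() if text.startswith(prefix) else text


def impersonation_succeeded(target, getuid_before, getuid_after):
    """Trust getuid, not the '[+] Successfully impersonated user' banner:
    the identity must actually change, and change to the requested target."""
    before = username_from_getuid(getuid_before).upper()
    after = username_from_getuid(getuid_after).upper()
    return after == target.upper() and after != before


if __name__ == "__main__":
    me = "VICTIM\\IWAM_VICTIM"
    for user, kind in rank_tokens(parse_list_tokens(TOKENS_OUTPUT), me):
        print(f"try: impersonate_token {user!r} ({kind} token)")
    # The situation in the report: the banner claimed success but getuid did not change.
    print(impersonation_succeeded("VICTIM\\IUSR_VICTIM",
                                  "Server username: VICTIM\\IWAM_VICTIM",
                                  "Server username: VICTIM\\IWAM_VICTIM"))
```

Run getuid before and after every impersonate_token and feed both lines to impersonation_succeeded; a token that lists under your own name, as in the IWAM/IUSR case above, is skipped by rank_tokens because impersonating it changes nothing.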
Conclusion
These are some fun techniques I have played with while being stuck as an IIS guest account.
The idea is to understand where you are and what you can do, and then hopefully move laterally or vertically to get to SYSTEM access.

More Related Content

Similar to Meterpreter awareness

Checking Windows for signs of compromise
Checking Windows for signs of compromiseChecking Windows for signs of compromise
Checking Windows for signs of compromiseCal Bryant
 
20 Trip-Wire-.pdf
20 Trip-Wire-.pdf20 Trip-Wire-.pdf
20 Trip-Wire-.pdfG Srinu
 
20 Trip-Wire-.pdf
20 Trip-Wire-.pdf20 Trip-Wire-.pdf
20 Trip-Wire-.pdfG Srinu
 
You may be compliant...
You may be compliant...You may be compliant...
You may be compliant...Greg Swedosh
 
You may be compliant, but are you really secure?
You may be compliant, but are you really secure?You may be compliant, but are you really secure?
You may be compliant, but are you really secure?Thomas Burg
 
Operating System Structure Of A Single Large Executable...
Operating System Structure Of A Single Large Executable...Operating System Structure Of A Single Large Executable...
Operating System Structure Of A Single Large Executable...Jennifer Lopez
 
OWASP top 10 - 2021 - Tryhackme cyber securit training
OWASP top 10  - 2021 - Tryhackme cyber securit trainingOWASP top 10  - 2021 - Tryhackme cyber securit training
OWASP top 10 - 2021 - Tryhackme cyber securit trainingpodimenk
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical HackingRaghav Bisht
 
Point of-sale-malware-backoff
Point of-sale-malware-backoffPoint of-sale-malware-backoff
Point of-sale-malware-backoffAndrey Apuhtin
 
Obfuscation Methods And Planning
Obfuscation Methods And PlanningObfuscation Methods And Planning
Obfuscation Methods And Planningtmacuk
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shellNikhil Mittal
 
Information gathering
Information gatheringInformation gathering
Information gatheringMoTechInc
 
Monitoring What Matters: The Prometheus Approach to Whitebox Monitoring (Berl...
Monitoring What Matters: The Prometheus Approach to Whitebox Monitoring (Berl...Monitoring What Matters: The Prometheus Approach to Whitebox Monitoring (Berl...
Monitoring What Matters: The Prometheus Approach to Whitebox Monitoring (Berl...Brian Brazil
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for EveryoneNikhil Mittal
 
Ncsc security architecture anti patterns white paper
Ncsc security architecture anti patterns white paperNcsc security architecture anti patterns white paper
Ncsc security architecture anti patterns white paperAhmedHany Sayed
 
Authentication and Single Sing on
Authentication and Single Sing onAuthentication and Single Sing on
Authentication and Single Sing onguest648519
 
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdfComputer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdfxererenhosdominaram
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploitdevilback
 
Clustering Manual for Parallel Computing
Clustering Manual for Parallel ComputingClustering Manual for Parallel Computing
Clustering Manual for Parallel ComputingMamun Ahmed
 

Similar to Meterpreter awareness (20)

Checking Windows for signs of compromise
Checking Windows for signs of compromiseChecking Windows for signs of compromise
Checking Windows for signs of compromise
 
20 Trip-Wire-.pdf
20 Trip-Wire-.pdf20 Trip-Wire-.pdf
20 Trip-Wire-.pdf
 
20 Trip-Wire-.pdf
20 Trip-Wire-.pdf20 Trip-Wire-.pdf
20 Trip-Wire-.pdf
 
You may be compliant...
You may be compliant...You may be compliant...
You may be compliant...
 
You may be compliant, but are you really secure?
You may be compliant, but are you really secure?You may be compliant, but are you really secure?
You may be compliant, but are you really secure?
 
Operating System Structure Of A Single Large Executable...
Operating System Structure Of A Single Large Executable...Operating System Structure Of A Single Large Executable...
Operating System Structure Of A Single Large Executable...
 
OWASP top 10 - 2021 - Tryhackme cyber securit training
OWASP top 10  - 2021 - Tryhackme cyber securit trainingOWASP top 10  - 2021 - Tryhackme cyber securit training
OWASP top 10 - 2021 - Tryhackme cyber securit training
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical Hacking
 
Point of-sale-malware-backoff
Point of-sale-malware-backoffPoint of-sale-malware-backoff
Point of-sale-malware-backoff
 
Obfuscation Methods And Planning
Obfuscation Methods And PlanningObfuscation Methods And Planning
Obfuscation Methods And Planning
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shell
 
Information gathering
Information gatheringInformation gathering
Information gathering
 
Monitoring What Matters: The Prometheus Approach to Whitebox Monitoring (Berl...
Monitoring What Matters: The Prometheus Approach to Whitebox Monitoring (Berl...Monitoring What Matters: The Prometheus Approach to Whitebox Monitoring (Berl...
Monitoring What Matters: The Prometheus Approach to Whitebox Monitoring (Berl...
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for Everyone
 
Ncsc security architecture anti patterns white paper
Ncsc security architecture anti patterns white paperNcsc security architecture anti patterns white paper
Ncsc security architecture anti patterns white paper
 
Backtrack Manual Part8
Backtrack Manual Part8Backtrack Manual Part8
Backtrack Manual Part8
 
Authentication and Single Sing on
Authentication and Single Sing onAuthentication and Single Sing on
Authentication and Single Sing on
 
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdfComputer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploit
 
Clustering Manual for Parallel Computing
Clustering Manual for Parallel ComputingClustering Manual for Parallel Computing
Clustering Manual for Parallel Computing
 

More from Haydn Johnson

Introduction to Just in Time Access - BrightTalk
Introduction to Just in Time Access - BrightTalkIntroduction to Just in Time Access - BrightTalk
Introduction to Just in Time Access - BrightTalkHaydn Johnson
 
Communication hack fest-2018-final
Communication hack fest-2018-finalCommunication hack fest-2018-final
Communication hack fest-2018-finalHaydn Johnson
 
Kubernetes - security you need to know about it
Kubernetes - security you need to know about itKubernetes - security you need to know about it
Kubernetes - security you need to know about itHaydn Johnson
 
Human(e) Security in a World of Business 2018
Human(e) Security in a World of Business 2018Human(e) Security in a World of Business 2018
Human(e) Security in a World of Business 2018Haydn Johnson
 
UOIT Purple Team - Student Edition 2017
UOIT Purple Team - Student Edition 2017UOIT Purple Team - Student Edition 2017
UOIT Purple Team - Student Edition 2017Haydn Johnson
 
PT_OWASP_AUSTIN_2017
PT_OWASP_AUSTIN_2017PT_OWASP_AUSTIN_2017
PT_OWASP_AUSTIN_2017Haydn Johnson
 
Phishing dc618 haydnjohnson
Phishing dc618 haydnjohnsonPhishing dc618 haydnjohnson
Phishing dc618 haydnjohnsonHaydn Johnson
 
How to Plan Purple Team Exercises
How to Plan Purple Team ExercisesHow to Plan Purple Team Exercises
How to Plan Purple Team ExercisesHaydn Johnson
 
Nolacon phishing 2017_haydn_johnson
Nolacon phishing 2017_haydn_johnsonNolacon phishing 2017_haydn_johnson
Nolacon phishing 2017_haydn_johnsonHaydn Johnson
 
Blue team reboot - HackFest
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest Haydn Johnson
 
Purple teaming Cyber Kill Chain
Purple teaming Cyber Kill ChainPurple teaming Cyber Kill Chain
Purple teaming Cyber Kill ChainHaydn Johnson
 
Bsides to 2016-penetration-testing
Bsides to 2016-penetration-testingBsides to 2016-penetration-testing
Bsides to 2016-penetration-testingHaydn Johnson
 
ProsVJoes - Task 2016
ProsVJoes - Task 2016ProsVJoes - Task 2016
ProsVJoes - Task 2016Haydn Johnson
 
Automation of Penetration Testing
Automation of Penetration TestingAutomation of Penetration Testing
Automation of Penetration TestingHaydn Johnson
 
Power sploit persistence walkthrough
Power sploit persistence walkthroughPower sploit persistence walkthrough
Power sploit persistence walkthroughHaydn Johnson
 

More from Haydn Johnson (17)

Introduction to Just in Time Access - BrightTalk
Introduction to Just in Time Access - BrightTalkIntroduction to Just in Time Access - BrightTalk
Introduction to Just in Time Access - BrightTalk
 
Communication hack fest-2018-final
Communication hack fest-2018-finalCommunication hack fest-2018-final
Communication hack fest-2018-final
 
Kubernetes - security you need to know about it
Kubernetes - security you need to know about itKubernetes - security you need to know about it
Kubernetes - security you need to know about it
 
Human(e) Security in a World of Business 2018
Human(e) Security in a World of Business 2018Human(e) Security in a World of Business 2018
Human(e) Security in a World of Business 2018
 
UOIT Purple Team - Student Edition 2017
UOIT Purple Team - Student Edition 2017UOIT Purple Team - Student Edition 2017
UOIT Purple Team - Student Edition 2017
 
PT_OWASP_AUSTIN_2017
PT_OWASP_AUSTIN_2017PT_OWASP_AUSTIN_2017
PT_OWASP_AUSTIN_2017
 
Phishing dc618 haydnjohnson
Phishing dc618 haydnjohnsonPhishing dc618 haydnjohnson
Phishing dc618 haydnjohnson
 
How to Plan Purple Team Exercises
How to Plan Purple Team ExercisesHow to Plan Purple Team Exercises
How to Plan Purple Team Exercises
 
Nolacon phishing 2017_haydn_johnson
Nolacon phishing 2017_haydn_johnsonNolacon phishing 2017_haydn_johnson
Nolacon phishing 2017_haydn_johnson
 
Blue team reboot - HackFest
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest
 
Purple teaming Cyber Kill Chain
Purple teaming Cyber Kill ChainPurple teaming Cyber Kill Chain
Purple teaming Cyber Kill Chain
 
Bsides to 2016-penetration-testing
Bsides to 2016-penetration-testingBsides to 2016-penetration-testing
Bsides to 2016-penetration-testing
 
ProsVJoes - Task 2016
ProsVJoes - Task 2016ProsVJoes - Task 2016
ProsVJoes - Task 2016
 
Automation of Penetration Testing
Automation of Penetration TestingAutomation of Penetration Testing
Automation of Penetration Testing
 
Empire Work shop
Empire Work shopEmpire Work shop
Empire Work shop
 
Power sploit persistence walkthrough
Power sploit persistence walkthroughPower sploit persistence walkthrough
Power sploit persistence walkthrough
 
Purple View
Purple ViewPurple View
Purple View
 

Recently uploaded

Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 

Recently uploaded (20)

Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners

Meterpreter awareness

PAGE 2

Introduction

This report explains some key commands within Meterpreter that give you a degree of situational awareness: that is, how to gain more insight into system information, the user you currently are, and which processes are running, among other things. Effectively this is a rehash of information already out there; it helps me learn it if I write about it, and hopefully it helps others to learn as well.

Assumptions:

I am taking the assumption that the reader has some prior knowledge/experience with the Metasploit Framework in launching payloads and creating listeners, as well as basic information security terminology.

Basics: What is Meterpreter

If you are into pentesting/hacking you may have heard of Meterpreter or have used it. But what exactly is it? Meterpreter in its most basic form is a shell/command line access tool. It may be in the form of a reverse or bind shell, but with many amazing options. It is simple to use and hard to master. The definition from Offensive Security:

WHAT DOES THAT MEAN?

A Payload:
• In computer security it refers to the part of an exploit/malware that performs the malicious action. It is the data that is sent via the exploit, and it carries out the attacker's intentions, such as gaining system information or looking around directories.
PAGE 3

DLL injection:
• Running code within the address space of another process. Meterpreter runs inside other processes such as svchost.exe or calc.exe.

Staged:
• The initial Meterpreter session is created, but different modules/stages can be added to allow different functionality as needed.

IN SUMMARY

From that we can gather that Meterpreter is something we deliver by exploiting a vulnerability; it gives us commands to execute by running inside a process that is already running on the victim's computer. Additionally, we can then add more functionality if needed.

Upon receiving a Meterpreter session:

Upon receiving a Meterpreter session, depending on how you have set up your Metasploit listener, it may automatically jump into the Meterpreter session or it may not. If it has not loaded the session automatically you will need to open the session interactively. It may look like the following:

The session has been created but is running as a background job.
PAGE 4

WE MUST THEREFORE FIND THE SESSION THAT WE WISH TO INTERACT WITH:

As we can see above, when we type sessions, the Metasploit handler lists the sessions for us. In this case session 1 holds our win32 Meterpreter session.

TO ACCESS THE METERPRETER SESSION

We simply type sessions -i followed by the session number. The -i flag tells Metasploit to interact with the session number you provide.

Situational awareness

So we now have a session on our victim's machine. Where to from here? Well, before we try any privilege escalation, let's see who we are, where we are and all sorts of goodness. Mudge is a well known red teamer and has a great blog post regarding situational awareness here. The idea of situational awareness is to understand what access you have, that is, what you can and cannot do. Can you add a user in order to access a box via rdesktop? Can you run executables in order to dump passwords?

SOME EASY TO USE METERPRETER COMMANDS:

getuid
• Will show the user you are active as

sysinfo
• Will print out system information, similar to an ipconfig command but with extra information, including the computer name
PAGE 5

cat
• Will read a file

pwd
• Will print the current directory you are working in

Examples of using the commands:

BUT METERPRETER IS NOT TERMINAL ACCESS?

Well, it is but it isn't. You can drop down into a typical shell to gain normal command line access. Because Meterpreter lives within another process, you can drop into the shell/command line when needed and return to Meterpreter afterwards, which gives you more functionality. To drop into a shell/command line access:
PAGE 6

Back to situational awareness

Meterpreter runs as a process, so what process am I? Here comes the getpid command.

PID 1748, wow, that's helpful?? In order to understand the process we are running as, we need to list the processes that the current machine/session is running. We then run the ps command to list all running processes and find our process ID.

WE ARE CURRENTLY RUNNING AS THE SVCHOST.EXE PROCESS IN A TEMP DIRECTORY.

Based on the fact that we are running in a temp directory we could reasonably assume that we have very few privileges; as it turns out, on this machine we are running as an IWAM account. This account is a default account with very little privilege, created by an installation of IIS 5.1 or prior.

IN SUMMARY

We understand that we are most likely a low level user running out of a temp directory. We understand the system information, the operating system and computer name.
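The same observation works in reverse for a defender: a process called svchost.exe that is not running from its home directory, or any image executing out of a temp folder, is exactly what a ps-style process listing should be checked for. The script below is an added example and is not part of the original report or of Metasploit. It assumes the column layout Meterpreter's ps command prints (PID, PPID, Name, Arch, Session, User, Path); the listing it parses is constructed for the example, with PID 1748 and the IWAM account taken from the page and the host name WEB and the other rows made up.

```python
"""
Added example (not from the original report): a defender-side check over a
Meterpreter-style `ps` listing. It flags a well-known Windows binary name
(svchost.exe) executing outside its home directory, and any image running
from a user-writable temp path.

Assumption: the listing uses Meterpreter's `ps` column layout. The sample
below is constructed; only PID 1748 and the IWAM account come from the page.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample listing in the layout Meterpreter's `ps` prints.
SAMPLE_PS = """\
 PID   PPID  Name               Arch  Session  User                  Path
 ---   ----  ----               ----  -------  ----                  ----
 0     0     [System Process]
 4     0     System             x86   0
 640   4     services.exe       x86   0        NT AUTHORITY\\SYSTEM   C:\\WINDOWS\\system32\\services.exe
 852   640   svchost.exe        x86   0        NT AUTHORITY\\SYSTEM   C:\\WINDOWS\\system32\\svchost.exe
 1120  640   inetinfo.exe       x86   0        NT AUTHORITY\\SYSTEM   C:\\WINDOWS\\system32\\inetsrv\\inetinfo.exe
 1748  640   svchost.exe        x86   0        WEB\\IWAM_WEB          C:\\WINDOWS\\Temp\\svchost.exe
 1904  1120  dllhost.exe        x86   0        WEB\\IWAM_WEB          C:\\WINDOWS\\system32\\dllhost.exe
 2016  640   explorer.exe       x86   0        WEB\\admin             C:\\WINDOWS\\explorer.exe
"""

# Directories in which these core Windows binaries legitimately live.
# A matching image name anywhere else is a masquerading indicator.
EXPECTED_HOME: Dict[str, Set[str]] = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# Path fragments that mark user-writable scratch locations.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\appdata\\local\\temp\\")

# One `ps` row that carries a user and a path. User may contain spaces
# ("NT AUTHORITY\SYSTEM"), so it is matched lazily up to a drive letter.
ROW_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<name>\S+)\s+(?P<arch>x86|x64)\s+"
    r"(?P<session>\d+)\s+(?P<user>.+?)\s+(?P<path>[A-Za-z]:\\.*?)\s*$"
)


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    arch: str
    session: int
    user: str
    path: str


@dataclass
class Finding:
    pid: int
    name: str
    user: str
    reasons: List[str] = field(default_factory=list)


def parse_ps(listing: str) -> List[Proc]:
    """Parse rows with a user and image path; header, separator and kernel
    rows without a path (e.g. [System Process]) are skipped."""
    procs: List[Proc] = []
    for line in listing.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        g = m.groupdict()
        procs.append(Proc(int(g["pid"]), int(g["ppid"]), g["name"], g["arch"],
                          int(g["session"]), g["user"].strip(), g["path"].strip()))
    return procs


def directory_of(path: str) -> str:
    """Lower-cased parent directory of a Windows path."""
    return path.lower().rsplit("\\", 1)[0]


def find_suspicious(procs: List[Proc]) -> List[Finding]:
    """Return one Finding per process that breaks either rule."""
    findings: List[Finding] = []
    for p in procs:
        reasons: List[str] = []
        homes = EXPECTED_HOME.get(p.name.lower())
        folder = directory_of(p.path)
        if homes is not None and folder not in homes:
            reasons.append(f"{p.name} runs from {folder}, expected one of {sorted(homes)}")
        if any(marker in p.path.lower() for marker in TEMP_MARKERS):
            reasons.append(f"image executes from a temp directory: {p.path}")
        if reasons:
            findings.append(Finding(p.pid, p.name, p.user, reasons))
    return findings


def suspicious_pids(listing: str) -> List[int]:
    """Convenience wrapper: PIDs worth a closer look in a raw listing."""
    return [f.pid for f in find_suspicious(parse_ps(listing))]


if __name__ == "__main__":
    for f in find_suspicious(parse_ps(SAMPLE_PS)):
        print(f"PID {f.pid} ({f.name}) as {f.user}")
        for r in f.reasons:
            print("  -", r)
```

On the sample listing only PID 1748 is reported, with two reasons: svchost.exe outside System32/SysWOW64, and an image running from C:\WINDOWS\Temp. The legitimate svchost.exe (PID 852) and the IWAM-owned dllhost.exe in System32 pass, which is the point of checking path rather than account alone.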
PAGE 7

Tokens, what is this about tokens

In Windows the simple idea is that each process and thread has a token associated with it. This just states which user the process is associated with and, if necessary, which subset of the user's rights the process has. Therefore knowing which token you have gives you better insight into your access. For example, a user token allows you to do the things a normal user has rights to; this may be to run allowed programs but not to download and install programs (if in an enterprise environment). A SYSTEM token gives system-level access and allows complete control over the victim's machine. As this report is about privilege escalation we are assuming you do not have a system token.

HOW DO I FIND OUT WHAT TOKEN I HAVE?

The two ways I know are to use getuid and incognito.

getuid
• Will simply list the username

incognito
• Is extra functionality that allows an attacker to impersonate a user token; it includes finding your current token.

Incognito

The aim is to impersonate a valid token on the system in order to gain more privileged access. In order to use the functionality that incognito brings, we must load the module:

USE INCOGNITO

This will load the incognito module for us.
PAGE 8

In order to attempt to steal tokens, we need to see if we have access to any tokens.

list_tokens -u

This will list all tokens by unique user name. From this, we are able to see IUSR_<uname> tokens, which after googling is just a similar account with similar limited privileges. The Microsoft documentation regarding IIS accounts is here, which tells us that:

"Internet Guest Account (IUSR_<computername>) The Internet Guest account is used for anonymous access to management points."

So we can see the tokens of a guest account, which would appear not helpful at this time.

ATTEMPT TO IMPERSONATE WITH INCOGNITO

impersonate_token

This command will attempt to impersonate the specified token, allowing us to hopefully execute commands from then on with the access the token gives. Meterpreter informs us that we were successful in impersonating the token. However, if we use the getuid command we can see that we are still using the ID of the same account. For an unknown reason the success was reported incorrectly.
PAGE 9

A write-up via Metasploit Unleashed shows successfully impersonating a SYSTEM token.

Conclusion

These are some fun techniques I have played with while being stuck as an IIS guest account. The idea is to understand where you are and what you can do, and then hopefully move laterally or vertically to get to system access.