Welcome back, my fledgling hackers!
As we have progressed through this series on Metasploit Basics, we have used numerous techniques to exploit your target system including;
SMB Exploits (EternalBlue and MS08_067, for instance);
File Format (ms14-0440_sandworm, office_word_hta);
Browser Exploits (autopwn, Abobe Flash and numerous others);
Social Engineering Toolkit(SET);
and many others.
Exploiting the target is just the beginning of the fun! Once we have control of the system, we begin the post-exploitation phase and this is where we can wreak havoc! In Metasploit terms, modules designed for post exploitation are referred to as simply post.
In this tutorial, we will look at few fun things we can do on the system once we have successfully exploited the system including;
1. Checking the idletime
2. Turning on and snapping pictures from the web cam as well as web cam streaming
3. Turning on the system microphone to listen
4. Grab the password hashes
5. Use Mimikatz to capture a plethora on information from the target system
When exploiting a target with Metasploit, we have many more options for post exploitation if you use the Meterpreter payload. The Meterpreter is far more than a command line shell. It has additional functionality that no simple shell can replicate.
The Meterpreter is an advanced payload that uses DLL injection to run entirely in memory (leaving no trace on the hard drive) . This special payload has a large collection of built-in commands and scripts. For a complete look at these commands and scripts, see the following posts here on Hackers-Arise.
Not all of the commands and scripts will work with every Meterpreter on every operating system. Many of them are designed for use only on Windows systems.
Types of Meterpreter Payloads
The Meterpreter is not a single payload. There are numerous Meterpreter payloads, usually one for each type of operating system or target. In addition, you can select Meterpreters that connect over a raw TCP connection, HTTP or HTTPS. In many cases, to get past firewall restrictions on outbound traffic, it will be necessary to use HTTP or HTTPS Meterpreters where the connection will appear as normal outbound Internet traffic and likely be allowed to pass.
To find these Meterpreters, we can use the search function in Metasploit filtering for the type of module (type:payload), platform (platform:windows) and containing the keyword meterpreter. When we hit enter, we see the results below.
msf > search type:payload platform:windows meterpreter
As you can see above, there are innumerable meterpreter payloads. I have circled three that work with x64 Windows OS's and connect back with a raw TCP connection, HTTP (port 80) and HTTPS (port 443).
Step #1 Explore Post Modules
Once we have exploited the system, we can then begin to use the post exploitation commands and modules. We can find these post exploitation modules by using the search function again and filter for module type "post".
msf > search type:post
To be more specific, we can filter for those that can used on a compromised Windows system.
msf> search type:post platform:windows
In addition to these post exploitation modules, the meterpreter enables you to use railgun, a post exploitation feature that enables you to control the target machine's Windows API. I'll do another tutorial on Railgun further in this series, Metasploit Basics.
Now that we have introduced you a bit to the meterpreter payload, let's take a look at some of things we can do with it.
Here we will be assuming that we have exploited a Windows 7 system with EternalBlue.
Step #2 Idletime
Often, one of the first things we want to do is to find out how long the system has been idle. This will give us an indication of whether anyone is presently working on the computer.
meterpreter > idletime
As you can see, the user has been idle on this system for just 7 minutes and 44 seconds. That probably means that they are nearby. When using the standard meterpreter, you are virtually invisible to the user, so no need to worry about detection (VNC payloads require the use of the mouse and this would obviously be noticed by a user on their system).
Step #2 Access their Web Cam
Once we have exploited the system with EternalBlue, we have system admin (GUID=500) privileges which means we have free run of the computer. This means we can do just about anything we want.
Let's assume we want to take periodic webcam shots from the user's webcam. The first step is to use the meterpreter command webcam_list to find out what webcams are on the system, if any.
meterpreter > webcam_list
As we can see, there is just one web cam on this system "HP Truevision HD".
Next, we simply need to use another meterpreter command, webcam_snap, to take snapshots from the compromised system's webcam.
meterpreter > webcam_snap
If the system had more than one webcam, we can indicate the webcam we want to capture from by using -i switch followed by the number of the webcam. So, if we wanted to capture from webcam #2, we would enter;
meterpreter > webcam_snap -i 2
After taking the snapshot, the Meterpreter stores the image with a random filename ending in .jpeg. If they happen to be at their computer, you will receive a picture of them. You will now need to open that picture with a graphics or photo application from your attack system.
Let's open that .jpeg and see who is on that system.
Looks like you were very lucky!
Even better, we can get the webcam to stream video for us.
After executing the command, the Meterpreter will open your default web browser and stream the video from the target's webcam to your system.
Step #3: Plant a Bug on Their Computer (Listen to the Microphone)
In addition to taking snapshots from the webcam, you can also enable the microphone built into the system and listen to conversations within reach of the microphone. Once again, the Meterpreter has a built-in command for doing so called record_mic.
meterpreter > record_mic
As you can see, when we run this command, it records the ambient sounds near the computer and places them in a .wav file in the root user's directory with a random file name.
This meterpreter command has numerous options that can be useful. For instance;
-d : the number of seconds to record (default = 1)
-f : The wav file path.
-p : Automatically play the captured audio, by default ‘true’.
Now, we can construct a useful command that records 10 seconds of audio, creates a .wav file named spyaudio.wav and automatically plays back the audio through your systems speakers
meterpreter > record_mic -d 10 -f spyaudio.wav -p true
Step #4 Keylogging
Although not as effective as a hardware keylogger, the meterpreter can place a software keylogger on the system to capture all the keystrokes from one application. The key here is that we can only capture the keystrokes of one process or application at a time.
To do so, we need to move (migrate) the meterpreter to a process where we expect the target will be entering data. This might be a web browser, MS Word, Outlook, etc.
First, we need to Process ID of the application. From the meterpreter shell, you can simply type ps. This will list all the processes running similar to the way the ps command works in Linux.
meterpreter > ps
Once you have identified the application you want to place your keylogger on, you need to migrate the meterpreter to that process.
meterpreter > migrate 2308
As you can see, we have migrated to process 2308 (yours will likely be different), which in this case is MS Word.
Next, we start the keylogger with the command keyscan_start.
meterpreter > keyscan_start
The keylogger has now started and is placing all the keystrokes from that application into a buffer(keystrokes include all characters including returns, backspaces, etc.).
When we want recover the keystrokes, we simply use the command keyscan_dump.
Looks like he has some ill-intentions!
Step #4 Dump the System Password Hashes
Once we are inside the system with system admin privileges, we can also access all of the password hashes on the system. The meterpreter has a simple way to do by simply entering the hashdump command.
msf > hashdump
As you can see, the target system has dumped all the password hashes to my screen. Of course, we will still need to crack these hashes with a tool such as hashcat.
Step #5 Access System Information and Passwords with mimikatz
Mimikatz was developed by gentile kiwi as a standalone program for extracting key information from RAM from a running system. A few years back, it was ported for Metasploit as a post exploitation module so that we can do the same after exploiting our target.
The first step is to make certain we have system admin privileges. If not, we can use the meterpreter command, getsystem, to escalate privileges.
meterpreter > getsystem
To make certain we have admin privileges we can query the system with getuid
meterpreter > getuid
Now that we are certain we have system admin privileges on the target system, we can load mimikatz.
meterpreter > load mimikatz
Next, let's get a help screen next.
meterpreter > help mimikatz
Now, we can get the password hashes by running the command.
meterpreter > mimikatz_command -f samdump::hashes
For more on mimikatz, check out my mimikatz article here.
Once we have compromised a system with Metasploit and the meterpreter payload, the fun begins! They are innumerable meterpreter commands and post-exploitation modules that we can use to manage and manipulate the target system.
If you are looking to become a Metasploit Expert, check out our upcoming Metasploit Kung-Fu course.
Also, look for my upcoming book "Metasploit Basics for Hackers" coming out early 2019.