Time
5 hours 38 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Description

In this video and the next, Dean reviews the Metasploit Meterpreter shell. This is an extremely useful tool for establishing a session with a remote target and poking around for vulnerabilities to exploit. Meterpreter leverages the stager in order to build a connection with the remote target. From there, you can run Meterpreter-specific commands. You can put the shell in the background and even launch multiple shells on both the target as well as on multiple targets, which you can return to later. The video concludes by mentioning the ability to load multiple modules and extensions. This ability makes Meterpreter an extremely flexible and interactive pentesting environment.

Video Transcription

00:04
Okay, so let's let's get into discussing
00:08
Meterpreter.
00:10
It's kind of interesting. The word has a Metasploit
00:14
type of
00:16
feel to it, and Meterpreter is a payload
00:20
that once it's delivered, you get a very highly functional shell on that remote system, and you can do all kinds of other things. Meterpreter basically only
00:31
will exist in memory on the target system,
00:35
so this gives you a lot of stealth options as well, since you're not necessarily writing to disk if you're careful and you're choosing the correct options.
00:44
So I've got my Metasploitable instance
00:48
already booted up. I know that there's a particular vulnerability, which I'm just going to exploit really quickly. We can explain a little bit more about it later,
00:56
but for the sake of demonstrating the Meterpreter shell, I'm gonna go ahead and connect.
01:00
So let's,
01:03
uh,
01:03
hair back command Sea witch
01:07
I'm good in my Metasploitable workspace. Now I know that Metasploitable has a Postgres database,
01:15
just like Kali does, actually,
01:19
and lucky for us through some experimentation and scanning,
01:23
I've discovered that the default
01:27
login and password for Postgres is in place,
01:30
and that means that the username and password are both postgres. A lot of software applications will do this.
01:38
You install the software, a database, a web server, what have you, and you get a default credential set.
01:45
So what I'm gonna do is
01:49
do a quick search for Postgres exploits
01:53
because I'm not sure if I remember exactly what the exploit is called.
01:59
I've got a nice window here,
02:00
and I believe the one that I want is this guy right here, the Postgres payload.
02:08
As we can see, this is rated as an excellent
02:14
payload.
02:15
So that gives me a good idea that the
02:20
the payload will work.
02:22
One thing I want to do beforehand is do a setg for my remote host
02:28
so that we don't have to type this in every time.
02:34
I know that my Metasploitable instance
02:38
is .129 something. Go ahead and do that.
02:42
You could do set -g if you wish. I think setg is just a little bit easier to deal with.
02:47
Okay, so now I want to use this particular exploit. I'll type my use command.
02:54
Copy and paste this.
03:00
Now I'm in the context of the Postgres payload.
03:02
So if I show my options,
03:06
I can see that it's got a default database to search
03:12
rather for authentication purposes.
03:14
And my username is already pre-populated with postgres.
03:17
I know that the password is supposed to be
03:20
postgres, based on my research.
03:23
So what I can do is I can set
03:25
password.
03:27
Another thing I meant to point out earlier is that you notice the options for each module are not case sensitive.
03:35
Your entries, the settings, are case sensitive. If I put in something that's upper case and it's supposed to be lower case, it's obviously not gonna work.
03:43
My password, I know that it's supposed to also be postgres. I'll go ahead and set that.
03:49
If I verify my options, I can see that everything looks good to go.
03:53
I noticed that the target is showing me a Linux x86, which is good because that's appropriate for this particular,
04:01
uh, target.
04:03
I could also check to see if there's any advanced options, and there are.
04:08
We don't need any of these for this particular exploit, but it's good to just poke around when you're looking at an exploit to see what its
04:14
capabilities are, targets.
04:16
You see the x86 or 64-bit x86. I've got two different options there,
04:21
but the one I've got selected should work. So I'm gonna go ahead and type exploit.
04:27
You can use run as well as a command, too,
04:31
to, uh,
04:32
actually execute the exploit.
04:36
I like exploit better because it's more descriptive. Okay, so let's let's look at what we have here.
04:42
I started my reverse handler on my local system.
04:45
So I'm listening, my Kali instance is listening on port 4444.
04:49
So that's what my, my, uh,
04:53
local port will be. It's not shown here in my options. It's predefined as part of the exploit.
05:00
Some of them are like that. You just have to explore each exploit as you use it in order to find the right one.
05:06
So we've connected to the target system on port 5432. This is also the default port that Postgres listens on,
05:15
and we can see that we've got a banner grab.
05:19
So I got some really good information here. I know this is Postgres version 8.3.1.
05:24
I can see that it's running on Linux.
05:28
And I can see kernel, uh, information here, Ubuntu 4.2.3.
05:32
So I'm also getting some good information about the target, in addition to being able to connect.
05:40
So, uh, I've transmitted my stager.
05:44
And if you remember from our previous discussion, stager is
05:48
a component of the exploit that helps you to
05:51
build a connection
05:54
then the stage itself
05:56
gets sent. So we see that there's, ah,
05:58
1.049 meg worth of data,
06:01
and the stage, actually, is the
06:05
the, the component of the exploit that actually builds a connection.
06:10
Now I can finally see that I've opened my Meterpreter session
06:14
between
06:15
my remote system, or rather my local system .131 and the remote system .129.
06:20
And of course, we know that Meterpreter worked because I've got, um, a Meterpreter prompt now,
06:27
like you would expect. I can type the help command
06:30
to see what options I've got available within Meterpreter, and there's quite a few here.
06:34
We'll look at the majority of these throughout our course. I would expect that you would poke around and try some of these options on your own as well, because you want to understand what Meterpreter can do for you.
06:50
But some really easy things to think about.
06:54
Uh, one of the commands that I always liked to
06:59
to think about early in the session is to use the background command,
07:03
and that lets you,
07:05
um,
07:06
put a session in the background and then return to it later
07:12
so I can run background.
07:15
So it tells me session one has now been sent to the background, and this is good because now the session is still alive, but I can get back to the context of my exploit if I want to run some other commands.
07:27
For instance, I could run the sessions command,
07:30
and this shows me my active sessions. I may have multiple sessions active with different systems at any given time, or even multiple sessions active with the same target system.
07:40
I can see I've got a session ID here, session ID of one,
07:44
tells me the type of shell
07:46
and some other information
07:48
about the system and my connection itself.
07:54
Now, if I want to go back into interacting with this sessions command, or with this session,
08:00
you'll notice I can use the -i option.
08:03
I can kill my sessions. I can list them and so on. I can run scripts or some other advanced features, but for right now, what I want to do
08:13
is go back to the session I've already created. I'll do a sessions -i
08:18
with the one, because that's my session ID.
08:20
Now I'm back in my Meterpreter shell.
08:24
Once I'm in the Meterpreter shell, I can do lots of different things.
08:30
For instance, I can
08:33
look at my
08:37
my core commands. I already showed you background.
08:41
I can also kill scripts
08:43
that are running in the background. I could list scripts running in the background, can close channels.
08:48
I can look at info about a particular module.
08:52
I can load more extensions into my Meterpreter. So this is a beautiful thing about Meterpreter; it acts as sort of a toehold on that remote system. Once you've got connected with a Meterpreter shell, now you've got a very flexible and interactive environment to bring in other information, other tools and auxiliary modules, and so on,
09:11
or extensions. I can do those things in order to enhance my ability to
09:18
interact with this system,
09:20
I can still use and load modules and extensions just like you'd expect.
09:26
I can even interact with the file system. I can cat a file.
09:28
So, for instance,
09:31
let's first see what I'm running under.
09:43
Oh, I'm thinking I'm in a command line shell. That's why I'm
09:46
I'm running the
09:48
the wrong commands there.
09:52
But one thing I can do is try to see if I can look at, for instance, maybe I've
09:58
tried to compromise the system and now I want to see if I can look at the password file.
10:07
So you can see I've been able to look at this
10:11
password file. It has, uh,
10:13
some information that might be useful,
10:16
but it really doesn't have any
10:20
hashes.
10:22
And so I'm trying to run the /etc/shadow, or trying to show the /etc/shadow file,
10:28
and that's not letting me do that. So I may not have
10:31
all of the
10:33
the permission that I would like.
10:35
One thing I can do, however, once I've got the Meterpreter shell established,
10:41
is I can run the shell command to try to get a command shell. You'll notice I'm not root on this command shell, so that's why I could not run
10:48
/etc/shadow.
10:50
I am logged in as postgres, which we saw from the
10:54
the, um,
10:56
exploit
10:58
options that we set up originally.
11:00
We'll go ahead and exit that command shell. I don't need to be there.
11:05
Ctrl-C to terminate that channel. My Meterpreter shell is still valid, but that command shell that I launched
11:13
is now terminated.


Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor