00:05
Let's get into discussing Meterpreter. It's an interesting word; it has a Metasploit type of feel to it. The Meterpreter is a payload that, once it's delivered, gives you a very highly functional shell on that remote system, and you can do all kinds of other things. A Meterpreter basically only exists in memory on the target system. This gives you a lot of stealth options as well, since you're not necessarily writing to disk if you're careful and you're choosing the correct options.

I've got my Metasploitable instance already booted up. I know that there's a particular vulnerability which I'm just going to exploit really quickly. We can explain a little bit more about it later. But for the sake of demonstrating the Meterpreter shell, I'm going to go ahead and connect. Let's head that command. I'm going to see which are good. I'm in my Metasploitable workspace.

Now, I know that Metasploitable has a Postgres database, just like Kali does actually. Through some experimentation and scanning, I've discovered that the default login and password for Postgres is in place, and that means that the username and the password are both postgres. A lot of software applications will do this. You install the software (a database, a web server, what have you) and you get a default credential set.

What I'm going to do is do a quick search for Postgres exploits, because I'm not sure if I remember exactly what the exploit is called. I've got a nice window here. I believe the one that I want is this guy right here, the Postgres payload. As we can see, this is rated as an excellent payload. That gives me a good idea that the payload will work.

One thing I want to do beforehand is do a setg for my remote host. That way I don't have to type this in every time. I know that my Metasploitable instance is .129. I'm going to go ahead and do that. You can do setg if you wish. I think setg is just a little bit easier to deal with.

Now I want to use this particular exploit. I'll type my use command and copy and paste this. Now I'm in the context of the Postgres payload. If I show my options, I can see that it's got a default database to search, rather for authentication purposes, and my username is already pre-populated with postgres. I know that the password is supposed to be postgres, based on my research. What I can do is set the password.

Another thing I meant to point out earlier is that you'll notice the options for each module are not case sensitive. Your entries, the settings, are case sensitive. If I put in something that's uppercase that's supposed to be lowercase, it's obviously not going to work. But for my password, I know that it's also supposed to be postgres. I'll go ahead and set that.

If I verify my options, I can see that everything looks good to go. Notice that the target is showing me a Linux x86, which is good because that's appropriate for this particular target. Let's see if there are any advanced options, and there are. We don't need any of these for this particular exploit, but it's good to just poke around when you're looking at an exploit to see what its capabilities are. Targets: it's either x86 or 64-bit x86. I've got two different options there, but the one that I've got selected should work.

I'm going to go ahead and type exploit. You can type run as well as a command to actually execute the exploit. I like exploit better because it's more descriptive. Let's look at what we have here. I started my reverse handler on my local system. I'm listening; my Kali instance is listening on port 444. That's what my local port will be; it's not shown here in my options. It's predefined as part of the exploit. Some of them are like that. You just have to explore each exploit as you use it in order to find the right one.

We've connected to the target system on port 5432. This is also a default port that Postgres listens on, and we can see that we've got a banner grab. I got some really good information here. I know this is Postgres version A31. I can see that it's running on Linux, and I can see kernel information here, boom 2423. I'm also getting some good information about the target in addition to being able to connect.

I've transmitted my stager, and if you remember from our previous discussion, the stager is a component of an exploit that helps you to build a connection; then the stage itself gets sent. We see that there's 1.49 meg worth of data, and the stage actually is the component of the exploit that actually builds the connection. Now I can finally see that I've opened my Meterpreter session between my local system, .131, and the remote system, .129. Of course, we know that the Meterpreter worked because I've got a Meterpreter prompt now.

Like you would expect, I can type the help command to see what options I've got available within Meterpreter. There are quite a few here. We'll look at the majority of these throughout our course. I would expect that you would poke around and try some of these options on your own as well, because you want to understand what Meterpreter can do for you.

But some really easy things to think about: one of the commands that I always like to think about early in a session is the background command. It lets me put a session in the background and then return to it later. I can run background. It tells me session 1 has now been sent to the background. This is good because the session is still live, but I can get back to the context of my exploit if I want to run some other commands.

For instance, I can run the sessions command, and this shows me my active sessions. I may have multiple sessions active with different systems at any given time, or even multiple sessions active with the same target system. I can see I've got a session ID here. It tells me the type of shell and some other information about the system and my connection itself. Now, if I want to go back into interacting with this session, you'll notice I can use the -i option. I can kill my sessions, I can list them, and so on. I can run scripts or some other advanced features. But for right now, what I want to do is go back to the session I've already created. I'll do a sessions -i with a 1, because that's my session ID, and now I'm back in my Meterpreter shell.

Once I'm in the Meterpreter shell, I can do lots of different things. For instance, I can look at my core commands. I already showed you background. I can also kill scripts that are running in the background. I can list the scripts running in the background, I can close channels, I can look at info about a particular module, and I can load more extensions into Meterpreter. This is a beautiful thing about Meterpreter: it acts as a toehold on that remote system. Once you've got connected with the Meterpreter shell, now you've got a very flexible and interactive environment to bring in other information and other tools and auxiliary modules and so on, or extensions. I can do those things in order to enhance my ability to interact with this system. I can load modules and extensions just like you'd expect.

I can even interact with the file system. For instance, let's first see what I'm running under. Oh, I'm thinking I'm in a command-line shell; that's why I'm running the wrong commands there. But one thing I can do is try to see if I can look at, for instance, maybe I've tried to compromise the system and now I want to see if I can look at the password file. I've been able to look at this password file. It has some information that might be useful, but it really doesn't have any hashes. I'm trying to run /etc/shadow, or trying to show the /etc/shadow file, and that's not letting me do that. I may not have all of the permissions that I would like.

One thing I can do, however, once I've got the Meterpreter shell established, is run the shell command and try to get a command shell. You'll notice I am not root on this command shell, so that's why I could not run /etc/shadow. I am logged in as postgres, per the exploit options that we set up originally. I'm going to go ahead and exit that command shell. I don't need to be there. I'm going to click "CTRL+C" to terminate that channel. My Meterpreter shell is still valid, but that command shell that I launched is now terminated.