Part 8.1 - Meterpreter: Metasploit Course | Cybrary

Video Activity

Create Free Account

In this video and the next, Dean reviews the Metasploit Meterpreter shell. This is an extremely useful tool for establishing a session with a remote target and poking around for vulnerabilities to exploit. Meterpreter leverages the stager in order to build a connection with the remote target. From there, you can run Metepreter-specific commands. Yo...

Sign up with

Or

Already have an account? Sign In »

Time

5 hours 38 minutes

Difficulty

Intermediate

CEU/CPE

6

Create Free Account

In this video and the next, Dean reviews the Metasploit Meterpreter shell. This is an extremely useful tool for establishing a session with a remote target and poking around for vulnerabilities to exploit. Meterpreter leverages the stager in order to build a connection with the remote target. From there, you can run Metepreter-specific commands. You can put the shell in the background and even launch multiple shells on both the target as well as on multiple targets which you can return to later. The video concludes by mentioning the ability to load multiple modules and extensions. This ability makes Meterpreter an extremely flexible and interactive pentesting environment.

00:04

Okay, so let's let's get into discussing

00:08

Mutter Peter.

00:10

It's kind of interesting. Word has a Medicine Floyd

00:14

type of

00:16

feel to it, and the interpreter is a payload

00:20

that once it's delivered, you get a very highly functional shell on that remote system, and you can do all kinds of other things. I'm interpreter basically on Lee

00:31

will exist in memory on the target system,

00:35

so this gives you a lot of stealth options as well, since you're not necessarily writing to disk if you're careful and you're choosing the correct options.

00:44

So I've got my minutes portable instance

00:48

already booted up. I know that there's a particular vulnerability, which I'm just going to exploit really quickly. We can explain a little bit more about it later,

00:56

but for the sake of demonstrating the interpreter shell, I'm gonna go ahead and connect.

01:00

So let's,

01:03

uh,

01:03

hair back command Sea witch

01:07

are good in my medicine portable workspace. Now I know that the display table has a post GREss database,

01:15

just like Kelly does, actually,

01:19

and lucky for us through some experimentation and scanning,

01:23

I've discovered that the default

01:27

log in and password for post grass is in place

01:30

and That means that the user name and password of both post post dress Ah, lot of software applications will do this.

01:38

You install the software database a web server, What have you and you get a default credential set.

01:45

So what I'm gonna do is

01:49

do a quick search for post GREss exploits

01:53

because I'm not sure if I remember exactly what the exploit is called.

01:59

I've got a nice window here,

02:00

and I believe the one that I want is this guy right here. The post crest payload.

02:08

As we can see, this is rated as a an excellent

02:14

payload.

02:15

So that gives me a good idea that the

02:20

the payload will work.

02:22

One thing I want to do beforehand is do a set G four Molly remote host

02:28

that we don't have to type this in every time.

02:34

I know that my disposable instance

02:38

is 0.1 29 something. Go ahead and do that.

02:42

You could do set, Dash G, if you wish. I think said she's just a little bit easier to deal with.

02:47

Okay, so now I want to use this particular exploits. All type my use command.

02:54

Copy and paste this.

03:00

Now I'm in the context of the Post Press payload.

03:02

So if I show my options,

03:06

I can see that it's got a default database to search

03:12

rather for authentication purposes.

03:14

And my user name is already pre populated with post grass.

03:17

I know that the password is supposed to be

03:20

post grass based on my research.

03:23

So what I can do is Aiken set

03:25

password.

03:27

Another thing I meant to point out earlier is that you noticed for the options for each module. They are not case sensitive.

03:35

Your your entries, the settings Air case sensitive. If I put in something, that's upper case, it's supposed to be lower case. It's always there. Not gonna work

03:43

my password. I know that it's supposed to also be post crests. I'll go ahead and set that.

03:49

If I verify my options, I can see that everything looks good to go.

03:53

I noticed that the target is showing me a Lennox X 86 which is good because that's appropriate for this particular,

04:01

uh, target.

04:03

I could also check to see if there's any advanced options, and there are.

04:08

We don't need any of these for this particular exploit, but it's good to just poke around when you're looking at an exploit to see what it's

04:14

capabilities are targets.

04:16

You see the X 86 or 64 bit X 86. I've got two different options there,

04:21

but the woman I've got selected should work. So I'm gonna go ahead and type exploit.

04:27

You can't run as well as a command too,

04:31

too. Huh?

04:32

Uh, actually execute the exploit.

04:36

I like exploit better because it's more descriptive. Okay, so let's let's look at what we have here.

04:42

I started my reverse handler on my local system.

04:45

So I'm listening, my Callie, Instances listening on Port four for four.

04:49

So that's what my, my, uh,

04:53

local port will be. It's not shown here. In my options. It's pre defined as part of the exploit.

05:00

Some of them are like that. You just have to explore each exploit as you use it in order to find the right one.

05:06

So we've connected to the target system on port 5432 This is also a default port. That post crest listens on

05:15

and we can see that we've got a banner grab.

05:19

So I got some really good information here. I know this is post crest version 831

05:24

I can see that it's running on Lennox.

05:28

And I can see a colonel, uh, information here, a boon to 4 to 3.

05:32

So I'm also getting some good information about the target in addition, to be able to connect.

05:40

So, uh, I've transmitted my stager.

05:44

And if you remember from our previous discussion, stager is

05:48

a component of the next point that helps you to

05:51

build a connection

05:54

than the stage itself

05:56

gets sent. So we see that there's, ah,

05:58

one point off for nine meg worth of data

06:01

on the stage, actually. Is the

06:05

the Pete the component of the the exploit that actually builds a connection?

06:10

Now I can finally see that I've opened my I'm interpreter session

06:14

between

06:15

my remote system reserved my local system 1 31 of the remote system 1 29

06:20

And of course, we know that the interpreter work because I've got, um, attributed prompt now,

06:27

like you would expect, I can type to help command

06:30

to see what options I've got available within motor Peter and was quite a few here.

06:34

Looks for the majority of these throughout our course. I would expect that you would poke around and try some of these options on your own as well, because you want to understand what interpreter can do for you.

06:50

But some really easy things to think about.

06:54

Uh, one of the commands that I always liked Thio

06:59

to think about early in the session is to use the background command,

07:03

and that lets you,

07:05

um,

07:06

put a session in the background and then return to it later

07:12

so I can run background.

07:15

So it tells me Session one has not been sent to the background, and this is good because now I can the session still alive. But I can get back to the context of my exploit if I want to run some other commands

07:27

first. Since I could run the Sessions Command

07:30

and this shows me my active sessions, I may have multiple sessions acted with different systems, any given time or even multiple sessions active with same target system.

07:40

I can see I've got a session I d here session idea of one

07:44

tells me the type of show

07:46

and some other information

07:48

about the the system and my connection itself.

07:54

Now, if I want to go back into interacting with this session's command Earth. With this session,

08:00

you'll notice I can use the dash. I option

08:03

I can kill my sessions. I can list them and so on. I can run scripts or some other advanced features, but for right now, what I want to do

08:13

is go back to the session I've already creates. I'll do a Sessions dash I

08:18

with the one because that's my session I d.

08:20

Now I'm back in my motor prettier shell.

08:24

Once I'm in the interpreter shell, I can do lots of different things

08:30

for since I can

08:33

look at my

08:37

my core commands, I already showed you background.

08:41

I can also kill scripts

08:43

that are running in the background. I could list of scripts running in the background, can close channels.

08:48

I can look at info about a particular module.

08:52

I can load more extensions into my interpreter. So this is a beautiful thing about interpreter and acts as sort of a toehold on that remote system. Once you've got connected with motor pretty shell. Now you've got a very flexible on interactive environment to bring other information in other tools and auxiliary models, and so on

09:11

are extensions I can do those things. In order to enhance my ability to

09:18

interact with this system,

09:20

I can still use and load modules and extensions just like you'd expect.

09:26

I can even interact with the final system. I can cat a file.

09:28

So, for instance,

09:31

let's let's first see what what I'm running under.

09:43

Oh, I'm thinking I'm in a command line shell. That's why I'm

09:46

I'm running the

09:48

the royal commands there.

09:52

But one thing I can do is try to see if I can look at, for instance, at maybe I've

09:58

tried to compromise the system and now I want to see if I can look at the password file

10:07

so you can see I I've been able to look at this

10:11

password file has, uh,

10:13

some information that that might be useful,

10:16

but it really doesn't have any

10:20

hashes.

10:22

And so I'm trying to run the sea shadow for tryin'to show the That's the shadow file,

10:28

and that's not let him to do that. So I may not have

10:31

all of the

10:33

the permission that I would like.

10:35

One thing I can do, however, once I've got the motor pretty shell established

10:41

is I can run the shelter man to try to get a command shell. You'll notice I'm not root on this command shell. So that's why I could not run.

10:48

That's the shadow.

10:50

I am logged in his post crypts, which we saw from the

10:54

the, um,

10:56

exploit

10:58

options that we set up originally.

11:00

Well, go ahead and exit that command shell. I don't need to be there,

11:05

Control C to terminate that channel. My interpretive shell is still valid, but that command shell that I launched

11:13

is is now terminated.

Part 8.2 - Meterpreter

Part 1.1 - Scanners

Part 1.2 - Scanners

Part 1.3 Scanners

Part 2 - Discovering Exploits

This Metasploit tutorial will teach you to utilize the deep capabilities of Metasploit for penetration testing and help you to prepare to run vulnerability assessments for organizations of any size.

CEO of SteppingStone Solutions

CyDefe Assessment

This assessment is designed to validate students understanding of the Metasploit framework. These challenges will ...

Interview Mocha Test

One of the largest penetration tools out there, Metasploit is a penetration testing platform that ...

The Advanced Penetration Testing course teaches the cyber attack lifecycle from the perspective of an ...

15 CEU/CPE Hours Available

Certificate of Completion Offered