Part 8.2 - Meterpreter

Time
5 hours 38 minutes
Difficulty
Intermediate
CEU/CPE
6
Video Description

In this second video on the Meterpreter shell, Dean introduces more commands. The shell contains a full set of file system commands (cd, pwd, ls, mkdir, mv, rmdir, upload, download, edit) that behave much like their counterparts in a Linux shell. Additionally, there are networking commands such as netstat and others for listing IP addresses, dumping the routing table and the ARP cache. The video concludes with a discussion of commands useful for pentesting, such as those for running post modules (which may need root on the target, as the hashdump attempt shows), enumerating processes running on the remote host, port forwarding, setting timeouts and encoding, and the sysinfo command.
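The walkthrough's point is that the output of `arp` and `ps` from a low-privileged Meterpreter session already reveals neighbouring hosts and candidate services before any scan is run. The following is an added example, not code from the course or from Metasploit: a small triage script that parses Meterpreter-style fixed-width tables and pulls out the neighbours and the processes the video calls out. The `SAMPLE_ARP` and `SAMPLE_PS` listings are constructed to resemble Meterpreter output (the exact column names vary by Meterpreter flavour, so the parser derives column boundaries from the dashed underline row instead of hard-coding them); `SERVICE_HINTS` and the notes attached to each process are this example's own assumptions.

```python
"""Triage Meterpreter `arp` and `ps` output (added example, not course code)."""
import re
from typing import Dict, List

# Constructed sample of an `arp` listing; addresses are illustrative only.
SAMPLE_ARP = """\
ARP cache
=========

    IP address       MAC address        Interface
    ----------       -----------        ---------
    192.168.146.2    00:50:56:e1:12:34  eth0
    192.168.146.131  00:0c:29:ab:cd:ef  eth0
"""

# Constructed sample of a `ps` listing on a Linux target.
SAMPLE_PS = """\
Process List
============

 PID   PPID  Name       User      Path
 ---   ----  ----       ----      ----
 1     0     init       root      /sbin/init
 4387  1     distccd    daemon    /usr/bin/distccd
 4402  1     apache2    root      /usr/sbin/apache2
 4560  4402  apache2    www-data  /usr/sbin/apache2
 4701  1     Xtightvnc  root      /usr/bin/Xtightvnc
 4812  1     postgres   postgres  /usr/lib/postgresql/8.3/bin/postgres
 5203  4812  sh         postgres  /bin/sh
"""

# Process names worth a second look; the notes are assumptions for this example.
SERVICE_HINTS = {
    "distccd": "distcc compile daemon (network-exposed service)",
    "apache2": "Apache web server",
    "Xtightvnc": "VNC remote desktop",
    "postgres": "PostgreSQL (the foothold account in the walkthrough)",
}


def parse_table(text: str) -> List[Dict[str, str]]:
    """Parse a Meterpreter-style table into row dicts keyed by header name.

    The dashed underline row gives the start offset of every column, so the
    parser works for any column names and widths, and values may be wider
    than their underline as long as they stay before the next column start.
    """
    lines = text.splitlines()
    for idx in range(1, len(lines)):
        stripped = lines[idx].strip()
        if stripped and set(stripped) <= {"-", " "}:  # the underline row
            header, dashes, body = lines[idx - 1], lines[idx], lines[idx + 1:]
            break
    else:
        return []
    starts = [m.start() for m in re.finditer(r"-+", dashes)]
    bounds = list(zip(starts, starts[1:] + [None]))  # last column runs to EOL
    names = [header[s:e].strip() for s, e in bounds]
    rows = []
    for line in body:
        if line.strip():
            rows.append({n: line[s:e].strip() for n, (s, e) in zip(names, bounds)})
    return rows


def arp_neighbors(arp_text: str) -> List[str]:
    """IP addresses seen in the ARP cache: hosts that talked to the target."""
    return [row["IP address"] for row in parse_table(arp_text)]


def triage_processes(ps_text: str) -> List[Dict[str, str]]:
    """Flag processes named in SERVICE_HINTS, noting which run as root."""
    findings = []
    for row in parse_table(ps_text):
        hint = SERVICE_HINTS.get(row.get("Name", ""))
        if hint:
            user = row.get("User", "")
            note = hint + (", running as root" if user == "root" else "")
            findings.append({"pid": row["PID"], "name": row["Name"],
                             "user": user, "note": note})
    return findings


def root_services(ps_text: str) -> List[str]:
    """Flagged services owned by root: compromising one would not be limited
    by least privilege the way the postgres foothold is."""
    seen: List[str] = []
    for f in triage_processes(ps_text):
        if f["user"] == "root" and f["name"] not in seen:
            seen.append(f["name"])
    return seen


if __name__ == "__main__":
    print("neighbours:", arp_neighbors(SAMPLE_ARP))
    for f in triage_processes(SAMPLE_PS):
        print(f"pid {f['pid']:>5} {f['name']:<10} {f['user']:<9} {f['note']}")
    print("root-owned services:", root_services(SAMPLE_PS))
```

To use it against a live session, paste the real `arp` and `ps` output into the two sample strings (or read them from files saved with `spool`); the parser only assumes a header row immediately above a dashed underline row.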

Video Transcription
00:03
>> Again, back to some file system commands. I can go to different directories, I can get my working directory, ls will show files, I can make directories, I can move files around, I can remove directories. Most of your basic command shell functionality is enabled in Meterpreter itself.

I've also got networking commands. Even though I already know the IP address, I can certainly list it again, .129, that's my remote system, that's Metasploitable. Maybe I want to do something else. Maybe I want to run netstat -rn, and you'll look at my ports that are listening, and maybe see some information about established connections. Let's type -an, and give me the same information. I can also run other commands like: what's my routing table? What's in my ARP cache? The ARP cache right now, I've only been connected to from the Kali instance, which is .131. But if you were connecting to a system that was being used by lots of other people, just displaying the ARP cache is very useful, because now I can see other systems that are connected, because their IP address and the MAC address are saved in this ARP cache. I can look at route information, I can see what my default gateway is, .2 in this case. IPv6 information is also available if I was interested in that.

Being able to poke around in the file system is pretty handy. I can also do things like uploading and downloading files. For instance, if I want to, I now have to have the permission to read a file. If I do an ls in my current directory, I can see that I've got some globally readable files. It looks like I can try to do something like download server, research. We can see that that actually worked, and if this is a certificate file, and we'll get into some of these things later, then that can be really useful. Now, where does this file go? I'll switch to my other command shell, and if I go to my Downloads directory on my given system, that's not where it went; maybe it went to root itself. There it is. It did not go to my Downloads directory, so it goes to whatever directory you launch your console from, and I was already in root when I did that. I don't need this file. I'm going to go ahead and delete it. Ctrl+Page Up to switch back to my other tab. Remember your shortcuts?

Uploading, downloading files. I can also edit a file. It's going to look like my certificates here. This is probably my public cert. Basically, it throws you into a vi-type editor, which is very handy if you don't want to have to pull a file back, edit the file, push it back out. That increases the odds of getting detected. We want to always think about taking the action that's required in the way that creates the minimum amount of traceable events.

Other things to think about: if I'm in my Meterpreter shell, I also have the ability to run all kinds of post exploits. I can do that by using the run command, there it is. Executing the script, executing a post module, for instance, I might want to see if I can get a hashdump from the system, even though I know the Postgres password, that's not the administrator password. I might have to do some other work in order to be able to get the root password, or some other valuable things. Tab completion does not work in a context like this, unfortunately, so I have to know what I'm typing in. But I'm going to try to run hashdump. Not a Windows system. That won't work. Let me do this real quick. I'll background this session. I'll do a search for post. This is going to give me a lot of information, but I might be able to find posts for Linux if I scroll up here. It's post for multi. Looks like linux/gather/hashdump might be a good choice. I'll go ahead and copy that. Might have been faster to do a search for hashdump itself. That's a shorter list. I know that's what I want to do. Now I can go through and I can find the one that I was interested in. Now, I'm going to go back to session 1, which is the one where my Meterpreter session is enabled, and what I can do is I can try to run this hashdump, see if it actually works. See, it doesn't work. I have to be root for that one to work, which makes sense.

We're seeing some of the limitations of the command shell that you have. I have a Meterpreter shell, which is useful, but it only lets me run commands that the Postgres user account is authorized to run, and this traces us back to the idea of the principle of least privilege. I don't want to run Postgres as root; if I did that, and I'd also not changed the password, or with some other vulnerability, now, when I compromise the application or compromise the command, or rather the credentials, if the Postgres ID has root-type privileges, now I can do other powerful things that I wouldn't be able to do otherwise. There are good reasons for respecting the principle of least privilege. You don't want to get overly generous with doling out privileges when you're building a system, for obvious reasons.

I also might want to, for instance, run some commands and see what processes are running on that remote system. I just did a ps command, and it basically gives you full ps output. This way I can tell with some detail what's actually running on that remote system. Process ID numbers, parent process IDs, the name, and any paths that are relevant would all be shown here. I notice I've got a bunch of things running. I've got some applications, distccd, or rather distcc, the daemon for that. I've got an Apache web server running, I've got some Ruby components running. There's a lot of things. Looks like I've got VNC running. There's a lot of clues that I've just uncovered for how I might go about further compromising the system. I haven't even done a scan yet. I just happened to take a guess that the Postgres database would have a default password, and it does, so I'm able to get in and get all this information.

Let's run our help command one more time. Other things we can do: I showed a few things like running a shell, ps, et cetera. I can kill a process if I have permission to do so, I can execute commands. I can even set up port forwarding, which might be useful depending on your needs at the time. There are some other options I'm looking at, like encoding, setting timeouts. There are ways to try to get a picture from the webcam. See that option in this context. But other things to think about: I can suspend a process. I can also run the sysinfo command to give me a concise output, like the uname -a command would do on a UNIX system. Gives me some good details here for what I would be. Other details I want to track for this remote system, to know that I've got something truly useful. We'll definitely explore more features of the Meterpreter shell as we go through some of the demonstrations, but this is a good introduction. See you in the next video.