Time
5 hours 38 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Description

In this second video on the Meterpreter shell, Dean introduces more commands. The shell contains a full set of file system commands very similar to the dir command and its variants found in Linux shells. Additionally, there are networking commands such as netstat and others for enumerating IP addresses, dumping routing tables and the ARP cache. The video concludes with a discussion of commands useful for pentesting such as those for running post exploits, enumerating processes running on a remote host, port forwarding, setting timeouts and encoding, and the sysinfo shell command.

Video Transcription

00:04
So again, back to some file system commands.
00:07
I can go to different directories.
00:10
I can get my working directory
00:12
show files, I can make directories, I can move files around, I can remove directories. So most of your basic command shell functionality is enabled in Meterpreter itself.
00:23
I've also got networking commands.
00:26
So even though I already know the
00:30
IP address,
00:32
I can certainly list it again,
00:34
right? 129, that's my remote system. That's Metasploitable.
00:39
Maybe I want to do something else. Maybe I want to run
00:42
netstat.
00:45
netstat -an, to look at my
00:48
ports that are listening and maybe see some information about
00:53
established connections.
01:03
All right, so netstat,
01:04
netstat -an is giving the same information.
01:07
Um,
01:07
I could also run
01:10
other commands like
01:14
What is... what are my... what's my routing table? What's in my ARP cache?
01:18
The ARP cache,
01:19
right now, I've only been
01:22
connected to from the Kali instance, which is .131.
01:25
But if you were connecting to a system that was being used by lots of other people, just the ARP cache is very useful because now I can see
01:32
other systems that are connected, because their IP address and their MAC address are saved in this, in this cache,
01:38
this ARP cache. I could look at route information.
01:42
I can see what my
01:46
default gateway is,
01:48
.2 in this case.
01:51
IPv6 information is also available if I was interested in that.
01:57
So being able to, um, to poke around in the
02:04
in the file system is pretty handy. I can also do things like uploading and downloading files.
02:12
So, for instance, if I want to, I have to have the permission to read a file,
02:16
so if I do ls in my current directory,
02:20
I can see that I've got, um, got some global,
02:25
globally readable files. It looks like so I can try to do something like download
02:32
server.cert.
02:37
And we can see that that actually worked.
02:39
And if this is a certificate file, and we'll get into some of these things later, then that could be really useful. Now, where does this file go? Switch to my other command shell.
02:49
And if I go to
02:51
my Downloads directory
02:55
on my given system,
03:00
it's not there. Maybe it went to
03:04
root itself,
03:06
there it is.
03:07
So it did not go to my Downloads directory. It goes to whatever directory you launch your console from, and I was already in
03:14
root when I did that.
03:19
So I don't need this file. I'm gonna go ahead and delete it.
03:21
Control Page Up to switch back to my other tab. Remember your shortcuts.
03:28
So uploading, downloading files. I can also edit a file.
03:37
It's gonna look like, uh, my certificate's here.
03:39
This is probably my public cert.
03:44
So basically it throws you into, like, a vi
03:47
type editor,
03:50
which is very handy if you, you know, you don't want to have to pull a file back, edit the file, push it back out. That increases the odds of getting detected, right? So we want to always think about
04:01
taking the action that's required in the way that
04:05
creates the minimum amount of
04:08
traceable events.
04:13
So other things to think about
04:15
if I'm in my
04:16
I'm in my shell, my Meterpreter shell, I also have the ability to run
04:23
all kinds of post exploits.
04:26
And I can do that
04:30
by using the run command. There it is.
04:36
So executing a script, executing a post module, for instance, I might want to see if I can
04:43
get a hashdump from this system even though I know the Postgres password. That's not the administrator password. I might have to, you know, do some other work in order to
04:55
I'll be able to, uh,
04:58
get the root password or some other valuable things.
05:00
Um,
05:01
Tab completion does not work in a context like this, unfortunately. So I have to know what I'm typing in, but I'm gonna try to run... Actually, it's not a Windows system; that won't work.
05:15
Let me do this real quick
05:19
background this session
05:23
and
05:26
do a search for post. It's gonna give me a lot of information.
05:30
I thought I might be able to find
05:33
post for Linux. I'll scroll up here.
05:40
Post for multi.
05:46
Uh, looks like linux gather hashdump might be a good choice.
05:51
Go ahead and copy that.
05:53
Might have been faster to do a search for hashdump itself.
05:59
That's a shorter list. I know. That's what I want to do. So now I can go through and I can find the one that I was interested in.
06:05
Okay, so now I'm gonna go back to
06:10
session one, which is the one that my Meterpreter session is enabled in.
06:15
And what I can do is I can try to run this,
06:21
see if it actually works.
06:25
Oh, see, it doesn't work. I have to be root in order for that, which makes sense. All right, so we're seeing some of the limitations of the kind of command shell that you have. I have a Meterpreter shell, which is useful,
06:35
but it only lets me run
06:39
commands that the postgres user account
06:42
is authorized to run.
06:44
And this traces us back to the idea of the principle of least privilege, right? I don't want to run Postgres as root.
06:50
If I did that, and I'd also not changed the password, or with some other vulnerability, now when I get in and
06:57
compromise
07:00
the application or compromise the command,
07:03
rather the credentials. If the Postgres ID has root-type privileges, now I can do other powerful things that I wouldn't be able to do otherwise.
07:13
So there's good reasons for
07:15
for, ah,
07:16
respecting the principle of least privilege. You don't want to get
07:20
overly
07:23
generous with doling out privileges when you're building a system, for obvious reasons. I also might want to, for instance, run
07:31
some
07:33
command to see what processes are running on that remote system. So I just did a ps command,
07:39
and it basically gives you full ps output.
07:42
And this way I can tell with some detail
07:46
what's actually running on that remote system:
07:48
process ID numbers, parent process IDs, the name, and any paths that are relevant would all be shown here.
08:00
I notice I've got a bunch of things running. I've got
08:03
some applications, distccd, or rather distcc, the daemon for that.
08:11
I've got an Apache web server running.
08:13
Got some Ruby components running.
08:18
So a lot of things. Looks like I've got VNC running. So there's a lot of clues I've just uncovered for how I might go about
08:26
further compromising this system.
08:30
And I haven't even done a scan yet. I just happened to
08:31
to take a guess that the Postgres database
08:35
would have a default password, and it does. So I'm able to get in and get all of this, this information.
08:43
Let's run our help command one more time.
08:46
Other things we can do. I showed a few things, you know, like running a shell, ps command. I can kill a process, if I have permission to do so. I can execute commands.
08:58
I can even set up port forwarding, which might be useful depending on your,
09:05
your, your needs at the time.
09:11
And there's some other options I'm, uh, looking at, for, like, encoding, setting timeouts.
09:18
There are ways to try to get a picture from the Webcam.
09:24
I don't see that option in this context,
09:26
but other things to think about: I can suspend a process. I can also
09:31
run a sysinfo command to give me a concise output, kind of like a uname -a command would do on a UNIX system.
09:39
Give me some good details here
09:43
for what I would be,
09:45
other, other details I want to track for this remote system to know that I've got
09:50
something truly useful.
09:54
All right, so we'll definitely explore more features of the Meterpreter shell as we go through some of the demonstrations. But this is a good introduction. All right, see you in the next video.


Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor