Meterpreter Scripting

One of the most powerful features of Meterpreter is the versatility and ease of adding additional features. This is accomplished through the Meterpreter scripting environment. This section will cover the automation of tasks in a Meterpreter session through the use of this scripting environment, how you can take advantage of Meterpreter scripting, and how to write your own scripts to solve your unique needs.

Before diving right in, it is worth covering a few items. Like all of the Metasploit Framework, the scripts we will be dealing with are written in Ruby and located in the main Metasploit directory in scripts/meterpreter. If you are not familiar with Ruby, a great resource for learning Ruby is the online book “Programming Ruby”.

Before starting, please take a few minutes to review the current Subversion repository of Meterpreter scripts. It is a great resource for seeing how others are approaching problems, and you may find code there that you can borrow.


Existing Scripts

Metasploit comes with a ton of useful scripts that can aid you in the Metasploit Framework. These scripts are typically written by third parties and eventually adopted into the Subversion repository. We’ll run through some of them and walk you through how you can use them in your own penetration test.

The scripts mentioned below are intended to be used with a Meterpreter shell after the successful compromise of a target. Once you have gained a session with the target you can utilize these scripts to best suit your needs.

Read more @ offensive-security.com/metasploit-unleashed/Existing_Scripts


Writing Meterpreter Scripts

There are a few things you need to keep in mind when creating a new Meterpreter script.

  • Not all versions of Windows are the same.
  • Some versions of Windows have security countermeasures for some of the commands.
  • Not all command line tools are in all versions of Windows.
  • Some of the command line tools’ switches vary depending on the version of Windows.

In short, these are the same constraints that you have when working with standard exploitation methods. MSF can be of great help, but it can’t change the fundamentals of the target. Keeping this in mind can save a lot of frustration down the road, so keep your target’s Windows version and service pack in mind, and build to it.

For our purposes, we are going to create a stand-alone binary that, when run on the target system, creates a reverse Meterpreter shell back to us. This rules out any problems with an exploit as we work through our script development.

Read more @ offensive-security.com/metasploit-unleashed/Writing_Meterpreter_Scripts


Custom Scripting

Now that we have a feel for how to use irb to test API calls, let’s look at what objects are returned and test basic constructs. No first script would be complete without the standard “Hello World”, so let’s create a script named “helloworld.rb” and save it to /pentest/exploits/framework/scripts/meterpreter.

Read more @ offensive-security.com/metasploit-unleashed/Custom_Scripting


Useful API Calls

We will cover some common API calls for scripting the Meterpreter and write a script using some of these API calls. For further API calls and examples, look at the Command Dispatcher code and the REX documentation that was mentioned earlier.

For this, it is easiest for us to use the irb shell, which can be used to run API calls directly and see what is returned by these calls. We enter irb by running the ‘irb’ command from the Meterpreter shell.

Read more @ offensive-security.com/metasploit-unleashed/Useful_API_Calls


Useful Functions

Let’s look at a few other functions which could be useful in building a Meterpreter script. Feel free to reuse these as needed.

Read more @ offensive-security.com/metasploit-unleashed/Useful_Functions

Maintaining Access

After successfully compromising a host, if the rules of engagement permit it, it is frequently a good idea to ensure that you will be able to maintain your access for further examination or penetration of the target network. This also ensures that you will be able to reconnect to your victim if you are using a one-off exploit or crash a service on the target. In situations like these, you may not be able to regain access until a reboot of the target is performed.

Once you have gained access to one system, you can ultimately gain access to the systems that share the same subnet. Pivoting from one system to another, gaining information about the users’ activities by monitoring their keystrokes, and impersonating users with captured tokens are just a few of the techniques we will describe further in this module.


Keylogging

After you have exploited a system there are two different approaches you can take: either smash and grab, or low and slow.

Low and slow can lead to a ton of great information, if you have the patience and discipline. One tool you can use for low and slow information gathering is the keystroke logger script with Meterpreter. This tool is very well designed, allowing you to capture all keyboard input from the system, without writing anything to disk, leaving a minimal forensic footprint for investigators to later follow up on. Perfect for getting passwords, user accounts, and all sorts of other valuable information.

Let’s take a look at it in action. First, we will exploit a system as normal.

Read more @ offensive-security.com/metasploit-unleashed/Keylogging


Meterpreter Backdoor

After going through all the hard work of exploiting a system, it’s often a good idea to leave yourself an easier way back into the system later. This way, if the service you exploited is down or patched, you can still gain access to the system. To read about the original implementation of metsvc, go to http://www.phreedom.org/software/metsvc/.

Using the metsvc backdoor, you can gain a Meterpreter shell at any point.

One word of warning here before we go any further. Metsvc as shown here requires no authentication. This means that anyone that gains access to the port could access your back door! This is not a good thing if you are conducting a penetration test, as this could be a significant risk. In a real world situation, you would either alter the source to require authentication, or filter out remote connections to the port through some other method.

First, we exploit the remote system and migrate to the ‘Explorer.exe’ process in case the user notices the exploited service is not responding and decides to kill it.

Read more @ offensive-security.com/metasploit-unleashed/Meterpreter_Backdoor


Persistent Backdoors

Maintaining access is a very important phase of penetration testing; unfortunately, it is one that is often overlooked. Most penetration testers get carried away whenever administrative access is obtained, so if the system is later patched, they no longer have access to it.

Persistent backdoors help us access a system we have successfully compromised in the past. It is important to note that they may be out of scope during a penetration test; however, being familiar with them is of paramount importance. Let us look at a few persistent backdoors now!


Netcat Backdoor

In this example, instead of looking up information on the remote system, we will be installing a netcat backdoor. This includes changes to the system registry and firewall.

First, we must upload a copy of netcat to the remote system.

Read more @ offensive-security.com/metasploit-unleashed/Netcat_Backdoor


Meterpreter Service

After going through all the hard work of exploiting a system, it’s often a good idea to leave yourself an easier way back into the system later. This way, if the service you exploited is down or patched, you can still gain access to the system. Metasploit has a Meterpreter script, persistence.rb, that will create a Meterpreter service that will be available to you even if the remote system is rebooted.

One word of warning here before we go any further. The persistent Meterpreter as shown here requires no authentication. This means that anyone that gains access to the port could access your back door! This is not a good thing if you are conducting a penetration test, as this could be a significant risk. In a real world situation, be sure to exercise the utmost caution and be sure to clean up after yourself when the engagement is done.

Once we’ve initially exploited the host, we run the persistence script with the ‘-h’ switch to see which options are available:

Read more @ offensive-security.com/metasploit-unleashed/Meterpreter_Service