Post Exploitation Modules Meterpreter

Windows Post Exploitation

To begin with, you will need to put your current Meterpreter session in the background; this can be done by running the following command:

background

The first module we can explore is the win_privs module, which can be used to automate the enumeration of the current user's privileges. We can load the module, configure the SESSION option and then run it using the following commands:

Enumerate current user privileges

As shown in the preceding screenshot, this module enumerates the privileges of the user you currently have access to on the target system and provides useful information such as whether the user is an administrator and whether UAC is enabled or disabled.

Enumerate Logged on Users

The next module we can use is enum_logged_on_users, which, as the name suggests, enumerates currently and previously logged-on users. Run the module:

As shown in the preceding screenshot, this module lists the currently and previously logged-on users along with the respective SIDs of their user accounts.

We can also check whether the target system is a virtual machine by leveraging a module called checkvm. This module tells you whether the target system is a VM or a container. Run the module:

As shown in the preceding screenshot, the module tells us that the target system is a virtual machine running on the Xen hypervisor.

Enumerate Applications

Another important module is the enum_applications module. This module enumerates the applications/programs installed on the target system. Run the module:

As shown in the preceding screenshot, the module enumerates the installed applications. This information is very useful, as it can be used to search for vulnerabilities in the installed programs that could be leveraged to elevate your privileges or reveal important information. It also gives you an idea of what this system is being used for.

Enumerate Computers

We can utilize the enum_computers module to enumerate the computers on the same LAN that the target is part of. Try running the module:

As shown in the preceding screenshot, the module reveals that the target system is not part of a Windows domain.

Enumerate Shares

We can also enumerate a list of shares by using the enum_shares module. Run the module:

As shown in the preceding screenshot, the module only finds the print share.

Gather domain info with post exploitation module

Enabling the RDP service using windows post exploitation module

Post exploitation to dump Linux hashes and crack them

Run the provided auxiliary module to find the plaintext password of the root user.

Post Exploitation Shell to Meterpreter

Linux Post Exploitation Modules

Configs Enumeration

Module 1: post/linux/gather/enum_configs

Link: https://www.rapid7.com/db/modules/post/linux/gather/enum_configs

Environment Variables

Module 2: post/linux/gather/env

Link: https://www.rapid7.com/db/modules/post/linux/gather/env

Network info

Module 3: post/linux/gather/enum_network

Link: https://www.rapid7.com/db/modules/post/linux/gather/enum_network

Command:

Enumerate Protections

Module 4: post/linux/gather/enum_protections

Link: https://www.rapid7.com/db/modules/post/linux/gather/enum_protections

System info

Module 5: post/linux/gather/enum_system

Link: https://www.rapid7.com/db/modules/post/linux/gather/enum_system

Check if docker

Module 6: post/linux/gather/checkcontainer

Link: https://www.rapid7.com/db/modules/post/linux/gather/checkcontainer

Check VM

Module 7: post/linux/gather/checkvm

Link: https://www.rapid7.com/db/modules/post/linux/gather/checkvm

Check Users history

Module 8: post/linux/gather/enum_users_history

Link: https://www.rapid7.com/db/modules/post/linux/gather/enum_users_history

Multi Manage sessions

Module 9: post/multi/manage/system_session

Link: https://www.rapid7.com/db/modules/post/multi/manage/system_session

Command:

Now, let's create a bash script, test.sh, that creates a user on the target machine; we will upload this file and execute it.

Now, let's start the Apache server on the attacker's machine and copy the test.sh file into the web root folder.

Command:

Now, let's use the download and exec post-exploitation module against the target machine.

Checking Executables

Module 10: post/linux/manage/download_exec

Link: https://www.rapid7.com/db/modules/post/linux/manage/download_exec

Command:

Let’s verify it by interacting with the session.

Command:

Gather SSH Creds

Module 11: post/multi/gather/ssh_creds

Link: https://www.rapid7.com/db/modules/post/multi/gather/ssh_creds

Command:

Docker Creds

Module 12: post/multi/gather/docker_creds

Link: https://www.rapid7.com/db/modules/post/multi/gather/docker_creds

Command:

Hashdump

Module 13: post/linux/gather/hashdump

Link: https://www.rapid7.com/db/modules/post/linux/gather/hashdump

Command:

eCryptfs Creds

Module 14: post/linux/gather/ecryptfs_creds

Link: https://www.rapid7.com/db/modules/post/linux/gather/ecryptfs_creds

Command:

Enum PSK

Module 15: post/linux/gather/enum_psk

Link: https://www.rapid7.com/db/modules/post/linux/gather/enum_psk

Command:

Enum Xchat

Module 16: post/linux/gather/enum_xchat

Link: https://www.rapid7.com/db/modules/post/linux/gather/enum_xchat

Command:

Module 17: post/linux/gather/phpmyadmin_credsteal

Link: https://www.rapid7.com/db/modules/post/linux/gather/phpmyadmin_credsteal

Command:

PPTPD Chap Secrets

Module 18: post/linux/gather/pptpd_chap_secrets

Link: https://www.rapid7.com/db/modules/post/linux/gather/pptpd_chap_secrets

Command:

SSH Key Persistence

Module 19: post/linux/manage/sshkey_persistence

Link: https://www.rapid7.com/db/modules/post/linux/manage/sshkey_persistence

Command:
