Basics of Meterpreter
In this section, we are going to learn how to interact with Metasploit's Meterpreter. In Linux, the help command is used to get information about a specific command. So, the first thing that we are going to do is run the help command, to get a full list of all the commands that we can run. It also gives us a description of what each command does, as shown in the following screenshot:
The first thing that we are going to highlight is the background command, as shown in the following screenshot:
The background command is used to background the current session without terminating it. This command is very similar to minimizing a window. So, after running the background command, we can go back to Metasploit and run other commands to further exploit the target machine, while maintaining our connection to the computer that we just hacked. We will use the sessions -l command to see a list of all the computers and sessions that we have in use. In the following screenshot, we can see that we still have the Meterpreter session, and it is between our device, which is 10.0.2.15, and the target device, which is 10.0.2.5:
If we want to go back to the previous session to run Meterpreter commands again, we have to run the sessions command with -i (for interact), followed by the session ID, which is 2, as shown in the following screenshot:
Another command that we will run whenever we hack into a system is the sysinfo command. The sysinfo command shows us information about the target computer. In the following screenshot, we can see that it shows us the computer's name, its operating system, and its architecture. We can also see that it is a 64-bit computer, so if we want to run executables on the target machine in the future, we know that we will need to create 64-bit executables:
We can see that it uses the English language, the workgroup that the computer belongs to, and the user ID that is logged in. We can also see the version of Meterpreter that is running on the target machine, which is actually a 32-bit version.
Another useful command for information gathering is ipconfig. The ipconfig command shows us all of the interfaces that are connected to the target computer, as shown in the following screenshot:
In the preceding screenshot, we can see Interface 1, its MAC address, its IP address, and even the IPv4 address, which is connected to multiple networks. We can also see all of the other interfaces and how to interact with them.
Another useful command that is used for information gathering is the ps command. The ps command lists all of the processes that are running on the target computer. These processes might be background processes or actual programs that are running in the foreground as Windows programs with GUIs. In the following screenshot, we can see a list of all the running processes, along with each one's name and ID, or PID:
One interesting process is explorer.exe. It is the graphical interface of Windows. In the preceding screenshot, we can see that it is running with PID 4744:
Once we have hacked into a system, it is a good idea to migrate from the process that we are currently running in into a process that is safer. For example, explorer.exe is the graphical interface of Windows, and this process is always running as long as the user is using their device. This means that this process is much safer than the process through which we gained access to the computer. For example, if we gained access through a program or an executable, we will lose the session when the person closes that program. A better method is to migrate to a process that is less likely to be terminated or closed. To do this, we are going to use the migrate command, which moves our current session into a different process. We will use the explorer.exe process, because it is safe.
We are going to use the migrate 4744 command, where 4744 is the PID of the explorer.exe process. The command is as follows:
From that moment, Meterpreter is running from within the explorer.exe process. Now, if we open the Task Manager on the target machine, run Resource Manager, go to the Network tab, and then to TCP Connections, we are able to see that the connection on port 8080 is coming from the explorer.exe process, as shown in the following screenshot:
So, from the target machine's point of view, the connection is not coming from a backdoor, our payload, or a malicious file; it is running through explorer.exe, which does not look suspicious on the target machine. Similarly, if we see Chrome or Firefox running, we are able to migrate to those processes. And, if we are using port 8080 or 80 for the connection, it is going to look even less suspicious, because web servers use port 8080 or 80, so it is very natural to have a connection through them.
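From the defender's side, the view described above (which process owns which TCP connection) is exactly what a baseline check can automate. The following Python script is an added example, not code from the original page or from Metasploit: it parses constructed `netstat -ano` and `tasklist` output (the sample lines, PIDs and addresses are made up for this example) and flags established, non-loopback connections owned by processes that normally have no reason to hold one, such as explorer.exe. The `NO_OUTBOUND_EXPECTED` set is an assumption to tune per environment, and the destination port (8080 or 80) is deliberately not used to clear a connection, since an ordinary-looking port does not make the owning process ordinary.

```python
import re

# Constructed sample of `netstat -ano` output from a Windows host (not from the original page).
# The explorer.exe connection to 10.0.2.15:8080 mirrors the situation the text describes.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    10.0.2.5:49712         10.0.2.15:8080         ESTABLISHED     4744
  TCP    10.0.2.5:49720         93.184.216.34:443      ESTABLISHED     5120
  TCP    127.0.0.1:49664        127.0.0.1:49665        ESTABLISHED     2308
  UDP    0.0.0.0:5353           *:*                                    1204
"""

# Constructed sample of `tasklist` output, used to map PIDs to image names.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    880 Services                   0     12,344 K
svchost.exe                   1204 Services                   0      8,100 K
explorer.exe                  4744 Console                    1     88,120 K
chrome.exe                    5120 Console                    1    210,004 K
svchost.exe                   2308 Services                   0      9,872 K
"""

# Assumption for this example: processes that, on a normal workstation, should not hold a
# long-lived outbound TCP connection to another host. Tune this set per environment.
NO_OUTBOUND_EXPECTED = {"explorer.exe", "lsass.exe", "winlogon.exe", "services.exe", "notepad.exe"}


def parse_netstat(text):
    """Return a list of dicts (proto, local, remote, state, pid) from `netstat -ano` text."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # skip banner and header lines
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""  # UDP rows carry no state column
        else:
            continue  # malformed row, ignore rather than guess
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Return {pid: image_name} from `tasklist` text."""
    pid_to_image = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s+", line)
        if m and not line.startswith("="):
            pid_to_image[int(m.group(2))] = m.group(1)
    return pid_to_image


def is_loopback(host):
    """True for IPv4/IPv6 loopback addresses as printed by netstat."""
    return host.startswith("127.") or host in ("[::1]", "::1")


def find_suspicious_connections(netstat_text, tasklist_text):
    """Flag established, non-loopback TCP connections owned by processes not expected to have any."""
    pid_to_image = parse_tasklist(tasklist_text)
    hits = []
    for row in parse_netstat(netstat_text):
        if row["proto"] != "TCP" or row["state"] != "ESTABLISHED":
            continue
        host, port = row["remote"].rsplit(":", 1)
        if is_loopback(host):
            continue
        image = pid_to_image.get(row["pid"], "<unknown>")
        if image.lower() in NO_OUTBOUND_EXPECTED:
            # Report the port for context only; 80/8080 do not exempt the connection.
            hits.append({"pid": row["pid"], "image": image, "remote": row["remote"],
                         "reason": f"{image} holds an outbound TCP session to {host} on port {port}"})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"[!] PID {hit['pid']} {hit['reason']}")
```

On the constructed sample this reports only the explorer.exe session to 10.0.2.15:8080; the chrome.exe connection on port 443 is left alone because a browser is expected to talk to the network, and the loopback svchost.exe pair is skipped. A real deployment would run the same logic against live `netstat -ano` and `tasklist` output and compare against a baseline of which images are allowed to hold outbound sessions.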