Meterpreter

As of this writing, the only way to remove the Meterpreter agent is to delete the registry entry in HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ and remove the VBScript located in C:\WINDOWS\TEMP\. Be sure to document the registry keys and locations (such as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\xEYnaHedooc) to remove them manually. Generally, you can do this through Meterpreter or drop to a shell and remove it that way. If you feel more comfortable using a GUI, you can use run vnc and remove the script with regedit. (Note that the registry keys will change each time, so make sure that you document where Metasploit adds the registry keys.)
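Because the Run value name is different on every run, a cleanup or detection check is more reliable when it keys on what the value launches rather than on its name. The script below is an added defender-side illustration, not code from the book or from the Metasploit project; the reg query output it parses is constructed.

```python
import re
from typing import NamedTuple

# Constructed sample of `reg query HKLM\...\Run` output (not captured from a real
# host). The last value mirrors the randomly named persistence entry described in
# the text; the other two stand in for ordinary autoruns.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    xEYnaHedooc    REG_SZ    C:\WINDOWS\TEMP\xEYnaHedooc.vbs
"""

# reg query prints each value as: <indent><name><spaces><REG_TYPE><spaces><data>
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")
TEMP_MARKERS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")

class RunEntry(NamedTuple):
    name: str
    reg_type: str
    data: str

def parse_reg_query(text: str) -> list[RunEntry]:
    """Parse the value lines of a `reg query` dump of the Run key."""
    return [RunEntry(m["name"], m["type"], m["data"])
            for m in map(VALUE_RE.match, text.splitlines()) if m]

def target_path(data: str) -> str:
    """First token of the command line: the quoted path, or up to the first space."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(maxsplit=1)[0] if data else ""

def suspicious_reasons(entry: RunEntry) -> list[str]:
    """Flag a Run value by what it launches, not by its (randomised) name."""
    path = target_path(entry.data).lower()
    reasons = []
    if any(marker in path for marker in TEMP_MARKERS):
        reasons.append("launches from a temp directory")
    if path.endswith(SCRIPT_EXTS):
        reasons.append("autorun target is a script, not a binary")
    return reasons

def suspicious_run_entries(text: str) -> dict[str, list[str]]:
    """Map each flagged value name to the reasons it was flagged."""
    return {e.name: r for e in parse_reg_query(text) if (r := suspicious_reasons(e))}

if __name__ == "__main__":
    for name, reasons in suspicious_run_entries(SAMPLE_REG_QUERY).items():
        print(f"{name}: {', '.join(reasons)}")
```

The flagged names are the ones to record before deleting them, as the text advises; the same check can be run against a reg query dump taken before and after an engagement to confirm cleanup.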

Leveraging Post Exploitation Modules

As mentioned earlier, the Meterpreter scripts are slowly being converted to post exploitation modules. The move to post exploitation modules will finally give a fully consistent standard and format to the Metasploit modules. As you read through later chapters, you'll see the overall structure of auxiliary modules and exploits. In the past, Meterpreter scripts used their own format, which was very different from the way other modules behaved.

One added benefit of moving the modules to the same format is the ability to perform the same attack on all sessions available. Suppose, for example, that you have 10 open Meterpreter shells. In the traditional fashion, you would need to run hashdump on each or write custom scripts to query through each console. In the new format, you would be able to interact with each session and perform the hashdump on multiple systems if needed.

The next listing shows an example of how to use the post exploitation modules:

meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY de4b35306c5f595438a2f78f768772d2...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...

To see a list of post exploitation modules, enter the following and then press the TAB key on your keyboard at the end of the line:

meterpreter > run post/

Upgrading Your Command Shell to Meterpreter

One of the newer features in the Metasploit Framework is its ability to upgrade a command shell payload to a Meterpreter payload once the system has been exploited, by issuing the sessions -u command. This is useful if we use a command shell payload as an initial stager and then find that this newly exploited system would make the perfect launching pad for further attacks