EC Council CEH 312-50 V11 Topic: Post Exploitation
December 19, 2022

1. Meterpreter Basics

In today’s lecture, we’re going to learn some basics about how to interact with Metasploit’s meterpreter. So I already have a session here, and as you can see, it just says “meterpreter” in Linux, and the help command is always the best command you can run in any command line. So the first thing we’ll do is offer our assistance. And as you can see, you get a big list of all the commands that you can run and a description of what each of these commands does. So I’m going to show you some basics. Right now, the first thing that I want to show you is the background command. So background will effectively suspend the current session, rather than terminating it. It’ll just be very similar to minimizing a window.

So when I run background, I’ll go back to Metasploit, as you can see there. And I can run other Metasploit exploits to further exploit the target machine or just to exploit other machines while maintaining my connection to the computer that I just hacked. So to see a list of all the computers or sessions that we have, we can just run sessions to list the current sessions. And as you can see, we have a session here, meterpreter. So it’s still there; we didn’t lose it. And it’s between our device and the target device, which is 206. Now, in order to get back into that session to interact with the meterpreter again, all I need to do is run sessions again, minus the “interact.” And then I’m going to put number two, which is the ID of the session. And as you can see, I’m back in the meterpreter session. Another command that I want to show you is desisting information.

 And you see me run every time I hack into a system. And the reason for this command is that it shows you information about the target computer. So it shows us the computer name. Right here, we can see the operating system of the target computer. And with Windows 10, we can see the architecture. So it’s a 64-bit computer. So that in the future, if you wanted to run some executables on that target, we’d know it’s 64-bit and create 64-bit executables. We can see that the language is English, the workgroup that it’s working on, and the user ID that is logged in. And we can see the version of Meterpreter that’s running on the target machine, and it’s actually a 32-bit version of Meterpreter. Another useful command for gathering information is IP conflict. Now, IP conflict is very similar to the IP conflict that you get when you run command prompt on a Windows machine. and it’ll show you all the interfaces that are connected to the target computer.

We can see, for example, interface one, the Mac address, the IP address, and the interface that is connected to our network and from which we obtained the connection. So if the device is connected to multiple networks, you’ll be able to see all the interfaces and how to interact with them. Another useful information-gathering command that you can run is PS. Now PS will list all the processes that are running on the target computer. So these might be background processes or actual programmers running in the foreground as Windows programmers or GUIs. You can see the name of each process here, and then you can see the ID or PID in which it’s running. An interesting process is the Explorer TXE, which is literally the graphical interface of Windows.

And we can see that it’s running on process ID 1116. Now, a very good idea once you hack into a system is to migrate the process—the current process that you’re running on—into a process that is safer than your current process. For example, the Explorer is the graphical interface of Windows. So it’s always running as long as the person is using their device. So it’s much safer than the process that you gained access to the computer through. For example, if you gain access through an executable or a program, you will lose that access as soon as the person closes that program. So a better way to do it is to migrate to a process that is less likely to be closed or terminated. So what we’re going to do is use a command called “migrate” to move our current session into a different process. And we’re going to use the Explorer process because it’s very safe and there is no such process, obviously. So it should be two 1116, and the immigration should be successful. The meterpreter is now running from the Explorer executable.

Now if we go to the task manager on the target computer and run my system monitor or resource monitor, I’m sorry. Now if we go on the network and go into CP connections, you’ll see that the connection here on port 80 is coming from Explorer TXE. So it’s not coming from a malicious file. Our payload, or backdoor, is actually running through the Explorer. Now if you’ve seen Firefox or Chrome, you can migrate to that process, especially if you’re connecting through port 80 80 or you can use 80. Then it’s going to look even less suspicious because 80 and 80 are the ports used by web servers. So it’s very natural to have a connection. 80 or 80 80.

2. File System Commands

Now we’re going to learn more commands that will allow us to navigate, list, read, download, upload, and even execute files on the target computer. So I have my Meterpreter session right here, and the first thing that I’m going to do is get my current working directory using the PWD command. And as you can see, I’m in “Users” at the moment. Now if I want to list all the files and directories, I’m going to use LS, and let’s say that I want to navigate to this file, i.e., user, I’m going to do CD user, and if I do PWD, now you’ll see that I’m in users, i.e., user. And let’s go into downloads; list the files. As you can see now in the files that we listed, we have a file here called “passwords.txt.” So this seems like an interesting file. So let’s see if we want to read this file.

All I have to do to read it is type cat and passwords TXT. And as you can see, it contains tests one and two. So if I go here and run the file, you can see that this is the actual content of the file. Now let’s say that I really want this file and I want to keep it for later. Then I can download that file. To do that, we’re just going to say “download” and put the file name, which is passwords TXT. Now the file has been downloaded successfully, and if I go to my root folder, you’ll see that I have a file called “passwords,” and it contains tests one and two. Let’s say that I have a backdoor, a virus, a Trojan horse, or a keylogger that I want to upload on the target computer. I can do that very easily. Now I’ll return to my root, specifically to show you a file called backdoorcalc.exe. So we’re going to try to upload that file, and to do that, we’re just going to run upload, put the file name, and hit enter. And as you can see now, the file has been uploaded successfully.

Now let’s check the list to make sure that the file exists, and we can see that we have a new file called backdoor calc exe. and to execute this file on the target computer. Now we’ve only uploaded it, so if it was a virus or a keylogger and you want to execute it, all you have to do is execute and specify the file that you’d like to execute after the F command, and then type in the name of the file. So it’s backdoor calc.exe in this case. And, as you can see, process 3128 has been created. So my backdoor has been executed. If you uploaded a virus or anything else, it will do what it’s supposed to do because you just executed that file. Another feature that I want to show you is Shell, which basically just converts the current Metasploit or Meterpreter session into the operating system shell. So if I just type in Shell, you’ll see that I’ll get a Windows prompt or Windows command line where I can execute Windows commands. As you can see, now it’s on a different channel, and I can run any Windows command that I want through this now.

So I can just do that to just add directories. I can do Ipconfig or use any Windows command that I want exactly, like running the commands through the command prompt. There are many more commands available for file system management now. So if you type in “help” and go to the Filesystem section, you’ll see that you can edit and download. We showed that you can move a file to another file. It can also rename files, delete files, remove directories, and perform searches. So there are so many more things that you can do with File System; this was just an overview of the beta, basic, or main commands that you can use when managing the file system of the target computer.

3. Maintaining Access – Basic Methods

In all of the scenarios and videos we’ve done so far, we would lose our connection to the target computer as soon as the target person restarted their computer because we used a normal backdoor. And once they restart their computer, our backdoor will be terminated. The process will be terminated, and we’ll lose the connection. So in today’s lecture, we’re going to talk about methods that will allow us to maintain our access to the target computer so that we can come back at any time and regain full control over that computer. So there are a number of methods to do that. The first is to use Ville Evasion, and instead of the normal backdoor, we can use the HTTP backdoor that we created, which can be a Http service or a TCP service. So I’ll actually show you here. If I just run Ville Evasion and do a list, you’ll see that we have at number seven right here and at number five service back doors, so you can use any of them.

If I use five and we can see the information, all you need to do is set up your Lost, enter the Lost, and then generate the back door. And once you’ve created it, you can use it, combine it with other information, and send it to the intended recipient, as we did. Or you can upload it using the upload command that we learned and then execute it. And that will install the back door as a service on the target computer. So then all you need to do is use the multihandler, and anytime the target computer starts, it’ll try to connect back to you because this is a reverse shell. Now, I’m not going to be explaining this method because it’s very simple. We’ve done something very similar to it before. We created a backdoor using Ville Evasion, and we uploaded stuff to the direct computer. So all you have to do is create a backdoor upload, have it executed, and you’re done. Also, it doesn’t always work. So that’s why I’m not going to be explaining it.

The normal backdoors are much more reliable. That’s why I used a normal backdoor when I was combining it with stuff and changing its icon and all that. The other method is to use a module that comes with Meterpreter called Persistence. And let me show you how you use that. So if you wanted to use that, all you need to do is run, and the name of the module is Persistence. So we’re going to type that down, and then I’m going to put a minus sign to see the help menu to show me all the options that I can set up. You can begin a multi-handler set of ways with the letter A. You don’t really need to do that. You don’t really need to change the location where the battery will be installed. The minus P option will specify the payload again. Windows Meter Repetitive Verse TCP is a really good payload, so you don’t really need to mess with that.

S is to get it to start using system privileges. Now, as you’ve seen before, we don’t have system privileges; we have normal user privileges. So what you should be using is minus U, and then you can use minus I to set up the amount of time that the back door will try to connect back to you. So it will try to connect every 10 seconds, or 20 seconds, or 15 seconds, whatever you specify, with P to specify the port and R to specify your computer, the IP of your computer. So all you have to do to run this is run persistence. Start it under user privileges by pressing minus U. I’d use the interval. I’d probably put it at 20 seconds, so it will try to connect back to me every 20 seconds. And then I’d use the minus sign, and I’d probably put 80 because, as I said, port 80 doesn’t look suspicious, so the target person will see that there are connections trying to come out of port 80, which is cool, but it’s not really suspicious. I’d then use minus R to specify my IP address, which is 1020 14 to 3.

So very simply, persistence is the module that you’re going to be using. You can tell it to run under user privileges. I is the number of seconds between attempts to connect to you, p is the port you’ll be listening on, and R is your port. Sorry for not including your IP address. Now, obviously, once you run this, if you wanted to receive a connection, you would have to start multihandler on port 80 or on the selected port and use the selected payload. The problem with this method is that it’s detectable by antivirus programs. So therefore, I’m not going to be explaining it. I’m going to explain a combination of both of these methods that will not be detectable by antivirus software and is much more robust than the first method using Ville evaporation.

4. Maintaining Access – Using a Reliable & Undetectable Method

What we’re going to do is use our backdoor, the normal HTTP reverse meterpreter backdoor that we created in the first video when we created an undetectable backdoor. We’ll use that and inject it as a service so that it runs every time the target person boots up their computer and tries to connect to us after a certain amount of time. To accomplish this, I’ll first control see this, and then I’ll background the current session. So we’ve seen that before. You can do the background, and I can still interact with that session on number one. And I’m going to use a module. So this is like the multi-handler module that comes with Metasploit, and it’s called Exploit Windows Local Persistence. Then I’m going to show its options to see what we need to configure. So you can see here that we have similar options to what we’ve seen with the Metasploit service. So the first thing is the amount of time that the target will try to connect back to us. So the interval is 10 seconds, and I’m going to keep that to 10 seconds.

So every 10 seconds, the target computer will try to connect back to me. DxE is now the name that will appear under the processes from which the connection is returning. So I’m going to set that to “less detectable” in the browser. So we’re going to set the Exe name to “browser” or “Exe,” and then the path where the payload or the backdoor will be installed. I’ll leave that the same. I’m going to keep the registry name and entry the same. This is very important. You need to specify which session you want to run this exploit on. And as you can see now, we were using session number one. That’s our meterpreter session. And if I do sessions, it’s a list of the available sessions, and we can see that it’s ID number one. So what we need to do is set our session here to number one. As a result, I’m going to set the session to one. Okay? And we’re going to leave the startup to the user person, to the user privileges. Now let’s show the options. So the browser and session number one are both good. Now we need to do one thing, which is the most important thing: specify the payload that will be injected as a service. So to do that, we’re going to do a Show Advanced.

And we haven’t seen this before. So every module has advanced options that we hadn’t looked at before. So Show Advanced will show you the advanced options that you can set up for this particular module. So when I run this, you’ll see that I’ll get so many more options. And the one that we’re interested in is this one. So it’s called “Exe Custom,” which means that we’re going to use a custom exe to run and inject into the target computer as a service. So I’m going to use VAR www HTML backdoor exe as my execution. As you may recall, I had that running on backdoor and stored in varw HTML backdoor exe. So I’m going to hit enter, and I’m just going to do “show advanced” again to make sure that it was set up properly because sometimes I misspell things and it’s vary humpback exe.

So that’s perfect. Everything is good to go. I’m going to exploit this, and that will upload VARW HTMLPack exe on the target computer using the session that we specified. Session number one, as you can see now, has been uploaded and installed, and one important thing that you need to keep in mind is this resource file because you can use it to clean up and delete the back door once you’re done. So if you don’t want the back door anymore on the target computer, you can use this file to delete that back door. So I’m going to start that in a leaf pad here so that I can run it and delete my back door if I ever want to. If I do sessions, I still have my session here and can interact with it. So what I’m going to do is actually kill that session; I’m going to kill all my sessions. And now, as you can see, I have no connections with the target computer. And I’m going to use my exploit-multi handler so I can listen for incoming connections, and everything is already configured correctly on this. So I have my right port and my right IP. Now if I exploit this right now, I’ll get a connection right away because my backdoor has been injected into the target computer on port 80, 80 on reverse HTTP, but I’m not going to do that now.

I’m going to restart the target computer just to show you that I’m always connected to this computer now. So I’m just going to do a normal restart. So this computer will basically try to connect back to me every 10 seconds. No matter how many times they restarted it, they shut it down. Every time this computer is running, it will try to connect back to me every 10 seconds. So all I have to do is run the Meterpreter handler and wait for connections. Now that this computer is running, as you can see, it doesn’t have to be at startup when I’m listening, and I’m just going to do an exploit to listen, and it will take a maximum of 10 seconds to get a connection back. And as you can see, I established a connection to the target computer. I can do CIS info and run all the commands that we have learned so far on that computer and have full access to it.

5. Spying – Capturing Key Strikes & Taking Screen Shots

In this video, we’ll see how we can log any mouse or keyboard event that happens on the target computer. We’re going to do that using a plugin or a module that comes in with a meterpreter. So I have my meterpreter here already, and to do that, all you need to do is just type “Key scan start.” All of this is now available in the Help. You’ll see it if you run the help, and it now starts in my keyboard. Sniffer, I have Firefox open here, and let’s say I wanted to go to and then log in to my now, as you can see, it’s https here, and everything is fine. Let’s say I want to log in to my account, so I’ll enter my account name, zay isecurity.organd, and my password, which is 123456. Now obviously this is the wrong password; I’m just trying to show you here.

Now, if we come back here to see the log of everything that has been recorded, we’re going to type in keyscandump. Now, as you can see, we can see that the target person typed in, hit enter, then put their username, which is [email protected], hit tab, and then put the password, 123456. Now, this will obviously record everything that happens in there. You can also do KeyScan Stop, which will stop the sniffer because we can now stop it. Now, another cool thing that you can do is get a screenshot. So you can just type in a screenshot. If I spell that right, it will save it here for you in the root. Now, if I go to my browser, you’ll see that I have a screenshot.

This one, I believe, is showing you what’s on the target computer. You can see it here. Now, these are just two useful features. The key login is very useful because you can get usernames and passwords from it and see what the target person is doing. The screenshot gives you a good idea of what they’re doing, but the keylogger is far more useful. Now obviously you can use other keylogger programs, like a portable keylogger, and all you have to do is just upload it using the upload command that we learned before and executed.

6. Pivoting – Theory (What is Pivoting?)

In today’s lecture and the next few lectures, we’re going to talk about pivoting. We’re going to assume that our target is this metasploitable device. Now, each one of these circles, the big circles, we’re going to assume is a network. And as you can see, the metasploitable device is not visible to the hacker, so the hacker cannot see this device. This device is hidden either behind the network or for some other reason. The hacker is not able to ping or access the IP address of this device. So, in our example, we’ll assume it exists in a different internal network.

So we can see that this big network has four devices. It has the metasploitable device; it has an iPhone, another device; and the Windows device, which we hacked. and we can see that it’s in red. And the hacker can be found in this smaller network. And there are only two devices. There is the hacker and the red device, the Windows 10 device, which we hacked. So the target of pivoting is to use the device that we hacked, the common device in the middle, to compromise other devices that only this device has access to. So our target, the hacker, cannot see the target, which is the meta-split device. But the device that we just hacked, the Windows device, can see that device because they’re on the same network.

So in our next video, we’re going to try to hack into the metasploitable device. While the metasploitable device is not going to be visible to the hacker, which is the Kali device, the only way to access the metasploitable is through the Windows device, which we are going to use as a pivot in order to hack this device right there. Now, to replicate this network layout, we’ll need to modify the network settings of the virtual machines in our lab. So I have VMware running here already, and I’m going to zoom in. And first of all, I just want to show you the network settings for Kali. So I’m going to click on Edit settings, and if we click on Network, you’ll notice that it is connected to an AT network. This is the option that we’ve been using throughout the course, and I’m actually going to keep it the same because Kylie is the machine that we use to hack into other computers. It’s going to be connected to the network, and we’re going to use it to gain initial access to the Windows machine. So let’s go ahead and have a look at the Windows machine. So I’m going to click it here, and I’m going to click on its settings, and we’re going to go to the network. And if we zoom in, you’ll see that this is connected to an app network.

We need this because, as I said, we’re going to use the Kali machine to hack into this machine to gain our initial access. But if we go back to the layout, you’ll notice that the Windows machine is going to be the machine that we’re going to use as a pivot to hack into the other network. So it’ll be the link between two networks: the one to which Kali is connected and an unreachable network to which we actually want to hack. As a result, because this is supposed to be a pivot, and as shown in the layout, it must be connected to two networks. So right now, it’s already connected to the network in here, as we can see, which is the same network that Cali is connected to. And we need this to gain our initial access. But we’re also going to click on the ad in here and add another network adapter for this computer so that it has two network adapters so that we can connect it to two networks, and we’re going to set this network’s settings to “bridged” instead of “unbridged.” So now Windows has two network adapters. Adapter. One is connected to the Nat network, which is the same network that Kali is connected to, so that we can gain initial access to it. And then it’s also connected to another network that Kali cannot see.

It’s an unreachable network for Kali. And that’s the goal of this scenario. It’s the goal of this module to try to reach this unreachable network. And for this second network, we set it to use a bridge connection. So we’re happy with this. We’re going to click OK, and we’re going to go to the metasploitable computer, and we’re actually going to set this computer to also be connected to the same bridge network that the Windows machine is connected to, so this way this metasploitable machine is unreachable to Kali because it’s connected to a completely different network than Kali. Therefore, Kali cannot directly communicate with it and cannot hack it, even if it’s vulnerable. Therefore, we’re going to have to hack into the Windows machine, use the Windows machine as a pivot because it is the link between the two computers and between the two networks, to hack into this unreachable network or into this unreachable computer. So I’m going to zoom out, and I’m going to click on OK, and we are done now.

So let’s go back to the network layout with labels, and as you can see now, both Kali and Windows are connected to the Nat network, and therefore they can communicate with each other. Like I said, we’re going to gain our initial access through this Windows network, and then we’re going to set up pivoting rules so we can use the Windows machine to access the unreachable metasploitable machine. On the other hand, we have the Metasploitable machine, whose network settings are set to bridge, so it’s unreachable to Kali but reachable to the Windows machine because we configure the Windows machine to have two adapters, one of which can connect to the same network as Kali and the other of which can connect to the same network as Metasploitable. And therefore, if somebody wants to hack into Metasploitable, they’ll have to hack into Kali and use it as a pivot to access this unreachable network. And that’s what we’re going to do in the next lecture.

7. Pivoting – Using a Hacked System to Hack Into Other Systems

Now that we understand the concept of pivoting, it’s really not that difficult to perform. All we need to do is upload any tool we need to use. For example, if you wanted to use Nap or ARP Spoof or Dsnf, you could upload any of these tools, run them on this computer, which is connected to this big network, and then run a port scanner on it. You can use ARP poisoning and man-in-the-middle attacks, as we previously learned. So it’s very simple. All they have to do is use the upload command, upload it here, and use it from the command line, like we were using it anyway in the previous videos. What I’m going to show you today is how to set up a route between the hacked computer and your computer so that you can use any metasploit auxiliary or module against this big network. So we’ll be able to use Metasploit exploits, we’ll be able to use port scanners that come in with Metasploit, and other useful modules. To do that, we’re going to use a module called Auto react.

Let me show you first how, if I try to run an exploit on the target computer, on the metasploitable computer, it’s not going to work because it’s not visible to me. So I’m going to do a sessions list, and you’ll see that I already have a connection with the Windows computer here. So I’ve already hacked it and will use exploit multi-timba and user map script. Now, we already used this exploit against the Meta Exploitable before, but it was on the same network, so it was visible to us. What we’re doing now is trying to attack a device that is not visible to us.

And then I’m going to show you options. I’m going to set my rhost to 1020 1544 because that’s the IP of the metasploitable device. Then I’m going to do show payloads, and I’m going to use this payload right here. So I’m going to set the payload for these show options. Everything is set up properly. So I’m going to do an exploit, and you’ll see that this exploit will time out because, if we go back to the diagram here, this device cannot see this device, so it’s trying to run an exploit on this device even though this device has that vulnerability.

But I won’t be able to use it because I can’t see that device. And as you can see now from the exploit’s failed connection timeouts, we just couldn’t connect to the target computer. So now I’m going to interact with my meterpreter on ID 1, which is session ID 1. So I’m in my meterpreter. I’m going to run Fconfig first to see what my network looked like or the networks to which the target computer is connected so we can see all of the interfaces that are connected to the target computer. and I’m going to look for interfaces with IP addresses. So we have this interface; number four has an IP address, and we can see that this IP address is on our network, so it’s really not very useful. It’s already on our network; we’re on 1020-14 anyway on that subnet. So this one is not very useful for me. Another one that I can see is this one, which is connected to 1020-15 five.So it’s on a different subnet right here, which I cannot see from my Kali Linux device. So I’m going to try to set up a route between this subnet and my current subnet.

So I’m going to copy this and then put my current session in the background. So I’m back into Metasploit, and I’ll clear this. Then I’m going to use post-manage. Now by the way, at any stage of this, ifyou want to see all the managed modules for example,you can just leave it at this and double tapand you’ll see all the manage modules and you cantry and use them and experiment with them. So the one that we want to use is auto route, and I’m going to do show options to see the options that I can set, and we have two options that we need to set: the session that we had and the subnet. So I’m going to set the session first, and it’s session number one, and then I’m going to set the subnet to what we saw when we did the ifconfig command; it was 1020, 15, and I’m going to put a zero on it. So again, we’re using the very simple commands we’ve already learned and set in the session to number one.

That’s the session that we hacked for the Windows, and the subnet is the subnet that the Windows is connected to but we don’t have access to. So it’s the 1020 I’m going to exploit, and this will create the connection or route between my device and the Windows device. So what I’m going to do now is go back to the same exploit that I tried at the start of the video, and you’ll see that the exploit is going to work because the Windows device is visible to me now. So instead of using that exploit, you can use, as I said, port scanners or discovery modules that come with Metasploit or any other module that comes with Metasploit because my device can now see the target computer. It can see this metasploitable device because it was not visible to me at the start. But now that I’m connected to this computer, I’ve set up a route between this network and my computer, and I can see the metasploitable device. So I’m going to use the same exploit that I used previously, which was exploit multisambai user map script; just clear that. Now I’ll show the options, and I’ll leave them alone because everything is already set up correctly, so I’ll just do exploit and as.

you can now see command Chill was properly started, and I now have access to the metasploitable device, so I can do ID and am root. I can do a Unite A to just confirm that for you, and we can see that we’re in the metasploitable device. And I can run any Linux command that I want, so I can do LS PWD, and I should be in the route, and I can do CD, go to Bar, for example, and do any Linux command that I want. So I basically have full access to the target computer. Now, again, as I said, you could upload stuff and run it from the target computer, but it’s not always a good idea to upload things to a hacked computer. So setting up the routes like this and using pivoting is a much safer choice. And I highly recommend that you go and have a look at other metasploitable modules, because metasploit is really, really big. It’s hard for me to code everything. I just covered the main, basic stuff, but you can always go in and have a look at other modules and try them. Using the modules is usually the same. We had a look at a broad array of modules, so it should be easy to just configure options and run these modules the way you want.

Leave a Reply

How It Works

Step 1. Choose Exam
on ExamLabs
Download IT Exams Questions & Answers
Step 2. Open Exam with
Avanset Exam Simulator
Press here to download VCE Exam Simulator that simulates real exam environment
Step 3. Study
& Pass
IT Exams Anywhere, Anytime!