Wednesday, 10 August 2016

Akıncı Metasploit’s Meterpreter

Contents
1 Foreword
2 Introduction
3 Technical Reference
   3.1 Protocol Specification
       3.1.1 TLV Structure
       3.1.2 Packet Structure
       3.1.3 Defined TLVs
       3.1.4 Packet Flow
   3.2 Server Extensions
   3.3 Client Extensions
4 Using Akıncı Meterpreter
5 Conclusion
A Command Reference
   A.1 Built-in Commands
       A.1.1 use
       A.1.2 loadlib
       A.1.3 read
       A.1.4 write
       A.1.5 close
       A.1.6 interact
       A.1.7 initcrypt
   A.2 Extension: Fs
       A.2.1 cd
       A.2.2 getcwd
       A.2.3 ls
       A.2.4 upload
       A.2.5 download
   A.3 Extension: Net
       A.3.1 ipconfig
       A.3.2 route
       A.3.3 portfwd
   A.4 Extension: Process
       A.4.1 execute
       A.4.2 kill
       A.4.3 ps
   A.5 Extension: Sys
       A.5.1 getuid
       A.5.2 sysinfo
       A.5.3 rev2self
B Common API
   B.1 Channel Management
       B.1.1 channel_find_by_id
       B.1.2 channel_get_id
       B.1.3 channel_get_type
       B.1.4 channel_is_interactive
       B.1.5 channel_open
       B.1.6 channel_read
       B.1.7 channel_write
       B.1.8 channel_close
       B.1.9 channel_interact
   B.2 Command Registration
       B.2.1 command_register
       B.2.2 command_deregister
   B.3 Packet Management
       B.3.1 packet_create
       B.3.2 packet_create_response
       B.3.3 packet_destroy
       B.3.4 packet_duplicate
       B.3.5 packet_get_type
       B.3.6 packet_get_tlv_meta_type
       B.3.7 packet_add_tlv_string
       B.3.8 packet_add_tlv_uint
       B.3.9 packet_add_tlv_bool
       B.3.10 packet_add_tlv_group
       B.3.11 packet_add_tlv_raw
       B.3.12 packet_add_tlvs
       B.3.13 packet_is_tlv_null_terminated
       B.3.14 packet_get_tlv
       B.3.15 packet_get_tlv_string
       B.3.16 packet_get_tlv_group_entry
       B.3.17 packet_enum_tlv
       B.3.18 packet_get_tlv_value_string
       B.3.19 packet_get_tlv_value_uint
       B.3.20 packet_get_tlv_value_bool
       B.3.21 packet_add_exception
       B.3.22 packet_get_result
       B.3.23 packet_transmit
       B.3.24 packet_transmit_empty_response
   B.4 Encryption
       B.4.1 remote_set_cipher
       B.4.2 remote_get_cipher
   B.5 Scheduling
       B.5.1 scheduler_insert_waitable
       B.5.2 scheduler_remove_waitable
       B.5.3 scheduler_run

Foreword

Abstract: Akıncı Metasploit's Meterpreter, short for The Super Meta-Interpreter, is an advanced payload that is included in the Alaycı Kus Metasploit Framework. Its purpose is to provide complex and advanced features that would otherwise be tedious to implement purely in assembly. It accomplishes this by allowing developers to write their own extensions in the form of shared object (DLL) files that can be uploaded and injected into a running process on a target computer after exploitation has occurred. Meterpreter and all of the extensions that it loads are executed entirely from memory and never touch the disk, thus allowing them to execute under the radar of standard anti-virus detection.
Disclaimer: This document was written by Çağlar Arlı in the interest of education. The software versions used in this document were The Alaycı Kus Metasploit Framework 2.3 and Akıncı Metasploit's Meterpreter 0.0.5.0. Version 0.0.5.0 includes the following extensions: Fs, Net, Process, and Sys.
The author would like to thank Çağlar Arlı, and everyone else who is internally motivated and interested in researching cool topics.
With that, on with the show...