Lecture06-Meterpreter-vncinject

This lecture covers DLL injection techniques, focusing on two payloads: Meterpreter and vncinject. Meterpreter is a powerful and stealthy shell that allows for various hacking commands, while vncinject enables remote desktop access through VNC. The lecture also discusses exploiting SMB vulnerabilities to obtain a Meterpreter shell and the commands available within Meterpreter for post-exploitation tasks.


INFO3002 Ethical Hacking Principles and Practice

Lecture 6: Exploitation – Meterpreter & vncinject

School of Computer, Data and Mathematical Sciences


Western Sydney University
1
Lecture outline
This lecture will talk about two important payloads that use
the DLL injection technology: Meterpreter and vncinject.

■ What’s DLL Injection
■ Meterpreter Overview
■ How to obtain a Meterpreter shell
■ Meterpreter Commands
■ VNCinject

2
DLL Injection
■ Dynamic-Link Library (DLL) is Microsoft's implementation
of the load-on-demand library.
▬ These libraries typically have the file extension DLL.

■ DLL Injection is a hacking technique that injects a payload
into an existing process as a DLL, thus enabling the
payload to run.
■ The key advantage of this technique is 'being stealthy':
▬ The payload resides entirely in memory and uses no files on disk.
▬ No new processes will be created in most cases.

3
Meterpreter Overview
■ Meterpreter is one of the most important payloads in MSF.
■ It is a shell with hacking-specialised commands
▬ We'll cover these commands in later slides

■ It uses the DLL Injection technology.

4
Meterpreter Features
■ Stealthy
▬ Resides entirely in memory and uses no files on disk.
▬ In most cases, no new processes are created as Meterpreter injects
itself into the compromised process.
▬ Uses encrypted communications by default.

■ Powerful
▬ As will be seen later, Meterpreter can accomplish many tasks.

■ Extensible
▬ Extensions can be loaded to Meterpreter during run time.

5
How Meterpreter works
■ The target executes the initial stager, which is usually bind
or reverse.
■ The stager loads the Meterpreter DLL prefixed with a
Reflective part. The Reflective part injects the DLL into
another process.
▬ For how Reflective DLL injection works, see:
https://github.com/stephenfewer/ReflectiveDLLInjection

■ Meterpreter uses a TLS (Transport Layer Security)
connection with the attacking machine.
■ Meterpreter can load extensions from the attacking
machine.

6
Lecture outline
■ Meterpreter Overview
■ How to obtain a Meterpreter shell
■ Meterpreter Commands
■ VNCinject

7
The Scenario
■ Meterpreter is typically applied to Windows OSes.
■ Many Windows vulnerabilities allow us to obtain a
Meterpreter shell.
■ In this lecture, we will use an SMB vulnerability in our
Win7 VM to demonstrate how to do this.

8
SMB (Server Message Block) Basics
■ SMB is a network file sharing protocol mostly used in
Windows OSes.

9
SMB vulnerabilities
■ SMB server typically uses TCP port 445.
■ Many vulns have been found so far in the SMB server.
■ In this lecture, we'll use the vuln announced in Microsoft
Security Bulletin MS17-010 as an example.
▬ https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010
▬ This vuln allows remote code execution with a specially crafted
request.
▬ It affects Microsoft Windows 7, 8, etc.
▬ It is related to several CVE IDs: CVE-2017-0143, etc.

10
GVM report on SMB vulns
■ The GVM report on our Win7 VM has revealed this vuln
on SMB:

■ Since SMB is a hot spot for exploitation, it is worth trying
another vuln scanner to find out more.

11
Nmap NSE on SMB vulns
■ Nmap has many scripts for testing SMB vulns.

■ If you don't want to miss any of them, you should try them
one by one.

12
Using Nmap NSE to detect ms17-010
[Figure: the Nmap command line, annotated with the script name, the port number and the target IP address; the output confirms the vuln]
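Scanning for the vuln is also what a defender does when checking patch coverage, and Nmap's XML output (`-oX`) is easier to process than the screen output shown above. The following is an added example, not part of the lecture: it pulls out every host that the NSE script flagged as VULNERABLE. It assumes the script in the slide's figure is `smb-vuln-ms17-010` (the standard Nmap script for this bulletin); the XML it parses is a constructed sample using documentation addresses.

```python
"""Added example (not part of the lecture): pull VULNERABLE findings for an
NSE script out of Nmap's XML output (nmap -oX), so a defender can inventory
which hosts still need the MS17-010 patch. The XML below is constructed."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: 192.0.2.10 is flagged, 192.0.2.11 is not (documentation addresses).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <script id="smb-vuln-ms17-010" output="VULNERABLE: Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)">
          <table key="ms17-010">
            <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
            <elem key="state">VULNERABLE</elem>
          </table>
        </script>
      </port>
    </ports>
  </host>
  <host>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <script id="smb-vuln-ms17-010" output="NOT VULNERABLE"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def _script_state(script):
    """Return the state string for one <script> element.

    Scripts built on Nmap's vulns library emit an <elem key="state">; when it
    is absent, fall back to the free-text 'output' attribute.
    """
    elem = script.find(".//elem[@key='state']")
    if elem is not None and elem.text:
        return elem.text.strip()
    return (script.get("output") or "").strip()


def is_vulnerable_state(state):
    """'VULNERABLE', 'LIKELY VULNERABLE', 'VULNERABLE (Exploitable)' count;
    'NOT VULNERABLE', 'UNKNOWN' and connection errors do not."""
    s = state.upper()
    return "VULNERABLE" in s and not s.startswith("NOT ")


def vulnerable_hosts(xml_text, script_id="smb-vuln-ms17-010"):
    """Map each affected IPv4 address to the (port, state) pairs the script flagged."""
    root = ET.fromstring(xml_text)
    findings = {}
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            for script in port.findall("script"):
                if script.get("id") != script_id:
                    continue
                state = _script_state(script)
                if is_vulnerable_state(state):
                    findings.setdefault(addr.get("addr"), []).append(
                        (int(port.get("portid")), state))
    return findings


if __name__ == "__main__":
    # Usage: python nmap_vuln_report.py scan.xml   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    for ip, hits in sorted(vulnerable_hosts(text).items()):
        for port, state in hits:
            print(f"{ip}\ttcp/{port}\t{state}")
```

The state check deliberately reads the structured `elem key="state"` first and only falls back to the output text, because a naive substring match on "VULNERABLE" would also match "NOT VULNERABLE".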
13
Steps for obtaining Meterpreter shell
Having confirmed the vuln, the steps for obtaining the
Meterpreter shell are the same as the 7 steps taught in the last
lecture.
1. Search the exploits for the vuln
2. Select the exploit with a good rank
3. Find the Meterpreter payload for this exploit
4. Select the Meterpreter payload
5. Show the options for the exploit and the Meterpreter payload
6. Set the options
7. Launch the attack

14
1. Search exploits for ms17-010 in MSF
Search the MS Security Update ID:

15
2. Select a suitable exploit for Win7
■ You can use the 'info' command to check each exploit
returned to see if it is suitable for the Win7 VM.
■ E.g., checking the exploit with index 2 called 'eternalblue'

■ Look for the field about 'targets':

[Figure: the 'targets' field of the 'info' output; Win7 is confirmed as a target]
16
2. Select a suitable exploit for Win7 (cntd)
■ So we'll use the one with index 2 called 'eternalblue'
■ Run the 'use' command:

17
3. Show payloads
■ We'll see many of them:

■ We'll be interested in:
▬ windows/x64/meterpreter/bind_tcp
▬ windows/x64/meterpreter/reverse_tcp

18
3. Show payloads – filtering
■ MSF has a 'grep' command as well, but you need to put it before the
command whose outputs you want to filter. For example:

19
4. Set payload
■ Suppose we use the Meterpreter with the reverse TCP connection,
which is also the default one:

■ NB: Since it's the default one, you can actually skip the above
command.

20
5. Show exploit and payload options

[Figure: output of 'show options'; the callout marks the missing option that we need to set]

21
6. Set exploit and payload options
■ RHOSTS means the IP of the target

■ LHOST means the IP of the host waiting for the Meterpreter TCP
connection request. It is typically the attacker machine.

■ Option names are NOT case sensitive
▬ RHOSTS and rhosts are the same

22
7. Launch the attack

23
Lecture outline
Now we can use the gained Meterpreter shell to demo
major Meterpreter commands.

■ Meterpreter Basics
■ How to obtain a Meterpreter shell
■ Meterpreter Commands
■ VNCinject

24
Meterpreter Commands Overview
■ Meterpreter provides more than 100 commands.
■ The entire list of commands can be obtained by typing
'help' at the 'meterpreter >' prompt.
■ The help info for each command can be obtained by:
▬ meterpreter > commandname -h

■ In this lecture, we'll introduce some major commands. In
future lectures, we'll introduce more commands,
especially those used in post exploitation.

25
Commands: cd, pwd, ls (or dir), cp, rm,
mkdir, mv
■ These commands have the same functionality as their
Linux or Windows counterparts.

26
Commands: lcd, lpwd, lls
■ These commands have the same functionality as cd, pwd,
and ls, but work on the local computer.

27
Commands: cat and edit
■ cat will display the contents of a file

■ edit can edit the contents of a file. It functions the same as vi
in Linux.

28
Command: download
■ Download files from target machine

[Figure: the download command; the second argument is the name of a local directory]

29
Command: upload
■ Upload files to target machine

[Figure: the upload command; the second argument is the remote directory, where '.' means the current remote directory]

30
Commands: exit and quit
■ Both commands will terminate the Meterpreter session and
return to the msf exploit prompt.

31
Command: background
■ Send the current Meterpreter session to the background and return to the
msf exploit prompt.
■ To get back to the Meterpreter session, use the sessions command and
then sessions -i <session ID> command.

32
Commands: ipconfig, ifconfig, arp,
netstat, resolve
■ These commands are roughly equivalent to their Windows or Linux
counterparts.

■ NB:
▬ ifconfig means interface config, roughly equivalent to ipconfig.
▬ resolve is roughly equivalent to nslookup.

33
Command: resource
■ Run the commands stored in a file.
▬ Similar to the 'source' command in Linux.

■ Syntax: resource <filename>
▬ The file typically stores a list of Meterpreter commands, and has suffix
'.rc'.

■ This command is very useful in post exploitation, as we will
see in our later lectures.

34
Command: getuid
■ Get the user account the Meterpreter is running with at the target.

■ Can be used to check whether Meterpreter has the administrative
privilege.

■ 'NT AUTHORITY\SYSTEM' is the built-in user account that many
Windows services (e.g., the SMB service) run with. It has the
administrative privilege.
▬ But it is different from the 'Administrator' account, which can actually
be used to log into the system.

35
Command: getpid
■ Get the ID of the process into which the Meterpreter is
injected.

■ To find out the name of the process with this ID, refer to the
next slide.

36
Command: ps
■ List the processes running on the target. Similar to 'ps' in Linux and
'tasklist' in Windows.

37
Command: ps – about spoolsv.exe
■ From the previous slide, we know that Meterpreter is injected
into a spoolsv.exe process.
■ spoolsv.exe (Spooler Service) runs the Windows OS printing
spooler service. Any time you print something with Windows,
this important service caches the print job into memory so
your printer knows what to print.
■ spoolsv.exe is one of the system processes that are often
targeted by malicious DLL injection.
■ Others include svchost.exe and lsass.exe, which are also
shown in the previous slide.

38
Command: ps – about svchost.exe
■ Since svchost.exe is also frequently used by DLL injection
attacks, we briefly introduce it here as well.
■ svchost.exe (Service Host) is a system process that hosts
multiple Windows services such as RPC, SMB, etc.
▬ Ref: https://en.wikipedia.org/wiki/Svchost.exe

■ You can use the 'tasklist /svc' command to see the Windows
services hosted by each svchost.exe.

39
tasklist /svc
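Reading 'tasklist /svc' output by eye is fine for one process, but a defender who collects it from many hosts wants to map a PID (the value getpid reports) back to its image name and, for svchost.exe, to the services that instance hosts. The following is an added example, not part of the lecture or of any Metasploit tooling: a parser for the text layout 'tasklist /svc' prints. The sample output is constructed; the PIDs and service lists are illustrative, with LanmanServer being the service that provides the SMB server.

```python
"""Added example (not part of the lecture): parse the text output of
'tasklist /svc' so a PID from getpid/ps can be mapped back to its image name
and, for svchost.exe, to the Windows services it hosts. Sample output is constructed."""
import re
from collections import namedtuple

Task = namedtuple("Task", "image pid services")

# Constructed sample in the layout tasklist /svc prints (header, separator,
# one row per process; long service lists wrap onto indented lines).
SAMPLE_TASKLIST_SVC = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
lsass.exe                      484 EFS, KeyIso, Netlogon, SamSs
svchost.exe                    596 DcomLaunch, PlugPlay, Power
svchost.exe                    672 RpcEptMapper, RpcSs
svchost.exe                    872 AudioEndpointBuilder, CscService, Netman,
                                   PcaSvc, SysMain, TrkWks
svchost.exe                   1012 LanmanServer
spoolsv.exe                   1160 Spooler
explorer.exe                  1804 N/A
""".strip("\n")

# image name (may contain spaces), PID, then the Services column
_ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


def _split_services(field):
    """Turn 'A, B, C,' or 'N/A' into a list of service names."""
    field = field.strip().rstrip(",")
    if not field or field == "N/A":
        return []
    return [s.strip() for s in field.split(",") if s.strip()]


def parse_tasklist_svc(text):
    """Return a list of Task records; wrapped service lists are folded into the previous row."""
    tasks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        if line[0].isspace() and tasks:          # continuation of the previous row
            prev = tasks[-1]
            tasks[-1] = prev._replace(services=prev.services + _split_services(line))
            continue
        m = _ROW.match(line)
        if not m:
            continue
        tasks.append(Task(m.group("image"), int(m.group("pid")),
                          _split_services(m.group("services"))))
    return tasks


def image_for_pid(tasks, pid):
    """Name of the process a given PID (e.g. Meterpreter's getpid value) belongs to."""
    return next((t.image for t in tasks if t.pid == pid), None)


def services_for_pid(tasks, pid):
    """Services hosted by the process with this PID (empty for non-service processes)."""
    return next((t.services for t in tasks if t.pid == pid), [])


def hosts_of_service(tasks, service):
    """PIDs hosting a given service, e.g. which svchost.exe runs LanmanServer (the SMB server)."""
    return [t.pid for t in tasks if service in t.services]
```

The continuation-line handling matters in practice: a svchost.exe instance hosting a dozen services wraps across several lines, and a parser that reads one line per process silently loses the wrapped names.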

40
Command: migrate
■ Migrate the Meterpreter DLL to another process

■ Syntax: migrate <pid of the process to migrate>

▬ -S: search for a process whose name contains a certain string

41
Note – about explorer.exe
■ In the previous slide, Meterpreter migrates to the explorer.exe
process.
■ explorer.exe is the ‘Windows Explorer’ process.
▬ It is running even though there is no Windows Explorer window.

■ explorer.exe runs under the privilege of the logged-in user.
▬ So the migration from spoolsv.exe to explorer.exe actually changes the
user account of Meterpreter from NT Authority/System to EH21-W7-xxx/admin.
▬ This is very useful if you want to log the keystrokes of the logged-in user.
We'll show this in the coming slides.

42
Command: screenshot
■ Grab a screenshot of the target desktop

■ The current screenshot of the target desktop will be saved in
the /home/kali directory.

43
Commands: keyscan_start,
keyscan_dump, keyscan_stop
■ Commands for logging user keystrokes. You first start, then dump, then
stop.
▬ Make sure Meterpreter is running with the same account as the
monitored user. E.g., 'migrate' it to the 'explorer.exe' process.
44
Command: shell
■ Starts a command-line console from the target
▬ Be careful: this will create a new process.

■ With a shell, you can do pretty much anything on the target using
Windows commands such as
▬ Editing registry (reg command)
▬ Changing firewall settings (netsh command)
▬ Shutting the system down (shutdown command)
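The two facts above give a defender a concrete detection: spoolsv.exe, lsass.exe and svchost.exe are the processes the ps slides name as common injection hosts, and the 'shell' command, unlike the rest of Meterpreter, spawns a new process (a command prompt) under that host. The following is an added example, not part of the lecture: a rule over process-creation events that flags a shell whose parent is one of those service processes. The events are constructed in a simplified pipe-separated layout (time|parent image|parent user|child image|command line); real telemetry such as Sysmon event ID 1 carries the same fields under other names.

```python
"""Added example (not part of the lecture): a detection rule over process
creation events. Injection hosts such as spoolsv.exe, lsass.exe and svchost.exe
normally never open a command prompt, while Meterpreter's 'shell' command does
spawn one. Event lines are constructed, in a simplified pipe-separated layout:
time|parent image|parent user|child image|command line."""
import ntpath
from dataclasses import dataclass

# Constructed sample events; host and user names are placeholders.
SAMPLE_EVENTS = """\
2024-01-01T10:00:01Z|C:\\Windows\\explorer.exe|HOST\\alice|C:\\Windows\\System32\\cmd.exe|cmd.exe
2024-01-01T10:02:14Z|C:\\Windows\\System32\\spoolsv.exe|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\cmd.exe|cmd.exe
2024-01-01T10:02:30Z|C:\\Windows\\System32\\svchost.exe|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\taskhostw.exe|taskhostw.exe
2024-01-01T10:03:05Z|C:\\Windows\\System32\\lsass.exe|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -nop
2024-01-01T10:04:00Z|C:\\Windows\\System32\\services.exe|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
"""

# Processes the lecture names as common injection hosts; none of them
# should be the parent of an interactive shell.
INJECTION_HOSTS = {"spoolsv.exe", "lsass.exe", "svchost.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


@dataclass
class Alert:
    time: str
    parent: str
    user: str
    child: str
    command_line: str


def parse_events(text):
    """Yield the five fields of each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split("|", 4)
        if len(parts) == 5:
            yield parts


def shell_from_injection_host(text):
    """Return an Alert for every event where an injection-host process spawns a shell."""
    alerts = []
    for time, parent_image, user, image, cmdline in parse_events(text):
        # ntpath handles the Windows paths correctly even when run on Linux
        parent = ntpath.basename(parent_image).lower()
        child = ntpath.basename(image).lower()
        if parent in INJECTION_HOSTS and child in SHELLS:
            alerts.append(Alert(time, parent, user, child, cmdline))
    return alerts
```

explorer.exe spawning cmd.exe is deliberately not flagged: that is simply a user opening a command prompt, and after a 'migrate' to explorer.exe the parent-child rule alone no longer separates the two, which is one reason the lecture calls explorer.exe a useful migration target.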

45
Web Camera Commands
■ webcam_list: List webcams; check whether there is webcam installed on
the target.

■ webcam_snap: Take a snapshot from the specified webcam

■ webcam_stream: Play a video stream from the specified webcam

■ webcam_chat: Start a video chat

■ record_mic: Record audio from the default microphone for X seconds

If the target has a webcam, you can try the above commands.
They really work.

46
Lecture outline
■ Meterpreter Basics
■ How to obtain a Meterpreter shell
■ Meterpreter Basic Commands
■ VNCinject

47
Virtual Network Computing (VNC) Basics
■ VNC is a graphical desktop sharing service that uses the
Remote Frame Buffer (RFB) protocol.
▬ Ref: https://en.wikipedia.org/wiki/Virtual_Network_Computing

■ VNC involves the following three components:
▬ VNC server: the program on the remote machine that shares its
screen.
▬ VNC client (or viewer): the program that views and interacts with the
server.
▬ RFB protocol: transmits a rectangle of pixel data from server to
client, and transmits event messages from client to server.
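Because RFB is a fixed, documented protocol, a VNC server is easy to recognise on the network even when (as the vncinject slides later show) its process is invisible in 'tasklist': every RFB server begins the session by sending the 12-byte ProtocolVersion banner 'RFB xxx.yyy\n' (RFC 6143, section 7.1.1). The following is an added example, not part of the lecture: a detector that matches that banner in the first bytes a server sends, regardless of port. The flows are constructed.

```python
"""Added example (not part of the lecture): recognise the RFB ProtocolVersion
handshake in captured TCP payloads. Every RFB server opens with the 12-byte
banner 'RFB xxx.yyy\\n' (RFC 6143, section 7.1.1), whatever port it listens on.
The flows below are constructed."""
import re

# three-digit major, '.', three-digit minor, newline; e.g. b"RFB 003.008\n"
_BANNER = re.compile(rb"^RFB (\d{3})\.(\d{3})\n")


def parse_rfb_version(payload):
    """Return (major, minor) if the payload starts with an RFB version banner, else None."""
    m = _BANNER.match(payload)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def find_rfb_servers(flows):
    """flows: iterable of (server_ip, server_port, first_bytes_sent_by_server).

    Returns one (ip, port, version) per flow whose server-side first bytes are
    an RFB banner. Matching on the banner rather than on tcp/5900 (the
    conventional VNC port) matters because a server can listen anywhere.
    """
    hits = []
    for ip, port, data in flows:
        version = parse_rfb_version(data)
        if version is not None:
            hits.append((ip, port, "%d.%d" % version))
    return hits


# Constructed sample flows: one conventional VNC port, one unusual port,
# and two services that are not RFB at all.
SAMPLE_FLOWS = [
    ("192.0.2.20", 5900, b"RFB 003.008\n"),
    ("192.0.2.21", 8081, b"RFB 003.008\n\x02\x01\x02"),   # banner followed by security types
    ("192.0.2.22", 22,   b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("192.0.2.23", 445,  b"\x00\x00\x00\x45\xfeSMB"),
]
```

In a real deployment the `flows` tuples would come from a capture tool or an IDS that records the first server-to-client bytes of each TCP session; the point of the example is that the banner, not the port number, is the reliable indicator.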

48
Popular Software Implementing VNC
■ VNC was originally developed at the Olivetti & Oracle
Research Lab in Cambridge, UK.
■ Its many modern derivatives are open source today.
Notable ones include:
▬ RealVNC
▬ TightVNC: this one is used by vncinject we are going to talk about
▬ UltraVNC

49
vncinject
■ Similar to Meterpreter, vncinject is another payload that
uses the DLL injection technology.
■ It injects a VNC server into a vulnerable process running
in the target.
■ It is stealthy.
▬ In the target, you cannot see the VNC server process.

50
How to apply vncinject
■ The MS17-010 vulnerability mentioned previously also
allows a vncinject attack.
■ After selecting the
'exploit/windows/smb/ms17_010_eternalblue' as the
exploit, you can select one of the two as the payload:
▬ windows/x64/vncinject/bind_tcp
▬ windows/x64/vncinject/reverse_tcp

51
Payload options for vncinject
■ The option named ViewOnly is very important. By default, it
is true, which lets you only view the victim desktop, without
performing any operations on it.

52
After successful exploitation, you should see

53
If you run 'tasklist' at the victim computer,
you won't see the VNC server process

54
Set the ViewOnly to false
■ If you want to control the victim computer, you need to set
ViewOnly to false.
▬ set ViewOnly false

■ However, this also allows the victim to notice that someone
else is controlling the computer if the victim happens to be sitting
in front of the screen.
■ You can try this by repeating the previous exploitation
steps.

Sometimes the exploitation can fail. If so, you should
restart the Win7 VM and then you should succeed.

55
Example Short Answer Question:
■ Explain what DLL injection is.

56
Lecture Summary
■ DLL injection attacks create no new files and processes at
the target, thus being stealthy.
■ Meterpreter is the most important payload used in DLL
injection attacks. You must master its usage.
■ VNCinject allows a hacker to obtain a remote graphical
desktop of the target, but it’s not very stealthy.

57
References
■ Online tutorial from Offensive Security: Metasploit Unleashed
▬ https://www.offensive-security.com/metasploit-unleashed/

■ The web links mentioned in the slides of this lecture

58
