hello-xbugs / meterpeter Goto Github PK

my_meterp(r)eter_Server

@r00t-3xp10it { version 2.7 }
Original Shell: @ZHacker13 'https://github.com/ZHacker13/ReverseTCPShell'

meterpeter Project Description
How to change client working dir
How To - Under Linux Distributions
How To - Under Windows Distributions
List Of Available Modules
Windows Defender (Target Related)
Some meterpeter Screenshots
Two meterpeter video tutorials
Special Thanks|Contributions

meterpeter - This PS1 starts a listener Server on a Windows|Linux attacker machine and generates oneliner PS reverse shell payloads obfuscated in ANCII|BXOR with a random secret key and another layer of Characters/Variables Obfuscation to be executed on the victim machine (The payload will also execute AMSI reflection bypass in current session to evade AMSI detection while working). You can also recive the generated oneliner reverse shell connection via netcat. (in this case you will lose the C2 functionalities like screenshot, upload, download files, Keylogger, AdvInfo, PostExploitation, etc)

meterpeter payloads/droppers can be executed using User or Administrator Privileges depending of the cenario (executing the Client as Administrator will unlock ALL Server Modules, amsi bypasses, etc.). Droppers will mimic a Fake KB Security Update while in background Downloads and executes our Client in $env:tmp trusted location, with the intent of evading Windows Defender Exploit Guard. meterpeter payloads|droppers are FUD (dont test samples on VirusTotal).

This project has been inspired in the work of @ZHacker13 from GitHub -> github.com/ZHacker13/ReverseTCPShell <-

This Project allows Attackers to execute 'meterpeter.ps1' under 'Linux' or 'Windows' distributions. Under Linux distros users required to install powershell and apache2 webserver, Under Windows its optional the install of python3 http.server to deliver payloads under LAN networks. If this requirements are NOT met, then Client will be written in meterpeter working directory for manual deliver <- In this ocassion execute your Client.ps1 in $env:tmp ('recomended').

Client Remote Working directory its located in $env:tmp, But meterpeter gives us access to one 'Interactive powershell console', that means that all powershell commands executed in ' :meterpeter> ' prompt will be executed remotely.

Quick Jump List

• Info : Retrieve Target PC Information
• AdvInfo : Advanced Gather Information Modules [Sub-Menu]
  • ListAdm : Retrieve Client Shell Path|Privileges
  • ListAcc : Retrieve Remote-Host Accounts List
  • ListSmb : Retrieve Remote-Host SMB shares List
  • ListDns : Retrieve Remote-Host DNS Entrys List
  • ListApp : Retrieve Remote-Host Installed Applications List
  • ListTask : Retrieve Remote-Host Schedule Tasks List [Sub-Menu]
    • Check : Retrieve Schedule Tasks List
    • Inform : Advanced Info Single Task Information
    • Create : Create Remote-Host New Task
    • Delete : Delete Remote-Host Single Task
  • ListRece : Retrieve Remote-Host Recent Folder Contents
  • StartUp : Retrieve Remote-Host StartUp Folder Contents
  • ListDriv : Retrieve Remote-Host Drives Available List
  • ListRun : Retrieve Remote-Host Startup Run Entrys
  • ListProc : Remote-Host Processe(s) [Sub-Menu]
    • Check : Retrieve Remote Processe(s) Running List
    • KillProc : Kill Remote Process By Name From Running
  • ListConn : Retrieve Remote-Host Active TCP Connections List
  • ListIpv4 : Retrieve Remote-Host IPv4 Network Statistics List
  • ListWifi : Remote-Host Profiles/SSID/Passwords [Sub-Menu]
    • ListProf : Retrieve Remote-Host wifi Profile
    • ListNetw : Retrieve wifi Available networks List
    • ListSSID : Retrieve Remote-Host SSID Entrys List
    • SSIDPass : Retrieve Stored SSID passwords
• Session : Retrieve C2 Server Connection Status.
• Upload : Upload File from Local-Host to Remote-Host.
• Download : Download File from Remote-Host to Local-Host.
• Screenshot : Save Screenshot from Remote-Host to Local-Host.
• keylogger : Remote-Host Keylogger [Sub-Menu].
  • Install : Install Remote keylogger
  • StartK : Start remote keylogger
  • ReadLog : Read keystrokes logfile
  • StopKP : Stop keylogger Process(s)
• PostExploit: Post-Exploitation Modules [Sub-Menu]
  • Persist : Remote Persist Client [Sub-Menu]
    • StartUp : Persiste Client Using startup Folder
    • RUNONCE : Persiste Client using REGISTRY:RunOnce Key
    • REGRUN : Persiste Client using REGISTRY:Run Key
    • Schtasks : Make Client Beacon Home with xx minuts of Interval
    • WinLogon : Persiste Client using WinLogon REGISTRY:Userinit Key
  • Restart : Restart in xx seconds
  • ListLog : List/Delete EventLogs Module [Sub-Menu]
    • Check : Retrieve Remote-Host EventLogs List
    • DelLogs : Delete Remote-Host EventLogs (eventvwr)
    • DelFull : Delete Remote-Host LogFiles from Disk
  • SetMace : Change files date/time TimeStomp
  • ListPas : Search for passwords in txt Files
  • GoogleX : Open Remote Browser in google sphere (prank)
  • LockPC : Lock Remote workstation (prank|refresh explorer)
  • SpeakPC : Make Remote-Host Speak your sentence
  • AMSIset : Enable/Disable AMSI Module [Sub-Menu]
    • Disable : Disable AMSI in REGISTRY:hklm|hkcu
    • Enable : Enable AMSI in REGISTRY:hklm|hkcu
  • UACSet : Enable/Disable remote UAC Module [Sub-Menu]
    • Disable : Disable UAC in REGISTRY:hklm
    • Enable : Enable UAC in REGISTRY:hklm
  • TaskMan : Enable/Disable TaskManager Module [Sub-Menu]
    • Disable : Disable TaskManager in REGISTRY:hklm
    • Enable : Enable TaskManager in REGISTRY:hklm
  • Firewall : Enable/Disable Remote Firewall Module [Sub-Menu]
    • Check : Review Remote-Host Firewall Settings
    • Disable : Disable Remote-Host Firewall
    • Enable : Enable Remote-Host Firewall
  • DumpSAM : Dump SAM/SYSTEM Credentials to a remote location
  • Dnspoof : Hijack Entrys in hosts file Module [Sub-Menu]
    • Check : Review Remote-Host hosts File
    • Spoof : Add Entrys to Remote-Host hosts File
    • Default : Defaults Remote-Host hosts File
  • NoDrive : Hide Drives from Explorer Module [Sub-Menu]
    • Disable : Hide Drives from explorer in REGISTRY:hklm
    • Enable : Enable Drives from explorer in REGISTRY:hklm
• exit : Exit Reverse TCP Shell (Server + Client).

Quick Jump List

  Warning: powershell under linux distributions its only available for x64 archs ..

apt-get update && apt-get install -y powershell

apt-get install Apache2

service apache2 start

cd meterpeter
pwsh Set-ExecutionPolicy Unrestricted -Scope CurrentUser
pwsh -File meterpeter.ps1

USE THE 'Attack Vector URL' TO DELIVER 'Update-KB4524147.zip' (dropper) TO TARGET ..
UNZIP (IN DESKTOP) AND EXECUTE 'Update-KB4524147.bat' (Run As Administrator)..

 IF dropper.bat its executed: Then the Client will use $env:tmp has its working directory ('recomended')..
 IF Attacker decided to manualy execute Client: Then Client remote location (pwd) will be used has working dir .

Quick Jump List

https://www.python.org/downloads/release/python-381/

cd meterpeter
powershell Set-ExecutionPolicy Unrestricted -Scope CurrentUser
powershell -File meterpeter.ps1

 Remark:
 -------
 meterpeter.ps1 delivers Dropper/Payload using python3 http.server. IF attacker has python3 installed
 If NOT then the payload (Client) its written in Server Local Working Directory to be Manualy Deliver ..

 Remmnenber to close the http.server terminal after the target have recived the two files (Dropper & Client)
 and we have recived the connection back in our meterpeter Server { to prevent Server|Client connection errors }

DELIVER 'Update-KB4524147' (.ps1=manual) OR (.zip=automated|silentExec) TO TARGET ..

 IF dropper.bat its executed: Then the Client will use $env:tmp has its working directory ('recomended')..
 IF Attacker decided to manualy execute Client: Then Client remote location (pwd) will be used has working dir .

Quick Jump List

Using keylogger Module without the Client been executed as administrator, will trigger this kind of warnings by Windows Defender AMSI mechanism. IF the Client is executed as administrator and target machine as powershell version 2 installed, then the keylogger execution its achieved using PSv2 (bypassing Windows Defender AMSI|DEP|ASLR defenses). The same method its also valid for persistence Module, executing our client using powershell version 2 (PS downgrade Attack).

meterpeter.ps1 - Payloads|Droppers are FUD (Fully UnDetected) by AntiVirus (Please dont test samples on VirusTotal)

Remenbering that Dropper.bat even IF executed without Administrator Privileges, will try to bypass many defensive mechanisms.. for that alone plays a main role in all this process ..

Remember to set your PS execution Policy to default (attacker) After having used meterpeter in your pentestings.
meterpeter.ps1 for obvious reasons will NOT revert the target PS Policy to Restricted (default) to facilitate next
incursions into Remote-Host (in persistence cenario Demonstrations) ..

powershell Set-ExecutionPolicy Restricted -Scope CurrentUser

meterpeter Settings File
Allow Attackers to automate the creation of payloads (Client) without the need of User inputs. To activate it Attacker just need to edit the Settings file, change is values and then rename it from 'settingZZZ' to 'Settings' before executing the Server.

Quick Jump List

meterpeter Under Windows Distros: https://youtu.be/5_VLBWYUuJ8
meterpeter Under Linux Distros: http://Not-recorded-yet

@ZHacker13 (Original Rev Shell) | @codings9 (debugging project under Windows|Linux)
Jump To Top of this readme File