C2 Powershell Command & Control Framework with BuiltIn Commands (Modules)
@r00t-3xp10it { version 2.10 }
Original Shell: @ZHacker13 'https://github.com/ZHacker13/ReverseTCPShell'
Article Quick Jump List
- meterpeter Project Description
- List Of Available Modules
- How To - Under Linux Distributions
- How To - Under Windows Distributions
- Windows Defender (Target Related)
- Some meterpeter Screenshots
- Special Thanks|Contributions|Videos
- How To - Use PS2EXE to convert ps1 scripts to standalone executables
- Please Read my WIKI for Detailed information about each Module
meterpeter - This PS1 starts a listener server on a Windows|Linux attacker machine and generates oneliner PS reverse shell payloads obfuscated in ASCII|BXOR with a random secret key, plus another layer of character/variable obfuscation, to be executed on the victim machine (the payload will also execute an AMSI reflection bypass in the current session to evade AMSI detection while working). You can also receive the generated oneliner reverse shell connection via netcat (in this case you will lose the C2 functionalities like screenshot, upload, download files, Keylogger, AdvInfo, PostExploitation, etc.).
meterpeter payloads/droppers can be executed using User or Administrator privileges depending on the scenario (executing the Client as Administrator will unlock ALL Server Modules, AMSI bypasses, etc.). Droppers will mimic a fake KB Security Update while in the background downloading and executing our Client in the $env:tmp trusted location, with the intent of evading Windows Defender Exploit Guard. meterpeter payloads|droppers are FUD (don't test samples on VirusTotal).
This project has been inspired by the work of @ZHacker13 from GitHub -> github.com/ZHacker13/ReverseTCPShell <-
This project allows attackers to execute 'meterpeter.ps1' under 'Linux' or 'Windows' distributions. Under Linux distros users are required to install powershell and the apache2 webserver; under Windows the install of python3 http.server to deliver payloads under LAN networks is optional. If these requirements are NOT met, then the Client will be written to the meterpeter working directory for manual delivery <- In this case execute your Client.ps1 in $env:tmp ('recommended').
meterpeter Modules Shortcuts
The meterpeter prompt shows some of the shortcuts we have available to use.
{ Please Read my WIKI for Detailed information about each Module }
exit : Exit Reverse TCP Shell (Server + Client).
Warning: powershell under Linux distributions is only available for x64 architectures.
apt-get update && apt-get install -y powershell
apt-get install apache2
service apache2 start
cd meterpeter
pwsh -File meterpeter.ps1
USE THE 'Attack Vector URL' TO DELIVER 'Update-KB4524147.zip' (dropper) TO THE TARGET. UNZIP (ON THE DESKTOP) AND EXECUTE 'Update-KB4524147.bat' (Run As Administrator).
IF dropper.bat is executed: then the Client will use $env:tmp as its working directory ('recommended'). IF the attacker decided to manually execute the Client: then the Client's remote location (pwd) will be used as the working dir.
Install Python3 (http.server) to deliver payloads under LAN networks:
https://www.python.org/downloads/release/python-381/
cd meterpeter
powershell Set-ExecutionPolicy Unrestricted -Scope CurrentUser
powershell -File meterpeter.ps1
Remark
- meterpeter.ps1 delivers the Dropper/Payload using python3 http.server IF the attacker has python3 installed.
'If NOT, then the payload (Client) is written to the Server's local working directory to be delivered manually'.
DELIVER 'Update-KB4524147' (.ps1=manual) OR (.zip=automated|silentExec) TO THE TARGET.
PS2EXE BY : Ingo Karstein | MScholtes
Description: Script to convert powershell scripts to standalone executables
Source : https://gallery.technet.microsoft.com/scriptcenter/PS2EXE-GUI-Convert-e7cb69d5
meterpeter users can use this script (manually) to convert the Client.ps1 to Client.exe:
- Copy the 'Update-KB4524147.ps1' built by meterpeter C2 to the 'PS2EXE' directory.
- Run the following from the 'PS2EXE' directory (no admin privs required):
.\ps2exe.ps1 -inputFile 'Update-KB4524147.ps1' -outputFile 'Update-KB4524147.exe' -iconFile 'meterpeter.ico' -title 'meterpeter binary file' -version '2.10.6' -description 'meterpeter binary file' -product 'meterpeter C2 Client' -company 'Microsoft Corporation' -copyright '©Microsoft Corporation. All Rights Reserved' -noConsole -noVisualStyles -noError
REMARK: Client.exe (created by PS2EXE) might malfunction with meterpeter mimikatz scripts.
Using the keylogger Module without the Client being executed as administrator will trigger this kind of warning from the Windows Defender AMSI mechanism. IF the Client is executed as administrator and the target machine has powershell version 2 installed, then the keylogger execution is achieved using PSv2 (bypassing Windows Defender AMSI|DEP|ASLR defenses). The same method is also valid for the persistence Module, executing our client using powershell version 2 (PS downgrade attack).
meterpeter.ps1 - Payloads|Droppers are FUD (Fully UnDetected) by AntiVirus (please don't test samples on VirusTotal).
Remember that Dropper.bat, even IF executed without Administrator privileges, will try to bypass many defensive mechanisms; that alone plays a main role in this whole process.
Remember to set your PS execution policy back to default (attacker) after having used meterpeter in your pentests.
meterpeter.ps1, for obvious reasons, will NOT revert the target PS policy to Restricted (default), to facilitate subsequent incursions into the Remote-Host (in persistence scenario demonstrations).
powershell Set-ExecutionPolicy Restricted -Scope CurrentUser
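The two previous points (the PSv2 downgrade used by the keylogger and persistence modules, and the execution policy that is left at Unrestricted on both machines) are also the footprints a blue team would look for on a host after a meterpeter engagement. The following audit script is an added example and is not part of meterpeter or of PS2EXE; it assumes an elevated Windows PowerShell 5.1 session, the classic "Windows PowerShell" event log enabled (the default), and the dropper/client file names this README uses. The function names are the example's own.

```powershell
# Added defensive audit (not meterpeter code): reports the host-side traces this
# README describes. Assumes an elevated Windows PowerShell 5.1 session.

function Get-ExecutionPolicyFindings {
    # The README sets CurrentUser to Unrestricted and does not revert it on the target.
    Get-ExecutionPolicy -List |
        Where-Object { $_.ExecutionPolicy -in 'Unrestricted', 'Bypass' } |
        ForEach-Object {
            [pscustomobject]@{ Check = 'ExecutionPolicy'; Detail = "$($_.Scope) = $($_.ExecutionPolicy)" }
        }
}

function Get-PowerShellV2Findings {
    # The PS downgrade attack needs the optional PSv2 engine; report if it is still enabled.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        [pscustomobject]@{ Check = 'PSv2Engine'; Detail = 'MicrosoftWindowsPowerShellV2Root is Enabled' }
    }
    # Event ID 400 ("Engine state is changed from None to Available") records the
    # engine version that actually started, so EngineVersion=2.0 is a downgrade indicator.
    Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
        Select-Object -First 20 |
        ForEach-Object {
            [pscustomobject]@{ Check = 'PSv2EngineStart'; Detail = "$($_.TimeCreated) on $($_.MachineName)" }
        }
}

function Get-DropperArtifactFindings {
    # File names come from this README; $env:TEMP is the client's stated working directory,
    # the Desktop is where the README tells the target to unzip the dropper.
    $names = 'Update-KB4524147.ps1', 'Update-KB4524147.bat', 'Update-KB4524147.zip', 'Update-KB4524147.exe'
    $roots = @($env:TEMP, [Environment]::GetFolderPath('Desktop'))
    foreach ($root in $roots) {
        foreach ($name in $names) {
            $path = Join-Path -Path $root -ChildPath $name
            if (Test-Path -LiteralPath $path) {
                [pscustomobject]@{ Check = 'DropperArtifact'; Detail = $path }
            }
        }
    }
}

$findings = @(Get-ExecutionPolicyFindings) + @(Get-PowerShellV2Findings) + @(Get-DropperArtifactFindings)
if ($findings.Count -eq 0) {
    'No findings.'
} else {
    $findings | Format-Table -AutoSize
}
```

Remediation follows from the findings: the README's own `Set-ExecutionPolicy Restricted -Scope CurrentUser` reverts the policy, and `Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root` removes the engine the downgrade relies on. Note that Event ID 400 only shows engine starts that were logged; a host with the classic log cleared will produce no PSv2EngineStart rows, so treat an absent finding as unknown rather than clean.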
meterpeter Under Windows Distros: https://www.youtube.com/watch?v=d2npuCXsMvE
meterpeter Under Linux Distros: https://www.youtube.com/watch?v=CmMbWmN246E
@ZHacker13 (Original Rev Shell) | @tedburke (CommandCam.exe binary)
@codings9 (debugging project under Windows|Linux Distros)
- meterpeter WIKI pages (Official Documentation)