API and Extensions

Meterpreter extensions are located in metasploit-framework/lib/rex/post/meterpreter. It's highly recommended to browse and open the files to understand the code and it's style.

Extension ClientCore : `core`

Path

metasploit-framework/lib/rex/post/meterpreter/client_core.rb

>> client.core
=> #<Rex::Post::Meterpreter::ClientCore:0x00000005f83388 @client=#<Session:meterpreter 192.168.0.18:55861 (192.168.242.128) "win7-64-victim\Workshop @ WIN7-64-VICTIM">, @name="core">

use method is used to load meterpreter extensions which is used in the meterpreter console (ex. use sniffer, use mimikatz, etc )

Note: to list all loadable extensions in meterpreter console use use -l command.

From IRB console of the meterpreter, let's try to use sniffer extension

>> client.sniffer
=> nil

As you can see, it returns a nil because the sniffer extension hasn't yet loaded.

Let's try to load the extension

>> client.use "sniffer"
=> nil

As you can see it returns a nil because the method use is available in the core extension not in the meterpreter client instance.

To load extension: load sniffer

>> client.core.use "sniffer"
=> true
>> client.sniffer
=> #<Rex::Post::Meterpreter::Extensions::Sniffer::Sniffer:0x000000142cc108 @client=#<Session:meterpreter 192.168.0.18:55861 (192.168.242.128) "win7-64-victim\Workshop @ WIN7-64-VICTIM">, @name="sniffer">

To check all sniffer extension methods, go to metasploit-framework/lib/rex/post/meterpreter/extensions/sniffer/sniffer.rb

also, from IRB, get all methods as we know

client.sniffer.methods

which returns an array of all available methods

>> client.sniffer.methods
=> [:interfaces, :capture_start, :capture_stop, :capture_stats, :capture_release, :capture_dump, :capture_dump_read, :name, :name=, :client, :client=, :psych_to_yaml, :to_yaml, :to_yaml_properties, :blank?, :present?, :presence, :acts_like?, :to_param, :to_query, :try, :try!, :duplicable?, :deep_dup, :in?, :instance_values, :instance_variable_names, :to_json, :with_options, :html_safe?, :`, :dclone, :old_send, :as_json, :require_or_load, :require_dependency, :load_dependency, :load, :require, :unloadable, :assert_no_remainder, :decode_tlv, :decode_integer, :decode_timeticks, :decode_integer_value, :decode_uinteger_value, :build_integer, :decode_octet_string, :decode_ip_address, :decode_sequence, :decode_object_id, :decode_object_id_value, :encode_length, :encode_integer, :encode_tagged_integer, :integer_to_octets, :encode_null, :encode_exception, :encode_tlv, :encode_octet_string, :encode_sequence, :encode_object_id, :pretty_print, :pretty_print_cycle, :pretty_print_instance_variables, :pretty_print_inspect, :nil?, :===, :=~, :!~, :eql?, :hash, :<=>, :class, :singleton_class, :clone, :dup, :taint, :tainted?, :untaint, :untrust, :untrusted?, :trust, :freeze, :frozen?, :to_s, :inspect, :methods, :singleton_methods, :protected_methods, :private_methods, :public_methods, :instance_variables, :instance_variable_get, :instance_variable_set, :instance_variable_defined?, :remove_instance_variable, :instance_of?, :kind_of?, :is_a?, :tap, :send, :public_send, :respond_to?, :extend, :select, :display, :sleep, :method, :public_method, :singleton_method, :define_singleton_method, :object_id, :to_enum, :enum_for, :gem, :class_eval, :pretty_inspect, :silence_warnings, :enable_warnings, :with_warnings, :silence_stderr, :silence_stream, :suppress, :capture, :silence, :quietly, :debugger, :breakpoint, :suppress_warnings, :==, :equal?, :!, :!=, :instance_eval, :instance_exec, :__send__, :__id__]

Getting available interfaces: sniffer_interfaces

which returns array of hashes

client.sniffer.interfaces
=> [{"idx"=>1, "name"=>"\\Device\\NdisWanBh", "description"=>"WAN Miniport (Network Monitor)", "type"=>3, "mtu"=>1514, "wireless"=>false, "usable"=>true, "dhcp"=>false}, 
{"idx"=>2, "name"=>"\\Device\\{DF8BF690-33F1-497F-89ED-A31C236FE8E3}", "description"=>"Intel(R) PRO/1000 MT Network Connection", "type"=>0, "mtu"=>1514, "wireless"=>false, "usable"=>true, "dhcp"=>true}]

Extension Stdapi::Fs : `fs`

Path

metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/stdapi.rb
metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/fs

>> client.fs
=> #<Rex::Post::Meterpreter::ObjectAliases:0x00000001db6ae0 @aliases={"dir"=>#<Class:0x00000001e09e70>, "file"=>#<Class:0x00000001e12890>, "filestat"=>#<Class:0x00000001db7530>, "mount"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Fs::Mount:0x00000001db6c48 @client=#<Session:meterpreter 192.168.0.18:57016 (192.168.242.128) "win7-64-victim\Workshop @ WIN7-64-VICTIM">>}>

Dir class: `dir.rb`

One of the extensions available for fs is Dir located in metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/fs/dir.rb. Let's to use some of its methods which we can know from client.fs.dir.methods or from source code.

Get current directory: pwd

>> client.fs.dir.pwd
=> "C:\\Windows\\System32"

List all files and directories in the current directory ls
```
client.fs.dir.entries
client.fs.dir.entries_with_info
```

Change the current directory: cd

>> client.fs.dir.chdir("c:\\")
=> 0
>> client.fs.dir.pwd
=> "c:\\"

Create a new directory: mkdir

>> client.fs.dir.mkdir("Rubyfu")
=> 0
>> client.fs.dir.chdir("Rubyfu")
=> 0
>> client.fs.dir.pwd
=> "c:\\Rubyfu"

File class: `file.rb`

Discover File class, let's begin with a simple search. Try to download and download files.

client.fs.file.search("C:\\Users", "*.exe")

Extension Stdapi::Fs : `sys`

Path

metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/stdapi.rb
metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/sys

>> client.sys
=> #<Rex::Post::Meterpreter::ObjectAliases:0x00000001dcd600 @aliases={"config"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Config:0x00000001db69c8 @client=#<Session:meterpreter 192.168.0.18:57016 (192.168.242.128) "win7-64-victim\Workshop @ WIN7-64-VICTIM">>, "process"=>#<Class:0x00000001db69a0>, "registry"=>#<Class:0x00000001db8ed0>, "eventlog"=>#<Class:0x00000001dc0e28>, "power"=>#<Class:0x00000001dc4398>}>

Config class: `config.rb`

Get User ID: getuid

>> client.sys.config.getuid
=> "NT AUTHORITY\\SYSTEM"

Get system information

>> client.sys.config.sysinfo
=> {"Computer"=>"WIN7-64-VICTIM", "OS"=>"Windows 7 (Build 7600).", "Architecture"=>"x64 (Current Process is WOW64)", "System Language"=>"en_US", "Domain"=>"WORKGROUP", "Logged On Users"=>2}

Check if current process is running as SYSTEM user
```
>> client.sys.config.is_system?
=> true
```

Enables all possible privileges: getpriv

>> client.sys.config.getprivs
=> ["SeDebugPrivilege", "SeIncreaseQuotaPrivilege", "SeSecurityPrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege", "SeProfileSingleProcessPrivilege", "SeIncreaseBasePriorityPrivilege", "SeCreatePagefilePrivilege", "SeBackupPrivilege", "SeRestorePrivilege", "SeShutdownPrivilege", "SeSystemEnvironmentPrivilege", "SeChangeNotifyPrivilege", "SeRemoteShutdownPrivilege", "SeUndockPrivilege", "SeManageVolumePrivilege"]

Process class: `process.rb`

Get the current Process ID: getpid
```
>> client.sys.process.getpid
=> 2392
```
Get all exist processes with its details (pid, ppid, name, path, session, user, arch): ps
```
client.sys.process.get_processes
# Or
client.sys.process.processes
```

Extension Stdapi::Fs : `net`

Path

metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/stdapi.rb
metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net

>> client.net
=> #<Rex::Post::Meterpreter::ObjectAliases:0x00000001dcd3d0 @aliases={"config"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Net::Config:0x00000001dcd4e8 @client=#<Session:meterpreter 192.168.0.18:57016 (192.168.242.128) "win7-64-victim\Workshop @ WIN7-64-VICTIM">>, "socket"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Net::Socket:0x00000001dcd4c0 @client=#<Session:meterpreter 192.168.0.18:57016 (192.168.242.128) "win7-64-victim\Workshop @ WIN7-64-VICTIM">>, "resolve"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Net::Resolve:0x00000001dcd470 @client=#<Session:meterpreter 192.168.0.18:57016 (192.168.242.128) "win7-64-victim\Workshop @ WIN7-64-VICTIM">>}>

Get the current victim interfaces: ifconfig or ipconfig

client.net.config.get_interfaces
# Or 
client.net.config.interfaces
# Try nicer outputs
>> puts client.net.config.interfaces[0].pretty
Interface 11
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:ff:fa:10
MTU          : 1500
IPv4 Address : 192.168.242.128
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::482c:27b5:6914:e813
IPv6 Netmask : ffff:ffff:ffff:ffff::

Get network stat: netstat
```
client.net.config.netstat
```

Get the ARP table: arp

client.net.config.arp_table
client.net.config.arp_table[0].ip_addr      # IP address 
client.net.config.arp_table[0].mac_addr     # MAC address 
client.net.config.arp_table[0].interface    # Interface

Routes: route

client.net.config.routes        # List routes 
client.net.config.add_route("192.168.2.0", 24, "192.168.2.1")   # Add route

Get Proxy settings: getproxy
```
client.net.config.get_proxy_config
```

As you can see how easy to get familiar with meterpreter API. there are other extensions you can play with

meterpreter > use -l
espia
extapi
incognito
kiwi
lanattacks
mimikatz
priv
python
sniffer
stdapi

You can add more about those too in Rubyfu!

PreviousMeterpreter NextMeterpreter Scripting

Last updated 5 years ago

Extension ClientCore : core

Extension Stdapi::Fs : fs

Dir class: dir.rb

File class: file.rb

Extension Stdapi::Fs : sys

Config class: config.rb

Process class: process.rb

Extension Stdapi::Fs : net

Extension ClientCore : `core`

Extension Stdapi::Fs : `fs`

Dir class: `dir.rb`

File class: `file.rb`

Extension Stdapi::Fs : `sys`

Config class: `config.rb`

Process class: `process.rb`

Extension Stdapi::Fs : `net`