Meterpreter - what lasting effect does it have on a system?


pr0l3


Here's the scenario.

I work for a small business - an IT firm. We're considering implementing a red team test against one of our larger clients as an educational experience for the staff.

My question is - in using meterpreter, what lasting effect does it have on a system?


It's not so much meterpreter as it is other things.

1) Don't do a persistent meterpreter install

2) It comes down to what exploit/s are performed. DO NOT USE A LIVE SYSTEM. Know the possibilities of the exploit crashing a service and/or causing damage. There is a ranking system for "friendliness"; I cannot recall what the proper term is.


I don't plan on using an aggressive exploit - basically ONLY social engineering.

And yeah, I'm basically just looking to grab and dash. Print out the documents as an 'example' and show them what's possible. Nothing persistent.


So long as your exploit runs in memory only and you don't use persistence, like say a PDF file they would open from an email, once they reboot, it's gone. Not to mention, if its session is in memory only, when you kill the session, you cut the cord to the target unless you left a bind setup to return to later, so as long as it's not persistent and resides in memory, you should be good. Not to mention 99% of AVs don't do memory sweeps anyway, and if migrating to system processes, it most likely won't be picked up. Just be sure to use a UAC bypass if on a Windows system so you can elevate your privileges before doing post exploitation such as file downloads, and use a secure tunnel for the reverse shell (which I think now everything used in msf pretty much encrypts the traffic for you, but don't quote me on that).


This might sound harsh but it needs saying...

If you don't know what Metasploit does and how it affects the end systems then you really shouldn't be using it in anything other than a lab environment. It is very easy to think you are doing something that is completely innocent and won't harm anything and in the process you take down a critical system by accident.

digip gives the example of using a non-persistent PDF, which is safer than running an exploit against a service, but you have to consider what happens if the user decides to send a copy of it home to read it later: you have then run an exploit on their machine, and in some jurisdictions that would be considered illegal.

You also mention doing a "red team test"; I'm guessing that you don't understand the terminology here. A red team test usually refers to a full on, no holds barred assault on the target. They usually run over long periods and involve long phases of recon, scoping and then attacks which can include physical attacks.

I'd strongly recommend that you drop the idea. If the client wants to have the test done then liaise with a proper security testing firm and have them do the testing. If you want to know what they are doing so you get some understanding into the processes then make it part of the deal that one of your team sits with the tester throughout the test.


I actually meant to NOT use a PDF, guess I didn't word that well, but you pretty much hit the mark on what I was trying to get across. Basically leave nothing on the system, or users files that could be sent to others, etc.

Agreed. I'll keep it in the lab.

I've become pretty proficient - but it seems that when I ask these types of questions (albeit without the 'I'm gonna use it' added on) I just get told that if I don't know what it does I shouldn't be using it.

It's become one of those things where I'm kind of caught in a loop. The practical side I can teach myself - that's what a lab is for. The theoretical side of things is different.

Can you guys - especially the ones who DO know the 'back end' stuff, point me towards some reading material?


If you want to learn about Metasploit then this is one of the main sources of information:

http://www.offensive-security.com/metasploit-unleashed/Main_Page

It also depends on your budget and how you learn. I can't learn at home, only in a class room with no distractions and forced attention. Others learn best in small chunks at home. For courses, check out SANS or Offensive Security, they do home learning as well but also look at Security Tube for that area.

And honestly, despite how much you think you know and have learned, don't do anything real world without some kind of supervision from someone who knows what they are doing. Worst case you break something you shouldn't and end up in legal bother, best case you do half a job and miss something critical so end up giving someone a false sense of security.

One of the reasons I say all this is because I've been on client sites where someone in house has been testing and they think they are bullet proof, they rarely are.


QFE

Also, Security Tube I believe has a Metasploit video mega primer to get people started with Metasploit from beginners on up.


Honestly these guys covered it really well. Technically Meterpreter itself operates only in memory. So really the only effect it has is when memory is referenced / accessed / or stored (i.e. system profiling software, normal process execution, and hibernate respectively). The more evident parts come in a few flavors:

  • How the Meterpreter shellcode / payload gets executed.
    • Is it a binary you put your payload in? a PDF?
      • Where was it stored?
        • Is it backed up?
        • Is it in a location targeted by Volume Shadow Copies or Restore Points?
        • Does the company have a shared storage of roaming profiles?
    • How was it delivered?
      • Was the delivery encrypted?
      • Was it a single delivery or to many hosts/users?
  • What C2 mechanism is used? HTTP/TCP/DNS/etc?
    • Are the comms encrypted?
    • Do they go through a proxy?

These are just a small number of questions, and many you can ask in a lab. Run SecurityOnion's live CD, with a pfSense firewall running Squid, put an XP VM behind them and toss your Social Engineering payload at it with your attack C2 outside of it. Use Sysinternals Process Monitor on the victim. Make sure Bro, and all the other gadgets and gizmos SecurityOnion has, are enabled and in-line.

I guarantee you'll learn a ton just setting everything up, and a ton more once you test out your first SE.

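As an added example that is not from this thread or any of its posters: in the lab setup just described, the Squid proxy on pfSense is the place where the "what C2 mechanism, does it go through a proxy" questions get answered. The script below parses a handful of constructed lines in Squid's default native access.log layout (timestamp, elapsed ms, client, result/status, bytes, method, URL, ident, hierarchy/peer, MIME type) and flags client/host pairs whose request timing is too regular to be a human browsing, which is what a memory-only reverse shell polling its handler through the proxy looks like from the network side. The log lines, addresses and the jitter threshold are all assumptions chosen for the illustration.

```python
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's default "native" access.log layout (assumed):
# <unix ts> <elapsed ms> <client> <result/status> <bytes> <method> <url> <ident> <hier/peer> <mime>
# 192.168.1.50 is the lab victim; 203.0.113.10 is a constructed C2 address polled every ~60 s,
# while www.example.com is constructed "ordinary browsing" with irregular gaps.
SAMPLE_LOG = """\
1389745200.103    118 192.168.1.50 TCP_MISS/200 512 GET http://203.0.113.10/index.php - DIRECT/203.0.113.10 text/html
1389745201.410     90 192.168.1.50 TCP_HIT/200 8120 GET http://www.example.com/news - NONE/- text/html
1389745215.880     75 192.168.1.50 TCP_MISS/200 2210 GET http://www.example.com/news/2 - DIRECT/93.184.216.34 text/html
1389745260.220    115 192.168.1.50 TCP_MISS/200 498 GET http://203.0.113.10/index.php - DIRECT/203.0.113.10 text/html
1389745290.005     60 192.168.1.50 TCP_MISS/200 31000 GET http://www.example.com/img.png - DIRECT/93.184.216.34 image/png
1389745320.150    120 192.168.1.50 TCP_MISS/200 503 GET http://203.0.113.10/index.php - DIRECT/203.0.113.10 text/html
1389745380.201    117 192.168.1.50 TCP_MISS/200 511 GET http://203.0.113.10/index.php - DIRECT/203.0.113.10 text/html
1389745440.098    119 192.168.1.50 TCP_MISS/200 507 GET http://203.0.113.10/index.php - DIRECT/203.0.113.10 text/html
1389745460.333     80 192.168.1.50 TCP_MISS/200 1900 GET http://www.example.com/about - DIRECT/93.184.216.34 text/html
1389745500.177    116 192.168.1.50 TCP_MISS/200 505 GET http://203.0.113.10/index.php - DIRECT/203.0.113.10 text/html
1389745505.000    200 192.168.1.50 TCP_TUNNEL/200 4096 CONNECT cdn.example.net:443 - DIRECT/198.51.100.7 -
"""


def _host_from_url(url):
    """Return the host part of a proxied URL; CONNECT requests carry only host:port."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return parts.hostname


def parse_squid_line(line):
    """Parse one native-format Squid line into a dict, or None if it does not fit the layout."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        ts = float(fields[0])
    except ValueError:
        return None
    host = _host_from_url(fields[6])
    if host is None:
        return None
    return {"ts": ts, "client": fields[2], "method": fields[5], "host": host}


def find_beacons(log_text, min_hits=4, max_jitter=0.1):
    """Group requests by (client, host); flag pairs whose inter-request gaps are nearly constant.

    Jitter is the coefficient of variation (stdev / mean) of the gaps between consecutive
    requests. Human browsing is bursty (jitter near or above 1); a polling implant
    sleeping a fixed interval sits near 0. Returns {(client, host): (hits, mean_gap_seconds)}.
    """
    times = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec:
            times[(rec["client"], rec["host"])].append(rec["ts"])

    flagged = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        jitter = statistics.stdev(gaps) / mean_gap
        if jitter < max_jitter:
            flagged[key] = (len(stamps), round(mean_gap, 1))
    return flagged


if __name__ == "__main__":
    for (client, host), (hits, gap) in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {hits} requests, one every ~{gap}s")
```

In the lab this is something to run against the real `/var/log/squid/access.log` after the social-engineering payload has been detonated; compare what it flags with what Process Monitor showed on the victim to tie the network beacon back to the process that migrated, which answers the post's "is the session in memory only, and where does its C2 go" questions with evidence rather than assumption.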
