Cortana Tutorial - Armitage

Interacting with a Meterpreter Session

Meterpreter is a powerful post-exploitation agent that runs on a compromised host. It has
the most capabilities and the best support from Cortana. Windows Meterpreter is the most
feature-complete of all Meterpreter implementations. Java Meterpreter is a close second.
Meterpreter implementations also exist for Linux and PHP.

Meterpreter sessions do not have the concept of a lock. The team server multiplexes
Meterpreter commands for you, so multiple humans and scripts may interact with a
Meterpreter session at the same time. This is an exciting technology, as no "time on target"
is wasted when human and automated actors can work at the same time.

Both Meterpreter and shell sessions fire a session_open event. Meterpreter sessions also
fire a session_sync event when they're ready for interaction.

Meterpreter Commands

To issue a Meterpreter command, use the &m_cmd function. This function works much like
its Metasploit console equivalent, &cmd. The main difference is that you pass a session
number to the &m_cmd function.

    m_cmd(1, "idletime");

Meterpreter commands fire an event when they complete. This idletime example will fire
the meterpreter_idletime and meterpreter events. The meterpreter_command form of the
event (here, meterpreter_idletime) lets you declare listeners that are more specific to
your situation.

    on meterpreter_idletime {
        # $1 = session identifier
        # $2 = the command sent and its arguments
        # $3 = the output.
        println("User on session $1 was idle for: $3");
    }

Remember, though, that scripts do not have exclusive access to a Meterpreter session. To
protect the interests of other scripts and actors using the session, some commands may
time out. Commands time out after 10-20 seconds. When this happens, a
meterpreter_timeout event fires to the script that called &m_cmd.

Parsing Meterpreter Output

Through Meterpreter you have access to a wealth of information about a compromised
host. One challenge, though, is parsing this information. Meterpreter results are returned as
one long string that you must parse. To help with this, Cortana offers several functions that
parse the output of Meterpreter commands and turn it into Sleep data structures, which
are easier to work with.

These functions are &parse_hashdump, &parse_ls, &parse_ps, &parse_route, and
&parse_timestomp. The arguments you must pass to these functions vary.
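
What turning "one long string" into data structures involves, as an added Python example that is not from the tutorial and is not Cortana's own &parse_ps (the page does not give that function's arguments). The sample text is constructed, the header-plus-dashes table layout is an assumption, and parse_table and SAMPLE_PS are hypothetical names.

```python
import re

# Constructed sample (not captured output). Assumed layout: a header row, then
# a row of dashes whose runs mark the offset at which each column starts.
SAMPLE_PS = r"""Process List
============

 PID   PPID  Name              Arch  User                 Path
 ---   ----  ----              ----  ----                 ----
 0     0     [System Process]
 4     0     System            x86   NT AUTHORITY\SYSTEM
 1204  580   svchost.exe       x86   NT AUTHORITY\SYSTEM  C:\Windows\System32\svchost.exe
 2312  1980  My App.exe        x86   LAB\alice            C:\Program Files\My App\My App.exe
"""


def parse_table(text):
    """Return the table's rows as a list of dicts keyed by column header."""
    lines = text.splitlines()
    # Find the underline row: only dashes and spaces, with at least one dash.
    rule = next((i for i, line in enumerate(lines)
                 if i > 0 and re.fullmatch(r"[ -]*-[ -]*", line)), None)
    if rule is None:
        return []  # no table present, e.g. the text is an error message
    starts = [m.start() for m in re.finditer(r"-+", lines[rule])]
    spans = list(zip(starts, starts[1:] + [None]))  # last column runs to EOL
    names = [lines[rule - 1][a:b].strip() for a, b in spans]
    rows = []
    for line in lines[rule + 1:]:
        if not line.strip():
            continue
        # Slice by column offset rather than splitting on whitespace: values
        # such as "My App.exe" contain spaces, and a short row simply yields
        # empty strings for the columns it does not reach.
        rows.append({n: line[a:b].strip() for n, (a, b) in zip(names, spans)})
    return rows


if __name__ == "__main__":
    for row in parse_table(SAMPLE_PS):
        print(row["PID"], row["Name"], row["User"] or "-")
```
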