How to Meterpreter: Interactive Ruby Shell (A Quick Introduction)
First of all, Merry Christmas and Happy New Year to all Null-Byters that learn and teach in this wonderful site. In this article we will explore the basics of the meterpreter's IRB (Interactive Ruby Shell).
We will be using Kali version 1 as the attacker machine and Windows 8.1 Professional as the victim system. I'm going to skip the process of owning a system and obtain a meterpreter session because there are thousands of posts here about that.
IRB is a Read-Eval-Print-Loop for Ruby. It offers top-level interaction with systems among other things such as command history and job control. It's similar to the Python interpreter explained here in Defalt's articles, but it's based on the object-oriented Ruby.
In a meterpreter session, you usually run scripts that are written in Ruby. Meterpreter's IRB let you interact directly with the system API (and the metasploit API) and use your mind to perform hacking tasks. There are a lot of scripts that can be useful for us (Why reinvent the wheel?) for example getpid, getuid, idletime, etc... but there are specific tasks that we have to do on our own with patience and imagination.
At this step you need a meterpreter session opened on your system. Inside the session, simply type:
When you are greeted with this screen, you can start interacting with the victim machine, let's go to the fun part!
Within the session, we can look for system information as usual in a meterpreter session, type:
client (gives us information about the actual meterpreter session)
client.sys.config.sysinfo (info about the system)
You see that it gives us specific information about the version, architecture, language, etc. We can know the process where we are allocated typing:
As you can see we can recover wonderful information for hacking tasks, in future tutorials we will explore it in-depth, as the title says this is simply an introduction.
Railgun is a meterpreter extension designed for compromised systems running Windows. It lets you invoke the API directly among other things such as load DLL libraries and execute code inside them. Let's take a quick look to what it can do, the basic syntax is:
client.railgun.<dll library>.<function>(<function args>)
In this example we've called the function "MessageBoxA" included in "user32.dll".
The powerful of this extension is that the more you know the Windows API the better you can hack Windows based systems. You can search the Windows API Index for a list of libraries and functions with explanations.
I'm planning to continue this series on Meterpreter, actually I have in mind:
- Obtain meterpreter sessions from IRB.
- Capture user credentials without cracking hashes (social engineering).
- Execute processes and manipulate memory in order to inject payloads in it.
- Write our own scripts to have a customized metasploit.
If you have any suggestions (or questions) feel free to PM me or put them on the comment section. Thanks for reading!