Metasploit mailing list archives

migrating to another process


From: trklisted at networksamurai.org (mOses)
Date: Thu, 28 May 2009 11:43:26 -0400

Jun,


On May 28, 2009, at 12:28 AM, Jun Koi wrote:

> hi mOses,
>
> On Thu, May 28, 2009 at 12:27 PM, mOses <trklisted at networksamurai.org> wrote:
>> In the meterpreter you will want to use the migrate <PID> command to migrate from one process to another. meterpreter > migrate PID
>>
>> Within the Meterpreter itself you can use the ps command to list out all processes. meterpreter > ps
>>
>> You also use getpid to get the process id you are in: meterpreter > getpid
>> <PID>
>
> Excellent!
>
> The whole point is that after migrating, I will get the new privilege as the privilege of the new process (where I migrated in), right?

That is correct. When you inject the meterpreter library (DLL) into the running process you can take the privilege of the account you are running under. Because you are running with this user's account you can run commands and perform actions on his behalf (i.e. impersonation). Some of the things, like the token hijacking attack, where you can take the user account that you have migrated to and impersonate that user's credentials on a domain (Wouldn't it be nice to hijack a domain admin at that point?)

>> A few things to note however.
>>
>> Within a process running as the SYSTEM account, although you have a high level of privilege, you do not have any access to the GUI (like explorer) since you are not a 'user'.
>
> Could you explain why we care about GUI? Since we are inside meterpreter, I suppose that we have no access to GUI anyway, no??

Sometimes when doing a test, it may be beneficial to express how much access you have by taking screenshots, or maybe you want to use the keystroke logger. Both of those meterpreter scripts will require access to the explorer.exe process, or possibly a process running within the explorer.exe process such as the user running 'calc.exe'.

> Thanks!
> J

mosesRENEGADE
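A defender-side companion to the migration behaviour discussed in this thread (a SYSTEM-context process creating a thread in a logged-on user's explorer.exe to reach the GUI): an added example, not code from the list or from Metasploit, that scores constructed CreateRemoteThread-style records for that pattern. The field names are an assumption, loosely modelled on Sysmon Event ID 8, and the log lines are made up.

```python
import json

# Constructed CreateRemoteThread-style records (field names are an assumption, loosely
# modelled on Sysmon Event ID 8; the paths, users and values are made up for this example).
SAMPLE_LOG = r"""
{"SourceImage": "C:\\Windows\\System32\\svchost.exe", "SourceUser": "NT AUTHORITY\\SYSTEM", "TargetImage": "C:\\Windows\\explorer.exe", "TargetUser": "CORP\\alice", "StartModule": ""}
{"SourceImage": "C:\\Program Files\\Vendor\\updater.exe", "SourceUser": "CORP\\alice", "TargetImage": "C:\\Windows\\explorer.exe", "TargetUser": "CORP\\alice", "StartModule": "C:\\Windows\\System32\\kernel32.dll"}
{"SourceImage": "C:\\Windows\\System32\\services.exe", "SourceUser": "NT AUTHORITY\\SYSTEM", "TargetImage": "C:\\Windows\\System32\\svchost.exe", "TargetUser": "NT AUTHORITY\\SYSTEM", "StartModule": "C:\\Windows\\System32\\ntdll.dll"}
"""


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def score_event(ev):
    """Return the indicators that make this remote-thread event look like a migration."""
    reasons = []
    # The thread's scenario: code running as SYSTEM moving into a user's desktop process.
    if ev["SourceUser"] != ev["TargetUser"]:
        reasons.append("source and target run under different accounts")
    # explorer.exe is the interactive shell; landing there is what yields GUI access.
    if ev["TargetImage"].lower().endswith("\\explorer.exe"):
        reasons.append("target is the interactive shell (explorer.exe)")
    # An injected thread usually starts in memory that no loaded module backs.
    if not ev.get("StartModule"):
        reasons.append("thread start address not backed by a loaded module")
    return reasons


def find_suspicious(events, min_reasons=2):
    """Events that collect at least min_reasons indicators, with their reasons."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            hits.append({"source": ev["SourceImage"], "target": ev["TargetImage"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(parse_events(SAMPLE_LOG)):
        print(hit["source"], "->", hit["target"], ";", "; ".join(hit["reasons"]))
```

Only the first record trips the rule; the same-account, module-backed threads in the other two are left alone, which is the trade-off a threshold like `min_reasons` buys you.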
