Metasploit mailing list archives
migrating to another process
From: trklisted at networksamurai.org (mOses)
Date: Thu, 28 May 2009 11:43:26 -0400
Jun,

On May 28, 2009, at 12:28 AM, Jun Koi wrote:

> hi mOses,
>
> On Thu, May 28, 2009 at 12:27 PM, mOses <trklisted at networksamurai.org> wrote:
>
>> In the meterpreter you will want to use the migrate <PID> command to migrate from one process to another.
>>
>> meterpreter > migrate PID
>>
>> Within the Meterpreter itself you can use the ps command to list out all processes.
>>
>> meterpreter > ps
>>
>> You also use getpid to get the process id you are in:
>>
>> meterpreter > getpid
>> <PID>
>
> Excellent! The whole point is that after migrating, I will get the new privilege as the privilege of the new process (where I migrated in), right?

That is correct. When you inject the meterpreter library (DLL) into the running process you can take the privilege of the account you are running under. Because you are running with this user's account you can run commands and perform actions on his behalf (i.e. impersonation). One of these things is the token hijacking attack, where you can take the user account that you have migrated to and impersonate that user's credentials on a domain (Wouldn't it be nice to hijack a domain admin at that point?)

>> A few things to note however. Within a process running as the SYSTEM account, although you have a high level of privilege you do not have any access to the GUI (like explorer) since you are not a 'user'.
>
> Could you explain why we care about GUI? Since we are inside meterpreter, I suppose that we have no access to GUI anyway, no??

Sometimes when doing a test, it may be beneficial to express how much access you have by taking screenshots, or maybe you want to use the keystroke logger. Both those meterpreter scripts will require access to possibly the explorer.exe process or a process running within the explorer.exe process such as the user running 'calc.exe'.

> Thanks!
> J
mosesRENEGADE
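From the defender's side, the privilege change discussed in this thread leaves a trace: migrating means creating a thread in a process that may run under a different account. The script below is an added example (not code from the thread or from Metasploit) that scans constructed Sysmon Event ID 8 (CreateRemoteThread) records and flags thread creations that cross a user boundary, land in a sensitive process, or start at an address not backed by a loaded module; the SourceUser/TargetUser fields, the allowlisted EDR path and the sample events are assumptions.

```python
import json

# Constructed Sysmon Event ID 8 (CreateRemoteThread) records in JSON-lines form, as a
# log shipper would forward them. Field names follow Sysmon's schema; the
# SourceUser/TargetUser fields are assumed present (newer Sysmon builds add them).
SAMPLE_EVENTS = r"""
{"EventID": 8, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\svchost.exe", "SourceUser": "NT AUTHORITY\\SYSTEM", "TargetUser": "NT AUTHORITY\\SYSTEM", "StartModule": "C:\\Windows\\System32\\ntdll.dll"}
{"EventID": 8, "SourceImage": "C:\\Users\\alice\\Downloads\\invoice.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "SourceUser": "CORP\\alice", "TargetUser": "NT AUTHORITY\\SYSTEM", "StartModule": "-"}
{"EventID": 8, "SourceImage": "C:\\Windows\\System32\\services.exe", "TargetImage": "C:\\Windows\\explorer.exe", "SourceUser": "NT AUTHORITY\\SYSTEM", "TargetUser": "CORP\\alice", "StartModule": "-"}
{"EventID": 8, "SourceImage": "C:\\Program Files\\EDR\\sensor.exe", "TargetImage": "C:\\Windows\\explorer.exe", "SourceUser": "NT AUTHORITY\\SYSTEM", "TargetUser": "CORP\\alice", "StartModule": "C:\\Program Files\\EDR\\hook.dll"}
"""

SENSITIVE_TARGETS = {"lsass.exe", "winlogon.exe", "services.exe"}
# Hypothetical allowlist entry for a legitimate cross-process injector (an EDR sensor).
ALLOWED_SOURCES = {r"C:\Program Files\EDR\sensor.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def analyse(event):
    """Return the reasons this CreateRemoteThread event looks like a migration (empty if benign)."""
    if event.get("EventID") != 8 or event.get("SourceImage") in ALLOWED_SOURCES:
        return []
    reasons = []
    src_user, dst_user = event.get("SourceUser"), event.get("TargetUser")
    if src_user and dst_user and src_user != dst_user:
        # The injected code now runs under the target's token: the privilege change the
        # thread above describes when migrating into a process owned by another account.
        reasons.append(f"token boundary crossed: {src_user} -> {dst_user}")
    if basename(event.get("TargetImage", "")) in SENSITIVE_TARGETS:
        reasons.append("sensitive target process")
    if event.get("StartModule", "-") == "-":
        # Entry point not inside any module on disk: what a reflectively loaded DLL looks like.
        reasons.append("thread start not backed by a loaded module")
    return reasons

def find_migrations(jsonl):
    """Parse JSON-lines events and return (source, target, reasons) for each suspicious one."""
    findings = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        reasons = analyse(event)
        if reasons:
            findings.append((basename(event["SourceImage"]), basename(event["TargetImage"]), reasons))
    return findings

if __name__ == "__main__":
    for src, dst, why in find_migrations(SAMPLE_EVENTS):
        print(f"{src} -> {dst}: {'; '.join(why)}")
```

Same-user injections backed by a module on disk (the svchost record) and allowlisted sources produce no finding, so the rule stays quiet on routine Windows activity while still catching both directions of the account change the thread discusses.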