Finding Meterpreter
In our recent post on the Command Line Kung Fu blog, Advanced Process Whack-a-Mole, we tried to find meterpreter using these two commands:
Windows command line:
C:\> tasklist /FI "modules eq metsrv.dll"
PowerShell:
PS C:\> Get-Process | ? { $_.Modules -like "*(metsrv.dll)*" }
In MetaSploit version 3.3, and presumably future versions, metsrv.dll is not visible due to Reflective DLL injection. It does work on v2 and v3.0-3.2. However, there are still footprints of meterpreter in v3.3. Two other dll's are loaded with meterpreter that many processes don't load:
C:\WINDOWS\system32\rsaenh.dll
C:\WINDOWS\system32\IPHLPAPI.DLL
We can look for processes that have these two dll's loaded using either of these two commands.
Windows command line:
C:\> tasklist /fi "MODULES eq rsaenh.dll" /fi "MODULES eq iphlpapi.dll"
PowerShell:
PS C:\> Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*"
-and $_.Modules -like "*(iphlpapi.dll)*"}
The problem is, some processes load these dll's so it isn't a 100% sign of pwnage. The processes include:
explorer.exe
iexplore.exe
lsass.exe
svchost.exe
winlogon.exe
If IE were compromised it wouldn't be obvious, but it is obvious if Icecast was.
PS C:\> Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*"
-and $_.Modules -like "*(iphlpapi.dll)*"} | select ProcessName
ProcessName
-----------
explorer
Icecast2
IEXPLORE
lsass
svchost
svchost
svchost
winlogon
It is also apparent if meterpreter has been migrated to a process that doesn't normally load the dll's. In my testing I migrated to calc. Here are the results now.
PS C:\> Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*"
-and $_.Modules -like "*(iphlpapi.dll)*"} | select ProcessName
ProcessName
-----------
calc
explorer
Icecast2
IEXPLORE
lsass
svchost
svchost
svchost
winlogon
If we had a baseline of the processes that normally load these dll's, we can use PowerShell to filter those out and show only the processes that don't normally load them.
PS C:\> Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*"
-and $_.Modules -like "*(iphlpapi.dll)*" -and
"explorer","iexplore","lsass","svchost","winlogon" -notcontains $_.ProcessName } | select ProcessName
ProcessName
-----------
calc
Icecast2
In this example Icecast2 was the initial point of compromise and meterpreter has migrated to calc.
While this isn't a perfect way to find meterpreter it is better than nothing.
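The baseline idea above can be turned into a small reusable script. This is an added example, not code from the original post: it records which processes on a known-clean host load both rsaenh.dll and iphlpapi.dll, and on a later run reports any process that loads both but was not in the baseline. The -BaselinePath and -Mode parameters and the file location are this example's own choices.

```powershell
# Added example (not from the original post). Run elevated so the module
# lists of system processes can be read. Parameters and the baseline file
# location are assumptions made for this example.
param(
    [string]$BaselinePath = "$env:ProgramData\dll-baseline.txt",
    [ValidateSet('Baseline','Check')][string]$Mode = 'Check'
)

# The two DLLs the post identifies as meterpreter footprints.
$Indicators = @('rsaenh.dll', 'iphlpapi.dll')

function Get-SuspectProcess {
    # Return every process whose loaded module list contains all indicator DLLs.
    # Reading .Modules can throw for protected or other-session processes;
    # those are skipped instead of aborting the whole scan.
    Get-Process | ForEach-Object {
        try { $mods = $_.Modules | ForEach-Object { $_.ModuleName.ToLower() } }
        catch { return }
        $hit = $true
        foreach ($dll in $Indicators) { if ($mods -notcontains $dll) { $hit = $false } }
        if ($hit) { $_ }
    }
}

$suspects = Get-SuspectProcess

if ($Mode -eq 'Baseline') {
    # Record the process names seen on a known-clean host, one per line.
    $suspects | ForEach-Object { $_.ProcessName.ToLower() } | Sort-Object -Unique |
        Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
}
else {
    if (-not (Test-Path $BaselinePath)) {
        throw "No baseline at $BaselinePath; run with -Mode Baseline first."
    }
    $known = Get-Content $BaselinePath
    # Anything loading both DLLs that is not in the baseline deserves a look.
    # Limitation from the post: an implant inside explorer, lsass, svchost etc.
    # is invisible here because those processes are part of the baseline.
    $suspects | Where-Object { $known -notcontains $_.ProcessName.ToLower() } |
        Select-Object ProcessName, Id, Path
}
```

Build the baseline once on a clean image (-Mode Baseline) and re-run in Check mode periodically; a 32-bit PowerShell cannot enumerate modules of 64-bit processes, so match the shell's bitness to the host.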
UPDATE:
According to Stephen Fewer, one of the MetaSploit developers:
iphlpapi.dll is imported by meterpreter's stdapi extension for the route and ipconfig commands.
rsaenh.dll (the Microsoft Enhanced Cryptographic Provider DLL) is being loaded via advapi32.dll after a call from the openssl subsystem within meterpreter calling advapi32!CryptAcquireContext[1]
If you migrate into explorer.exe, do you see the same results?
You would not be able to find it with this method since explorer already loads these dll's.
I know that when you migrate meterpreter to a different process, you can see the change in that processes memory usage (private bytes, working set, etc). I bet if you did enough measuring, you could come up with a ballpark size as a signature for meterpreter. The problem with this approach is that you would need a baseline for the memory usage of each process on the machine.
This was a very interesting article and showed some nice techniques. I was recently doing some experimentation with metasploit and wrote a blog entry on my findings. If you're interested, the url is: http://jah-internship.blogspot.com/2010/02/simwitty-internship-week-4.html
Interesting idea. I would imagine it would be difficult to implement with reasonable accuracy.
And great post.