Learn how to migrate to a different process on a target machine after establishing a Meterpreter shell.
Meterpreter is a Metasploit attack payload that provides an interactive shell to the attacker from which they can explore the target machine as well as execute code.
Kali Linux and Windows
You can use Kali Linux in a VM and a Windows machine for this lab.
This lab will continue on from the previous lab, where we use SET to create a payload and establish a Meterpreter shell on a Windows target. In this lab, we will be covering how to migrate to a different process on the Windows machine and some basic privilege escalation.
With your Meterpreter shell open, you should still be connected to yor Windows virtual machine. Type “sysinfo” to gather some information about the target system. In this lab, we will be migrating our Meterpreter shell from its current Meterpreter process to another process on the system. This is a common next step after establishing a shell on a target as it is makes it much easier to avoid detection.
We will begin by typing the following into the Meterpreter console:
This command will list every process running on our Windows machine. Look for the “explorer.exe” process running on the Windows machine. The reason we want to migrate to this process is because it is typically always running on Windows machines. This means that if the user checks their task manager and sees explorer.exe running, they will not be suspicious. However, if they see a process running called “edssddfkj.exe” they may become suspicious, run a malware scan, and we will be caught on the system. Type the following into your meterpreter shell:
ps | grep explorer.exe
This command will list all the processes running on the system and will then use grep to find the explorer.exe process for us. On our machine, it has a Process ID (PID) of 3228.
We will migrate to this process now by typing the following command:
We should see something like the following screenshot:
Great, we have successfully migrated to a different process on the Windows system! (2)
We will now attempt some very basic privilege escalation. Metasploit comes built in with a privilege escalation module. We can load this into Meterpreter by typing the following:
This will load the privilege escalation module. Once the module is loaded, type the following to attempt privilege escalation on the system (2):
This is unlikely to work, but should be tried in any case. If this process fails, your shell may die. If it does, simply run the listener again and execute the payload on the target machine to re-establish the shell.