Releases: r00t-3xp10it/meterpeter
v2.10.14.0
Quick Jump Links
- Project Home Page (GitHub)
- Install Under Linux Distros
- Install Under Windows Distros
- Project github WiKi Pages (Modules)
- Working with meterpeter dropper(s)
Project Description - codename: Betelgeuse - Remote Access Tool v2.10.14
This PS1 starts a listener server on a 'Windows|Linux' attacker machine and generates PS reverse tcp shell payloads obfuscated in 'BXOR' with a random secret key
and another layer of Characters/Variables Obfuscation to be executed on the target machine. You can also receive the generated reverse tcp shell connection via 'netcat'
(in that case you will lose C2 functionalities like screenshot, upload, download files, Keylogger, AdvInfo, PostExploit, Escalation-Of-Privileges, Stream Target Desktop).
Executing the client (payload or the dropper) with administrator privileges unlocks ALL C2 server modules (AMSI bypass + Execution_Policy bypass).
Remark: Meterpeter payloads | droppers are FUD (please don't test\send samples to VirusTotal\similar websites or to the Microsoft cloud as suspicious.amsi samples).
Meterpeter v2.10.14 codename: Betelgeuse Update Description
This update adds new modules, fixes modules being flagged by AMSI (anti-virus),
and reviews all Meterpeter C2 (server) individual modules for errors, bugs and quick improvements.
List Of Updated-New Modules
Meterpeter Prompt | Module Name | Module Description | Module Options | State |
---|---|---|---|---|
:meterpeter:Adv:Processes> | kill | Kill process by its PID number | *** | new option |
:meterpeter:Adv:Browser> | Clean | Clean major browsers temporary files | *** | new module |
:meterpeter:Keylogger> | SocialMedia | Capture keyboard keystrokes from Facebook and Twitter | Start, Stop, Schedule, Delay Force, SendToPasteBin | new module |
:meterpeter:Post> | Msstore | Manage Microsoft Store programs | list, discover, install, uninstall | new module |
:meterpeter:Post:Escalate> | Uacpriv | Use RUNAS to spawn UAC dialog box (user->admin) | *** | new module |
:meterpeter:Post:Passwords> | DumpSam | Dump hashes from registry hives | *** | new module |
:meterpeter:Post:Passwords> | Browser | Dump stored credentials | *** | *AMSI bypass* |
:meterpeter:Post:Passwords> | Putty | Leak PuTTY session(s) credentials (regedit) | *** | new module |
:meterpeter:Post:PhishCred> | Start | Phish for remote credentials | *** | new msgbox added |
:meterpeter:Post:AMSIPatch> | Console | Disable AMSI within current process | Console, FilePath, PayloadUrl | *AMSI bypass* |
:meterpeter:Pranks> | WindowsUpdate | Windows fake update full screen prank (browser) | *** | new module |
:meterpeter:Pranks> | LabelDrive | Rename drive letter (C:) label (display name) | list, rename | new module |
:meterpeter:Pranks> | criticalerror | Fake a system critical error (BSOD) | *** | *AMSI bypass* |
:meterpeter:Pranks> | BallonTip | Show a balloon tip in the notification bar | Title, Text, IconType, AutoClose | new module |
Command & Control - Modules Structure
```text
Module Name                 Module Description
-----------------------     ----------------------
info                        Retrieve remote host system information
session                     Retrieve Meterpeter C2 connection status
advinfo                     Advanced system information sub-menu
  |__ accounts              List remote host accounts
  |__ revshell              List client rev tcp shell information
  |__ ListAppl              List remote host installed applications
  |__ Processes             Remote host processes sub-menu
      |__ Check             List remote process(es) running
      |__ Query             Process name verbose information
      |__ DllSearch         List DLLs loaded by processes
      |__ Kill              Kill remote process from running (processname or pid)
  |__ Tasks                 Enumerate schedule tasks sub-menu
      |__ Check             Retrieve schedule tasks
      |__ Query             Retrieve single task information
      |__ RunOnce           Create new schedule task
      |__ LoopExec          Create new schedule task
      |__ Delete            Delete existing schedule task
  |__ Drives                List all remote host mounted drives
  |__ Browser               List remote host installed browsers sub-menu
      |__ Start             Enumerate remote browsers\versions installed
      |__ Verbose           Verbose enumerate remote browsers installed
      |__ Addons            Enumerate installed browser addons
      |__ Clean             Clean major browsers temporary files
  |__ Recent                List remote host recent directory
  |__ ListSMB               List remote host SMB names\shares
  |__ StartUp               List remote host startup directory
  |__ ListRun               List remote host startup run entries
  |__ AntiVirus             Enumerate all EDR products installed sub-menu
      |__ Primary           PrimaryAV + Security processes
      |__ FastScan          PrimaryAV + Security processes + EDR hunt
      |__ Verbose           Full scan module (accurate\slower)
  |__ FRManager             Manage remote host firewall rules sub-menu
      |__ Query             Query 'active' firewall rules
      |__ Create            Block application\program rule
      |__ Delete            Delete selected firewall rule
  |__ OutLook               Manage OutLook Exchange Email Objects sub-menu
      |__ Folders           Display outlook folder names
      |__ Contacts          Display outlook contacts info
      |__ Emails            Display outlook email objects
      |__ SendMail          Send Email using target domain
upload                      Upload from local host to remote host
  |__ start                 Upload from lhost to rhost
download                    Download from remote host to local host
  |__ start                 Download from rhost to lhost
Screenshot                  Capture remote host desktop screenshots sub-menu
  |__ Snapshot              Capture one desktop screenshot
  |__ SpyScreen             Capture multiple screenshots (background)
keylogger                   Install remote host keylogger sub-menu
  |__ Mouse                 Start remote mouselogger
  |__ Keystrokes            Start\Stop remote keylogger
  |__ Pastebin              Send keystrokes to pastebin
  |__ Browser               Capture browsers active tab title
  |__ SocialMedia           Capture FB + Twitter + WhatsApp + Instagram keyboard keystrokes
PostExploit                 Post Exploitation modules sub-menu
  |__ Stream                Stream remote host desktop live
      |__ Start             Stream target desktop live
  |__ Camera                Take snapshots with remote webcam sub-menu
      |__ Device            List all avail...
```
v2.10.13 - Zaratustra
Meterpeter v2.10.13 Update Description
This update fixes meterpeter.ps1 (server) and dropper (vbs format) flagging detection on execution (AMSI).
Some effort was also put into redesigning the server (meterpeter.ps1) menus \ submenus in a simpler way,
and all Meterpeter C2 (server) individual modules were reviewed for errors, bugs and quick improvements.
List Of Updated-New Modules
Meterpeter Prompt | Module Name | Module Description | Module Options | State |
---|---|---|---|---|
:meterpeter:Adv> | Tasks | Manage remote schedule tasks | Check, Query, RunOnce, LoopExec, Delete | new module (amsi bypass) |
:meterpeter:Adv:Processes> | kill | Kill processes | by processname or pid | new option added (pid) |
:meterpeter:Post> | Exclusions | Manage Windows Defender exclusions | Query, Create, UrlExec, Delete | new module |
:meterpeter:Post:Camera> | WebCamAvi | Capture video (AVI) using default webcam | RecTime (record time in seconds) | new module |
:meterpeter:Post> | passwords | Search for creds inside files recursively | Start | new module |
:meterpeter:Post> | DumpSAM | Dump LSASS, System, Security, Sam | Storage | new lsass dump technique |
:meterpeter:Post> | HiddenDir | Super\hidden directories manager | Search, Super, Create, Delete | Server Sub-Menu missing fix |
:meterpeter:Netscanner> | PingScan | List devices ip addr\ports\dnsnames on Lan | Enum, PortScan, AddrScan | PingSendAsync() bugfix |
:meterpeter:Keylogger> | Mouse | Record mouse clicks (psr) | *** | psr /output switch bugfix |
:meterpeter:Post> | dnsSpoof | Manage remote hosts file | *** | deleted - obsolete |
:meterpeter:Post> | SmbSpray | Smb password spray tool | start | deleted - amsi detected |
Command & Control - Modules Structure
```text
Module Name                 Module Description
-----------------------     ----------------------
info                        Retrieve remote host system information
session                     Retrieve Meterpeter C2 connection status
advinfo                     Advanced system information sub-menu
  |__ accounts              List remote host accounts
  |__ revshell              List client rev tcp shell information
  |__ ListAppl              List remote host installed applications
  |__ Processes             Remote host processes sub-menu
      |__ Check             List remote process(es) running
      |__ Query             Process name verbose information
      |__ DllSearch         List DLLs loaded by processes
      |__ Kill              Kill remote process from running (processname or pid)
  |__ Tasks                 Enumerate schedule tasks sub-menu
      |__ Check             Retrieve schedule tasks
      |__ Query             Retrieve single task information
      |__ RunOnce           Create new schedule task
      |__ LoopExec          Create new schedule task
      |__ Delete            Delete existing schedule task
  |__ Drives                List all remote host mounted drives
  |__ Browser               List remote host installed browsers sub-menu
      |__ Start             Enumerate remote browsers\versions installed
      |__ Verbose           Verbose enumerate remote browsers installed
      |__ Addons            Enumerate installed browser addons
  |__ Recent                List remote host recent directory
  |__ ListSMB               List remote host SMB names\shares
  |__ StartUp               List remote host startup directory
  |__ ListRun               List remote host startup run entries
  |__ AntiVirus             Enumerate all EDR products installed sub-menu
      |__ Primary           PrimaryAV + Security processes
      |__ FastScan          PrimaryAV + Security processes + EDR hunt
      |__ Verbose           Full scan module (accurate\slower)
  |__ OutLook               Manage OutLook Exchange Email Objects sub-menu
      |__ Folders           Display outlook folder names
      |__ Contacts          Display outlook contacts info
      |__ Emails            Display outlook email objects
      |__ Filter            SenderName objects <Info|Body>
      |__ SendMail          Send Email using target domain
  |__ FRManager             Manage remote host firewall rules sub-menu
      |__ Query             Query 'active' firewall rules
      |__ Create            Block application\program rule
      |__ Delete            Delete selected firewall rule
upload                      Upload from local host to remote host
  |__ start                 Upload from lhost to rhost
download                    Download from remote host to local host
  |__ start                 Download from rhost to lhost
Screenshot                  Capture remote host desktop screenshots sub-menu
  |__ Snapshot              Capture one desktop screenshot
  |__ SpyScreen             Capture multiple screenshots (background)
keylogger                   Install remote host keylogger sub-menu
  |__ Mouse                 Start remote mouselogger
  |__ Keystrokes            Start\Stop remote keylogger
  |__ Pastebin              Send keystrokes to pastebin
  |__ Browser               Capture browsers active tab title
  |__ Clipboard             Capture strings\files copied to clipboard
PostExploit                 Post Exploitation modules sub-menu
  |__ Stream                Stream remote host desktop live
      |__ Start             Stream target desktop live
  |__ Camera                Take snapshots with remote webcam sub-menu
      |__ Device            List all available WebCamera devices
      |__ Snapshot          Auto use of default webcam to take snapshot
      |__ WebCamAvi         Capture video (AVI) using default webcam
  |__ FindEop               Search for EOP possible entry points sub-menu
      |__ Check             Retrieve directory permissions
      |__ Service           Search for Unquoted Service Paths
      |__ RottenP           Search for rotten potato vuln
      |__ Agressive         Search for all EOP possible entries
  |__ Escalate              Esca...
```
v2.10.12 - Diógenes de Sinope
Project Description - codename: Diógenes de Sinope - Remote Access Tool v2.10.12
This PS1 starts a listener server on a 'Windows|Linux' attacker machine and generates PS reverse tcp shell payloads obfuscated in 'BXOR' with a random secret key
and another layer of Characters/Variables Obfuscation to be executed on the target machine. You can also receive the generated reverse tcp shell connection via 'netcat'
(in that case you will lose C2 functionalities like screenshot, upload, download files, Keylogger, AdvInfo, PostExploit, Escalation-Of-Privileges, Stream Target Desktop).
Executing the client (payload) with admin privileges unlocks ALL C2 server modules (AMSI + Execution_Policy bypasses). Droppers mimic a 'fake KB Security Update';
if executed, they download\execute client.ps1 in the background in the '$Env:TMP' trusted location, with the intent of evading Windows Defender + Exploit Guard.
Remark: Meterpeter payloads | droppers are FUD (please don't test\send samples to VirusTotal\similar websites or to the Microsoft cloud as suspicious.amsi samples).
Meterpeter v2.10.12 Update Description
This release fixes AMSI detection in the meterpeter main script (meterpeter.ps1), in the payload source code (reverse tcp shell - Update-KB5005101.ps1)
and in some of the meterpeter modules. It also comes with a redesigned menu style (more user friendly), and many of the existing modules have been updated
either to bypass AV detection, to update module functions, or simply to improve module console output displays.
List Of Updated-New Modules
Meterpeter Prompt | Module Name | Module Description | Module Options | State |
---|---|---|---|---|
:meterpeter> | Session | Meterpeter C2 connection status report updated | Session | updated |
:meterpeter:adv> | Browser | Safari\Brave browsers added to browsers list | Start | updated |
:meterpeter:adv> | Browser | verbose enumeration added to module | verbose | updated |
:meterpeter:adv> | Browser | Enumerate installed browsers addons | addons | new |
:meterpeter:adv> | Drives | List remote host mounted drives updated | Start | updated |
:meterpeter:adv> | AntiVirus | Enumerate EDR products + Security processes running | Primary, FastScan, Verbose | updated |
:meterpeter:adv> | OutLook | Manage remote host OutLook Exchange Email Objects | Folders, Contacts, Emails, Filter, SendMail | new |
:meterpeter:post> | DumpLsass | temporary AMSI bypass => Delete lsass dump function | Dumps Sam, System, Security metadata | bypass av |
:meterpeter:post> | AMSIpatch | Disable AMSI within current process | Console, FilePath, PayloadUrl | new |
:meterpeter:post> | SMBspray | Local LAN SMB protocol password spray attack | Start | new |
:meterpeter:post> | Camera | Capture remote webcam snapshots | snapshot, device | bypass av |
:meterpeter:post> | Allprivs | EnableAllParentPrivileges to exec cmdline | demo, cmdline | new |
:meterpeter:pranks> | Criticalerror | Prank that fakes a critical system error (BSOD) | Criticalerror | new |
:meterpeter:pranks> | Googelx | New google-space easter egg added to list | googlespace | updated |
:meterpeter:keylogger> | Start | Capture remote host keystrokes in background | Start, Stop | bypass av |
:meterpeter:keylogger> | PasteBin | Send keylogger keystrokes to selected pastebin account | PasteBin | new |
Command & Control - Modules Structure
```text
Module Name                 Module Description
-----------------------     ----------------------
info                        Retrieve remote host system information
session                     Retrieve Meterpeter C2 connection status
advinfo                     Advanced system information sub-menu
  |__ accounts              List remote host accounts
  |__ revshell              List client rev tcp shell information
  |__ ListAppl              List remote host installed applications
  |__ Processes             Remote host processes sub-menu
      |__ Check             List remote process(es) running
      |__ Query             Process name verbose information
      |__ DllSearch         List DLLs loaded by processes
      |__ Kill              Kill remote process from running
  |__ ListTasks             Enumerate schedule tasks sub-menu
      |__ Check             Retrieve schedule tasks
      |__ Query             Retrieve single task information
      |__ Create            Create new schedule task
      |__ Delete            Delete existing schedule task
  |__ Drives                List all remote host mounted drives
  |__ Browser               List remote host installed browsers sub-menu
      |__ Start             Enumerate remote browsers\versions installed
      |__ Verbose           Verbose enumerate remote browsers installed
      |__ Addons            Enumerate installed browser addons
  |__ Recent                List remote host recent directory
  |__ ListSMB               List remote host SMB names\shares
  |__ StartUp               List remote host startup directory
  |__ ListRun               List remote host startup run entries
  |__ AntiVirus             Enumerate all EDR products installed sub-menu
      |__ Primary           PrimaryAV + Security processes
      |__ FastScan          PrimaryAV + Security processes + EDR hunt
      |__ Verbose           Full scan module (accurate\slower)
  |__ OutLook               Manage OutLook Exchange Email Objects sub-menu
      |__ Folders           Display outlook folder names
      |__ Contacts          Display outlook contacts info
      |__ Emails            Display outlook email objects
      |__ Filter            SenderName objects <Info|Body>
      |__ SendMail          Send Email using target domain
  |__ FRManager             Manage remote host firewall rules sub-menu
      |__ Query             Query 'active' firewall rules
      |__ Create            Block application\program rule
      |__ Delete            Delete selected firewall rule
upload                      Upload from local host to remote host
  |__ start                 Upload from lhost to rhost
download                    Download from remote host to local host
  |__ start                 Download from rhost to lhost
Screenshot                  Capture remote host desktop screenshots sub-menu
  |__ Snapshot              Capture one desktop screenshot
  |__ SpyScreen             Capture multiple screenshots (background)
keylogger                   Install remote host keylogger sub-menu
  |__ Mouse                 Start remote mouselogger
  |__ Start                 Start remote keylogger
  |__ Pastebin              Send keystrokes to pastebin
  |__ Stop                  Stop keylogger process(es)
PostExploit                 Post Exploitation modules sub-menu
  |__ Stream                Stream remote host desktop live
      |__ Start             Stream target desktop live
  |__ Camera                Take snapshots with remote webcam sub-menu
      |__ Device            List all available WebCamera devices
      |__ Snapshot          Auto use of default webcam to take snapshot
  |__ FindEop               Search for EOP possible entry points sub-menu
      |__ Agressive         Search for all EOP possible entries
      |__ Check             Retrieve directory permissions
      |__ WeakDir           Search weak permissions recursively
      |__ Service           Search for Unquoted Service Paths
      |__ RottenP           Search for rotten potato vuln
...
```
meterpeter C2 - v2.10.11 - Sagittarius A*
List Of Updated Modules
Module Name | Issue | Update |
---|---|---|
Info | Get more information about target system (UserAccounts, RegisteredUser, BootUpTime, etc) | Automated Internal Function Update |
Meterpeter C2 Attack Vector | TinyUrl API implementation (obfuscate the url dropper link) | Automated Internal Function Update |
Meterpeter C2 sub-menus | Sub-menu displays redesigned (cleaner console outputs) | Sub-Menus displays redesigned |
Advinfo -> PingSweep | Enumerate \ Scan active ip addresses on Local Lan \ Simple Port Scanner | New Module |
Advinfo -> GetBrowsers | AMSI string flagging detection on cmdlet auto-download \ execution | AMSI string detection bypass |
AdvInfo -> FRManager | Silencing Microsoft Defender using firewall rules (SilenceDefender_ATP.ps1) | New Module |
AdvInfo -> GeoLocate | Client (payload-target) geo location and public ip address resolver | New Module |
PostExploit -> Sherlock | Added to PostExploit -> FindEop (search for escalation of privileges entries) | New Module |
PostExploit -> GetAdmin | Replaced old (CMSTP) AMSI DLL bypass technique by (@Oddvar_Moe) SendKeys | AMSI string detection bypass |
PostExploit -> Escalate | Post -> Escalate -> CmdLine (Spawn UAC gui to run cmdline elevated) | New Module |
PostExploit -> CleanTracks | LNK artifacts search updated to include even more locations | LNK artifacts search updated |
PostExploit -> hiddendir | Query \ Create \ Delete super hidden system folders | New Module |
Dropper Id 2 (HTA) | AMSI string flagging detection on hta Build \ Download | AMSI string detection bypass |
Dropper Id 3 (EXE) | Auto-set-PS-execution-policy-to-unrestricted \ Binary.exe suspicious.amsi bypass | Source Code Updated |
Meterpeter v2.10.11 release - Research - For reverse engineering
- Working with meterpeter payload droppers - exec time \ msgboxes
- Enumerate active IP addresses in Lan - PingSweep.ps1 simple port scanner
- UAC Bypass POC using SendKeys! (@Oddvar_Moe) - UACBypassCMSTP.ps1 auxiliary module
- Hunting for Escalation Of Privileges possible entries - @Meterpeter post-exploit findeop.ps1 auxiliary module
- Hunting for Escalation Of Privileges possible entries - @Meterpeter post-exploit ACLMitreT1574.ps1 auxiliary module
meterpeter C2 - v2.10.11 - screenshots (image captions)
- Stream Target Desktop Live
- Elevate session from UserLand to Administrator
- Enumerating remote host installed browsers\versions
- Simple ICMP\TCP builtin port scanner
- Searching for Escalation Of Privileges possible entries (Sherlock.ps1 + findEop.bat + ACLMitreT1574.ps1)
- Enumerating remote host running tasks
- Cleaning attacker system tracks (anti-forensic)
☠ Suspicious Shell Activity (RedTeam @2022) ☠
meterpeter C2 - v2.10.10 - Sagittarius A*
Project Description - Sagittarius_A*
This PS1 starts a listener server on a 'Windows|Linux' attacker machine and generates PS reverse tcp shell payloads obfuscated in 'BXOR' with a random secret key and another layer of Characters/Variables Obfuscation to be executed on the target machine (the payload executes an AMSI reflection bypass in the current session to evade detection while working). You can also receive the generated reverse tcp shell connection via 'netcat' (in that case you will lose the C2 functionalities like screenshot, upload, download files, Keylogger, AdvInfo, PostExploit, etc.).
Meterpeter payloads/droppers can be executed with 'User' or 'Administrator' privileges, depending on the scenario (executing the client as administrator will unlock ALL server modules, AMSI + ExecutionPolicy bypasses, etc.). Droppers mimic a 'fake KB Security Update' while in the background they download\execute client.ps1 in the '$Env:TMP' trusted location, with the intent of evading Windows Defender + Exploit Guard.
Remark: Meterpeter payloads | droppers are FUD (please don't test\send samples to VirusTotal\similar websites or to the Microsoft team).
Version v2.10.10 - Update Description
This version update fixes anti-virus Windows Defender 'AMSI' flagging detection on the 'meterpeter.ps1' main script, fixes script internal bugs
and presents two new payload droppers (HTA | EXE) to choose from when running the meterpeter (server) to build the reverse tcp shell.
Dropper FileName | Format | AV Detection | Execution |
---|---|---|---|
Update-KB5005101.bat | Batch | Undetected | PS ExecutionPolicy bypass + Social Engineering cmdline (minimized prompt) |
Update-KB5005101.hta | HTA | Undetected | PS ExecutionPolicy bypass + Social Engineering msgbox (background prompt) |
Update-KB5005101.exe | EXE | Suspicious | uac (admin) \ nouac (user) + Social Engineering msgbox (background prompt) |
Repairing bugs \ New Modules ( server )
Module | Description | Issue | Status | Note |
---|---|---|---|---|
meterpeter.ps1 | Main script execution | Flagged by AMSI string detection | Fixed | ******** |
Post -> Escalate | Escalation of privileges using SLUI.exe | Flagged by AMSI string detection | _NEW_EOP_ | SLUI.exe |
Post -> Browsers | Enumerate browsers installed | does not display outputs + opera added | Fixed | ******** |
Post -> ListDir | Recursive search for hidden directories | Query search function updated | update | ******** |
Post -> SetMace | Change RemoteHost File TimeStamp | missing function in source code | Fixed | ******** |
Post -> Pthash | Pass-The-Hash (Lateral Movement) | missing function in source code | Fixed | ******** |
Post -> Stream | Stream target desktop (MJPEG) | new post-exploitation module | _NEW_ | ******** |
Post -> OpenUrl | Open URL in default browser | new post-exploitation module | _NEW_ | ******** |
Post -> Artifacts | Delete target system artifacts + eventvwr | new post-exploitation module | _NEW_ | ******** |
Post -> MsgBox | Spawn remote msgbox that exec cmdline | new post-exploitation module | _NEW_ | ******** |
Post -> HideUser | Hidden accounts manager (Workstation) | new post-exploitation module | _NEW_ | ******** |
keylogger -> Mouse | Capture mouse clicks screenshots | new post-exploitation module | _NEW_ | ******** |
AdvInfo -> CredPhi | leak user account creds (LanManServer) | validation against DC bug | workaround | ******** |
AdvInfo -> ListAcc | List user accounts | does not display outputs (stdout) | Fixed | ******** |
AdvInfo -> ListSID | List user accounts SID | does not display outputs (stdout) | Fixed | ******** |
AdvInfo -> ListSMB | List SMB accounts | does not display outputs (stdout) | Fixed | ******** |
AdvInfo -> Task | search for schedule tasks running | does not display outputs (stdout) | Fixed | schtasks |
webserver | fake update download webpage | new meterpeter download method | _NEW_ | ******** |
Final Notes
meterpeter v2.10.10 auto-stores all files in the meterpeter webroot and delivers droppers\payloads using a fake software update webpage that serves 'Update-KB5005101.ZIP' before redirecting us to the real Microsoft catalog webpage. Attackers can also deliver 'dropper.ZIP' instead of using the fake software webpage (default).
For that, just send the following URL to the target: http://<attacker-ipaddr>:8087/Update-KB5005101.zip
to trigger the meterpeter dropper\payload silent download\execution.
☠ Suspicious Shell Activity (RedTeam @2021) ☠
meterpeter v2.10.8 - Amsi String Detection Bypasses
Project Description
meterpeter - This PS1 starts a listener Server on a Windows|Linux attacker machine and generates oneliner PS reverse shell payloads obfuscated in ASCII | BXOR with a random secret key and another layer of Characters-Variables Obfuscation to be executed on the victim machine (The payload will also execute AMSI reflection bypass in current session to evade AMSI detection while working). You can also receive the generated oneliner reverse shell connection via netcat. (in this case you will lose the C2 functionalities like screenshot, upload, download files, Keylogger, AdvInfo, PostExploitation, etc)
Version v2.10.8 - Update Description
This update fixes anti-virus Windows Defender AMSI string flagging detection on the 'meterpeter.ps1' main script and in the 'Screenshot function'.
The following modules have been modified to bypass detection: 'CredsPhish.ps1', 'DarkRcovery.exe', 'Keylogger.ps1' and 'GetBrowsers.ps1'.
Repairing Bug Reports (issues)
Module | Description | issue | Status |
---|---|---|---|
meterpeter.ps1 | Main script | Flagged by AMSI String Detection | Fixed |
Keylogger.ps1 | Capture system keystrokes | Flagged by AMSI String Detection | Fixed |
GetBrowsers.ps1 | Enumerate Installed Browsers | Flagged by AMSI String Detection | Fixed |
CredsPhish.ps1 | Spawn user for valid credentials | Flagged by AMSI String Detection | Fixed |
DarkRcovery.exe | Dump browsers credentials | Flagged by AMSI String Detection | Still Flagging Detection |
meterpeter v2.10.3 Video tutorial
📟 ⚡ meterpeter - v2.10.3 release - Video Tutorial (Under Windows Distro) ⚡ 📟
☠ Suspicious Shell Activity (RedTeam @2021) ☠
meterpeter - v2.10.3 - Dev Release
Source Code Updates {Version 2.10.3 Dev Release}
Server Automatic Completion Of Settings
meterpeter C2 now allows users to skip most of the server inputs: just leave the input empty
[press enter] and meterpeter will auto-complete the inputs with 'recommended' settings (if available).
Improving (Server) Output Displays
Module | Description | Wiki Pages |
---|---|---|
CamSnap | Manipulate Remote WebCam Function Output Displays Review/Improved | wiki CamSnap |
GetSystem | Escalate Privileges Function Output Displays Review/Improved | wiki GetSystem |
Beacon | Beacon Persistence Function Output Displays Review/Improved | wiki Beacon |
Dnspoof | Dnspoof Sub-Menu Function Output Displays Review/Improved | wiki Dnspoof |
ListPriv | ListPriv Sub-Menu Function Output Displays Review/Improved | wiki ListPriv |
ListTask | ListTask Sub-Menu Function Output Displays Review/Improved | wiki ListTask |
Repairing Bug Reports (issues)
Module | Description | issue | Wiki |
---|---|---|---|
Beacon | Persistence module now beacons home every xx to xx sec (set by attacker). This gives the attacker a better chance to grab the rev connection | issue 2 | wiki |
Download | Function reviewed/improved to allow empty spaces in remote path inputs. The use of single quotes is a requirement for this fix to work remotely | issue 3 | |
Upload | Function reviewed/improved to allow empty spaces in remote path inputs. The use of single quotes is a requirement for this fix to work remotely | issue 3 | |
Recent Updates to New|Existing Modules
Module | Description | Commit |
---|---|---|
Settings | New module to help the attacker remember active Server/Client settings | commit |
DumpSam | Function reviewed/improved to also dump security LSA secrets (Remote) | commit |
Beacon | Persistence function updated to write a Server/Client settings logfile (Locally). This allows the attacker to store the settings from the previous day(s) | commit |
RegACL | Search for weak Service Permissions on Registry added to ListPriv (Menu) | commit |
ListDriv | Module updated to also display the used and free space of the drives found | commit |
CredPhi | Module for phishing remote credentials using Windows PromptForCredential | commit |
Manual | Manual selection of target webcam device name | commit |
meterpeter v2.10.3 Video tutorial
📟 ⚡ meterpeter - v2.10.3 Dev release - Video Tutorial (Under Windows Distro) ⚡ 📟