Sunday, January 31, 2010

Finding Meterpreter

In our recent post on the Command Line Kung Fu blog, Advanced Process Whack-a-Mole, we tried to find meterpreter using these two commands:

Windows command line:
C:\> tasklist /FI "modules eq metsrv.dll"

PowerShell:
PS C:\> Get-Process | ? { $_.Modules -like "*(metsrv.dll)*" }
In Metasploit 3.3, and presumably future versions, metsrv.dll is not visible in the module list because it is loaded by reflective DLL injection. The check does work on v2 and v3.0-3.2. However, there are still footprints of meterpreter in v3.3: two other DLLs that many processes don't load are loaded alongside it.
C:\WINDOWS\system32\rsaenh.dll
C:\WINDOWS\system32\IPHLPAPI.DLL
We can look for processes that have both of these DLLs loaded using either of these two commands.

Windows command line:
C:\> tasklist /fi "MODULES eq rsaenh.dll" /fi "MODULES eq iphlpapi.dll"

PowerShell:
PS C:\> Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*" -and $_.Modules -like "*(iphlpapi.dll)*" }
The problem is that some processes load these DLLs on their own, so their presence isn't a 100% sign of pwnage. The processes include:
explorer.exe
iexplore.exe
lsass.exe
svchost.exe
winlogon.exe
If IE were compromised it wouldn't be obvious, since iexplore.exe is already on that list, but it is obvious if Icecast was.
PS C:\> Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*" -and $_.Modules -like "*(iphlpapi.dll)*" } | select ProcessName

ProcessName
-----------
explorer
Icecast2
IEXPLORE
lsass
svchost
svchost
svchost
winlogon
It is also apparent if meterpreter has been migrated to a process that doesn't normally load these DLLs. In my testing I migrated to calc. Here are the results now.
PS C:\> Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*" -and $_.Modules -like "*(iphlpapi.dll)*" } | select ProcessName

ProcessName
-----------
calc
explorer
Icecast2
IEXPLORE
lsass
svchost
svchost
svchost
winlogon
If we have a baseline of the processes that normally load these DLLs, we can use PowerShell to filter them out and show only the processes that don't normally load them.
PS C:\> Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*" -and $_.Modules -like "*(iphlpapi.dll)*" -and "explorer","iexplore","lsass","svchost","winlogon" -notcontains $_.ProcessName } | select ProcessName

ProcessName
-----------
calc
Icecast2

In this example Icecast2 was the initial point of compromise and meterpreter has migrated to calc.
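The two checks above (find every process that has both DLLs loaded, then drop the ones on a known-good baseline) can be put into reusable PowerShell functions. The following is an added example and not code from the original post; the function names, the baseline file format and the placeholder path C:\baseline\loaders.txt are assumptions. It compares module names explicitly instead of matching the string form of the Modules collection, and it treats processes whose modules cannot be enumerated (access denied, or a 64-bit process seen from a 32-bit shell) as unknown rather than clean, so they are reported as warnings instead of silently dropped.

```powershell
# Added example, not from the original post. Names and the baseline path are assumptions.

# Return every process that has loaded all of the DLLs in $ModuleNames.
function Get-ModuleLoaders {
    param(
        [string[]] $ModuleNames = @('rsaenh.dll', 'iphlpapi.dll')
    )
    $wanted = $ModuleNames | ForEach-Object { $_.ToLower() }
    foreach ($p in Get-Process) {
        try {
            # .Modules throws for processes we cannot open; do not treat that as "clean".
            $loaded = @($p.Modules | ForEach-Object { $_.ModuleName.ToLower() })
            $path   = $p.Path
        } catch {
            Write-Warning ("Cannot enumerate modules of {0} (PID {1}): {2}" -f `
                $p.ProcessName, $p.Id, $_.Exception.Message)
            continue
        }
        $hasAll = $true
        foreach ($m in $wanted) {
            if ($loaded -notcontains $m) { $hasAll = $false; break }
        }
        if ($hasAll) {
            New-Object PSObject -Property @{
                ProcessName = $p.ProcessName
                Id          = $p.Id
                Path        = $path
            }
        }
    }
}

# On a known-good host, record the names of the processes that normally load the DLLs.
function Save-ModuleLoaderBaseline {
    param(
        [Parameter(Mandatory=$true)] [string] $BaselinePath,
        [string[]] $ModuleNames = @('rsaenh.dll', 'iphlpapi.dll')
    )
    Get-ModuleLoaders -ModuleNames $ModuleNames |
        Select-Object -ExpandProperty ProcessName |
        Sort-Object -Unique |
        Set-Content -Path $BaselinePath
}

# Report the loaders whose process name is not in the baseline file.
function Compare-ModuleLoaderBaseline {
    param(
        [Parameter(Mandatory=$true)] [string] $BaselinePath,
        [string[]] $ModuleNames = @('rsaenh.dll', 'iphlpapi.dll')
    )
    $baseline = @(Get-Content -Path $BaselinePath | ForEach-Object { $_.Trim().ToLower() })
    Get-ModuleLoaders -ModuleNames $ModuleNames |
        Where-Object { $baseline -notcontains $_.ProcessName.ToLower() }
}

# Usage (placeholder path):
#   Save-ModuleLoaderBaseline -BaselinePath C:\baseline\loaders.txt      # run once on a clean host
#   Compare-ModuleLoaderBaseline -BaselinePath C:\baseline\loaders.txt |
#       Format-Table ProcessName, Id, Path -AutoSize
```

The baseline is keyed on process name only, exactly as the post's hand-written list is, so it will not catch a payload living inside a process that is already on the list; the Path column is included so that an expected name running from an unexpected location still stands out in the report.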

While this isn't a perfect way to find meterpreter it is better than nothing.

UPDATE:
According to Stephen Fewer, one of the MetaSploit developers:
iphlpapi.dll is imported by the meterpreter's stdapi extension for the route and ipconfig commands.

rsaenh.dll (The Microsoft Enhanced Cryptographic Provider DLL) is being loaded via advapi32.dll after a call from the openssl subsystem within meterpreter calling advapi32!CryptAcquireContext[1]
