Skip to content

Instantly share code, notes, and snippets.

@rahuldhawan291
Last active June 3, 2019 13:17
  • Star 2 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save rahuldhawan291/23e0432a9d8725dcc5b33d9239ad979c to your computer and use it in GitHub Desktop.
Adding features to a Metasploit Framework that allows the meterpreter console to have Graphical User Interface that includes a visual listing of commands available and post modules that can be used in an active session.

This gist includes my work summary and my experience during Google Summer of Code'18 with Metasploit

The Problem statements

When interacting with a Meterpreter session in Metasploit Framework, the user is either in direct control of the session prompt or has backgrounded the sessions. To execute post modules the user must background the session and then interact with the console to find modules they wish to run.

The proposed solution

The aim is to enhance the user experience by making it easier for them to navigate through the list of available Post Exploitation modules and available extension commands for the active session. By launching a separate interaction as a web console, the user gains the flexibility of having module lists available in a point and click context driven menu, while still being able to have a quick interaction directly with the session. Also, creating a view that is associated to an individual session the context of the menu can filter modules and extension that do not apply to the specific session.

Efforts made on the project

Front-end

The motive of the project is to create a simple, lightweight Web App equipped with the click context-driven menu of all the feature that exists within the meterpreter console. In order to achieve this goal, the front end is designed in the following manner.

  • All the animation that exists on a web page is created by using Bootstrap 4.1 and jquery 3.2.1.
  • The content on the web page is updated by using AJAX XML library so that there is no need to reload the page on every HTTP request.
  • In order to provide the user with meterpreter console-like experience on the browser, I have used Xterm.js library which is connected to the server via WebSocket. This way the user can gain the flexibility of having modules list, session commands and other fun features available as a context-driven menu along with a quick interaction with the meterpreter console
  • The Session information, post exploitation module and extension commands are making the HTTP request to retrieve data from the server whereas Xterm.js is using WebSocket to establish a bidirectional communication channel with the server.
  • Since the server is giving out data in Json format, I had to make use of DOM manipulation in JavaScript to dynamically create an interactive list of post-exploitation modules, Extension Commands and session information menu.
  • The Web Console shows the entire dump of post modules that are available in msfconsole but in case of extension commands list, it shows only those commands that are available depending upon the type of payload used to launch meterpreter session.

Links :

Back-end

  • The BackEnd of the Web Console is build using Sinatra framework (which is an alternative to Rails framework). The thin server is used within Sinatra framework to host the Web Console in a local network.

  • The backend is designed in such a way that it can be instantiated easily and launched from the MSF console by using a simple command line option i.e.sessions -w <session_id>

  • There were certain significant challenges that were needed to be resolved in order to achieve such flexibility. Some of them are listed below:

    • In a classical Sinatra application, there exists no feasible method to instantiate the application, for that I had to create Sinatra modular application and use Helper/Extension method to achieve this goal. The implementation of helper method can be found here
    • Another hurdle was to run a Sinatra Server application within a console in such a way that it does not block the user interaction in the console. To rectify this issue, I had to run the Sinatra server app on a single thread and manage it by Msf::ThreadManager class. This way it is possible to run the server as a background process within msfconsole.You can look for the code here
    thr = []
    thr << framework.threads.spawn("ConsoletoBrowser",true) do
    WebConsoleServer.run!(:bind=>server_bind,:port=>server_port)
    end
    • The next challenge was to open the browser from within the console just after starting the server. It is inconvenient for the user to manually open the browser and type the URL to where WebConsole is being hosted, to solve this issue I created another thread and called Rex:Compat.open_webrtc_browser(URL) method within it to open the browser for the desired address.You can look for the code here
    thr << framework.threads.spawn("OpenBrowser",true) do
    print_status("Opening WebConsole on host http://#{server_bind} on port #{server_port} for session #{sessions.sid}")
    Rex::Compat.open_webrtc_browser("http://#{server_bind}:#{server_port}")
    end
    • Another challenge was to run HTTP server and WebSocket server in the same process and on the same port. To achieve this goal, I have used Sinatra-WebSocket gem which makes it easy to upgrade any request to a WebSocket connection. Implementation of Sinatra-websocket can be found here
  • The next step was to get a dump of all the post-exploitation module that is present inside the framework and convert it into a suitable json format so that the browser could use it to make a sidebar dynamically. On digging into the source code, I found out that Msf::Ui::Console::CommandDispatcher::core uses an object framework.post that stores a list of post modules. Initially, the individual post mod was in “post/Linux/gather/checkvm” format. So I had to write a suitable glue code to convert it into json format and send it to the browser. Again I had to write DOM manipulation JavaScript code that dynamically creates an interactive, event-driven list on the browser. This code can be found here

{
“linux” => {
    “gather” => ["checkvm","enum_network",...] 
    }
 }
  • To gather the list of extension commands, digging into Rex library to find an object that gives out the dump of extension commands was required. For that, I found an object dispatcher_stack which give out a list of extension commands. After that, I had to convert the data into suitable json format and return it to the front end. The implementation of this concept can be found here
client=framework.sessions[1]
client.console.dispatcher_stack.each {|ds|
 ds.commands.keys
 }
  • The Next step was to somehow connect Input/Output of meterpreter console to the WebTerminal in the front end via Sinatra-WebSocket gem. Presently, I am using a method defined in msf/base/sessions/meterpreter.rb i.e. run_cmd(cmd,IOinstance) to execute cmds on the console and get back the output on the browser. It still requires a lot of effort to achieve real-time interaction of meterpreter console on the browser. The implementation can be found here

Links :

Current status of work

The PR can be found here.

  • working of Post Exploitation Modules

Preview of Post Exploitation Module List

  • working of Extension Commands

Prview Extension Command List

What is working
  • Dynamically creating an interactive list of Post Exploitation Modules and Extension Commands for a current running session.
  • Dynamically Retrieving information of every single Post Module from the server and displaying them on the HTML modal.
  • Display session information
  • Implementing Xterm.js Library on the frontend
  • Establishing a WebSocket connection to Sinatra server in the same process and on the identical port number.
  • Launching WebConsole from a session commands i.e. (sessions -w <session_id>)
  • Running the server in a background thread within msfconsole.

All the above-listed features are in the working as per the expectation.

What is Left
  • Connecting Input/output stream of the WebConsole to the meterpreter console using WebSocket.
  • Managing multiple threads spawned on passing more than one session_id.
  • Extending the xterm.js functionality by adding more features (like tab-completion, tracking command history etc.) that exist within meterpreter console.

Scope of Improvement

Meterpreter WebConsole is a work in progress. At the current stage, a lot of refactoring of code is required. When it is connected to the meterpreter console, then we can have a fully featured interactive meterpreter WebConsole.

Future Work

I am planning to work on extending this project by allowing WebConsole to open on a different machine within the same network so that it can act as a collaborative tool in a team. Also, planning to work on adding video and audio playback functionality on the front end so that users can have better live stream experience of the victim’s activities.

My Mentor

I would like to give a shout-out to the coolest mentor, Op3n4M3 (Jeffery Martin). I wouldn't have been able to complete this project without the guidance from him. Thank you for finding out time from your hectic schedule to solve my silliest doubts.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment