Finding Mapped Drives with Meterpreter

This post was written by Matt Gardenghi
---------
This is going to be a series of short "how to" articles so that I have a resource when I forget how I did something. Your benefit from this post is incidental to my desire to have a resource I can reach when I've had a brain cloud.

When cracking into a computer via Metasploit, I often (OK, usually) install Meterpreter.  It just makes life simpler.  Well, the other day I was chatting with @jcran about my inability to get access to network drives on a Novell network.  My assumption was that Novell maps drives in a sorta funny way compared to Active Directory.  Novell handles so many things so differently than AD that I just assumed this would be different too.  #facepalm

Anyhow, @jcran pointed out the following things to me:

1) If you are SYSTEM, you won't have the credentials of the logged-in user.

2) The drives are mapped to the user and SYSTEM isn't a user with mapped drives.

3) The process is the same for finding mapped drives in both Novell and AD.

The procedure for accessing the user's drives goes like this for the SYSTEM user at the Meterpreter prompt:

1) run migrate explorer.exe (this migrates you into the explorer process and gives you the logged-in user's privileges.)

2) getuid (verify that you are now the user)

3) run get_env (this dumps the environment variables, including the mapped drives)

4) cd <drive letter> (browse the drives at your leisure)

Simple enough.  Now if only I'd thought it out first....
[Screenshot: example of file browsing]
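From the defender's side, the migration step above is observable: Meterpreter's migrate creates a thread inside the target process, which Sysmon records as Event ID 8 (CreateRemoteThread). The following detection logic is an added example, not code from the original post; it runs over constructed Sysmon-style JSON lines and flags remote-thread creation into explorer.exe from any source image outside a constructed allowlist (the allowlist and the sample events are assumptions for this example).

```python
"""Flag Sysmon Event ID 8 (CreateRemoteThread) records targeting explorer.exe."""
import json
from typing import Iterable

# Constructed allowlist (an assumption for this example): source images that
# legitimately create threads in explorer.exe on a baselined fleet.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\svchost.exe",
}

def parse_events(log: str) -> Iterable[dict]:
    """Yield one dict per non-empty JSON line; malformed lines are skipped."""
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def suspicious_remote_threads(events: Iterable[dict]) -> list[dict]:
    """Return ID 8 records whose target is explorer.exe and whose source is not
    allowlisted. An empty StartModule means the new thread's start address is
    not backed by a loaded module, which is typical of injected code."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 8:
            continue
        source = ev.get("SourceImage", "").lower()
        target = ev.get("TargetImage", "").lower()
        if not target.endswith("\\explorer.exe") or source in BENIGN_SOURCES:
            continue
        hits.append({
            "time": ev.get("UtcTime"),
            "source": ev.get("SourceImage"),
            "source_pid": ev.get("SourceProcessId"),
            "target_pid": ev.get("TargetProcessId"),
            "unbacked_start": not ev.get("StartModule"),
        })
    return hits

# Constructed sample telemetry (not real events), one JSON object per line.
SAMPLE_LOG = r"""
{"EventID": 8, "UtcTime": "2024-01-01 10:00:01", "SourceImage": "C:\\Windows\\System32\\svchost.exe", "SourceProcessId": 912, "TargetImage": "C:\\Windows\\explorer.exe", "TargetProcessId": 4120, "StartModule": "C:\\Windows\\System32\\ntdll.dll"}
{"EventID": 8, "UtcTime": "2024-01-01 10:02:37", "SourceImage": "C:\\Windows\\Temp\\svc_helper.exe", "SourceProcessId": 5588, "TargetImage": "C:\\Windows\\explorer.exe", "TargetProcessId": 4120, "StartModule": ""}
{"EventID": 1, "UtcTime": "2024-01-01 10:02:38", "Image": "C:\\Windows\\System32\\cmd.exe"}
"""

if __name__ == "__main__":
    for hit in suspicious_remote_threads(parse_events(SAMPLE_LOG)):
        print(hit)
```

In practice the same logic is a one-line query in whichever SIEM ingests Sysmon; the allowlist is the part that needs tuning against your own baseline, since some legitimate shell extensions and agents also create threads in explorer.exe.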

3 thoughts on “Finding Mapped Drives with Meterpreter”

  1. Darrell Rinehart

    The insight gleaned from this is applicable to more than mapped drives. I often find that I have to migrate between different pids/privileges to obtain a complete picture and effectively pivot. If something is not working properly (or improperly by design), try a different priv level by migrating between different processes (system, user, domain admin, etc.).

    1. Matt Gardenghi (post author)

      Do you ever have problems getting back to System privs once you migrate to an end user's privs? Or does one spawn a new process for that? I'd think that the limited user wouldn't allow meterpreter to revert back to a SYSTEM level.

  2. Darrell Rinehart

    Migrating between pids running with different privs can produce varying results depending on what you are trying to do. You need not run getsystem or rev2self, simply migrate to a pid running as a local user rather than system.

    Unless I am mistaken, getsystem uses a variety of methods of elevating privs, so running between non-priv accounts and priv accounts should be a non-issue.

    That being said, if a system is not vulnerable to any of the methods that getsystem uses to obtain elevated privs, then you would likely have to exploit the box again, or set up a meterpreter back door on the system (should probably have one anyway) that will remain running as system and spawn new connections as needed.
