In the previous recipe, we saw the use of the Meterpreter API to run Ruby scripts. Let's take that a step further. Suppose we want to make remote API calls on the victim machine; what is the simplest method? Railgun is the obvious answer. It is a Meterpreter extension that allows an attacker to call DLL functions directly. Most often, it is used to make calls to the Windows API, but we can call any DLL on the victim's machine.
To start using Railgun, we will require an active Meterpreter session on our target machine. To start the Ruby interpreter, we will use the irb command, as discussed in the previous recipe:
meterpreter > irb
[*] Starting IRB shell
[*] The "client" variable holds the meterpreter client
>>
Before we move on to calling DLLs, let's first look at the essential steps to follow in order to get the best out of Railgun:
- Identify the function(s) you wish to call.
- Locate the function on https://msdn.microsoft...