Metasploit Post Exploitation — Sessions, Stations & Desktop.

Kapil Verma
3 min readJun 3, 2019

--

Sessions:
Sessions basically signifies a single user’s logon session.
Stations:
Security boundaries to contain desktops and processes for that logged on user.
Desktop:
A desktop is what the user actually sees on the screen.
There are four types of desktops:

Default desktop the one we work on, it is also referred to as the active desktop.

Logon Desktop: The desktop on which the user enters his credentials when interactively logging on to a machine. When we press ‘Window key + L’ the Logon Desktop comes up.

Secure Screen Saver: When a screen saver is protected by password it runs in secure server Desktop. A screen saver which is not protected runs on the default desktop.

Secure Desktop: used by the UAC prompt that asks you to approve of a transaction;which is a dimmed version of the interactive desktop’s background. It assures the user that no malicious application is asking for any information.


Now, Why is it important to understand the basics of Sessions, Stations, and desktop?
See, Whenever you want to control anything on the user’s active desktop, you need to be on the interactive windows station or we can call it winSta0.

Okay, let’s go ahead with an example:

For this example I am assuming that you have already compromised a windows machine and done UAC bypass.

If you haven’t gone through my previous post, on how to compromise a windows machine and bypass UAC to get escalated privileges, I would recommend you to go to https://medium.com/@kapilvermarbl/windows-7-privilege-escalation-using-uac-bypass-b08f5523b7de .

However let’s start:

At first a quick compromise of Windows followed by UAC bypass

Okay so we are ready with our meterpreter session, now let’s get the interactive station, using getdesktop:

Here it says Session 1\W\D :

Here 1 means session 1 of meterpreter,
W : winSta0
D : Default

Here we are listing a lot of modules which you can take a look seperately, I will take example of just 1:
let’s load espia.
It has a lot of function like mic recording, Screenshot, keystrokes capturing etc.

Now some interesting ones:

we can do webcam recording, play any audio file, elevate privilege(Already show in last post).

Let’s go ahead and try to take screenshot of the comromised window machine using screengrab.

Let’s take a look at the screenshot:

Similarly we can do bunch of things using the espia and there are many other modules as well to take a look.

--

--

Kapil Verma

Security researcher, Blogger, Bug Bounty hunter