Introduction
In penetration testing, after gaining initial access to a target system with a tool like Metasploit, the established connection (or "session") often resides within the process that was initially exploited. This could be a web browser, a document reader, or another user application. These processes can be unstable or may be closed by the user at any time, which would terminate your session.
Process migration is the technique of moving your session from this initial, potentially unstable process into a more stable and long-running one, such as a core system process. This greatly increases the stability and persistence of your access. It can also help in evading detection, as your malicious code will be hidden within a legitimate and trusted process.
In this lab, you will learn the fundamental workflow of migrating a Meterpreter process. Although we are in a Linux environment, we will simulate the steps you would take on a compromised system to understand this crucial post-exploitation technique.
Get a list of running processes with the ps command
In this step, your first task after gaining a shell is to survey the system. You need to see what processes are currently running to identify potential targets for migration. In a real Meterpreter session, you would use the ps command directly within the Meterpreter prompt.
Since we are simulating this in a standard Linux terminal, we will use the Linux ps command with the aux flags to get a detailed list of all running processes. This will give you an output similar to what you would see in a real scenario.
Execute the following command in your terminal to list all running processes:
ps aux
You will see a long list of processes. Pay attention to these columns:
USER: The user who owns the process.PID: The Process ID, a unique number that identifies the process.COMMAND: The command that started the process.
Here is a truncated example of the output:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 169444 13136 ? Ss 01:23 0:02 /sbin/init
labex 10121 0.1 0.2 886980 89284 ? Sl 01:25 0:05 /usr/lib/firefox/firefox
labex 10345 0.0 0.0 243356 25980 ? S 01:26 0:00 /usr/lib/xfce4/panel/wrapper-2.0
...
This list gives you the necessary information to start looking for a suitable process to migrate into.
Identify a stable process to migrate into like explorer.exe
In this step, you will analyze the process list from the previous step to select a suitable target for migration. A good target process should be:
- Stable: It should be a process that runs for the entire user session or system uptime.
- Appropriate Privileges: It should run with the same or higher privileges as your current session.
- Correct Architecture: It must match the architecture (32-bit or 64-bit) of your Meterpreter payload.
On a compromised Windows system, a classic example of a stable process is explorer.exe, which manages the graphical shell (desktop, taskbar, etc.) and is almost always running when a user is logged in. Another common target is svchost.exe.
In our Linux lab environment, we will simulate this by identifying a similar stable, user-owned process. Looking at the ps aux output, a process like xfce4-panel (the XFCE desktop panel) is a good candidate.
Let's use grep to filter the process list and find the xfce4-panel process easily. This helps you pinpoint its Process ID (PID).
ps aux | grep xfce4-panel
Your output should look something like this. The second column contains the PID.
labex 10345 0.0 0.0 243356 25980 ? S 01:26 0:00 /usr/lib/xfce4/panel/wrapper-2.0
labex 12345 0.0 0.0 12345 1234 pts/0 S+ 01:30 0:00 grep --color=auto xfce4-panel
In this example, the PID for xfce4-panel is 10345. Your PID will be different. You have now identified a target for migration.
Use the migrate command with the target process ID
In this step, you will use the core Meterpreter command for process migration: migrate. The command's syntax is straightforward: migrate <PID>. You simply provide the PID of the process you want to move into.
Since we are in a simulated environment and don't have an active Meterpreter session, we cannot execute the migrate command directly. Instead, we will simulate this action by finding the PID of our target process (xfce4-panel) and writing the corresponding migrate command into a text file.
First, let's get the PID of the xfce4-panel process and store it in a variable. The pgrep command is perfect for this.
PID=$(pgrep xfce4-panel | head -n 1)
This command finds the PID of xfce4-panel and stores it in the PID variable. Now, simulate the migrate command by echoing it into a file named simulated_command.txt.
echo "migrate $PID" > simulated_command.txt
Let's view the file to confirm our simulated command is correct.
cat simulated_command.txt
The output should show the migrate command followed by the PID of the xfce4-panel process.
migrate 10345
You have now successfully simulated the execution of the migrate command.
Verify the migration was successful
In this step, you will learn how to confirm that the process migration was successful. After running the migrate command in a real Meterpreter session, you need to verify that your session is now running inside the new target process.
The command for this is getpid. Before migration, getpid returns the PID of the original, vulnerable process. After a successful migration, getpid will return the PID of the new, stable process you migrated into.
To simulate this verification, we will first display what the output of getpid would be. We can do this by printing the PID of our target process, xfce4-panel, which we identified earlier.
Run the following command to simulate the verification check:
echo "Verification: If migration were real, 'getpid' would now return $(pgrep xfce4-panel | head -n 1)"
The output will be a confirmation message showing the target PID:
Verification: If migration were real, 'getpid' would now return 10345
By comparing the output of getpid before and after the migration, a penetration tester can be confident that their session is now more stable and secure within the new process.
Discuss why process migration is important
In this final step, we will summarize the critical reasons why process migration is a fundamental technique in post-exploitation. Understanding the "why" is just as important as knowing the "how."
There are two primary motivations for migrating the Meterpreter process:
Stability and Persistence: This is the most common reason. The initial exploit often targets a user-level application like a web browser or PDF reader. If the user closes this application, your Meterpreter session is immediately terminated. By migrating to a core, long-running system process (like
explorer.exeon Windows), your session becomes tied to the user's login session or even the system's uptime, making it far more persistent and reliable.Stealth and Evasion: A compromised process like
firefox.exemaking unusual network connections can be a red flag for firewalls, intrusion detection systems (IDS), and security analysts. However, a process likesvchost.exe(the Service Host process on Windows) is expected to make network connections. By hiding your session inside such a process, your network traffic is less likely to be scrutinized, allowing you to operate with greater stealth.
A secondary benefit can sometimes be privilege escalation. If you can migrate from a process running as a standard user to a process running with SYSTEM or root privileges, you effectively escalate your own permissions on the target machine.
Mastering process migration is a key step in moving from simply gaining access to maintaining stable, long-term control over a target system.
Summary
In this lab, you have walked through the essential concepts and workflow of Meterpreter process migration. Although conducted in a simulated Linux environment, you learned the universal steps involved in this critical post-exploitation technique.
You learned how to:
- List running processes to survey the target system using the
pscommand. - Identify the characteristics of a stable process suitable for migration.
- Simulate the use of the Meterpreter
migrate <PID>command to move the session. - Understand how the
getpidcommand is used to verify a successful migration.
Most importantly, you now understand that process migration is crucial for ensuring the stability and stealth of your access during a penetration test, transforming a fragile foothold into a persistent presence.
