Meterpreter

From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search

Summary

Meterpreter, short for Meta-Interpreter, is a versatile and stealthy payload integrated into the Metasploit Framework, designed for use during the post-exploitation phase of penetration testing. Developed by Matt Miller (a.k.a. Skape), Meterpreter provides an interactive command-line interface (CLI) that avoids detection by Intrusion Detection Systems (IDS) and antivirus software by operating exclusively in memory.

Unlike traditional shell processes, Meterpreter does not write to disk or require separate processes to run. Instead, it injects itself into an active process on the target system, enhancing its stealth capabilities. Its encrypted communications and runtime extensibility allow attackers to execute commands, load extensions, and run scripts without rebuilding sessions. As part of the Metasploit Framework, Meterpreter seamlessly integrates with numerous post-exploitation modules, enabling powerful and flexible exploitation workflows.

Meterpreter Basics

Meterpreter is supposed to give the attacker access to a command interpreter on the target machine that offers powerful post-exploitation tools and is also hard to detect with forensic tools. For this Meterpreter was designed with the three goals of being stealthy, powerful and extensible.

Meterpreter Design Goals

Stealthy

  • Meterpreter is designed to operate in working memory and never write to the physical disk.
  • Meterpreter operates inside running processes and can be migrated to other processes.
  • Meterpreter uses encrypted communication.

Powerful

  • Meterpreter utilizes a channelized communication system.
  • The TLV (Type-Length-Value) protocol has few limitations.

Extensible

  • Meterpreter can be augmented at runtime. Extensions, modules and scripts can be loaded over the network connection.
  • The Meterpreter session does not have to be rebuilt every time new features are added.

How does Meterpreter work?

Prerequisite: The target system is already exploited and remote access is established.

  1. Meterpreter payload, also called the initial stager, is sent to the target system.
  2. Compromised system executes the initial stager, usually bind_tcp, reverse_tcp, etc.
  3. The stager loads the needed libraries, the Meterpreter core initializes and established a TLS connection to the attacking system.
  4. Meterpreter sends a GET request which Metasploit receives and then configures the client.
  5. Meterpreter loads the default extensions (stdapi, priv). The extensions are loaded over the TLS connection using a TLV (Type-Length-Value) protocol.

Meterpreter Features

Meterpreter's CLI resembles standard shells like sh or zsh and supports common system, file, and networking commands (cd, cat, rm, pwd, etc.), making it intuitive for penetration testers.

Basic Commands

A selection of commonly used Meterpreter commands can be found in the table below.

Command Description
background Moves the current Meterpreter session to the background giving the user access to the Metasploit command line.
sessions -i ID Reactivates the specified session. Using the command without a switch displays all active sessions.
clearev Deletes all application, system and security logs on the victim machine. Only works for Windows systems.
execute Executes a command on the remote machine specified by the '-f' switch. The executed command can be supplied with arguments by using '-a'.
getsystem This attempts to elevate the current Meterpreter session to system administrator level of authorization.
getuid Displays the user identification of the user the current Meterpreter session is running as.
hashdump Prints all available usernames and their password hashes, making them available for further manipulation like password cracking using additional software or rainbow tables.
help Shows the Meterpreter help menu consisting of a comprehensive list of commands. This menu expands if more extensions are loaded.
ipconfig Prints the network configuration of the target machine in Windows display style.
migrate Migrates the Meterpreter session to the process given as a parameter. This allows further exploitation of the system from within the new process. This should be done to avoid getting thrown out by the user closing the process that served as entry point.
ps Prints a non-interactive list of the currently running processes on the target machine including process IDs, usernames of the process owners and the path to the executables.
search Searches the system for a file specified by the -f switch. The provided filename may contain wildcards.
sysinfo Prints the target machines name, operating system (including build and service pack if applicable), the architecture of the operating system, the system language, the domain name and the number of currently logged in users.

Extensions

Meterpreter extensions are loaded by using the load-command. Two Extensions are loaded by default:

  • priv: This extension is used for privilege escalation
  • stdapi: This extension supplies core Meterpreter commands like getuid

Other frequently used extensions include:

  • kiwi: This extension is used to obtain user credentials and authentication tokens which are retrieved from system memory. This makes it possible for passwords to be displayed in cleartext. In the past the extension was named mimikatz.
  • python : This extension allows the execution of python scripts on the target machine.
  • powershell : This extension allows the execution of powershell scripts on the target machine.

Scripts & Modules

Meterpreter includes pre-made scripts for various purposes which are run by using the run-command. The payload includes scripts that can persist Meterpreter sessions, unlock the targets screen or disable Anti-Virus software. Part of the scripts seen in the figure below are now considered deprecated. This is because they are now integrated into the Metasploit Framework as post-exploitation modules. The Meterpreter session can be put into the background to run these modules.

Meterpreter Scripts

Meterpreter-Skripting with Ruby

Version 3.0 of the Metasploit Framework marked a major leap forward from its 2.x predecessors, introducing a complete rewrite in Ruby. This transition replaced the earlier mix of Perl, Python, C, and Assembly with a unified, interpreted, object-oriented language. Ruby’s simplicity, extensibility, and object-oriented features made it an ideal choice for enhancing the framework's flexibility and performance.

This overhaul enabled automation at every stage of the penetration testing process, from discovery to exploitation. Version 3.0 allows for seamless extension, integration, and automation of nearly all components, making it more effective for penetration testing and highly compatible with third-party tools. This adaptability solidified Metasploit's role as a cornerstone in modern cybersecurity workflows.

The Ruby programming language by Yukihiro Matsumoto

Yukihiro Matsumoto created Ruby, a straightforward and powerful object-oriented programming language. Everything in Ruby follows the Smalltalk style, treating everything as an object, and it includes features like blocks, iterators, metaclasses, and more. Ruby is versatile, suitable for everyday tasks, prototyping, and server development. It is a fully integrated, easily scalable object-oriented language.

Ruby is characterized by the following features:

  • Simple syntax
  • Basic object-oriented functionalities (such as classes, methods, objects, ...)
  • Special object-oriented functionalities (such as mixins, singleton methods, renaming, ...)
  • Operator overloading
  • Exception handling
  • Iterators and closures
  • Dynamic loading (dependent on the architecture)
  • High portability (runs on various UNIX, Windows, DOS, and OS platforms, ...)

Reasons for using Ruby

What was the reason behind the Metasploit team's decision to use Ruby in the development of version 3.0? The decision is clarified by the following arguments:

  • Ruby's simple and powerful approach as an interpreted language.
  • Ruby's high introspection level and object-oriented elements meeting framework requirements.
  • Ruby being more suitable than Perl for automated class construction and code reuse.
  • Ruby providing platform-independent threading support, leading to improved performance.
  • Usability and performance issues in integrating Perl with ActiveState Perl, resolved by the natively compiled Ruby interpreter for Windows.

Sources

  • D. Kennedy, J. O’Gorman, D. Kearns, and M. Aharoni. Metasploit: The Penetration Tester’s Guide. No Starch Press Series. No Starch Press, 2011.
  • James McGuffee, Jay Blanco, and Franz Wambach. Try ruby! tutorial presentation. J. Comput. Sci. Coll., 23(6):117, jun 2008.
  • Michael Messner. Hacking mit Metasploit. dpunkt.verlag, 3rd edition, 2017.
  • David Maynor and Thomas Wilhelm. Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research. Syngress Publishing, 1st edition, 2007.
  • M. Miller. Meterpreter specifications. http://www.hick.org/code/skape/papers/meterpreter.pdf, 2004. Accessed: 2022-09-14.
  • Metasploit Unleashed free ethical hacking course. https://www.offensive-security.com/metasploit-unleashed/. Accessed: 2022-11-05.
  • Benjamin Pharr. Getting to know ruby. J. Comput. Sci. Coll., 21(5):181–182, may 2006.
Retrieved from "https://wiki.elvis.science/index.php?title=Meterpreter&oldid=17829"