Meterpreter

From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search

Summary

Meterpreter, short for Meta-Interpreter, is a dynamically extendable attack payload included in the Metasploit penetration testing Framework. The payload was developed by Matt Miller under the hacker moniker of Skape and is used in the post-exploitation phase after gaining access to the targeted system. Meterpreter provides a powerful interactive command line interface (CLI) and avoids the risk of being exposed. Running it does not alert intrusion detection systems, like starting a standard shell process will, because it is strictly executed from working memory. Meterpreter does not need a separate process to execute because it is injected into a currently running process. This also means it is executed from memory only, which makes it even harder to detect for Anti-Virus software. Meterpreter provides a variety of commands, additional modules and scripts available to aid in further exploitation. Because it is integrated into the Metasploit Framework it can use its post-exploitation modules as well.

Meterpreter Basics

Meterpreter is supposed to give the attacker access to a command interpreter on the target machine that offers powerful post-exploitation tools and is also hard to detect with forensic tools. For this Meterpreter was designed with the three goals of being stealthy, powerful and extensible.

Meterpreter Design Goals

Stealthy

  • Meterpreter is designed to operate in working memory and never write to the physical disk.
  • Meterpreter operates inside running processes and can be migrated to other processes.
  • Meterpreter uses encrypted communication.

Powerful

  • Meterpreter utilizes a channelized communication system.
  • The TLV (Type-Length-Value) protocol has few limitations.

Extensible

  • Meterpreter can be augmented at runtime. Extensions, modules and scripts can be loaded over the network connection.
  • The Meterpreter session does not have to be rebuilt every time new features are added.

How does Meterpreter work?

Prerequisite: The target system is already exploited and remote access is established.

  1. Meterpreter payload, also called the initial stager, is sent to the target system.
  2. Compromised system executes the initial stager, usually bind_tcp, reverse_tcp, etc.
  3. The stager loads the needed libraries, the Meterpreter core initializes and established a TLS connection to the attacking system.
  4. Meterpreter sends a GET request which Metasploit receives and then configures the client.
  5. Meterpreter loads the default extensions (stdapi, priv). The extensions are loaded over the TLS connection using a TLV (Type-Length-Value) protocol.

Meterpreter Features

The Meterpreter CLI is similar to standard shells (sh, zsh, etc.) and provides system, file system and networking commands identical to them (cd, cat, rm, pwd, etc.). Meterpreter also provides additional basic commands, some of which can be seen in the table below, additional commands provided by the default extensions and more commands can be added by loading other extensions.

Basic Commands

A selection of commonly used Meterpreter commands can be found in the table below.

Command Description
background Moves the current Meterpreter session to the background giving the user access to the Metasploit command line.
sessions -i ID Reactivates the specified session. Using the command without a switch displays all active sessions.
clearev Deletes all application, system and security logs on the victim machine. Only works for Windows systems.
execute Executes a command on the remote machine specified by the '-f' switch. The executed command can be supplied with arguments by using '-a'.
getsystem This attempts to elevate the current Meterpreter session to system administrator level of authorization.
getuid Displays the user identification of the user the current Meterpreter session is running as.
hashdump Prints all available usernames and their password hashes, making them available for further manipulation like password cracking using additional software or rainbow tables.
help Shows the Meterpreter help menu consisting of a comprehensive list of commands. This menu expands if more extensions are loaded.
ipconfig Prints the network configuration of the target machine in Windows display style.
migrate Migrates the Meterpreter session to the process given as a parameter. This allows further exploitation of the system from within the new process. This should be done to avoid getting thrown out by the user closing the process that served as entry point.
ps Prints a non-interactive list of the currently running processes on the target machine including process IDs, usernames of the process owners and the path to the executables.
search Searches the system for a file specified by the -f switch. The provided filename may contain wildcards.
sysinfo Prints the target machines name, operating system (including build and service pack if applicable), the architecture of the operating system, the system language, the domain name and the number of currently logged in users.

Extensions

Meterpreter extensions are loaded by using the load-command. Two Extensions are loaded by default:

  • priv: This extension is used for privilege escalation
  • stdapi: This extension supplies core Meterpreter commands like getuid

Other frequently used extensions include:

  • kiwi: This extension is used to obtain user credentials and authentication tokens which are retrieved from system memory. This makes it possible for passwords to be displayed in cleartext. In the past the extension was named mimikatz.
  • python : This extension allows the execution of python scripts on the target machine.
  • powershell : This extension allows the execution of powershell scripts on the target machine.

Scripts & Modules

Meterpreter includes pre-made scripts for various purposes which are run by using the run-command. The payload includes scripts that can persist Meterpreter sessions, unlock the targets screen or disable Anti-Virus software. Part of the scripts seen in the figure below are now considered deprecated. This is because they are now integrated into the Metasploit Framework as post-exploitation modules. The Meterpreter session can be put into the background to run these modules.

Meterpreter Scripts

Meterpreter-Skripting with Ruby

The Metasploit Framework version 3.0 represents a significant advancement compared to the typical 2.x series. It is a complete overhaul of the previous versions, now entirely written in Ruby. The earlier versions were primarily written in Perl and included components from Python, C, and Assembly. Ruby is an interpreted, object-oriented language that combines the best elements of Perl and Smalltalk. Version 3.0 of the framework provides automation capabilities in every phase of the discovery and exploitation process. Almost every component of the framework can be extended, linked, and automated, enabling effective penetration testing and close integration with third-party products.

The Ruby programming language by Yukihiro Matsumoto

Yukihiro Matsumoto created Ruby, a straightforward and powerful object-oriented programming language. Everything in Ruby follows the Smalltalk style, treating everything as an object, and it includes features like blocks, iterators, metaclasses, and more. Ruby is versatile, suitable for everyday tasks, prototyping, and server development. It is a fully integrated, easily scalable object-oriented language.

Ruby is characterized by the following features:

  • Simple syntax
  • Basic object-oriented functionalities (such as classes, methods, objects, ...)
  • Special object-oriented functionalities (such as mixins, singleton methods, renaming, ...)
  • Operator overloading
  • Exception handling
  • Iterators and closures
  • Dynamic loading (dependent on the architecture)
  • High portability (runs on various UNIX, Windows, DOS, and OS platforms, ...)

Reasons for using Ruby

What was the reason behind the Metasploit team's decision to use Ruby in the development of version 3.0? The decision is clarified by the following arguments:

  • Ruby's simple and powerful approach as an interpreted language.
  • Ruby's high introspection level and object-oriented elements meeting framework requirements.
  • Ruby being more suitable than Perl for automated class construction and code reuse.
  • Ruby providing platform-independent threading support, leading to improved performance.
  • Usability and performance issues in integrating Perl with ActiveState Perl, resolved by the natively compiled Ruby interpreter for Windows.

Sources

  • D. Kennedy, J. O’Gorman, D. Kearns, and M. Aharoni. Metasploit: The Penetration Tester’s Guide. No Starch Press Series. No Starch Press, 2011.
  • James McGuffee, Jay Blanco, and Franz Wambach. Try ruby! tutorial presentation. J. Comput. Sci. Coll., 23(6):117, jun 2008.
  • Michael Messner. Hacking mit Metasploit. dpunkt.verlag, 3rd edition, 2017.
  • David Maynor and Thomas Wilhelm. Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research. Syngress Publishing, 1st edition, 2007.
  • M. Miller. Meterpreter specifications. http://www.hick.org/code/skape/papers/meterpreter.pdf, 2004. Accessed: 2022-09-14.
  • Metasploit Unleashed free ethical hacking course. https://www.offensive-security.com/metasploit-unleashed/. Accessed: 2022-11-05.
  • Benjamin Pharr. Getting to know ruby. J. Comput. Sci. Coll., 21(5):181–182, may 2006.