Meterpreter

From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search

Summary

Meterpreter, short for Meta-Interpreter, is a dynamically extendable attack payload included in the Metasploit penetration testing Framework. The payload was developed by Matt Miller under the hacker moniker of Skape and is used in the post-exploitation phase after gaining access to the targeted system. Meterpreter provides a powerful interactive command line interface (CLI) and avoids the risk of being exposed. Running it does not alert intrusion detection systems, like starting a standard shell process will, because it is strictly executed from working memory. Meterpreter does not need a separate process to execute because it is injected into a currently running process. This also means it is executed from memory only, which makes it even harder to detect for Anti-Virus software. Meterpreter provides a variety of commands, additional modules and scripts available to aid in further exploitation. Because it is integrated into the Metasploit Framework it can use its post-exploitation modules as well.

Meterpreter Basics

Meterpreter is supposed to give the attacker access to a command interpreter on the target machine that offers powerful post-exploitation tools and is also hard to detect with forensic tools. For this Meterpreter was designed with the three goals of being stealthy, powerful and extensible.

Meterpreter Design Goals

Stealthy

  • Meterpreter is designed to operate in working memory and never write to the physical disk.
  • Meterpreter operates inside running processes and can be migrated to other processes.
  • Meterpreter uses encrypted communication.

Powerful

  • Meterpreter utilizes a channelized communication system.
  • The TLV (Type-Length-Value) protocol has few limitations.

Extensible

  • Meterpreter can be augmented at runtime. Extensions, modules and scripts can be loaded over the network connection.
  • The Meterpreter session does not have to be rebuilt every time new features are added.

How does Meterpreter work?

Prerequisite: The target system is already exploited and remote access is established.

  1. Meterpreter payload, also called the initial stager, is sent to the target system.
  2. Compromised system executes the initial stager, usually bind_tcp, reverse_tcp, etc.
  3. The stager loads the needed libraries, the Meterpreter core initializes and established a TLS connection to the attacking system.
  4. Meterpreter sends a GET request which Metasploit receives and then configures the client.
  5. Meterpreter loads the default extensions (stdapi, priv). The extensions are loaded over the TLS connection using a TLV (Type-Length-Value) protocol.

Meterpreter Features

The Meterpreter CLI is similar to standard shells (sh, zsh, etc.) and provides system, file system and networking commands identical to them (cd, cat, rm, pwd, etc.). Meterpreter also provides additional basic commands, some of which can be seen in the table below, additional commands provided by the default extensions and more commands can be added by loading other extensions.

Basic Commands

A selection of commonly used Meterpreter commands can be found in the table below.

Command Description
background Moves the current Meterpreter session to the background giving the user access to the Metasploit command line.
sessions -i ID Reactivates the specified session. Using the command without a switch displays all active sessions.
clearev Deletes all application, system and security logs on the victim machine. Only works for Windows systems.
execute Executes a command on the remote machine specified by the '-f' switch. The executed command can be supplied with arguments by using '-a'.
getsystem This attempts to elevate the current Meterpreter session to system administrator level of authorization.
getuid Displays the user identification of the user the current Meterpreter session is running as.
hashdump Prints all available usernames and their password hashes, making them available for further manipulation like password cracking using additional software or rainbow tables.
help Shows the Meterpreter help menu consisting of a comprehensive list of commands. This menu expands if more extensions are loaded.
ipconfig Prints the network configuration of the target machine in Windows display style.
migrate Migrates the Meterpreter session to the process given as a parameter. This allows further exploitation of the system from within the new process. This should be done to avoid getting thrown out by the user closing the process that served as entry point.
ps Prints a non-interactive list of the currently running processes on the target machine including process IDs, usernames of the process owners and the path to the executables.
search Searches the system for a file specified by the -f switch. The provided filename may contain wildcards.
sysinfo Prints the target machines name, operating system (including build and service pack if applicable), the architecture of the operating system, the system language, the domain name and the number of currently logged in users.

Extensions

Meterpreter extensions are loaded by using the load-command. Two Extensions are loaded by default:

  • priv: This extension is used for privilege escalation
  • stdapi: This extension supplies core Meterpreter commands like getuid

Other frequently used extensions include:

  • kiwi: This extension is used to obtain user credentials and authentication tokens which are retrieved from system memory. This makes it possible for passwords to be displayed in cleartext. In the past the extension was named mimikatz.
  • python : This extension allows the execution of python scripts on the target machine.
  • powershell : This extension allows the execution of powershell scripts on the target machine.

Scripts & Modules

Meterpreter includes pre-made scripts for various purposes which are run by using the run-command. The payload includes scripts that can persist Meterpreter sessions, unlock the targets screen or disable Anti-Virus software. Part of the scripts seen in the figure below are now considered deprecated. This is because they are now integrated into the Metasploit Framework as post-exploitation modules. The Meterpreter session can be put into the background to run these modules.

Meterpreter Scripts

Sources