Difference between revisions of "Meterpreter"

From Embedded Lab Vienna for IoT & Security
(5 intermediate revisions by 2 users not shown)
Previous revision:
== Summary ==
Meterpreter is an abbreviation for Meta-Interpreter. It is a payload included in the Metasploit Framework. Originally it was developed for Metasploit 2.x by Matt Miller under the hacker moniker Skape. It is used after an exploit has gained access to a system, to interact further with that system by providing an interactive shell. The way this payload operates makes it very hard to detect, since it is not a process itself but is injected into processes that are already running on the target system. This also means that it is executed from memory only, making it even harder for anti-virus software to detect. The payload itself is very flexible, allowing extensive customization by developers. Each may write their own extension in the form of a shared object file (DLL, dynamic link library), which is then injected into memory.


== Goals ==
The short version is that Meterpreter is supposed to give the attacker access to a command interpreter on the target machine which is very hard, or ideally impossible, to detect with forensic tools. To achieve this goal, Miller set the following three requirements when designing Meterpreter:


=== Stealthy ===
The payload has to be stealthy, or as Miller put it in the documentation:
''Must not create a new process.''
It must be very hard to detect with forensic tools after Meterpreter has been used on the target system. To reach this goal, three sub-criteria had to be met:
* It was designed to reside in memory only and never write to the disk.
* It resides inside other, already existing processes. Should the process in which it currently resides finish, Meterpreter 'hijacks' another one that is currently running.
* It uses encrypted communication.


=== Powerful ===
Having access to a command line interface on the target device is useless if the privileges are not sufficiently elevated.
''Must work in chroot'd environments.''
* Meterpreter utilizes a channelized communication system.
* The TLV (Type-Length-Value) protocol has few limitations.


=== Extensible ===
A useful tool does one thing and does it well, as we know. But an adaptable tool that can change according to who uses it, what it is used for, and in what environment it is used, is arguably an excellent tool.
''Must allow for robust extensibility.''
This goal led to the following functions:
* Meterpreter can be augmented at runtime. This means, for example, that a library or extension can be uploaded to the server to gain more options.
* Augmentation at runtime means that Meterpreter does not have to be rebuilt.
This whole process takes a few seconds to complete.




== Usage ==
Meterpreter itself was developed for Metasploit, so unsurprisingly the easiest way to use it is via this framework. It was implemented on Windows, but since its design makes it fully portable it can be applied to a variety of other operating systems such as Linux or Android. When the Metasploit framework is used to run an exploit against a Windows target machine, one of three payloads can be chosen. They differ in the way they establish a connection between the client, on the machine of the attacker, and the server, on the machine of the target.
* '''win32_bind_meterpreter''': This payload establishes a connection from the attacking machine to the target machine. After this is done the server gets uploaded and the connection is used further.
* '''win32_reverse_meterpreter''': This payload establishes a connection from the target machine to the attacker. After this is done the server gets downloaded from the attacker machine and the connection is again used further.
* '''win32_findrecv_ord_meterpreter''': This last payload is the most stealthy, since it does not establish new connections and can bypass firewalls that way. It looks for the file descriptor that the exploit was triggered from and uses it to upload the Meterpreter server. Afterwards the same connection is used as a means of communication.
Which payload is used depends on the exploit and on the conditions of the environment in which it is deployed, such as the configuration of the target machine's firewall. After starting the Metasploit framework and seeing the welcome screen, pick an exploit that uses Meterpreter as a post-exploitation tool. Then select the desired payload, for example '''win32_reverse_meterpreter'''.
After that it is required to define:
* '''RHOST''': the IP of the host or client machine
* '''RPORT''': the outgoing port of the host or client machine
* '''LHOST''': the IP of the target or server machine
* '''LPORT''': the incoming port of the target or server machine
Depending on what the attacker wants to achieve, additional libraries may be uploaded during deployment. After doing so, the help command lists the newly available commands as well.
== Functionality ==
For Meterpreter to be as extensible as it is, the underlying packet structure (parsing and transmission) had to be well defined. This led to the choice of a Type-Length-Value structure, or TLV for short.
Another vital part of the Meterpreter payload is connectivity together with encryption, which go hand in hand. Connectivity is a base requirement, since without a stable connection between attacker and target host no exploitation can happen. It is furthermore vital to be able to encrypt the transmission, to prevent the target host from identifying the outgoing transmission as something malicious.
And last but not least, the libraries which can extend Meterpreter's tool set at runtime are also a core functionality. They allow the hacker to extend the toolkit in the middle of the exploitation process.


=== TLV or Type-Length-Value ===
This packet structure allows packets to have arbitrary lengths and does not require the parsing code to understand the format of the data it receives, which in turn allows all sorts of data to be sent from the server to the client. The structure of the actual packet is slightly different from what the name suggests: the correct order is Length-Type-Value. The figure below shows a visual representation of a TLV packet.


[[File:TLVPacket.png]]
* '''Length''' (32 bits, network byte order): The length field contains the length of the whole TLV, including the Length, Type and Value fields.
* '''Type''' (32 bits, network byte order): The type field holds the arbitrary data type which indicates the format of the value.
* '''Value''' (0..n bits): The value field holds arbitrary data in the format specified by the Type field.
This structuring makes it possible to nest TLVs into one another, so that data which would usually be transmitted in some sort of header can be carried inside a TLV.


=== Structure ===
One TLV may contain zero or more TLVs in its Value field, and there are four types of packets, which indicate what type of packet is currently being transmitted or received.
[[File:TLVStructure.png]]
The only difference between the two packet types with 'PLAIN' in their name is that, even if encryption is enabled (which is optional for the other two packet types), those packets are transmitted in plain text.


=== Defined TLVs ===
The technique of nesting TLVs in one another is also used to replace the header field of a standard IP packet. The information which is usually conveyed in such a field is still required for communication, so it is simply put into a TLV packet which is in turn nested into another TLV's Value field. This leads to a number of predefined TLVs which are used by Meterpreter. This feature may also be used for building extensions for Meterpreter. These predefined TLVs can be uniquely identified by their least and most significant bytes: the most significant holds the meta-type information, and the least significant the unique identifier.
The meta-type information is used to validate an argument, for example to verify that an argument supplied as a string is null-terminated. It is also used for parameter decoding. All meta-types are listed in the table below.
[[File:TLVMetaTypes.png]]
From those 7 meta-types, a list of predefined TLVs has been developed which provide the core functionality of Meterpreter.

=== Connectivity ===
The connection between server and client is initiated by the server (i.e. the target machine) after the Metasploit framework has used an exploit to gain access to the system; the server then sends a banner message to the client to signal the established connection.
[[File:MeterpreterConectivity.png]]
Source: www.javatpoint.com
 
=== Encryption ===
At this point it is possible to enable encryption of the communication by issuing the command '''initcrypt''' on the client machine. This command needs to be supplied with a cipher, which the client then sends as a plaintext packet to the server via the method 'core_crypto_negotiate'. The packet includes a unique request identifier, since a response is expected. It also needs to contain the TLV_TYPE_CIPHER_NAME TLV and optionally the TLV_TYPE_CIPHER_PARAMETERS TLV.
If everything works as expected, the server responds with the 'core_crypto_negotiate' method, including the optional parameters if they were provided (see Miller, ''Metasploit's Meterpreter'', 2004, in Sources).
=== Libraries ===
Loading a new library is very similar in complexity and method to enabling encryption. Depending on the parameters of the '''loadlib''' command, the employed mechanism varies. In a situation where the library is loaded from a path on the remote machine, and no uploading takes place, the packet flow looks like this:
* The client transmits the request with the method 'core_loadlib', which includes a TLV_TYPE_LIBRARY_PATH TLV with the location on the remote server where the library is located.
* The server transmits the response 'core_loadlib' back to the client. If the library was loaded successfully, the TLV_TYPE_RESULT parameter is set to zero. Otherwise the response contains the exception and its data.
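As an added example (not code from the page or from Metasploit), the following Ruby encoder/parser shows the Length-Type-Value layout, the meta-type carried in the upper half of the Type field, and the nested request/response packets of the 'core_loadlib' and 'core_crypto_negotiate' exchanges described above; the numeric type constants are assumed from Metasploit's packet definitions, and the cipher name, request ids and library path are constructed sample values.

```ruby
# Added example, not code from the page or from Metasploit: a minimal
# encoder/parser for the packet format described above. Every TLV is
# Length (32 bits, network order, counting the whole TLV), Type (32 bits)
# and Value; a packet is itself a TLV of the packet type whose Value is a
# sequence of nested TLVs. The high half of a Type carries the meta-type,
# the low half the identifier. The numeric constants follow Metasploit's
# packet definitions as far as I know them (assumption: verify against
# the version you analyse).

TLV_META_TYPE_NONE    = 0
TLV_META_TYPE_STRING  = 1 << 16
TLV_META_TYPE_UINT    = 1 << 17
TLV_META_TYPE_RAW     = 1 << 18
TLV_META_TYPE_BOOL    = 1 << 19
TLV_META_TYPE_GROUP   = 1 << 30
TLV_META_TYPE_COMPLEX = 1 << 31
TLV_META_TYPE_MASK    = 0xFFFF_0000

TLV_TYPE_METHOD       = TLV_META_TYPE_STRING | 1
TLV_TYPE_REQUEST_ID   = TLV_META_TYPE_STRING | 2
TLV_TYPE_RESULT       = TLV_META_TYPE_UINT   | 4
TLV_TYPE_LIBRARY_PATH = TLV_META_TYPE_STRING | 400
TLV_TYPE_CIPHER_NAME  = TLV_META_TYPE_STRING | 500

PACKET_TYPE_REQUEST  = 0
PACKET_TYPE_RESPONSE = 1

# Encode one TLV. Strings are NUL-terminated (the meta-type check the
# text mentions relies on that); unsigned ints are 4-byte network order.
def tlv_encode(type, value)
  body = case type & TLV_META_TYPE_MASK
         when TLV_META_TYPE_STRING then value.to_s + "\0"
         when TLV_META_TYPE_UINT   then [value].pack('N')
         when TLV_META_TYPE_BOOL   then [value ? 1 : 0].pack('C')
         else value.to_s # NONE/RAW/GROUP: raw bytes or already-encoded TLVs
         end
  [body.bytesize + 8, type].pack('NN') + body.b
end

# A packet is a TLV whose Type is the packet type and whose Value is the
# concatenation of its member TLVs.
def packet_encode(packet_type, tlvs)
  tlv_encode(packet_type, tlvs.map { |t, v| tlv_encode(t, v) }.join)
end

# Parse consecutive TLVs into [type, value] pairs, decoding each value by
# its meta-type and rejecting lengths that do not fit the buffer.
def tlv_parse(buf)
  pairs = []
  off = 0
  while off < buf.bytesize
    raise 'truncated TLV header' if buf.bytesize - off < 8
    len, type = buf.byteslice(off, 8).unpack('NN')
    raise "bad TLV length #{len}" if len < 8 || off + len > buf.bytesize
    raw = buf.byteslice(off + 8, len - 8)
    value = case type & TLV_META_TYPE_MASK
            when TLV_META_TYPE_STRING
              raise 'string TLV not NUL-terminated' unless raw.end_with?("\0")
              raw.chomp("\0")
            when TLV_META_TYPE_UINT then raw.unpack1('N')
            when TLV_META_TYPE_BOOL then raw.unpack1('C') != 0
            else raw
            end
    pairs << [type, value]
    off += len
  end
  pairs
end

# Decode a whole packet into its packet type and a Hash of member TLVs.
def packet_decode(bytes)
  outer = tlv_parse(bytes)
  raise 'expected exactly one packet' unless outer.length == 1
  packet_type, body = outer.first
  [packet_type, tlv_parse(body).to_h]
end

# A request as the text describes it: the method name, a request id
# (because a response is expected) and the method's own parameters.
def build_request(method, request_id, params)
  packet_encode(PACKET_TYPE_REQUEST,
                [[TLV_TYPE_METHOD, method], [TLV_TYPE_REQUEST_ID, request_id]] + params)
end

# The matching response: same method and request id, plus TLV_TYPE_RESULT
# (zero on success, as the text states for core_loadlib).
def build_response(request, result)
  _type, fields = packet_decode(request)
  packet_encode(PACKET_TYPE_RESPONSE,
                [[TLV_TYPE_METHOD, fields[TLV_TYPE_METHOD]],
                 [TLV_TYPE_REQUEST_ID, fields[TLV_TYPE_REQUEST_ID]],
                 [TLV_TYPE_RESULT, result]])
end

# Round trip for the core_loadlib exchange: request, server reply, decode.
def loadlib_round_trip(path)
  req  = build_request('core_loadlib', '1', [[TLV_TYPE_LIBRARY_PATH, path]])
  resp = build_response(req, 0)
  packet_decode(resp)
end
```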


== Sources ==
* D. Bhatnagar, S. Som, and S. K. Khatri. Advance Persistant Threat and Cyber Spying - The Big Picture, Its Tools, Attack Vectors and Countermeasures. In 2019 Amity International Conference on Artificial Intelligence (AICAI), pages 828-839, 2019. doi:10.1109/AICAI.2019.8701329.
* S. Adarsh and K. Jain. Capturing Attacker Identity with Biteback Honeypot. In 2021 International Conference on System, Computation, Automation and Networking (ICSCAN), pages 1-7, 2021. doi:10.1109/ICSCAN53069.2021.9526371.
* A. Johnson and R. J. Haddad. Evading Signature-Based Antivirus Software Using Custom Reverse Shell Exploit. In SoutheastCon 2021, pages 1-6, 2021. doi:10.1109/SoutheastCon45413.2021.9401881.
* Mathias. Metasploit / Meterpreter - Zugriff auf Android. mattionline.de, https://mattionline.de/metasploit-meterpreter-android-smartphone/, Mar 2021.
* Edward Gately. Facebook Outage Worst in More than 10 Years, Could Be Cyberattack. Channel Futures, https://www.channelfutures.com/security/facebook-service-outage-worst-in-more-than-10-years-could-be-cyberattack, Oct 2021.
* The Metasploit Staff. Metasploit 3.0 Developer's Guide. http://index-of.co.uk/INFOSEC/developers_guide.pdf, 25 Feb 2007.
* skape (M. Miller, mmiller@hick.org). Metasploit's Meterpreter. http://hick.org/code/skape/papers/meterpreter.pdf, 26 Dec 2004.
* Metasploit Framework User Guide. http://cs.uccs.edu/~cs591/metasploit/users_guide3_1.pdf.
* Meterpreter - javatpoint. https://www.javatpoint.com/meterpreter-in-ethical-hacking.
* Offensive Security. Metasploit Unleashed. https://www.offensive-security.com/metasploit-unleashed/.

Latest revision as of 22:20, 8 January 2024

Summary

Meterpreter, short for Meta-Interpreter, is a dynamically extendable attack payload included in the Metasploit penetration testing Framework. The payload was developed by Matt Miller under the hacker moniker of Skape and is used in the post-exploitation phase after gaining access to the targeted system. Meterpreter provides a powerful interactive command line interface (CLI) and avoids the risk of being exposed. Running it does not alert intrusion detection systems, like starting a standard shell process will, because it is strictly executed from working memory. Meterpreter does not need a separate process to execute because it is injected into a currently running process. This also means it is executed from memory only, which makes it even harder to detect for Anti-Virus software. Meterpreter provides a variety of commands, additional modules and scripts available to aid in further exploitation. Because it is integrated into the Metasploit Framework it can use its post-exploitation modules as well.

Meterpreter Basics

Meterpreter is supposed to give the attacker access to a command interpreter on the target machine that offers powerful post-exploitation tools and is also hard to detect with forensic tools. For this Meterpreter was designed with the three goals of being stealthy, powerful and extensible.

Meterpreter Design Goals

Stealthy

  • Meterpreter is designed to operate in working memory and never write to the physical disk.
  • Meterpreter operates inside running processes and can be migrated to other processes.
  • Meterpreter uses encrypted communication.

Powerful

  • Meterpreter utilizes a channelized communication system.
  • The TLV (Type-Length-Value) protocol has few limitations.

Extensible

  • Meterpreter can be augmented at runtime. Extensions, modules and scripts can be loaded over the network connection.
  • The Meterpreter session does not have to be rebuilt every time new features are added.

How does Meterpreter work?

Prerequisite: The target system is already exploited and remote access is established.

  1. Meterpreter payload, also called the initial stager, is sent to the target system.
  2. Compromised system executes the initial stager, usually bind_tcp, reverse_tcp, etc.
  3. The stager loads the needed libraries, the Meterpreter core initializes and establishes a TLS connection to the attacking system.
  4. Meterpreter sends a GET request which Metasploit receives and then configures the client.
  5. Meterpreter loads the default extensions (stdapi, priv). The extensions are loaded over the TLS connection using a TLV (Type-Length-Value) protocol.

Meterpreter Features

The Meterpreter CLI is similar to standard shells (sh, zsh, etc.) and provides system, file system and networking commands identical to them (cd, cat, rm, pwd, etc.). Meterpreter also provides additional basic commands, some of which can be seen in the table below, additional commands provided by the default extensions and more commands can be added by loading other extensions.

Basic Commands

A selection of commonly used Meterpreter commands can be found in the table below.

Command: Description
background: Moves the current Meterpreter session to the background, giving the user access to the Metasploit command line.
sessions -i ID: Reactivates the specified session. Using the command without a switch displays all active sessions.
clearev: Deletes all application, system and security logs on the victim machine. Only works for Windows systems.
execute: Executes a command on the remote machine specified by the '-f' switch. The executed command can be supplied with arguments by using '-a'.
getsystem: Attempts to elevate the current Meterpreter session to system administrator level of authorization.
getuid: Displays the user identification of the user the current Meterpreter session is running as.
hashdump: Prints all available usernames and their password hashes, making them available for further manipulation like password cracking using additional software or rainbow tables.
help: Shows the Meterpreter help menu consisting of a comprehensive list of commands. This menu expands if more extensions are loaded.
ipconfig: Prints the network configuration of the target machine in Windows display style.
migrate: Migrates the Meterpreter session to the process given as a parameter. This allows further exploitation of the system from within the new process. This should be done to avoid getting thrown out by the user closing the process that served as entry point.
ps: Prints a non-interactive list of the currently running processes on the target machine including process IDs, usernames of the process owners and the path to the executables.
search: Searches the system for a file specified by the -f switch. The provided filename may contain wildcards.
sysinfo: Prints the target machine's name, operating system (including build and service pack if applicable), the architecture of the operating system, the system language, the domain name and the number of currently logged in users.

Extensions

Meterpreter extensions are loaded by using the load command. Two extensions are loaded by default:

  • priv: This extension is used for privilege escalation
  • stdapi: This extension supplies core Meterpreter commands like getuid

Other frequently used extensions include:

  • kiwi: This extension is used to obtain user credentials and authentication tokens which are retrieved from system memory. This makes it possible for passwords to be displayed in cleartext. In the past the extension was named mimikatz.
  • python : This extension allows the execution of python scripts on the target machine.
  • powershell : This extension allows the execution of powershell scripts on the target machine.

Scripts & Modules

Meterpreter includes pre-made scripts for various purposes which are run by using the run command. The payload includes scripts that can persist Meterpreter sessions, unlock the target's screen or disable anti-virus software. Some of the scripts seen in the figure below are now considered deprecated, because they have been integrated into the Metasploit Framework as post-exploitation modules. The Meterpreter session can be put into the background to run these modules.

Meterpreter Scripts

Meterpreter Scripting with Ruby

The Metasploit Framework version 3.0 represents a significant advancement compared to the typical 2.x series. It is a complete overhaul of the previous versions, now entirely written in Ruby. The earlier versions were primarily written in Perl and included components from Python, C, and Assembly. Ruby is an interpreted, object-oriented language that combines the best elements of Perl and Smalltalk. Version 3.0 of the framework provides automation capabilities in every phase of the discovery and exploitation process. Almost every component of the framework can be extended, linked, and automated, enabling effective penetration testing and close integration with third-party products.

The Ruby programming language by Yukihiro Matsumoto

Yukihiro Matsumoto created Ruby, a straightforward and powerful object-oriented programming language. Everything in Ruby follows the Smalltalk style, treating everything as an object, and it includes features like blocks, iterators, metaclasses, and more. Ruby is versatile, suitable for everyday tasks, prototyping, and server development. It is a fully integrated, easily scalable object-oriented language.

Ruby is characterized by the following features:

  • Simple syntax
  • Basic object-oriented functionalities (such as classes, methods, objects, ...)
  • Special object-oriented functionalities (such as mixins, singleton methods, renaming, ...)
  • Operator overloading
  • Exception handling
  • Iterators and closures
  • Dynamic loading (dependent on the architecture)
  • High portability (runs on various UNIX, Windows, DOS, and OS platforms, ...)

Reasons for using Ruby

What was the reason behind the Metasploit team's decision to use Ruby in the development of version 3.0? The decision is clarified by the following arguments:

  • Ruby's simple and powerful approach as an interpreted language.
  • Ruby's high introspection level and object-oriented elements meeting framework requirements.
  • Ruby being more suitable than Perl for automated class construction and code reuse.
  • Ruby providing platform-independent threading support, leading to improved performance.
  • Usability and performance issues in integrating Perl with ActiveState Perl, resolved by the natively compiled Ruby interpreter for Windows.

Sources

  • D. Kennedy, J. O’Gorman, D. Kearns, and M. Aharoni. Metasploit: The Penetration Tester’s Guide. No Starch Press Series. No Starch Press, 2011.
  • James McGuffee, Jay Blanco, and Franz Wambach. Try ruby! tutorial presentation. J. Comput. Sci. Coll., 23(6):117, jun 2008.
  • Michael Messner. Hacking mit Metasploit. dpunkt.verlag, 3rd edition, 2017.
  • David Maynor and Thomas Wilhelm. Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research. Syngress Publishing, 1st edition, 2007.
  • M. Miller. Meterpreter specifications. http://www.hick.org/code/skape/papers/meterpreter.pdf, 2004. Accessed: 2022-09-14.
  • Metasploit Unleashed free ethical hacking course. https://www.offensive-security.com/metasploit-unleashed/. Accessed: 2022-11-05.
  • Benjamin Pharr. Getting to know ruby. J. Comput. Sci. Coll., 21(5):181–182, may 2006.