Meterpreter

From Embedded Lab Vienna for IoT & Security
Revision as of 17:48, 16 January 2022 by SDoiber

Summary

Meterpreter is an abbreviation for Meta-Interpreter. It is a payload included in the Metasploit Framework. It was originally developed for Metasploit 2.x by Matt Miller under his hacker moniker Skape. It is used after an exploit has gained access to a system, to interact further with that system through an interactive command interpreter. The way this payload operates makes it hard to detect: it does not run as a process of its own but is injected into processes that are already running on the target system. This also means that it executes from memory only, without writing itself to disk, which makes it harder for anti-virus software to detect. The payload itself is very flexible and offers developers a great deal of customization: anyone may write their own extension in the form of a shared object file (on Windows a DLL, dynamic link library), which is then injected into memory as well.

Goals

The short version is that Meterpreter is supposed to give the attacker access to a command interpreter on the target machine that is very hard, or ideally impossible, to detect with forensic tools. To achieve this goal, Miller set the following three requirements when designing Meterpreter:

Stealthy

The payload has to be stealthy, or, as he put it in the documentation: it must not create a new process. It must be very hard to detect with forensic tools after Meterpreter has been used on the target system. To reach this goal, three sub-criteria had to be met:

  • It was designed to reside only in memory and never write to the disk.
  • It resides inside other, already existing processes. Should the process in which it currently resides finish, Meterpreter 'hijacks' (migrates to) another one that is currently running.
  • It uses encrypted communication.
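The in-memory-only operation described in the Summary and in the first two stealth criteria leaves a characteristic trace that a forensic check can look for: a region of process memory that is executable but not backed by any file on disk, or that is writable and executable at the same time. The following script is an added example and is not code from the original page or from the Metasploit project. Meterpreter's original target is Windows; for an offline-runnable illustration the script reads the Linux equivalent of the process memory map, /proc/<pid>/maps, using a constructed sample. The list of benign kernel pseudo-regions and the minimum region size are assumptions. The idea is the same one memory-forensic tools such as Volatility's malfind apply to a memory image.

```python
"""Triage check for code that lives only in memory: flag executable mappings
that are not backed by a file on disk, by parsing /proc/<pid>/maps lines.

Added example, not code from the original wiki page or from Metasploit.
Assumptions: Linux /proc layout; the sample maps text below is constructed.
"""
import re
from dataclasses import dataclass
from pathlib import Path

# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"(?:\s+(?P<path>.*\S))?\s*$"
)

# Kernel-provided pseudo regions that are executable by design and not on disk
# (assumed allow-list; extend it for the runtimes present on the host).
_BENIGN_ANON = {"[vdso]", "[vsyscall]"}


@dataclass(frozen=True)
class Finding:
    start: int
    end: int
    perms: str
    path: str
    reason: str

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_maps(text: str):
    """Yield (start, end, perms, path) for each well-formed maps line."""
    for line in text.splitlines():
        m = _MAPS_RE.match(line)
        if not m:
            continue  # skip blank or garbled lines instead of aborting the scan
        yield (int(m["start"], 16), int(m["end"], 16), m["perms"], m["path"] or "")


def find_suspicious_regions(text: str, min_size: int = 0x1000):
    """Return executable regions that either have no file backing (anonymous,
    heap or stack) or are writable and executable at once (RWX). Both are what
    a payload that was never written to disk looks like in process memory."""
    findings = []
    for start, end, perms, path in parse_maps(text):
        if "x" not in perms or end - start < min_size:
            continue
        if path in _BENIGN_ANON:
            continue
        anonymous = path == "" or path.startswith("[")
        if anonymous:
            findings.append(Finding(start, end, perms, path,
                                    "executable region not backed by a file"))
        elif "w" in perms:
            findings.append(Finding(start, end, perms, path,
                                    "file-backed region is writable and executable"))
    return findings


def scan_pid(pid: int):
    """Live check: parse the maps file of a running process (needs permission)."""
    return find_suspicious_regions(Path(f"/proc/{pid}/maps").read_text())


# Constructed sample: a normal binary and libc mapping, heap, stack, the vdso,
# and one anonymous RWX block of the kind left behind by loading a payload
# straight into a running process.
SAMPLE_MAPS = """\
55e3c2a00000-55e3c2a1c000 r--p 00000000 08:01 1835019                    /usr/bin/sleep
55e3c2a1c000-55e3c2a2e000 r-xp 0001c000 08:01 1835019                    /usr/bin/sleep
55e3c3f10000-55e3c3f31000 rw-p 00000000 00:00 0                          [heap]
7f1e6c200000-7f1e6c3c8000 r-xp 00028000 08:01 1838412                    /usr/lib/x86_64-linux-gnu/libc.so.6
7f1e6c600000-7f1e6c640000 rwxp 00000000 00:00 0
7ffc8a1e3000-7ffc8a204000 rw-p 00000000 00:00 0                          [stack]
7ffc8a3f1000-7ffc8a3f3000 r-xp 00000000 00:00 0                          [vdso]
"""

if __name__ == "__main__":
    for f in find_suspicious_regions(SAMPLE_MAPS):
        print(f"{f.start:#x}-{f.end:#x} {f.perms} size={f.size:#x} "
              f"{f.path or '<anon>'}: {f.reason}")
```

On the sample only the anonymous rwxp block is reported; the vdso is excluded by the allow-list and the ordinary file-backed text segments are neither anonymous nor writable. JIT runtimes (browsers, the JVM) legitimately create anonymous executable regions, so in practice a hit is a lead for dumping and inspecting the region, not a verdict on its own.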

Powerful

Extensible