Meterpreter

From Embedded Lab Vienna for IoT & Security
Revision as of 17:57, 16 January 2022 by SDoiber (talk | contribs)

Summary

Meterpreter is an abbreviation for Meta-Interpreter. It is a payload included in the Metasploit Framework. It was originally developed for Metasploit 2.x by Matt Miller under the hacker moniker Skape. It is used after an exploit has been used to gain access to a system, to interact with that system further through an interactive shell. The way this payload operates makes it very hard to detect, since it is not a separate process but is injected into processes that are already running on the target system. This also means that it executes from memory only, which makes it even harder for anti-virus software to detect. The payload itself is very flexible and allows developers a great deal of customization: anyone may write their own extension in the form of a shared object file (DLL, dynamic link library), which is then injected into memory.

Goals

The short version is that Meterpreter is supposed to give the attacker access to a command interpreter on the target machine that is very hard, or ideally impossible, to detect with forensic tools. To achieve this goal while designing Meterpreter, Miller set the following 3 requirements:

Stealthy

The payload has to be stealthy, or as he put it in the documentation: it must not create a new process. It must be very hard to detect with forensic tools after Meterpreter has been used on the target system. To reach this goal, 3 sub-criteria had to be met:

  • It was designed to reside only in memory and never write to disk.
  • It resides inside other, already existing processes. Should the process in which it currently resides finish, Meterpreter 'hijacks' another one that is currently running.
  • It uses encrypted communication.

Powerful

Having access to a command line interface on the target device is useless if the privileges are not sufficiently elevated. It must work in chroot'd environments.

  • Meterpreter utilizes a channelized communication system.
  • The TLV (Type-Length-Value) protocol has few limitations.
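The TLV packet layout is what makes the protocol so flexible: every value is self-describing, and a group TLV can carry further TLVs in its value, so one message can hold arbitrarily structured data. The following is an added illustration, not Meterpreter's or Metasploit's own code: a minimal TLV encoder and decoder in the same spirit (4-byte big-endian length that includes the 8-byte header, 4-byte big-endian type, then the value). The group flag bit, the type numbers and the sample method name are all constructed for this example. It also shows the check a decoder on the defending side needs, rejecting a length that is shorter than the header, runs past the buffer, or nests too deeply, because the protocol's few limitations mean the parser itself must enforce them.

```python
"""Minimal TLV (Type-Length-Value) encoder/decoder with bounds checking.

Added illustration; not Meterpreter's own implementation. Assumed layout:
  length (4 bytes, big-endian, counts the 8-byte header plus the value)
  type   (4 bytes, big-endian)
  value  (length - 8 bytes)
A group TLV nests further TLVs inside its value.
"""
import struct

HEADER = struct.Struct(">II")   # length, type
TLV_GROUP = 0x40000000          # assumed flag bit marking a container of nested TLVs


class TlvError(ValueError):
    """Raised for a malformed packet (bad length, truncation, excessive nesting)."""


def encode(tlv_type: int, value) -> bytes:
    """Encode one TLV. `value` is bytes, or a list of (type, value) pairs for a group."""
    if isinstance(value, list):
        body = b"".join(encode(t, v) for t, v in value)
        tlv_type |= TLV_GROUP
    else:
        body = bytes(value)
    return HEADER.pack(HEADER.size + len(body), tlv_type) + body


def decode(buf: bytes, max_depth: int = 8):
    """Decode a sequence of TLVs from `buf`.

    Returns a list of (type, value); value is bytes, or a nested list for a group.
    Every length field is validated before it is used to slice the buffer.
    """
    if max_depth < 0:
        raise TlvError("nesting too deep")
    out = []
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < HEADER.size:
            raise TlvError(f"truncated header at offset {pos}")
        length, tlv_type = HEADER.unpack_from(buf, pos)
        # The length covers the header, so anything below HEADER.size is bogus,
        # and a length running past the buffer means a truncated or forged packet.
        if length < HEADER.size or pos + length > len(buf):
            raise TlvError(f"bad length {length} at offset {pos}")
        body = buf[pos + HEADER.size:pos + length]
        if tlv_type & TLV_GROUP:
            out.append((tlv_type & ~TLV_GROUP, decode(body, max_depth - 1)))
        else:
            out.append((tlv_type, body))
        pos += length
    return out


def is_malformed(buf: bytes) -> bool:
    """True if the decoder rejects `buf`; used to exercise the validation paths."""
    try:
        decode(buf)
    except TlvError:
        return True
    return False


# Constructed sample: a "request" group (type 1) carrying a method name (type 10)
# and one argument (type 20). Names and numbers are invented for this example.
SAMPLE = encode(1, [(10, b"example_method"), (20, b"example_arg")])


def demo():
    return decode(SAMPLE)


if __name__ == "__main__":
    print(demo())
    # A length field smaller than the header must be rejected, not trusted.
    print(is_malformed(b"\x00\x00\x00\x04\x00\x00\x00\x01"))
```

Note that the encoder trusts its caller, while the decoder trusts nothing in the byte stream: the length field is checked against both the header size and the remaining buffer before any slice is taken, and the recursion depth is capped so a crafted chain of nested groups cannot exhaust the stack.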

Extensible

A useful tool does one thing and does it well, as we know. But an adaptable tool that can change according to who uses it, what it is used for, and in what environment it is used is arguably an excellent tool. It must allow for robust extensibility. This goal led to the following functions:

  • Meterpreter can be augmented at runtime. This means, for example, that a library or extension can be uploaded to the server to gain more options.
  • Augmentation at runtime means that Meterpreter does not have to be rebuilt.

This whole process takes a few seconds to complete.