Difference between revisions of "Meterpreter"

From Embedded Lab Vienna for IoT & Security
(re-design of article, added missing category tag)
== Summary ==
Meterpreter is an abbreviation for Meta-Interpreter. It is a payload which is included in the Metasploit Framework. Originally it was developed for Metasploit 2.x by Matt Miller under the hacker moniker of Skape. It is used after an exploit has been used to gain access to a system, to further interact with that system by providing an interactive shell. The way this payload operates makes it very hard to detect since it is not a process itself but is injected into processes which are already running on the target system. This also means that it is executed from memory only, making it even harder to detect for anti-virus software. The payload itself is very flexible, allowing for great customization by developers. Each may write their own extension in the form of a shared object file (DLL, dynamic link library) which is then injected into memory.


== Goals ==  
The short version is that Meterpreter is supposed to give the attacker access to a command interpreter on the target machine which is very hard or ideally impossible to detect with forensic tools. To achieve this goal while designing Meterpreter, Miller had the following 3 requirements:


=== Stealthy ===
The payload has to be stealthy, or, as he put it in the documentation:
Must not create a new process.
It must be very hard to detect with forensic tools after Meterpreter was used on the target system. To reach this goal, 3 sub-criteria had to be met:
* It was designed to just reside in memory and never write to the disk.
* It resides inside other, already existing processes. Should the process in which it currently resides finish, Meterpreter 'hijacks' another one that is currently running.
* It uses encrypted communication.


=== Powerful ===
Having access to a command line interface on the target device is useless if the privileges are not sufficiently elevated.
Must work in chroot’d environments.
 
* Meterpreter utilizes a channelized communication system.
* The TLV (Type-Length-Value) protocol has few limitations.


=== Extensible ===
A useful tool does one thing and does it well, as we know. But an adaptable tool that can change according to who uses it, what it is used for, and in what environment it is used, is arguably an excellent tool.
Must allow for robust extensibility.
This goal led to the following functions:
* Meterpreter can be augmented at runtime. This means, for example, that a library or extension can be uploaded to the server to gain more options.
* Augmentation at runtime means that Meterpreter does not have to be rebuilt.
This whole process takes a few seconds to complete.
 
 
== Usage ==
Meterpreter itself was developed for Metasploit. Unsurprisingly, the easiest way to use it is via this framework. It was implemented on Windows, but since its design makes it fully portable it may be applied to a variety of other operating systems like Linux or Android. If used via the Metasploit framework to run an exploit against a Windows target machine, one of 3 payloads can be chosen. They differ in the way they establish a connection between the client (on the attacker's machine) and the server (on the target machine).
* '''win32_bind_meterpreter''': This payload establishes a connection from the attacking machine to the target machine. After this is done the server gets uploaded and the connection is used further.
* '''win32_reverse_meterpreter''': This payload establishes a connection from the target machine to the attacker. After this is done the server gets downloaded from the attacker machine and the connection is again used further.
* '''win32_findrecv_ord_meterpreter''': This last payload is the most stealthy since it does not establish new connections and can bypass firewalls that way. It looks for the file descriptor that the exploit was triggered from and uses it to upload the Meterpreter server. Afterwards the same connection is used as a means of communication.
Which payload is used depends on the exploit and on the conditions of the environment in which it is deployed, such as the configuration of the target machine's firewall. After starting up the Metasploit framework and seeing the welcome screen, pick an exploit that uses Meterpreter as a post-exploitation tool. After that, select the desired payload. You could for example use '''win32_reverse_meterpreter'''.
After that it is required to define:
* '''RHOST''': which represents the IP of the host or client machine
* '''RPORT''': which represents the outgoing port of the host or client machine
* '''LHOST''': which represents the IP of the target or server machine
* '''LPORT''': which represents the incoming port of the target or server machine
Depending on what the attacker wants to achieve, additional libraries may be uploaded during deployment. After doing that, the help command lists the newly available commands as well.
== Functionality ==
For Meterpreter to be as expandable as it is, the underlying packet structure (parsing and transmission) had to be well defined. This lead to the choice of a Type-Length-Value structure, or TLV for short.
Another vital part of the Meterpreter payload is the connectivity and the encryption which go hand in hand. Connectivity is a base requirement since without a stable connection between attacker and target host, no exploitation can happen. It is furthermore also vital to have the possibility to encrypt the transmission to prevent the target host from identifying the outgoing transmission as something malicious.
And last but not least, the libraries which are able to extend Meterpreter's tool set during runtime are also a core functionality. They allow the hacker to extend the toolkit while in the middle of the exploitation process.
 
=== TLV or Type-Length-Value ===
This packet structure allows packets to have arbitrary lengths and does not require the parsing code to understand the format of the data that is received, which in turn allows all sorts of data to be sent from the server to the client. The structure of the actual packet is a little different than the name would suggest: the correct order would be Length-Type-Value. The figure below shows a visual representation of a TLV packet.
 
[[File:TLVPacket.png]]
 
* '''Length''' (32 bits, network byte order): The length field contains the length of the TLV including the Length, Type and Value fields.
* '''Type''' (32 bits, network byte order): The type field holds the arbitrary data type which is used to indicate the format of the value.
* '''Value''' (0..n bits): The value field holds arbitrary data that is of the format specified in the Type field.
This structuring makes it possible to nest TLVs into one another to convey data that usually would be transmitted in some sort of header.
 
=== Structure ===
One TLV may contain zero or more TLVs in its Value field, and there are four types of packets, which indicate what type of packet is currently being transmitted or received.
 
[[File:TLVStructure.png]]
 
The only difference between the two packet types with 'PLAIN' in their name is that those packets are always transmitted in plain text, even if encryption, which is optional for the other two packet types, is enabled.
 
=== Defined TLVs ===
The technique of nesting TLVs in one another is also used to replace the header field of a standard IP packet. The information which is usually conveyed in such a field is still required for communication, so it is simply put into a TLV packet which is in turn nested into another TLV's 'Value' field. This leads to a number of predefined TLVs which are used by Meterpreter. This feature may also be used for building extensions for Meterpreter. These predefined TLVs can be uniquely identified by their least and most significant bytes: the most significant holds the meta-type information, and the least significant the unique identifier.
The meta-type information is used to validate an argument, like verifying that an argument supplied as a string is null-terminated. It is also used for parameter decoding. All meta-types are listed in the table below.


[[File:TLVMetaTypes.png]]


From these 7 meta-types, a list of predefined TLVs has been developed which provide core functionality to Meterpreter.


=== Connectivity ===
The connection between server and client is initiated by the server (i.e. the target machine) after the Metasploit framework has used an exploit to gain access to the system. The server then sends a banner message to the client to signal the established connection.


[[File:MeterpreterConectivity.png]]
Source: www.javatpoint.com
 
=== Encryption ===
At this point it is possible to enable encryption of the communication by issuing the command
$ initcrypt
on the client machine. This command needs to be supplied with a cipher, which the client then sends as a plaintext packet to the server via the method 'core_crypto_negotiate'. This includes a unique request identifier since a response is expected. This packet also needs to contain the TLV_TYPE_CIPHER_NAME and optionally the TLV_TYPE_CIPHER_PARAMETERS.
If everything works as expected, the server responds with the 'core_crypto_negotiate' method back, including the optional parameters if provided [meterpreter_documentation].
=== Libraries ===
Loading a new library is very similar in complexity and method to enabling encryption. Depending on the parameters of the
$ loadlib
command, the employed mechanism varies. In a situation where the library is loaded from a path on the remote machine, and no uploading is taking place, the packet flow looks like this:
* The client transmits the request with the method 'core_loadlib', which includes a TLV_TYPE_LIBRARY_PATH TLV with the path on the remote server where the library is located.
* The server transmits the response 'core_loadlib' back to the client. If the library was loaded successfully, the TLV_TYPE_RESULT parameter will be set to zero. Otherwise, the response contains the exception and its data.
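As an added example that is not code from the original article or from Metasploit, the Python below encodes and parses the Length-Type-Value layout from the TLV section and builds the 'core_loadlib' and 'core_crypto_negotiate' requests described in the Encryption and Libraries sections. The numeric type constants and packet-type values are assumptions modelled on Metasploit's TLV definitions, and the request ids and library path are constructed.

```python
import struct
# Meta-type bits sit in the high bits of the 32-bit Type field, the identifier in the low bits.
# Numeric values follow Metasploit's TLV definitions as I know them and are assumptions here.
TLV_META_TYPE_STRING, TLV_META_TYPE_UINT, TLV_META_TYPE_GROUP = 1 << 16, 1 << 17, 1 << 30
META_MASK = 0xFFFF0000
TLV_TYPE_METHOD = TLV_META_TYPE_STRING | 1
TLV_TYPE_REQUEST_ID = TLV_META_TYPE_STRING | 2
TLV_TYPE_RESULT = TLV_META_TYPE_UINT | 4
TLV_TYPE_LIBRARY_PATH = TLV_META_TYPE_STRING | 400
TLV_TYPE_CIPHER_NAME = TLV_META_TYPE_STRING | 500
TLV_TYPE_CIPHER_PARAMETERS = TLV_META_TYPE_GROUP | 501
PACKET_TYPE_REQUEST, PACKET_TYPE_RESPONSE, PACKET_TYPE_PLAIN_REQUEST, PACKET_TYPE_PLAIN_RESPONSE = 0, 1, 10, 11
HEADER = struct.Struct("!II")  # Length, then Type: 32 bits each, network byte order


def encode_tlv(tlv_type, value):
    """Serialize one TLV; Length counts the 8-byte header as well as the Value."""
    meta = tlv_type & META_MASK
    if meta == TLV_META_TYPE_STRING:
        body = value.encode() + b"\x00"  # strings are null-terminated
    elif meta == TLV_META_TYPE_UINT:
        body = struct.pack("!I", value)
    elif meta == TLV_META_TYPE_GROUP:
        body = b"".join(encode_tlv(t, v) for t, v in value)  # nested TLVs
    else:
        body = bytes(value)  # RAW and unknown meta-types: passed through untouched
    return HEADER.pack(HEADER.size + len(body), tlv_type) + body

def encode_packet(packet_type, tlvs):
    """A packet is a TLV whose Type is the packet type and whose Value is the nested TLVs."""
    body = b"".join(encode_tlv(t, v) for t, v in tlvs)
    return HEADER.pack(HEADER.size + len(body), packet_type) + body

def parse_tlvs(buf):
    """Walk consecutive TLVs, checking every Length before trusting it (untrusted input)."""
    out, off = {}, 0
    while off < len(buf):
        if len(buf) - off < HEADER.size:
            raise ValueError("truncated TLV header at offset %d" % off)
        length, tlv_type = HEADER.unpack_from(buf, off)
        if length < HEADER.size or off + length > len(buf):
            raise ValueError("bad TLV length %d at offset %d" % (length, off))
        body, meta = buf[off + HEADER.size:off + length], tlv_type & META_MASK
        if meta == TLV_META_TYPE_STRING:
            if not body.endswith(b"\x00"):  # the meta-type validation the text mentions
                raise ValueError("string TLV %#x is not null-terminated" % tlv_type)
            value = body[:-1].decode()
        elif meta == TLV_META_TYPE_UINT:
            value = struct.unpack("!I", body)[0]  # raises struct.error if not 4 bytes
        elif meta == TLV_META_TYPE_GROUP:
            value = parse_tlvs(body)
        else:
            value = body
        out[tlv_type] = value  # a repeated type overwrites the earlier one (fine for a demo)
        off += length
    return out

def parse_packet(buf):
    """Return (packet_type, {tlv_type: value}); the outer Length must cover the whole buffer."""
    if len(buf) < HEADER.size or HEADER.unpack_from(buf)[0] != len(buf):
        raise ValueError("packet Length does not match the %d bytes received" % len(buf))
    return HEADER.unpack_from(buf)[1], parse_tlvs(buf[HEADER.size:])

def loadlib_request(request_id, remote_path):
    """Client -> server: core_loadlib request naming a library already on the remote host."""
    return encode_packet(PACKET_TYPE_REQUEST, [(TLV_TYPE_METHOD, "core_loadlib"),
        (TLV_TYPE_REQUEST_ID, request_id), (TLV_TYPE_LIBRARY_PATH, remote_path)])

def crypto_negotiate_request(request_id, cipher, parameters=()):
    """initcrypt sends core_crypto_negotiate as a PLAIN packet since no cipher is active yet."""
    tlvs = [(TLV_TYPE_METHOD, "core_crypto_negotiate"), (TLV_TYPE_REQUEST_ID, request_id),
            (TLV_TYPE_CIPHER_NAME, cipher)]
    if parameters:  # optional TLV_TYPE_CIPHER_PARAMETERS group nested inside the request
        tlvs.append((TLV_TYPE_CIPHER_PARAMETERS, list(parameters)))
    return encode_packet(PACKET_TYPE_PLAIN_REQUEST, tlvs)
```

Every Length is compared against the bytes actually received before it is used, which is the check any parser of this format needs when the peer is untrusted.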


== Sources ==
* D. Kennedy, J. O’Gorman, D. Kearns, and M. Aharoni. Metasploit: The Penetration Tester’s Guide. No Starch Press Series. No Starch Press, 2011.
* M. Miller. Meterpreter specifications. http://www.hick.org/code/skape/papers/meterpreter.pdf, 2004. Accessed: 2022-09-14.
* Metasploit Unleashed free ethical hacking course. https://www.offensive-security.com/metasploit-unleashed/. Accessed: 2022-11-05.
* Michael Messner. Hacking mit Metasploit. dpunkt.verlag, 3rd edition, 2017.

@INPROCEEDINGS{APTCS_TBP,
author={Bhatnagar, Dev and Som, Subhranil and Khatri, Sunil Kumar},
booktitle={2019 Amity International Conference on Artificial Intelligence (AICAI)},
title={Advance Persistant Threat and Cyber Spying - The Big Picture, Its Tools, Attack Vectors and Countermeasures},
year={2019},
pages={828-839},
doi={10.1109/AICAI.2019.8701329}}

@INPROCEEDINGS{CAIwBH,
author={Adarsh, S and Jain, Kurunandan},
booktitle={2021 International Conference on System, Computation, Automation and Networking (ICSCAN)},
title={Capturing Attacker Identity with Biteback Honeypot},
year={2021},
pages={1-7},
doi={10.1109/ICSCAN53069.2021.9526371}}

@INPROCEEDINGS{ESBASUCRSE,
author={Johnson, Andrew and Haddad, Rami J.},
booktitle={SoutheastCon 2021},
title={Evading Signature-Based Antivirus Software Using Custom Reverse Shell Exploit},
year={2021},
pages={1-6},
doi={10.1109/SoutheastCon45413.2021.9401881}}

@misc{mathias_2021,
title={Metasploit / Meterpreter - Zugriff auf Android: Mattionline},
url={https://mattionline.de/metasploit-meterpreter-android-smartphone/},
journal={mattionline.de},
author={Mathias},
year={2021},
month={Mar}}

@misc{edwardgately_2021,
title={Facebook Outage Worst in More than 10 Years, Could Be Cyberattack},
url={https://www.channelfutures.com/security/facebook-service-outage-worst-in-more-than-10-years-could-be-cyberattack},
journal={Channel Futures},
author={Edward Gately},
year={2021},
month={Oct}}

@manual{Metasploit_Developers_Guide,
title={Metasploit 3.0 Developer’s Guide},
url={http://index-of.co.uk/INFOSEC/developers_guide.pdf},
author={The Metasploit Staff},
year={2007},
month={Feb},
day={25}}

@techreport{meterpreter_documentation,
title={Metasploit's Meterpreter},
author={skape, mmiller@hick.org},
url={http://hick.org/code/skape/papers/meterpreter.pdf},
year={2004},
month={Dec},
day={26}}

@techreport{metasploit_framework_user_guide,
title={Metasploit Framework User Guide},
url={http://cs.uccs.edu/~cs591/metasploit/users_guide3_1.pdf}}

@misc{javatpoint,
title={Meterpreter - javatpoint},
url={https://www.javatpoint.com/meterpreter-in-ethical-hacking},
journal={www.javatpoint.com}}

@misc{offensivesecurity,
title={Metasploit Unleashed},
url={https://www.offensive-security.com/metasploit-unleashed/},
journal={Offensive Security}}

[[Category:Documentation]]

Revision as of 13:31, 18 November 2022

Summary

Meterpreter, which is short for Meta-Interpreter, is an attack payload included in the Metasploit Framework. It was developed by Matt Miller under the hacker moniker of Skape. It is used in the post-exploitation phase after an exploit was already used to gain access to a system. It provides a more powerful interactive command line interface (CLI) than a regular shell and also avoids the risk of being exposed since starting a regular shell process could alert the system to intrusion. Meterpreter does not need a separate process to execute since it is injected into a process already running on the target system. This also means it is executed from memory only, which makes it even harder to detect for Anti-Virus software. Meterpreter has a wide variety of commands, additional modules and scripts available for further exploiting a system. Since it is integrated into the Metasploit Framework it can use its post-exploitation modules as well.

Meterpreter Basics

How does Meterpreter work?

  1. Target system is compromised using an exploit.
  2. Compromised system executes the initial Meterpreter payload, also called the stager (bind_tcp, reverse_tcp, ...).
  3. The stager loads the needed DLLs, the Meterpreter core initializes and establishes a TLS connection to the attacking system.
  4. Meterpreter sends a GET request which Metasploit receives and configures the client.
  5. Meterpreter loads the default extensions (stdapi and priv) over the TLS connection by using the TLV (Type-Length-Value) protocol.

Meterpreter Design Goals

Meterpreter is supposed to give the attacker access to a command interpreter on the target machine that offers powerful post-exploitation tools and is also hard to detect with forensic tools. To achieve this goal three requirements had to be met.

Stealthy

The payload had to be stealthy and hard to detect.

  • Meterpreter is designed to operate in working memory and never write to the physical disk.
  • Meterpreter operates inside running processes and can be migrated to other processes.
  • Meterpreter uses encrypted communication.

Powerful

The user rights on the target system can be elevated using privilege escalation.

  • Meterpreter utilizes a channelized communication system.
  • The TLV (Type-Length-Value) protocol has few limitations.

Extensible

Meterpreter had to be extensible to adapt to different requirements.

  • Meterpreter can be augmented at runtime. Extensions, modules and scripts can be loaded over the network connection.
  • The Meterpreter session does not have to be rebuilt every time new features are added.

Meterpreter Features

The Meterpreter CLI offers standard commands that are also used in shells like sh and zsh. Additional commands are loaded by default and can be added by loading extensions.

Basic Commands

Commonly used Meterpreter commands can be found in the table below.

{| class="wikitable"
|-
! Command
! Description
|-
| background
| Moves the current Meterpreter session to the background letting the user use the Metasploit command line.
|-
| sessions -i ID
| Reactivates the specified session. Using the command without a switch shows all active sessions.
|-
| clearev
| Deletes all Application, System and Security logs on the victim machine. Only works for Windows systems.
|-
| execute
| Executes a command on the remote machine specified by the -f switch. The executed command can be supplied with arguments by using -a.
|-
| getsystem
| This attempts to elevate the current Meterpreter session to system administrator level of authorization.
|-
| getuid
| Displays the user identification of the user the current Meterpreter session is running as.
|-
| hashdump
| Prints all available usernames and their password hashes, making them available for further manipulation like password cracking using additional software or rainbow tables.
|-
| help
| Shows the Meterpreter help menu consisting of a comprehensive list of commands. This menu expands if more extensions are loaded.
|-
| ipconfig
| Prints the network configuration of the target machine in Windows display style.
|-
| migrate
| Migrates the Meterpreter session to the process given as a parameter. This allows further exploitation of the system from within the new process. This should be done to avoid getting thrown out by the user closing the process that served as entry point.
|-
| ps
| Prints a non-interactive list of the currently running processes on the target machine including process IDs, usernames of the process owners and the path to the executables.
|-
| search
| Searches the system for a file specified by the -f switch. The provided filename may contain wildcards.
|}

Extensions

Meterpreter extensions are loaded by using the load command. Some extensions are loaded by default, like the priv extension, which is used for privilege escalation, and the stdapi extension, which supplies basic Meterpreter commands like getuid. Frequently used extensions include:

  • kiwi (formerly mimikatz): This extension is used to obtain user credentials and authentication tokens. These are retrieved directly from the target system's memory. Passwords can even be displayed directly in cleartext.
  • python: This extension allows the execution of Python scripts on the target machine.
  • powershell: This extension allows the execution of PowerShell scripts on the target machine.

Scripts & Modules

Meterpreter includes pre-made scripts that can be used for various purposes and are run by using the run command. It includes scripts that can persist Meterpreter sessions, unlock the target's screen or disable anti-virus software. Some of the scripts seen in the figure below are considered deprecated. Some of those, like the persistence script, were integrated directly into the Metasploit Framework. A Meterpreter session can be put into the background to run these post-exploitation modules supplied by Metasploit.

[Figure: Meterpreter Scripts]

Sources