Difference between revisions of "Meterpreter"
(Created page with "== Summary == Meterpreter is an abbreviation for Meta-Interpreter. It is an payload which is included in the Metasploit Framework. Originally it was developed for Metasploit...") |
|||
| Line 1: | Line 1: | ||
== Summary == | == Summary == | ||
Meterpreter is an abbreviation for Meta-Interpreter. It is an payload which is included | Meterpreter is an abbreviation for Meta-Interpreter. It is an payload which is included in the Metasploit Framework. Originally it was developed for Metasploit 2.x by Matt Miller under the hacker moniker of Skape. It is used after an exploit was used to gain access to a system to further interact with it by providing an interactive shell. The way this payload operates makes it very hard to detect since it is no process itself but injected into processes which are already running on the target system. This also means that it is executed from memory only making it even harder to detect for Anti-Virus software. The payload itself is very flexible allowing for great customization for developers. Each may write their own extension in form of a shared object file (DLL-dynamic link library) which are then injected into memory. | ||
in the Metasploit Framework. Originally it was developed for Metasploit 2.x by Matt | |||
Miller under the hacker moniker of Skape. It is used after an exploit was used to gain | |||
access to a system to further interact with it by providing an interactive shell. The | |||
way this payload operates makes it very hard to detect since it is no process itself | |||
but injected into processes which are already running on the target system. This also | |||
means that it is executed from memory only making it even harder to detect for Anti- | |||
Virus software. The payload itself is very | |||
for developers. Each may write their own extension in form of a shared object | |||
(DLL-dynamic link library) which are then injected into memory. | |||
== Goals == | == Goals == | ||
The short version is that Meterpreter is supposed to give the attacker access to a command interpreter on the target machine which is very hard or ideally impossible to detect with forensic tools. To achieve this goal while designing Meterpreter, Miller had the following 3 requirements: | |||
The short version is that Meterpreter is supposed to give the attacker access to a | |||
command interpreter on the target machine which is very hard or ideally impossible | |||
to detect with forensic tools. To achieve this goal while designing Meterpreter, Miller | |||
had the following 3 requirements: | |||
=== Stealthy === | === Stealthy === | ||
The payload has to be stealthy, or how he put it in the documentation: | The payload has to be stealthy, or how he put it in the documentation: | ||
Must not create a new process. | Must not create a new process. | ||
It must be very hard to detect with forensic tool after Meterpreter was used on the | It must be very hard to detect with forensic tool after Meterpreter was used on the target system. To reach this goal, 3 sub-criteria had to be met: | ||
target system. To reach this goal, 3 sub-criteria had to be met: | * It was designed to just reside in memory and never write on the disk. | ||
* It was designed to just reside in memory and never write on the disk. | * It resides inside other, already existing processes. Should the process in which it currently recides finish, Meterpreter 'hijacks' another one that is currently running. | ||
* It resides inside other, already existing processes. Should the process in which | |||
it currently recides | |||
* It uses encrypted communication. | * It uses encrypted communication. | ||
=== Powerful === | === Powerful === | ||
Having access to a command line interface on the target device is useless if the priveleges are not sufficiently elevated.\cite{offensivesecurity}\par | |||
Must work in chroot’d environments. | |||
* Meterpreter utilizes a channelized communication system. | |||
* The TLV (Type-Length-Value) protocol has few limitations. | |||
=== Extensible === | === Extensible === | ||
A useful tool does one thing and one thing well as we know. But a adaptable tool that can change, according to who uses it, what it is used for, and in what environment it is used, is arguably an excellent tool. | |||
Must allow for robust extensibility. | |||
This goal lead to the following functions: | |||
* Meterpreter can be augmented at runtime. This means for example that a library or extension can be loaded up to the server to gain more options. | |||
* augmentation at runtime means that Meterpreter does not have to be rebuilt | |||
This whole process takes a few seconds to complete. | |||
Revision as of 17:57, 16 January 2022
Summary
Meterpreter is an abbreviation for Meta-Interpreter. It is an payload which is included in the Metasploit Framework. Originally it was developed for Metasploit 2.x by Matt Miller under the hacker moniker of Skape. It is used after an exploit was used to gain access to a system to further interact with it by providing an interactive shell. The way this payload operates makes it very hard to detect since it is no process itself but injected into processes which are already running on the target system. This also means that it is executed from memory only making it even harder to detect for Anti-Virus software. The payload itself is very flexible allowing for great customization for developers. Each may write their own extension in form of a shared object file (DLL-dynamic link library) which are then injected into memory.
Goals
The short version is that Meterpreter is supposed to give the attacker access to a command interpreter on the target machine which is very hard or ideally impossible to detect with forensic tools. To achieve this goal while designing Meterpreter, Miller had the following 3 requirements:
Stealthy
The payload has to be stealthy, or how he put it in the documentation: Must not create a new process. It must be very hard to detect with forensic tool after Meterpreter was used on the target system. To reach this goal, 3 sub-criteria had to be met:
- It was designed to just reside in memory and never write on the disk.
- It resides inside other, already existing processes. Should the process in which it currently recides finish, Meterpreter 'hijacks' another one that is currently running.
- It uses encrypted communication.
Powerful
Having access to a command line interface on the target device is useless if the priveleges are not sufficiently elevated.\cite{offensivesecurity}\par Must work in chroot’d environments.
- Meterpreter utilizes a channelized communication system.
- The TLV (Type-Length-Value) protocol has few limitations.
Extensible
A useful tool does one thing and one thing well as we know. But a adaptable tool that can change, according to who uses it, what it is used for, and in what environment it is used, is arguably an excellent tool. Must allow for robust extensibility. This goal lead to the following functions:
- Meterpreter can be augmented at runtime. This means for example that a library or extension can be loaded up to the server to gain more options.
- augmentation at runtime means that Meterpreter does not have to be rebuilt
This whole process takes a few seconds to complete.