The Secret Security Wiki

Meterpreter

Meterpreter is a Metasploit attack payload that provides an interactive shell from which an attacker can explore the target machine and execute code. Meterpreter is deployed using in-memory DLL injection. As a result, Meterpreter resides entirely in memory and writes nothing to disk. No new processes are created as Meterpreter injects itself into the compromised process, from which it can migrate to other running processes. As a result, the forensic footprint of an attack is very limited.

Meterpreter was designed to circumvent the drawbacks of using specific payloads, while enabling the writing of commands and ensuring encrypted communication. The disadvantage of using specific payloads is that alarms may be triggered when a new process starts in the target system.

Meterpreter was originally written for Metasploit 2.x by Skape, a hacker moniker used by Matt Miller. Common extensions were merged for 3.x, and it is currently undergoing an overhaul for Metasploit 3.3.

  • How does Meterpreter work?

    Meterpreter is a Metasploit attack payload that provides an interactive shell to the attacker from which to explore the target machine and execute code. Meterpreter is deployed using in-memory DLL injection. As a result, Meterpreter resides entirely in memory and writes nothing to disk. No new processes are created as Meterpreter injects itself into the compromised process, from which it can migrate to other running processes.

  • What are Meterpreter goals?

    Meterpreter was designed to circumvent the drawbacks of using specific payloads, while enabling the writing of commands and ensuring encrypted communication. The disadvantage of using specific payloads is that alarms may be triggered when a new process starts in the target system. Ideally, a payload should avoid creation of a new process, containing all activity within the scope of the payload itself. It should allow for writing scripts, but without creating new files on disk, since this could trigger the antivirus software.

  • What is Meterpreter Reverse_tcp?

    Meterpreter uses a reverse_tcp shell, which means it connects to a listener on the attacker’s machine. There are two popular types of shells: bind and reverse. A bind shell opens up a new service on the target machine, and requires the attacker to connect to it in order to start a session. A reverse shell (also known as a connect-back) requires the attacker to first set up a listener to which the target machine can connect.

  • What Does Payload Mean?

    A payload is an exploit module, one of the three types (singles, stagers, stages) used by the Metasploit framework.
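
The bind and reverse patterns described under "What is Meterpreter Reverse_tcp?" differ in which side opens the connection, and that difference is visible in a host's socket table even when nothing is written to disk. The Python below is an added example, not code from this wiki or from Metasploit: it compares two constructed `netstat -ano` snapshots and flags new listeners and unexpected outbound connections. The addresses, PIDs, process map, allowlist and internal range are all assumptions.

```python
import ipaddress

# Constructed `netstat -ano` snapshots (Windows format); addresses and PIDs are made up.
BASELINE = """\
  TCP    0.0.0.0:135        0.0.0.0:0          LISTENING       904
  TCP    0.0.0.0:445        0.0.0.0:0          LISTENING       4
"""
CURRENT = """\
  TCP    0.0.0.0:135        0.0.0.0:0          LISTENING       904
  TCP    0.0.0.0:445        0.0.0.0:0          LISTENING       4
  TCP    0.0.0.0:5555       0.0.0.0:0          LISTENING       3120
  TCP    10.0.0.5:445       10.0.0.30:51000    ESTABLISHED     4
  TCP    10.0.0.5:49822     203.0.113.7:8443   ESTABLISHED     2216
  TCP    10.0.0.5:49830     198.51.100.9:443   ESTABLISHED     5012
"""
# Assumptions: PID -> image map (e.g. from `tasklist`), images expected to
# dial out on this host, and the address range treated as internal.
PROCESSES = {4: "System", 904: "svchost.exe", 2216: "spoolsv.exe",
             3120: "notepad.exe", 5012: "msedge.exe"}
OUTBOUND_ALLOWED = {"msedge.exe", "svchost.exe"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

def parse(snapshot):
    """Yield (local, remote, state, pid) for each TCP row; skip anything else."""
    for line in snapshot.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP":
            yield f[1], f[2], f[3], int(f[4])

def split_ep(endpoint):
    """Split 'host:port' (or '[v6]:port') into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)

def findings(baseline, current):
    known = {(loc, pid) for loc, _, st, pid in parse(baseline) if st == "LISTENING"}
    rows = list(parse(current))
    listen_ports = {split_ep(loc)[1] for loc, _, st, _ in rows if st == "LISTENING"}
    out = []
    for loc, rem, st, pid in rows:
        image = PROCESSES.get(pid, "unknown")
        if st == "LISTENING":
            if (loc, pid) not in known:  # bind pattern: service absent at baseline
                out.append(("new-listener", image, loc))
        elif st == "ESTABLISHED" and split_ep(loc)[1] not in listen_ports:
            # Reverse pattern: the local port is not one this host listens on, so
            # the host dialed out; flag external peers from unexpected images.
            rhost = ipaddress.ip_address(split_ep(rem)[0])
            if rhost not in INTERNAL and image not in OUTBOUND_ALLOWED:
                out.append(("unexpected-outbound", image, rem))
    return out
```

Because Meterpreter runs inside an already-running process, the image reported for a flagged socket is the compromised process itself, so the allowlist has to reflect what each image normally does on that host.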