From the course: Metasploit Essential Training

What is Meterpreter?

- [Instructor] What is Meterpreter? Meterpreter is a command interpreter for Metasploit that acts as a payload and also works by using in-memory DLL injection and a native shared object. The exploited process does not create any new processes. This makes it more stealthy and powerful. Meterpreter is also a Metasploit attack payload that provides an interactive shell from which an attacker can explore the target machine and execute code. Meterpreter itself was designed to circumvent the drawbacks of using specific payloads, and it also enables the writing of commands and ensures encrypted communication.

So how does Meterpreter work? Well, in the first step, the exploit and first-stage payload are sent to the target machine. After exploitation, the stage establishes a TCP connection back to the MSFconsole on a given address and port. Next, the MSFconsole sends the second-stage DLL injection payload. After a successful injection, it then sends the Meterpreter DLL to establish a proper communication channel. Lastly, Meterpreter loads extensions such as stdapi and priv, and all these extensions are loaded over the TLS protocol. Meterpreter then uses encrypted communication with the target, which is another major advantage of using it.

Some of the advantages of Meterpreter over specific payloads are: it works in the context of the exploited process, so it doesn't create any further or new processes; it can migrate easily among existing processes; it resides completely in memory, so it writes nothing to the disk; it uses encrypted communications; it uses a channelized communication system so that you can work with several channels at a time; and it also provides a platform to write extensions quickly and easily. Meterpreter uses a reverse TCP shell, which means it connects to a listener on the attacker's machine. There are two main types of shells: there's bind and reverse.

A bind shell opens a new service on the target machine and requires the attacker to connect to it in order to start a new session. A reverse shell, also known as a connect-back, requires the attacker to first set up a listener to which the target machine can then connect. As an example, if we wanted to utilize the PsExec exploit that's in Metasploit, we would have to set various properties. The first will be what's called the RHOST, which is an IP address. Then we have the SMBUSER, so the user account along with its password. Then we can define the payload, which in this example is the reverse_tcp, and then we have what's called the LHOST. So those two IP addresses, LHOST and RHOST, determine which one is the attack machine and which is the machine that's being attacked, or the target. The LHOST is the hack machine. The RHOST is the attack machine. And then we can simply run exploit. At this point, it will utilize the PsExec exploit. Once it's successful in passing the credentials and gaining access, the payload is then injected. Meterpreter works like any command interpreter. It is designed to understand and respond to various parameter calls through commands. It resides in the context of an exploited or compromised process and creates a client-server communication system with the attacker's machine.
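From the defender's side, the behaviour the instructor describes (a payload injected into an already-running process, which then opens the reverse TCP connect-back to the listener) is a pattern endpoint telemetry can be correlated on. The script below is an added example and not part of the course: it uses Sysmon's real event numbering (1 = ProcessCreate, 3 = NetworkConnect, 8 = CreateRemoteThread), but the event records, the five-minute window and the addresses are constructed assumptions.

```python
# Added example (not from the course): correlate Sysmon-style events to spot an
# outbound TCP connection made by an EXISTING process shortly after a remote
# thread was created in it, i.e. an in-memory payload that "connects back".
# Event IDs follow Sysmon (1 ProcessCreate, 3 NetworkConnect, 8 CreateRemoteThread);
# the records, window and IP addresses below are constructed for illustration.
from datetime import datetime, timedelta

INJECT_WINDOW = timedelta(minutes=5)  # assumption: connect-back follows injection soon


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_injected_connect_backs(events):
    """Return (target_pid, injecting_image, "ip:port") for every outbound connection
    from a process that received a remote thread within INJECT_WINDOW and that was
    NOT created in this log (a pre-existing process, as the transcript describes)."""
    injections = {}   # target pid -> (time of remote thread, image that created it)
    created = set()   # pids seen being created by ProcessCreate events
    hits = []
    for e in sorted(events, key=lambda e: e["time"]):
        t = parse(e["time"])
        if e["id"] == 1:
            created.add(e["pid"])
        elif e["id"] == 8:
            injections[e["target_pid"]] = (t, e["image"])
        elif e["id"] == 3 and e.get("initiated", True):   # outbound only
            inj = injections.get(e["pid"])
            if inj and t - inj[0] <= INJECT_WINDOW and e["pid"] not in created:
                hits.append((e["pid"], inj[1], f'{e["dst_ip"]}:{e["dst_port"]}'))
    return hits


# Constructed sample: notepad.exe (pid 5000) is created and browses normally, then
# creates a remote thread in the already-running explorer.exe (pid 4321), which
# next connects out to 203.0.113.10:4444 (documentation range, constructed).
SAMPLE_EVENTS = [
    {"time": "2024-01-01 10:00:00", "id": 1, "pid": 5000, "image": "notepad.exe"},
    {"time": "2024-01-01 10:00:05", "id": 3, "pid": 5000, "dst_ip": "10.0.0.5",
     "dst_port": 443, "initiated": True},
    {"time": "2024-01-01 10:01:00", "id": 8, "pid": 5000, "image": "notepad.exe",
     "target_pid": 4321},
    {"time": "2024-01-01 10:01:30", "id": 3, "pid": 4321, "dst_ip": "203.0.113.10",
     "dst_port": 4444, "initiated": True},
]

if __name__ == "__main__":
    for pid, src, dst in find_injected_connect_backs(SAMPLE_EVENTS):
        print(f"pid {pid}: connect-back to {dst} after remote thread from {src}")
```

The notepad.exe connection is not flagged because no remote thread targeted that process; only the explorer.exe connection that follows the injection is reported.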
