Difference between revisions of "MSF: meterpreter"

From OnnoWiki
Jump to navigation Jump to search
(Created page with "sumber: https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/ What is Meterpreter? Meterpreter is an advanced, dynamically extensible payload that...")
 
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
sumber: https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/
 
sumber: https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/
 
 
 
 
 
 
What is Meterpreter?
 
  
 
Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.
 
Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.
  
 
Metepreter was originally written by skape for Metasploit 2.x, common extensions were merged for 3.x and is currently undergoing an overhaul for Metasploit 3.3. The server portion is implemented in plain C and is now compiled with MSVC, making it somewhat portable. The client can be written in any language but Metasploit has a full-featured Ruby client API.
 
Metepreter was originally written by skape for Metasploit 2.x, common extensions were merged for 3.x and is currently undergoing an overhaul for Metasploit 3.3. The server portion is implemented in plain C and is now compiled with MSVC, making it somewhat portable. The client can be written in any language but Metasploit has a full-featured Ruby client API.
Contents
+
 
+
==How Meterpreter Works==
    1 How Meterpreter Works
 
    2 Meterpreter Design Goals
 
        2.1 Stealthy
 
        2.2 Powerful
 
        2.3 Extensible
 
    3 Adding Runtime Features
 
  
 +
* The target executes the initial stager. This is usually one of bind, reverse, findtag, passivex, etc.
 +
* The stager loads the DLL prefixed with Reflective. The Reflective stub handles the loading/injection of the DLL.
 +
* The Metepreter core initializes, establishes a TLS/1.0 link over the socket and sends a GET. Metasploit receives this GET and configures the client.
 +
* Lastly, Meterpreter loads extensions. It will always load stdapi and will load priv if the module gives administrative rights. All of these extensions are loaded over TLS/1.0 using a TLV protocol.
 
   
 
   
How Meterpreter Works
+
==Meterpreter Design Goals==
  
        The target executes the initial stager. This is usually one of bind, reverse, findtag, passivex, etc.
+
===Stealthy===
        The stager loads the DLL prefixed with Reflective. The Reflective stub handles the loading/injection of the DLL.
 
        The Metepreter core initializes, establishes a TLS/1.0 link over the socket and sends a GET. Metasploit receives this GET and configures the client.
 
        Lastly, Meterpreter loads extensions. It will always load stdapi and will load priv if the module gives administrative rights. All of these extensions are loaded over TLS/1.0 using a TLV protocol.
 
  
+
* Meterpreter resides entirely in memory and writes nothing to disk.
Meterpreter Design Goals
+
* No new processes are created as Meterpreter injects itself into the compromised process and can migrate to other running processes easily.
Stealthy
+
* By default, Meterpreter uses encrypted communications.
 +
* All of these provide limited forensic evidence and impact on the victim machine.
  
        Meterpreter resides entirely in memory and writes nothing to disk.
+
===Powerful===
        No new processes are created as Meterpreter injects itself into the compromised process and can migrate to other running processes easily.
 
        By default, Meterpreter uses encrypted communications.
 
        All of these provide limited forensic evidence and impact on the victim machine.
 
  
+
* Meterpreter utilizes a channelized communication system.
Powerful
+
* The TLV protocol has few limitations.
 
 
        Meterpreter utilizes a channelized communication system.
 
        The TLV protocol has few limitations.
 
  
+
===Extensible===
Extensible
 
  
        Features can be augmented at runtime and are loaded over the network.
+
* Features can be augmented at runtime and are loaded over the network.
        New features can be added to Meterpreter without having to rebuild it.
+
* New features can be added to Meterpreter without having to rebuild it.
  
+
===Adding Runtime Features===
Adding Runtime Features
 
  
 
New features are added to Meterpreter by loading extensions.
 
New features are added to Meterpreter by loading extensions.
  
        The client uploads the DLL over the socket.
+
* The client uploads the DLL over the socket.
        The server running on the victim loads the DLL in-memory and initializes it.
+
* The server running on the victim loads the DLL in-memory and initializes it.
        The new extension registers itself with the server.
+
* The new extension registers itself with the server.
        The client on the attackers machine loads the local extension API and can now call the extensions functions.
+
* The client on the attackers machine loads the local extension API and can now call the extensions functions.
  
 
This entire process is seamless and takes approximately 1 second to complete.
 
This entire process is seamless and takes approximately 1 second to complete.
 
In the next Metasploit Unleashed tutorial we’ll discuss some of the various Meterpreter Commands available to us in this new environment.
 
 
 
  
 
==Referensi==
 
==Referensi==
Line 70: Line 47:
  
 
==Pranala Menarik==
 
==Pranala Menarik==
 +
 +
* [[Metasploit]]

Latest revision as of 10:16, 9 December 2018

sumber: https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/

Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.

Metepreter was originally written by skape for Metasploit 2.x, common extensions were merged for 3.x and is currently undergoing an overhaul for Metasploit 3.3. The server portion is implemented in plain C and is now compiled with MSVC, making it somewhat portable. The client can be written in any language but Metasploit has a full-featured Ruby client API.

How Meterpreter Works

  • The target executes the initial stager. This is usually one of bind, reverse, findtag, passivex, etc.
  • The stager loads the DLL prefixed with Reflective. The Reflective stub handles the loading/injection of the DLL.
  • The Metepreter core initializes, establishes a TLS/1.0 link over the socket and sends a GET. Metasploit receives this GET and configures the client.
  • Lastly, Meterpreter loads extensions. It will always load stdapi and will load priv if the module gives administrative rights. All of these extensions are loaded over TLS/1.0 using a TLV protocol.

Meterpreter Design Goals

Stealthy

  • Meterpreter resides entirely in memory and writes nothing to disk.
  • No new processes are created as Meterpreter injects itself into the compromised process and can migrate to other running processes easily.
  • By default, Meterpreter uses encrypted communications.
  • All of these provide limited forensic evidence and impact on the victim machine.

Powerful

  • Meterpreter utilizes a channelized communication system.
  • The TLV protocol has few limitations.

Extensible

  • Features can be augmented at runtime and are loaded over the network.
  • New features can be added to Meterpreter without having to rebuild it.

Adding Runtime Features

New features are added to Meterpreter by loading extensions.

  • The client uploads the DLL over the socket.
  • The server running on the victim loads the DLL in-memory and initializes it.
  • The new extension registers itself with the server.
  • The client on the attackers machine loads the local extension API and can now call the extensions functions.

This entire process is seamless and takes approximately 1 second to complete.

Referensi

Pranala Menarik