Post Exploitation Using Meterpreter

Upload: shubham-mittal

Post on 23-Dec-2014


Page 1: Post Exploitation Using Meterpreter


Page 2: Post Exploitation Using Meterpreter

Agenda

• Who am I?
• Meterpreter
• Meterpreter..why?
• Meterpreter..how?
• Command Classification
• Post Exploitation
• Conclusion

Page 3: Post Exploitation Using Meterpreter

Shubham Mittal

Security Consultant @ Hackplanet Technologies
Penetration Tester

Areas Of Working
– AV Evasion
– Malware Analysis
– Metasploit
– SOC

Page 4: Post Exploitation Using Meterpreter

Meterpreter

– Advanced multi-function payload.
– Provides core complex and advanced features.
– Injects itself into a running process.
– Meterpreter = Meta Interpreter; interprets commands from one machine to another.

Page 5: Post Exploitation Using Meterpreter

Meterpreter .. Why?

– Normal payloads:
  – Create a new process on the target machine.
  – Don’t work in chroot’d environments.
  – Limited to commands available on the shell only.
– Meterpreter:
  – Everything goes into memory, no I/O operations to HDD, hence less detectable.
  – Works in chroot’d environments [works in the context of the exploited process].
  – Different extensions can be loaded on the fly during post exploitation.
  – Plus Meterpreter scripting.

Page 6: Post Exploitation Using Meterpreter

Meterpreter .. Why?

– A handler is fired.
– Remote machine enumeration.
– Vulnerability is triggered.
– Payload delivered, using DLL injection.
– Payload reverts back, pwning a shell.

Page 7: Post Exploitation Using Meterpreter

Command Classification

Meterpreter Session
– Core Commands
– STDapi Commands
– Priv Commands
– Extension - Espia Commands
– Extension - Sniffer Commands
– Extension - Incognito Commands

Page 8: Post Exploitation Using Meterpreter

Post Exploitation

• Enumeration of machine
• Screenshots, keyloggers, VNC, etc.
• Privilege escalation
• Back-dooring
• Session upgrading
• Information harvesting
• Pivoting

Page 9: Post Exploitation Using Meterpreter

Pivoting: The network we will follow

Page 10: Post Exploitation Using Meterpreter

Conclusion

• Ideal stealth vector for process injection.
• Can be a nice tool to integrate with future exploits.
• Meterpreter scripting will definitely be an aid.
• Expectations never end.

Page 11: Post Exploitation Using Meterpreter

Got queries, suggestions, comments: [email protected]