Metasploit: About Meterpreter

Meterpreter is a payload that is packaged together with the Metasploit Framework. The features of Meterpreter are:

1. It does not create any files on the hard disk; it resides in memory and attaches itself to a process.

2. Client-server communication uses a type-length-value (TLV) format.

3. Client-server communication between the attacker machine and the victim machine is encrypted.

Data is encrypted. is the attacker and is the victim.

4. It provides a platform to write extensions.
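To make the TLV framing in item 2 concrete, here is an added example (not code from the original post or from Metasploit) of a strict TLV parser that rejects malformed lengths. The field layout is an assumption, since the page does not give one: a 4-byte big-endian length that counts the 8-byte header, followed by a 4-byte type. The type numbers and sample bytes are constructed.

```python
import struct

# Assumed layout (not stated on the page): length, then type, both big-endian.
HEADER = struct.Struct(">II")


class TLVError(ValueError):
    """Raised when a record's declared length does not fit the buffer."""


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    # Assumption: the length field counts the 8-byte header plus the value.
    return HEADER.pack(HEADER.size + len(value), tlv_type) + value


def parse_tlvs(buf: bytes, max_records: int = 1024):
    """Return [(type, value), ...] or raise TLVError on a bad length."""
    records, offset = [], 0
    while offset < len(buf):
        if len(records) >= max_records:
            raise TLVError("too many records")
        if len(buf) - offset < HEADER.size:
            raise TLVError(f"truncated header at offset {offset}")
        length, tlv_type = HEADER.unpack_from(buf, offset)
        # A length below the header size would stall or rewind the cursor.
        if length < HEADER.size:
            raise TLVError(f"length {length} below header size at {offset}")
        # A length past the end of the buffer would read out of bounds.
        if length > len(buf) - offset:
            raise TLVError(f"length {length} overruns buffer at {offset}")
        records.append((tlv_type, buf[offset + HEADER.size:offset + length]))
        offset += length
    return records


# Constructed sample data; these type numbers are made up for illustration.
TYPE_STRING = 0x0001
TYPE_GROUP = 0x0002  # value is itself a sequence of TLV records

SAMPLE = encode_tlv(TYPE_STRING, b"hello\x00") + encode_tlv(
    TYPE_GROUP, encode_tlv(TYPE_STRING, b"nested\x00"))

if __name__ == "__main__":
    for tlv_type, value in parse_tlvs(SAMPLE):
        print(hex(tlv_type), value)
        if tlv_type == TYPE_GROUP:
            print("  nested:", parse_tlvs(value))
```

Because every record carries its own length, a parser can skip types it does not understand, which is what makes the format easy to extend.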

How it works

Step 1: Apply the exploit and the 1st stage payload (such as reverse TCP binding) to the victim machine.

Step 2: The victim machine connects (using reverse TCP binding) back to the attacker’s machine.

Step 3: Meterpreter on the attacker’s machine sends the 2nd stage payload, which does DLL injection.

Step 4: Meterpreter on the attacker’s machine sends the server DLL to the victim machine.

Step 5: Client-server communication is established.


The victim machine runs Windows XP, which is vulnerable to the netapi exploit. Choose the exploit with the "great" ranking.
Use the ms08_067 exploit. The configurable options are shown.
The Meterpreter payload for Windows DLL injection.
The remote host is the victim; the local host is the attacker.
Start the exploit. Meterpreter sent 752KB of payload to the victim. No errors and the appearance of a meterpreter prompt mean the exploit was successful.

For a list of Meterpreter commands, use help or ?.

As shown, Meterpreter has attached itself to svchost.exe.
Meterpreter can attach itself to another process using the migrate command. For this demo, the attacker migrated Meterpreter from svchost.exe to winlogon.exe, which is pid 540.

For some reason the keyscan_dump was not working… Meterpreter can do keylogging.

To know your user privilege level.
Obtain a screenshot of the victim's machine.


