In the previous room, Metasploit: Scanning and Exploitation, you exploited STRATFORD-WS01 using EternalBlue and landed in an interactive session. The prompt said meterpreter >, you typed getuid, and the target responded with NT AUTHORITY\SYSTEM. It felt like a command shell, but it clearly was not cmd.exe or /bin/bash. So what exactly is Meterpreter, and why does Metasploit treat it as the default payload for most exploits?
What Meterpreter Is
Meterpreter (short for "Meta-Interpreter") is an advanced, multi-function payload that runs on the target system and acts as an agent in a command-and-control (C2) architecture. Unlike a basic command shell that simply relays OS commands back and forth, Meterpreter provides a purpose-built environment with dozens of specialized commands for post-exploitation: file system navigation, credential harvesting, process manipulation, privilege escalation, pivoting, and more.
Consider the difference this way. A basic reverse shell gives you a pipe to the target's operating system. You type dir, the target runs dir, and the output comes back. Meterpreter gives you a toolkit that runs inside the target's memory. It can do things that no sequence of OS commands could accomplish on its own, like migrating from one running process to another, injecting DLLs, or capturing keystrokes without writing a keylogger to disk.
How Meterpreter Works: Three Design Principles
Meterpreter was designed with stealth and flexibility in mind. Understanding its architecture helps explain both its strengths and its limitations.
1. In-Memory Execution
Meterpreter runs entirely in the target's RAM (Random Access Memory). It does not write itself to disk as a file like meterpreter.exe. Instead, the payload is injected into an existing running process through a technique called reflective DLL injection, which loads a DLL directly into process memory without registering it through the operating system's normal module-loading API.
Why does this matter? Traditional antivirus software primarily scans files on disk. When you download a file, create a new executable, or extract an archive, the AV engine inspects the new file against its signature database. Since Meterpreter never creates a file on disk, it bypasses this specific detection mechanism.
Imagine the following example. We've exploited STRATFORD-WS01; the getpid command shows the process ID that Meterpreter is running inside:
meterpreter > getpid
Current pid: 1304
If we list the running processes with ps, PID 1304 is spoolsv.exe (the Windows Print Spooler service), not anything called "meterpreter":
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
692 596 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\services.exe
716 596 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\lsass.exe
1304 692 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
[...]
To anyone examining the process list, 1304 looks like a legitimate print spooler. There is no meterpreter.exe, no suspicious process name, and no file on disk to scan.
2. Encrypted Communication
All traffic between Meterpreter and your attacking machine is encrypted. Depending on the payload variant, this may use TLS (for HTTPS-based Meterpreters) or AES encryption (for TCP-based variants). This means that network-based Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) cannot inspect the payload's command traffic without first decrypting it.
If the target organization does not perform TLS inspection on outbound traffic (and many do not), the communication between your session and your attacking machine will appear as ordinary encrypted web traffic to network monitoring tools.
3. Extensibility Through Loading
Meterpreter is modular. Its core is deliberately small; additional capabilities are loaded on demand through the load command. When you type load kiwi (to load the Mimikatz-based credential harvesting extension), the extension is transferred to the target and loaded into Meterpreter's memory space, again without writing to disk.
This design means Meterpreter's initial footprint is minimal. Only the features you actually need are transferred to the target, reducing both detection surface and network traffic.
Honest Limitations
Meterpreter is powerful, but it is not invisible. Modern Endpoint Detection and Response (EDR) solutions go far beyond simple file scanning:
- Behavioral detection monitors process activity patterns. Reflective injection, process migration, and credential dumping are well-known behaviors that EDR products actively flag.
- Memory scanning examines process memory for known malicious signatures, catching injected payloads that never touched disk.
- AMSI (Antimalware Scan Interface) on modern Windows systems can inspect scripts and payloads at runtime, even when they are loaded in memory.
In a well-defended enterprise environment, a default Meterpreter payload will likely be detected. The techniques we cover in this room are essential foundations, but real-world engagements against mature security programs require additional evasion strategies that go beyond this module's scope.
For our Stratford Systems engagement, the lab environment does not have EDR deployed, so Meterpreter will work without interference. This lets us focus on learning the commands and techniques without fighting detection at the same time.
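As an added illustration of the behavioral detections listed above and the network point from the encrypted-communication section (this is example code, not part of the original room), here is a small rule set run over constructed, Sysmon-style events; the event dictionaries, their field names and the sample values are assumptions, and the process names deliberately echo the spoolsv.exe and lsass.exe entries shown in the process list earlier on this page.

```python
"""Behaviour-based checks for Meterpreter-style activity over constructed events."""
from typing import Dict, List

# Constructed sample events, loosely modelled on Sysmon event IDs 3 (network
# connection), 8 (CreateRemoteThread) and 10 (ProcessAccess). Not real telemetry.
EVENTS: List[Dict] = [
    {"id": 3, "image": r"C:\Windows\System32\spoolsv.exe", "pid": 1304,
     "dest_ip": "10.10.14.5", "dest_port": 4444},            # spooler beaconing out
    {"id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "pid": 2210,
     "dest_ip": "93.184.216.34", "dest_port": 443},           # ordinary browsing
    {"id": 8, "source_image": r"C:\Windows\System32\spoolsv.exe", "source_pid": 1304,
     "target_image": r"C:\Windows\explorer.exe", "target_pid": 3012},  # migrate-like
    {"id": 10, "source_image": r"C:\Windows\System32\spoolsv.exe", "source_pid": 1304,
     "target_image": r"C:\Windows\system32\lsass.exe", "granted_access": 0x1010},
    {"id": 10, "source_image": r"C:\Windows\System32\svchost.exe", "source_pid": 880,
     "target_image": r"C:\Windows\system32\lsass.exe", "granted_access": 0x1000},
]

# Service processes that should never initiate outbound connections themselves.
NO_EGRESS = {"spoolsv.exe", "lsass.exe", "services.exe"}
# PROCESS_VM_READ (0x0010) on lsass.exe is the access right credential dumping needs.
PROCESS_VM_READ = 0x0010


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[str]:
    """Return one alert string per event that matches a Meterpreter-like behaviour."""
    alerts = []
    for e in events:
        if e["id"] == 3 and basename(e["image"]) in NO_EGRESS:
            alerts.append(f"egress from service process {basename(e['image'])} "
                          f"pid {e['pid']} to {e['dest_ip']}:{e['dest_port']} (possible C2)")
        elif e["id"] == 8:
            alerts.append(f"remote thread from pid {e['source_pid']} into "
                          f"{basename(e['target_image'])} pid {e['target_pid']} "
                          f"(possible process migration / injection)")
        elif (e["id"] == 10 and basename(e["target_image"]) == "lsass.exe"
              and e["granted_access"] & PROCESS_VM_READ):
            alerts.append(f"{basename(e['source_image'])} pid {e['source_pid']} opened "
                          f"lsass.exe with VM_READ (possible credential dumping)")
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print("ALERT:", alert)
```

The svchost.exe access with 0x1000 alone is left unflagged on purpose: querying lsass.exe without read access is routine, so the rule keys on the read right rather than on any access at all.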