An Introduction to Metasploit Meterpreter Backdoor

What is Meterpreter?

Meterpreter is an extension module in the Metasploit framework that is used as an attack after a successful overflow. The attack returns a control channel after the overflow attack succeeds. Meterpreter session as a penetration module has a lot of useful features, such as adding a user, hide some things, open the shell, get the user password, upload and download remote host files, run cmd.exe, capture the screen, get remote control, capture key information, clear the application, display the remote host system information, display the remote machine’s network interface and IP address and other information. In addition Meterpreter to avoid intrusion detection system. Hidden in the remote host, it does not change the system hard disk file, so HIDS is difficult to detect it. In addition, when it is running, the system time is changing, so it is very difficult to track it or terminate it for an experienced person. Finally, Meterpreter can also simplify the task to create multiple sessions. Can use these sessions to penetrate.
Metasploit provides the Meterpreter versions of the major platforms, including Windows, Linux, and x86 and x64 platforms. Meterpreter also provides implementations based on PHP and Java. Meterpreter work mode is pure memory, the advantage is to start hidden, it is difficult to be anti-virus software to monitor. Do not need to access the target host disk, so there is no traces of invasion. In addition to the above, Meterpreter also supports the expansion of Ruby scripting. So the Ruby language is still necessary.

Metasploit Meterpreter Backdoor

Metasploit have two backdoor moudle for maintaining access.

  • metsvc
    Metsvc module is actually Meterpreter system services to conduct the form of backdoor installation to the target host, it will upload three files:
    Metsvc.dll
    Metsvc-service.exe
    Metsvc.exe
    On the target machine, we can find the Meterpreter service, which is opening the monitor and waiting for the connection.
  • persistence
    Once we’ve initially exploited the host, we run the persistence script with the ‘-h’ switch to see which options are available:
    meterpreter > run persistence -h
    
    OPTIONS:
    
        -A        Automatically start a matching multi/handler to connect to the agent
        -U        Automatically start the agent when the User logs on
        -X        Automatically start the agent when the system boots
        -h        This help menu
        -i   The interval in seconds between each connection attempt
        -p   The port on the remote host where Metasploit is listening
        -r   The IP of the system running Metasploit listening for the connect back

     

    You can view this video

    https://www.youtube.com/watch?v=ghejCEQZUKU

     

Share