Meterpreter Stealthier than Ever

In the development version of Metasploit 3.3 the Meterpreter payload now uses SSL encryption for all of its TLV (Type-Length-Value) formatted commands and for the loading of modules. In addition to this, it now uses Reflective DLL injection to load itself and modules making it now stealthier than ever!

The Meterpreter payload is currently very stealthy being a payload injected into a current process in memory not writing any of its function to disk. Everything is done in memory so a forensic analysis of what happened tends to be difficult unless the memory is dumped and analyzed for the presence of the code.  I typically use it in Windows API mode so the detection of the calls are also difficult.  Now with the addition of Reflective DLL Injection its detection is even more difficult.  To top it all off, SLL is now used for all connections, this means detection via traffic analysis also becomes more difficult.

Meterpreter is now encrypting of all of its traffic using the OpenSSL Library this includes:

      1. Loading of Modules (stdapi, incognito, priv, sniffer …etc)
      2. TLV Commands
      3. Session Traffic
      4. Migration


Meterpreter as of this writing uses a 1024-bit RSA + SHA1 for the initial keying, then AES-256 or similar once the session key is negotiated. The initial stages of the loading of Meterpreter are not encrypted and susceptible to detection by an IPS or IDS but once loaded, all traffic is secure with TLSv1. Current work is being done to encode the initial stages and modules to make the loading even harder to detect. The traffic can still be MITM since no check for certificate is implemented but the chances for an attacker to be listening on the specific port at the time of the exploit are low, but still possible. This gives the advantage of reducing chances of detection by a IPS/IDS system and secures data in transit which is of great importance for a Pentester since the data of a client is transmitted in encrypted form.

All Meterpreter payload use the Reflecive DLL injection technique as default.  Under the Windows platform, library injection techniques both local and remote have been around for many years.  The original technique as introduced in Meterpreter by Skape employs shellcode to patch the host processes ntdll library at run time and forces the native Windows loader to load a Dynamic Link Library (DLL) image from memory, this DLL is registered with the process so a query for loaded modules of each process will show the loaded DLL. By using programs such as Process Explorer from Winternals or even the tasklist command with the /m switch to show modules one was able to detect the Meterpreter DLL in memory. Reflective  DLL   injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process. As such, the library is responsible for loading itself by implementing a minimal Portable Executable (PE) file loader.   The main advantage of the Meterpreter library  and its modules loading itself is that it is not registered in any way with the host system and as a result is largely undetectable at both a system and process level. For a defender to detect the presence of Meterpreter, they would have to do an examination of the host memory looking for a piece of memory marked as readable, writable, and executable and then check this memory address for the presence of Meterpreter which it is not a fast and resource light task.  Another method of detection is through the network traffic, but a crafty attacker can inject itself into a process where the traffic patter will not be seen out of the ordinary and with the addition of SSL encryption this becomes a even harder task.

Meterpreter has really come a long way and it keeps improving, making it one of the best payloads for use as exploit or trojan during penetration tests.

Carlos Perez

Carlos is currently the Principal Consultant, Team Lead for Research at TrustedSec and well-known for his research on both Metasploit and Windows Powershell. His blog carries the tag line: “Shell Is Only The Beginning”.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.