Meterpreter is a powerful, in-memory payload used within the Metasploit Framework. It’s designed to provide an interactive shell with extended post-exploitation capabilities after a system is compromised. Unlike normal shells, it doesn’t create new processes, making it stealthier and harder to detect.

Flavors of Meterpreter

Meterpreter comes in different types depending on the target system and architecture. Each flavor has its own capabilities and commands and is suited to specific environments.

| Flavor | Target Platform | Notes |
|---|---|---|
| windows/meterpreter | Windows | Most common, rich feature set |
| linux/x86/meterpreter | Linux | Fewer features than Windows |
| python/meterpreter | Cross-platform (needs Python) | Good for quick testing |
| php/meterpreter | Web servers using PHP | Often used in web exploits |
| java/meterpreter | Any system with Java | Useful for cross-platform payloads |
| android/meterpreter | Android phones | For mobile exploitation |

  • Flavors depend on the target system.
  • Windows version has the most features.
  • All use encrypted communication by default.

Encrypted Communication

Meterpreter sessions are encrypted using SSL or AES, preventing data from being easily sniffed on the network.

  • Commands and responses are encrypted before transmission.
  • Helps evade network-based detection tools.

Meterpreter Help & Command Types

Typing help in a Meterpreter session lists available commands. These commands are grouped into several categories:

| Category | Example Commands | Description |
|---|---|---|
| Core | getuid, sysinfo | System info, session basics |
| File System | ls, cd, upload | File browsing and manipulation |
| Networking | portfwd, ipconfig | Interact with network settings |
| System | migrate, execute | Run or shift to other processes |
| Privilege Esc. | getsystem, hashdump | Try to elevate privileges |
| Scripting | run, load | Load or run Meterpreter scripts |

Commonly Used Commands

Here are a few important and commonly used commands across flavors:

| Command | Purpose |
|---|---|
| getuid | Shows the user the Meterpreter session is running as |
| sysinfo | Displays system details |
| migrate | Moves Meterpreter into another process (helps with persistence or stealth) |
| hashdump | Dumps password hashes (Admin needed) |
| execute | Runs a command or program on the target |
| upload/download | Transfers files to/from the victim |
| screenshot | Captures a screenshot from the victim system |

Migrating Processes

The migrate command is used to shift Meterpreter into another process. This is often done to:

  • Gain access to a process running with higher privileges.
  • Stay hidden by injecting into trusted system processes (e.g., explorer.exe).
  • Avoid crashing if the current process is unstable.

Example usage:

meterpreter > ps
meterpreter > migrate 1234
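
From the defender's side, the injection behind migrate can be hunted in endpoint telemetry. The following added example (not from the original page) flags remote-thread creation into watched processes, assuming records shaped like Sysmon Event ID 8 (CreateRemoteThread); the sample events, watch list and allow-list are constructed.

```python
import ntpath

# Processes worth watching as injection targets. explorer.exe comes from the
# text above; the others are assumptions to tune per environment.
WATCHED_TARGETS = {"explorer.exe", "lsass.exe", "svchost.exe", "winlogon.exe"}
# Assumed allow-list of sources expected to create remote threads.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe"}
# Locations a standard user can usually write to (assumption).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed sample records, not captured from a real host.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ProcessId": 4120},
    {"EventID": 8, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "SourceProcessId": 4880, "TargetImage": r"C:\Windows\explorer.exe",
     "TargetProcessId": 1234},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "SourceProcessId": 560, "TargetImage": r"C:\Windows\explorer.exe",
     "TargetProcessId": 1234},
    {"EventID": 8, "SourceImage": r"C:\Program Files\Vendor\agent.exe",
     "SourceProcessId": 2200, "TargetImage": r"C:\Windows\System32\lsass.exe",
     "TargetProcessId": 640},
    {"EventID": 8, "SourceImage": r"C:\Users\bob\Downloads\tool.exe",
     "SourceProcessId": 5100, "TargetImage": r"C:\Users\bob\Downloads\helper.exe",
     "TargetProcessId": 5104},
]

def classify(event):
    """Return None, 'medium' or 'high' for a single event record."""
    if event.get("EventID") != 8:
        return None                      # only remote-thread creation matters here
    source = ntpath.normcase(event["SourceImage"])
    target = ntpath.basename(ntpath.normcase(event["TargetImage"]))
    if target not in WATCHED_TARGETS or source in ALLOWED_SOURCES:
        return None
    # A binary in a user-writable path injecting into a trusted process is the
    # strongest signal; anything else not allow-listed still deserves review.
    return "high" if source.startswith(USER_WRITABLE) else "medium"

def find_injections(events):
    """Return (severity, source_pid, target_pid, target_name) per alert."""
    alerts = []
    for ev in events:
        severity = classify(ev)
        if severity:
            alerts.append((severity, ev["SourceProcessId"], ev["TargetProcessId"],
                           ntpath.basename(ev["TargetImage"])))
    return alerts
```
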

The load Command

The load command is used to load Meterpreter extensions, which add specialized functionality to your session. These extensions allow you to use additional commands that are not available by default.

For example, loading the kiwi extension adds Mimikatz-like features for credential dumping, and stdapi adds standard functions like filesystem interaction, webcam access, and more.

Syntax:

meterpreter > load <extension_name>

Common Extensions:

| Extension Name | Purpose |
|---|---|
| stdapi | Core functionality like file system, webcam, and networking commands |
| priv | Privilege escalation tools (e.g., getsystem) |
| kiwi | Integrates Mimikatz for dumping credentials, tickets, etc. |
| sniffer | Allows packet sniffing from the victim’s machine |
| espia | Spy tools like microphone and webcam capture (less commonly used) |

Example Usage

meterpreter > load kiwi
meterpreter > creds_all

This would load Kiwi and then dump all available credentials using one of its commands.

Dumping Hashes: hashdump

The hashdump command is used to extract password hashes from the target, mainly on Windows.

  • Requires SYSTEM privileges.
  • Hashes can be cracked offline using tools like John the Ripper or Hashcat.

Example:

meterpreter > hashdump

Visual Overview: Meterpreter Flow

[ Exploit Sent ]
        ↓
[ Payload Delivered ]
        ↓
[ Meterpreter Session Established ]
        ↓
[ Encrypted Communication ]
        ↓
[ Post-Exploitation Actions ]