While I’m connected to Meterpreter, Metasploit presents me with a list of options. Some, like the ability to dump the contents of the memory or disable the mouse, are designed to let an attacker get further into the target network. The latter is a particularly cunning mix of electronic and human methods: disabling the mouse makes the user call IT support, who may then log in to the computer remotely or in person. Where you originally only had a user account, suddenly you have taken control of an administrator.
Others let you make the most of the access you already have. I can take a screenshot, record audio with a webcam, or livestream video. I can also set up a keylogger, and record everything the target types. If I want to, I don’t have to stop at Meterpreter; I can install further software, to sniff for credit card numbers, or permanently slave the computer to my own — perfect if I need to gather a few thousand together to bring down another site with a distributed denial of service attack, where a server is overwhelmed by the sheer weight of connections and breaks.
How to protect yourself
The scariest thing about it all isn’t what I can do. It’s that it’s me doing it. The software really is that simple. But to a certain extent, that can be reassuring. The vast majority of the hackers we’re all so afraid of are actually doing little more than running a program which does the heavy lifting for them.
Protecting yourself against them is easy enough:
‧ Keep your computer up to date
‧ Try not to fall prey to phishing attempts
‧ And don’t run programs from untrusted sources
When it comes to drive-by hacks like the one I pulled off, you don’t have to be perfectly secure; just more secure than the poor sap who does fall prey. “I don’t have to outrun the bear. I only have to outrun you.”