This document is our live wishlist of features and changes for the Metasploit Meterpreter payloads. The majority of this list came from a survey sent out to the community in early 2015. If you plan to work on one of these features, please add a note to the item, and reference any open tickets or pull requests that are relevant. This document only contains survey suggestions that were specific to Meterpreter. Duplicate and similar items have been combined.
Items currently in development have been marked [IN PROGRESS]
Items landed to master have been marked [DONE]
Related open tickets (slightly broader than Meterpreter):
Manage multiple Meterpreter processes as one session as described in #4715. Many times there have been situations where a keyscan or sniffer was running and something else occurred that required migration or cancelling it to perform an action. "Installing" jobs in processes less likely to die would allow a pentester to still move around as needed but also be able to have persistent tasks going. A pipe dream of this feature would be to install a "rev2system" job whereby I could migrate to a low-priv status for accessing CryptoAPI-encrypted storage but also get back to SYSTEM when I'm done without needing to pop a shell again. Another pipe dream here would be to also have jobs that survive a logout: if the user logged out, then back in the next day, and I had a shell come back then, I could re-attach to my running jobs and get their results.
PrependTokenSteal / PrependEnvironmentSteal: Basically, with proxies and other perimeter defenses, being SYSTEM doesn't work well (SYSTEM has no user proxy settings or credentials to egress with). This would be an addition to a payload that would execute as SYSTEM but then locate a logged-in user and steal their token or environment to call back to the handler. Very useful when pivoting around with PSEXEC.
Binary installed death dates: A way of putting a date in a binary after which the binary no longer functions would be useful, possibly even performing self-deletion. Time zones would be a tricky matter (comparing against UTC rather than local time sidesteps most of it), but that is something many programmers handle already (probably just not in shellcode).
Allow Meterpreter sessions to resolve L3 addresses (#4793)
Track whether or not the current session has admin credentials (#4633)
Support Metasploit-side zlib compression of sessions
Being able to use Meterpreter instances to easily forward commands & exfil
Automatic cleanup and removal of session and any recorded persistence after predetermined amount of time (server-side)
Change desktop/phone background
Remote mouse control
Play sound on the remote system
Read words out loud via text-to-speech on the remote system
Volume control
RSS feed from the reverse_http(s) multi-handler that I can connect an RSS reader to (or something like IFTTT) to get notices when new sessions are created
MessageBox popups
Call the system "open" command easily (ShellExecute on windows, launch intent on Android)
Gather credentials from Google Chrome
LNK (binary) modification: Editing a LNK file's icon location (for SMB hash capturing, since Explorer resolves a UNC icon path on display), "Start in" directory (for DLL search-order hijacking) or target binary would make some post-exploitation tasks easier
"Pinned" app modification: Knowing which apps are pinned, and what they link to (be it taskbar or start menu), would be useful intelligence, but also being able to modify the target of these links would be better and a very easy user-land persistence. (Run this && the real thing you want)
Remote Registry automation: Remotely editing or reading the registry of a remote system works currently (sometimes), but it has no smarts about whether the Remote Registry service is on or not. It would be nice to automate the starting and stopping of the Remote Registry service, as well as possibly warning the user if they are attempting to do this as SYSTEM (probably going to fail, since SYSTEM has no network credentials). The use case for this is installing persistence on lots of systems quickly, as well as reading user lists, MRUs and other intelligence-relevant keys (like finding a system with PuTTY keys)
"ps" and "kill" for remote systems: This would remove the need to drop to a shell and attempt to remember how to format "taskkill" and "tasklist"'s argument lists. Tasklist also automatically removes the IPC$ connection after it's done, which results in some annoying disconnected-share viewing
Scheduled Tasks / AT: Many of the ways to pivot or stay persistent use AT or Scheduled Tasks to do so. Support for managing tasks both locally and on remote hosts would greatly decrease the number of times a pentester would need to drop to cmd.exe
[DONE] Execute with login credentials: When a user is no longer online it is overkill to PSEXEC (which would just net a SYSTEM shell anyway with MSF), and "RunAs" isn't supported since it requires a password at a prompt, so adding a simple CreateProcessWithLogon feature would help with reviving dead tokens (#4649)
ListDrives: Most of the time shares and other drives rather than just C:\ are where important files are stored. This feature would list local storage (plus USB) and network storage (SMB connected drives with where they are connected from and as what user) to start, but this feature would need to grow to support "Cloud" drives as well, like Dropbox, Box, Google Drive, and SkyDrive.
Enumerables support in Railgun: Windows is full of "Enumerables" like EnumWindows that it would be nice to be able to generate code for. That example is dated since ExtAPI has EnumWindows now, but the argument doesn't go away for Railgun
DACL / Permissions enumeration: This is just needed in general for privilege escalation enumeration, share permissions, and reporting ("Why did you have access to this share, it was only supposed to be for X")
GINA/SSP support: This would probably need to be an injected "job", but the basic premise is an in-memory load of an SSP or an injection into GINA so that when a new login happens against the system a set of clear-text credentials is captured. Two extremely useful cases would be a terminal server, or a server that no one is logged into at the time of infection due to time zone or operating-hour differences
Websnapshot: Currently there isn't a way to weed out web applications once in a network. This feature would, using IE or another method, generate a screenshot of what a page looks like in a browser (given a PROTOCOL/URL/PORT). The biggest requirement is auto-accepting any self-signed SSL certs and showing when authentication is required.
On-target resource cloning: Allowing a pentester to drop a binary and clone the ICON (in particular) of a binary would add to the stealthiness of an operation and add attack opportunities that weren't previously thought plausible
Scatterbomb: Persistence is difficult, and so is making sure your session doesn't die because you chose the wrong process to migrate into or the user exited that process because the PDF looked hung. This would work by attempting OpenProcess on every process (or a select list of processes) and injecting Meterpreter threads into them, relying on the Mutex feature so that only one would be calling back at a time. Basically, a resilient semi-persistent Meterpreter session that would save you from yourself when you accidentally type exit at the meterpreter> prompt instead of in your other terminal
Mutex checking binary exports: This follows up on the scatterbomb, but essentially when installing persistence as a pentester I only install one, because installing more than one would raise the noise level of a compromised host. If the binary/callback would check a mutex before doing anything and loop based on a timeout, that would be even better.
OLE / Office Controls: This is basically an open-ended feature request asking for support for Office, mostly Outlook (like read newest emails, search email, etc.).
Configurable character set conversion for Shell sessions and channels. When spawning a Windows shell from Meterpreter on a host that uses a German version of Windows, all the special characters (e.g. öäü) are broken, i.e. they are either not rendered at all or replaced with the default "character not found" Unicode character. Forcing the terminal emulator to use cp850 made it work for now.
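The conversion the last item asks for, as an added example that is not Metasploit or Meterpreter code: the framework side of a shell channel would tag the raw bytes with the remote console's code page and transcode to UTF-8 for the operator, and do the reverse for typed input. Ruby is used because that is the framework's language. The code page (CP850, the one the reporter found to work on a German host), the `chcp` output formats, and the sample bytes are assumptions constructed for this example.

```ruby
# Added example, not part of Metasploit: transcoding a Windows shell channel
# between the remote console code page and UTF-8. The code page name (CP850,
# what the reporter found to work on a German host) and the sample bytes are
# assumptions made for this example.

# Constructed sample: the bytes a German cmd.exe running under code page 850
# emits for the text "öäü Größe" (ö=0x94, ä=0x84, ü=0x81, ß=0xE1 in CP850).
CP850_SAMPLE = "\x94\x84\x81 Gr\x94\xE1e".b.freeze

# Work out the remote console's code page from the output of `chcp`, which
# prints e.g. "Active code page: 850" or, on a German host, "Aktive Codepage: 850."
# Returns a Ruby Encoding, or nil when chcp reports a number Ruby has no table for.
def codepage_from_chcp(chcp_output)
  m = chcp_output.match(/:\s*(\d+)/)
  return nil unless m
  Encoding.find("CP#{m[1]}")
rescue ArgumentError
  nil # unknown code page; the caller has to ask the operator for one
end

# Remote -> local: tag the raw channel bytes with the console code page, then
# transcode to UTF-8 for the operator's terminal. Bytes that do not map are
# replaced with U+FFFD instead of raising, so one bad byte (or a wrong code
# page guess) cannot kill the channel.
def decode_shell_output(bytes, codepage = Encoding::CP850)
  bytes.dup.force_encoding(codepage)
       .encode(Encoding::UTF_8, invalid: :replace, undef: :replace, replace: "\uFFFD")
end

# Local -> remote: a command typed in a UTF-8 terminal has to reach cmd.exe in
# its own code page, otherwise "dir Größe" looks for a differently named directory.
def encode_shell_input(str, codepage = Encoding::CP850)
  str.encode(codepage, undef: :replace, replace: "?").b
end

if __FILE__ == $0
  cp = codepage_from_chcp("Aktive Codepage: 850.\r\n")
  puts decode_shell_output(CP850_SAMPLE, cp)   # öäü Größe
  p encode_shell_input("dir Größe", cp)        # "dir Gr\x94\xE1e"
end
```

Running `chcp` once in the spawned shell and feeding its output to `codepage_from_chcp` avoids hard-coding a code page per target; when it returns nil the session should fall back to a user-configurable setting rather than guessing.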