Metasploit Meterpreter Cheat Sheet
What is a Meterpreter?
Well, if you are planning to hack like a pro, then you need to know some of the basic commands for Meterpreter exploits before you dive in below.
Meterpreter is a dynamic, advanced and extensible payload. It uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket to provide a client-server Ruby API.
Meterpreter was written by Skape for Metasploit 2.x. The standard extensions have since been overhauled, and the current one is Metasploit 3.3. The server side is implemented in plain C and compiled with MSVC, which makes it portable. The client can be written in any language, but it is worth noting that Metasploit has a full-featured Ruby client API.
How does Meterpreter Work?
-The target first executes the initial stager. Usually, this is one of bind, findtag or passivex, among others.
-The stager then loads the DLL prefixed with Reflective. The Reflective stub is responsible for loading or injecting the DLL.
-Next, the Meterpreter core initializes, establishes a TLS/1.0 link over the server socket and sends a GET message. When Metasploit receives the GET message, it configures the client.
-Lastly, Meterpreter loads its extensions. If the module gives administrative rights, it will load the priv module; otherwise, it loads stdapi. All the extensions are loaded over TLS/1.0 using a TLV protocol.
Now that you have a clear picture of Metasploit Meterpreter, what are some of the cheat sheet commands to use?
Step one: The Core Commands
Meterpreter is a Linux-based terminal on the victim's PC. As such, most of the basic Linux commands can still be used in Meterpreter even if you are running on Windows or another operating system.
The core commands include:
-?: If you are not sure of any command, use this to access the help menu.
-background: Moves the current session to run in the background.
-bglist: Lists all the scripts running in the background.
-bgkill: Kills a Meterpreter script running in the background.
-bgrun: Runs a script as a background thread.
-close: Closes the terminal.
-help: Opens the help menu.
-irb: Used when you want to go into Ruby scripting mode.
-quit: Terminates the session.
-write: Writes data to a channel.
-read: Reads data from a channel.
-migrate: Moves the active process to a specific PID.
Step two: The file system commands
The following are the file system commands:
-mkdir: Makes a directory on the victim system.
-rmdir: Removes a directory from the victim system.
-del: Deletes a file on the victim system.
-getwd: Use this command if you want to print the local directory.
-ls: Lists all files in the current directory.
-edit: Used when you want to edit a file using vim.
-cd: Changes directory on the victim system.
-cat: Reads and outputs the content of a file.
-lcd: Changes the local directory.
-download: Downloads a file from the victim system to the attacker system.
Step three: Network commands
If you want to find something on the network, then the following commands will be handy:
-ipconfig: Displays key information for all network interfaces, including IP addresses.
-route: Views or modifies the victim's routing table.
-portfwd: Forwards a victim's port to a remote server.
Step four: System commands
Whenever you want to get the details of a victim PC, you can use the sysinfo command. It will display the operating system and the name of the PC. Other system commands include:
-shutdown: Shuts down the victim's computer.
-reg: Allows you to interact with the victim's registry.
-getpid: Shows the current process ID.
-getuid: Shows the user that the server is running as.
-drop_token: Drops the stolen token.
-kill: Terminates the process with the given PID.
-ps: Lists all running processes.
-getprivs: Used when you want to get privileges.
-shell: Opens a command shell.
-clearev: Clears the event logs on the victim machine.
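From the defender's side, the event-log clearing command in this list leaves a trace of its own, because Windows records the wipe itself. The following is an added example, not part of the original cheat sheet: it scans a constructed JSON-lines event export (the field names `time`, `host`, `channel` and `event_id` and the 60-second window are assumptions) and rates a burst of several log clears on one host higher than a single clear.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Windows logs a wipe as 1102 in Security, or 104 in System for any other log.
LOG_CLEAR_EVENTS = {("Security", 1102), ("System", 104)}
BURST_WINDOW = timedelta(seconds=60)  # assumption: tune per environment

# Constructed sample export, one JSON record per line (field names are assumptions).
SAMPLE = """\
{"time": "2024-05-01T09:00:00", "host": "SRV-01", "channel": "System", "event_id": 104}
{"time": "2024-05-01T10:15:02", "host": "WS-042", "channel": "Security", "event_id": 4624}
{"time": "2024-05-01T10:15:40", "host": "WS-042", "channel": "System", "event_id": 104}
{"time": "2024-05-01T10:15:41", "host": "WS-042", "channel": "System", "event_id": 104}
{"time": "2024-05-01T10:15:41", "host": "WS-042", "channel": "Security", "event_id": 1102}
this line is truncated {"time":
"""

def _finding(host, burst):
    severity = "high" if len(burst) >= 2 else "medium"
    return {"host": host, "start": burst[0].isoformat(),
            "clears": len(burst), "severity": severity}

def find_log_clears(lines):
    """Group log-clear events per host into bursts and rate each burst."""
    by_host = defaultdict(list)
    for line in lines:
        try:
            rec = json.loads(line)
            key = (rec["channel"], int(rec["event_id"]))
            stamp, host = datetime.fromisoformat(rec["time"]), rec["host"]
        except (ValueError, KeyError, TypeError):
            continue  # blank, truncated or incomplete record
        if key in LOG_CLEAR_EVENTS:
            by_host[host].append(stamp)
    findings = []
    for host, stamps in sorted(by_host.items()):
        stamps.sort()
        burst = [stamps[0]]
        for stamp in stamps[1:]:
            if stamp - burst[-1] > BURST_WINDOW:
                findings.append(_finding(host, burst))
                burst = [stamp]
            else:
                burst.append(stamp)
        findings.append(_finding(host, burst))
    return findings

print(*find_log_clears(SAMPLE.splitlines()), sep="\n")
```

Because a cleared log cannot report on itself after the fact, this check only works if events are forwarded off the host as they are written.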
Step five: Interface commands
-set_desktop: Changes the Meterpreter desktop.
-screenshot: Grabs a screenshot of the victim's desktop.
-keyscan_dump: Dumps the software keylogger's captured keystrokes.
-keyscan_stop: Stops the keylogger.
-enumdesktops: Provides a list of all available desktops.
-idletime: Checks how long the victim system has been idle.
-keyscan_start: Starts the keylogger software associated with a process.
-uictl: Enables control of the UI components.
Step six: Privilege escalation
If you want to escalate the system privileges, you can use the getsystem command. It uses 15 built-in ways to gain system administrator privileges.
Step seven: How to dump passwords
You can use the hashdump command to grab the hashes in the password file. Notably, the command often trips AV software, although you can run stealthier alternatives such as “run smart_hashdump” or “run hashdump.” These scripts will stop the AV from tripping.