The document provides a comprehensive list of commands and scripts available in Metasploit's Meterpreter. It begins with core commands like help, background, and exit. It then covers file system, networking, system, user interface, privilege escalation, and password dumping commands. Finally, it lists over 135 scripts that can be run from Meterpreter to perform tasks like credential harvesting, detecting virtual machines, spawning new sessions, and extracting browser data. The author provides the list as a cheat sheet for testing Meterpreter's full capabilities during a penetration test.


The Ultimate Command Cheat Sheet for Metasploit's Meterpreter

By occupytheweb
05/27/2016 12:42 am
Metasploit Basics

Welcome back, my hacker novitiates!

I've done numerous tutorials in Null Byte demonstrating the power of Metasploit's meterpreter. With the
meterpreter on the target system, you have nearly total command of the victim!
As a result, several of you have asked me for a complete list of commands available for the meterpreter
because there doesn't seem to be a complete list anywhere on the web. So here it goes! Hack a system
and have fun testing out these commands!

Step 1: Core Commands

Meterpreter is not a shell on the victim in the ordinary sense: it is an in-memory payload that talks to your console over an encrypted channel and carries its own command set. Its file-system commands borrow Unix names (ls, cd, cat, pwd), so they work the same way whether the target is Windows, Linux or anything else Meterpreter runs on; nothing is passed to a local cmd.exe or bash unless you explicitly use shell or execute.

Here are some of the core commands we can use on the meterpreter.

* ? - help menu
* background - moves the current session to the background and returns you to the msf prompt
* bgkill - kills a background meterpreter script
* bglist - lists all running background scripts
* bgrun - runs a script as a background thread
* channel - displays active channels
* close - closes a channel
* exit - terminates the meterpreter session
* help - help menu
* interact - interacts with a channel
* irb - drops into an interactive Ruby shell with access to the session object
* migrate - migrates the meterpreter server into the process with the designated PID
* quit - terminates the meterpreter session
* read - reads data from a channel
* run - executes the meterpreter script or post module named after it
* use - loads a meterpreter extension (e.g. stdapi, priv, incognito)
* write - writes data to a channel

Step 2: File System Commands

* cat - reads a file on the victim and prints its contents to stdout
* cd - change directory on the victim
* del - delete a file on the victim
* download - download a file from the victim to the attacker system
* edit - edit a file on the victim in the local editor (vi by default)
* getlwd - print the local (attacker-side) working directory
* getwd - print the working directory on the victim
* lcd - change the local (attacker-side) directory
* lpwd - print the local working directory
* ls - list files in the current directory on the victim
* mkdir - make a directory on the victim
* pwd - print the working directory on the victim
* rm - delete a file on the victim
* rmdir - remove a directory on the victim
* upload - upload a file from the attacker system to the victim

Step 3: Networking Commands

* ipconfig - displays the victim's network interfaces with IP address, netmask, MAC address and so on
* portfwd - opens a listening port on the attacker system and forwards its connections through the session to a host and port reachable from the victim (the usual way to reach internal services such as RDP or SMB)
* route - view or modify the victim's own routing table (do not confuse it with msfconsole's route command, which sends framework traffic through the session for pivoting)

Step 4: System Commands

* clearev - clears the Application, System and Security event logs on the victim
* drop_token - relinquishes any impersonation token currently in use
* execute - executes a command
* getpid - gets the current process ID (PID)
* getprivs - attempts to enable every privilege available to the current process token
* getuid - gets the user the meterpreter server is running as
* kill - terminates the process with the given PID
* ps - lists running processes
* reboot - reboots the victim
* reg - interact with the victim's registry
* rev2self - calls RevertToSelf() on the victim machine
* shell - opens a command shell on the victim machine
* shutdown - shuts down the victim
* steal_token - attempts to steal the token of the specified process (PID)
* sysinfo - gets details about the victim such as OS, architecture and hostname

Step 5: User Interface Commands

* enumdesktops - lists all accessible desktops and window stations
* getdesktop - gets the current meterpreter desktop
* idletime - reports how long the victim's user has been idle
* keyscan_dump - dumps the keystrokes captured by the software keylogger
* keyscan_start - starts the software keylogger in the current process; migrate into the process whose keystrokes you want first (explorer.exe for the logged-on user's typing, winlogon.exe for lock-screen passwords)
* keyscan_stop - stops the software keylogger
* screenshot - grabs a screenshot of the meterpreter desktop
* set_desktop - changes the meterpreter desktop
* uictl - enables or disables the victim's keyboard and mouse

Step 6: Privilege Escalation Commands

* getsystem - tries several built-in techniques (named-pipe impersonation and token duplication) to elevate the session to NT AUTHORITY\SYSTEM; it needs local administrator rights to start from, and getuid should report SYSTEM afterwards

Step 7: Password Dump Commands

* hashdump - dumps the local account password hashes from the SAM as pwdump-style user:rid:LM:NT::: lines; requires SYSTEM privileges

Note that hashdump injects into LSASS to read the SAM, which frequently trips AV. Two alternatives read the hashes out of the registry hives instead and are quieter: "run post/windows/gather/hashdump" and "run post/windows/gather/smart_hashdump" (the older script forms, "run hashdump" and "run smart_hashdump", still work but print a deprecation warning). Look for more on those in the meterpreter script cheat sheet below.
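
Whichever method you use, the result is a set of unsalted NT hashes, and that is where the real work starts. As an added example that is not part of the original article, here is a Ruby triage script (Ruby because Metasploit itself is written in it) for the pwdump-style lines hashdump prints. It parses a constructed dump, flags accounts that still store an LM hash or a blank NT hash, groups accounts that share one NT hash (same password, no salt), and checks a small wordlist against the NT hashes by computing MD4 over the UTF-16LE password in pure Ruby, since OpenSSL 3 builds only expose MD4 through the legacy provider. The account names, RIDs and the non-empty LM value are constructed; the two "empty hash" constants are the real well-known values.

```ruby
# Added example: triage of Meterpreter hashdump output. Sample dump and wordlist are
# constructed; only the two "empty hash" constants are real well-known values.

MASK32 = 0xffffffff
EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee' # LM hash stored when LM is disabled/empty
EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0' # NT hash of the empty password (MD4 of "")

# Pure-Ruby MD4 (RFC 1320). Returns the digest as a lowercase hex string.
def md4(message)
  rol = ->(v, s) { v &= MASK32; ((v << s) | (v >> (32 - s))) & MASK32 }
  f = ->(x, y, z) { (x & y) | (~x & z) }
  g = ->(x, y, z) { (x & y) | (x & z) | (y & z) }
  h = ->(x, y, z) { x ^ y ^ z }
  rounds = [
    [f, (0..15).to_a, [3, 7, 11, 19], 0],
    [g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], [3, 5, 9, 13], 0x5a827999],
    [h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], [3, 9, 11, 15], 0x6ed9eba1]
  ]

  # Padding: 0x80, zeros up to 56 mod 64, then the bit length as a little-endian 64-bit int.
  data = message.b + "\x80".b
  data << "\x00".b while data.bytesize % 64 != 56
  bits = message.bytesize * 8
  data << [bits & MASK32, bits >> 32].pack('V2')

  state = [0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476]
  data.bytes.each_slice(64) do |block|
    x = block.pack('C*').unpack('V16')
    r = state.dup
    rounds.each do |fn, order, shifts, k|
      16.times do |i|
        a, b, c, d = (0..3).map { |j| r[(j - i) % 4] } # registers rotate a,b,c,d -> d,a,b,c -> ...
        r[(-i) % 4] = rol.call(a + fn.call(b, c, d) + x[order[i]] + k, shifts[i % 4])
      end
    end
    state = state.zip(r).map { |s, v| (s + v) & MASK32 }
  end
  state.pack('V4').unpack1('H*')
end

# NT hash = MD4 over the UTF-16LE encoding of the password, with no salt.
def nt_hash(password)
  md4(password.encode('UTF-16LE').b)
end

# hashdump prints pwdump-style lines: user:rid:LMhash:NThash:::
def parse_hashdump(text)
  text.each_line.map(&:strip).reject(&:empty?).map do |line|
    user, rid, lm, nt = line.split(':', 5)
    { user: user, rid: rid.to_i, lm: lm.downcase, nt: nt.downcase }
  end
end

def triage(entries, wordlist)
  by_nt = Hash.new { |hsh, key| hsh[key] = [] }
  entries.each { |e| by_nt[e[:nt]] << e[:user] }
  lookup = wordlist.map { |pw| [nt_hash(pw), pw] }.to_h # hash each guess once, test every account
  {
    lm_present: entries.reject { |e| e[:lm] == EMPTY_LM }.map { |e| e[:user] }, # LM still stored: trivially crackable
    blank_nt:   entries.select { |e| e[:nt] == EMPTY_NT }.map { |e| e[:user] }, # empty password
    reused:     by_nt.select { |_, users| users.size > 1 },                      # same NT hash = same password
    cracked:    entries.select { |e| lookup.key?(e[:nt]) }.map { |e| [e[:user], lookup[e[:nt]]] }.to_h
  }
end

SAMPLE_DUMP = <<~DUMP # constructed sample, not from a real host
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
  legacy:1002:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
DUMP
WORDLIST = %w[Winter2016 Password1 password].freeze

if __FILE__ == $PROGRAM_NAME
  triage(parse_hashdump(SAMPLE_DUMP), WORDLIST).each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

On the constructed dump the script reports that legacy still carries an LM hash, Guest has an empty password, and Administrator, svc_backup and legacy share one NT hash which the three-word list resolves to "password". The reuse check is often the most valuable output: a local Administrator hash shared across hosts is usable directly with pass-the-hash, no cracking required.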

Step 8: Timestomp Commands

* timestomp - views or manipulates a file's MACE timestamps (Modified, Accessed, Created, Entry-modified); -v lists them, -m/-a/-c/-e set one of them, -z sets all four to a "MM/DD/YYYY HH24:MI:SS" value, -f copies them from another file and -b blanks them
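
An added example that is not part of the original article: timestomp works through the Win32 SetFileTime call, so it rewrites only the $STANDARD_INFORMATION ($SI) timestamps, it takes whole seconds, and it never touches the second copy of the same four values held in the $FILE_NAME ($FN) attribute of the MFT record. The Ruby below (Ruby again because it is Metasploit's own language) converts Windows FILETIME values, applies a -z stomp to a constructed MFT-style record, and runs the two checks a forensic examiner uses to catch it: a sub-second fraction of exactly zero on all four $SI values, and an $SI creation time earlier than the $FN creation time. Record layout, file name and times are constructed for illustration; parsing a real $MFT is out of scope.

```ruby
# Added example: what timestomp changes and how examiners detect it. The MFT records
# below are constructed hashes of FILETIME integers, not parsed from a real $MFT.

TICKS_PER_SEC = 10_000_000      # FILETIME resolution is 100 ns
EPOCH_DELTA   = 11_644_473_600  # seconds from 1601-01-01 to 1970-01-01

def filetime_to_time(ft)
  secs, ticks = ft.divmod(TICKS_PER_SEC)
  Time.at(secs - EPOCH_DELTA, ticks * 100, :nsec).utc
end

def time_to_filetime(t)
  (t.to_i + EPOCH_DELTA) * TICKS_PER_SEC + t.nsec / 100
end

# Emulates `timestomp <file> -z "MM/DD/YYYY HH24:MI:SS"`: SetFileTime rewrites the four
# $STANDARD_INFORMATION values (M, A, C, E) to one whole second and cannot reach $FILE_NAME.
def stomp_si(record, stamp)
  mon, day, year, hour, min, sec = stamp.scan(/\d+/).map(&:to_i)
  ft = time_to_filetime(Time.utc(year, mon, day, hour, min, sec))
  record.merge(si: { m: ft, a: ft, c: ft, e: ft })
end

# The two checks an examiner runs on $SI vs $FN. Comparing modified times would give false
# positives (archive extraction, copies preserve an older $SI modified), so only creation is used.
def timestomp_indicators(record)
  si, fn = record[:si], record[:fn]
  flags = []
  flags << :zero_fraction if si.values.all? { |ft| ft % TICKS_PER_SEC == 0 } # whole-second input
  flags << :si_before_fn  if si[:c] < fn[:c]                                  # created "before" its own $FN
  flags
end

# Constructed record: a normal drop at 2016-05-27 00:42:13.5239107 UTC, modified 2 s later.
T0 = time_to_filetime(Time.utc(2016, 5, 27, 0, 42, 13)) + 5_239_107
NORMAL = {
  name: 'payload.exe',
  si: { m: T0 + 2 * TICKS_PER_SEC, a: T0 + 2 * TICKS_PER_SEC, c: T0, e: T0 + 2 * TICKS_PER_SEC },
  fn: { m: T0, a: T0, c: T0, e: T0 }
}.freeze
STOMPED = stomp_si(NORMAL, '03/14/2012 09:15:00').freeze

if __FILE__ == $PROGRAM_NAME
  [NORMAL, STOMPED].each do |rec|
    puts "#{rec[:name]}: $SI created #{filetime_to_time(rec[:si][:c])}, " \
         "$FN created #{filetime_to_time(rec[:fn][:c])} -> #{timestomp_indicators(rec).inspect}"
  end
end
```

The practical reading: a stomp hides the change from dir, Explorer and any tool that reads only $SI, but anything that builds its timeline from the MFT will see both indicators on the same record. Blanking with -b is louder still, since it leaves four zero FILETIME values that render as 1601-01-01.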

Stay Tuned for More Meterpreter Tips

I've already used many of these commands in previous tutorials, and I will be using more in future guides as well to show you how they work. Bookmark this page: it is one of the more complete cheat sheets of meterpreter commands available, and you will want to refer back to it often.
Finally, check out my second meterpreter cheat sheet below, with the 135 scripts available for the meterpreter, to continue hacking with Metasploit.

The Metasploit Framework is an incredible hacking and pentesting tool that every hacker worth their salt should be conversant with and capable in.
In a previous post, I provided you a cheat sheet of meterpreter commands. Those commands are essential to running Metasploit's meterpreter, but over the years numerous hackers and security pros have developed scripts that run from the meterpreter and can be far more effective and destructive. Note that these classic scripts (scripts/meterpreter/*.rb, invoked with "run <name>") have been deprecated in favor of post modules (post/windows/gather/..., post/windows/manage/...), and current versions of the framework print a deprecation warning pointing at the equivalent module when you run one; the list below is still the quickest way to see what is possible from a session.
In this post, I will try to provide you the most complete list and description available anywhere on the web. You will want to bookmark this page too, as no one remembers all these scripts and it's likely you will want to return here at a later time to find a particular script for a particular hack.

Please note that new meterpreter scripts are being developed every day. This list attempts to provide you with a complete list of scripts as of this writing. If you find errors or typos, please feel free to post them here, and I will try to correct them as soon as humanly possible.

Script Commands with Brief Descriptions


* arp_scanner.rb - Script for performing an ARP scan to discover live hosts on the victim's subnet.
* autoroute.rb - Adds routes to the framework's routing table so other modules can pivot through this Meterpreter session, without having to background the current session.
* checkvm.rb - Script for detecting if the target host is a virtual machine.
* credcollect.rb - Script to harvest credentials found on the host and store them in the database.
* domain_list_gen.rb - Script for extracting the domain admin account list for later use.
* dumplinks.rb - Dumplinks parses .lnk files from a user's Recent Documents folder and Microsoft Office's Recent Documents folder, if present. The .lnk files contain timestamps, file locations including share names, volume serial numbers and more. This info may help you target additional systems.
* duplicate.rb - Uses a meterpreter session to spawn a new meterpreter session in a different process. A new process allows the session to take "risky" actions that might get the process killed by A/V, hand a meterpreter session to another controller, or start a keylogger in another process.
* enum_chrome.rb - Script to extract data from a Chrome installation.
* enum_firefox.rb - Script for extracting data from Firefox.
* enum_logged_on_users.rb - Script for enumerating currently logged-on users and users that have logged in to the system.
* enum_powershell_env.rb - Enumerates PowerShell and WSH configurations.
* enum_putty.rb - Enumerates PuTTY connections.
* enum_shares.rb - Script for enumerating shares offered and the history of mounted shares.
* enum_vmware.rb - Enumerates VMware configurations for VMware products.
* event_manager.rb - Shows information about event logs on the target system and their configuration.
* file_collector.rb - Script for searching for and downloading files that match a specific pattern.
* get_application_list.rb - Script for extracting a list of installed applications and their versions.
* getcountermeasure.rb - Script for detecting AV, HIPS, third-party firewalls, DEP configuration and Windows Firewall configuration. Also provides the option to kill the processes of detected products and disable the built-in firewall.
* get_env.rb - Script for extracting a list of all system and user environment variables.
* getfilezillacreds.rb - Script for extracting servers and credentials from FileZilla.
* getgui.rb - Script to enable Windows RDP (and optionally add a user for it).
* get_local_subnets.rb - Gets a list of local subnets based on the host's routes.
* get_pidgin_creds.rb - Script for extracting configured Pidgin IM accounts with usernames and passwords.
* gettelnet.rb - Script to enable the Windows Telnet server on the victim.
* get_valid_community.rb - Gets a valid SNMP community string from the victim's SNMP service configuration.
* getvncpw.rb - Gets the stored VNC password.
* hashdump.rb - Grabs password hashes from the SAM.
* hostedit.rb - Script for adding entries to the Windows hosts file.
* keylogrecorder.rb - Script for running a keylogger and saving all the keystrokes.
* killav.rb - Terminates nearly every antivirus product on the victim.
* metsvc.rb - Installs Meterpreter as a persistent Windows service (or removes one previously installed).
* migrate - Moves the meterpreter server into another process.
* multicommand.rb - Script for running multiple commands on Windows 2003, Windows Vista, Windows XP and Windows 2008 targets.
* multi_console_command.rb - Script for running multiple console commands on a meterpreter session.
* multi_meter_inject.rb - Script for injecting a reverse TCP Meterpreter payload into the memory of multiple PIDs; if none is provided, a notepad process will be created and a Meterpreter payload injected into it.
* multiscript.rb - Script for running multiple scripts on a Meterpreter session.
* netenum.rb - Script for ping sweeps on Windows 2003, Windows Vista, Windows 2008 and Windows XP targets using native Windows commands.
* packetrecorder.rb - Script for capturing packets into a PCAP file.
* panda2007pavsrv51.rb - This module exploits a privilege escalation vulnerability in Panda Antivirus 2007. Due to insecure permissions, a local attacker can gain elevated privileges.
* persistence.rb - Script for creating a persistent backdoor on a target host.
* pml_driver_config.rb - Exploits a privilege escalation vulnerability in Hewlett-Packard's PML Driver HPZ12. Due to an insecure SERVICE_CHANGE_CONFIG DACL permission, a local attacker can gain elevated privileges.
* powerdump.rb - Meterpreter script for using PowerShell alone to extract usernames and password hashes through registry keys. This script requires you to be running as SYSTEM in order to work properly. It has been tested on Server 2008 and Windows 7, which install PowerShell by default.
* prefetchtool.rb - Script for extracting information from the Windows Prefetch folder.
* process_memdump.rb - Dumps the memory of a process; based on the paper "Neurosurgery With Meterpreter".
* remotewinenum.rb - This script will enumerate Windows hosts in the target environment, given a username and password or using the credentials under which Meterpreter is running, via the native WMI command-line tool wmic.
* scheduleme.rb - Script for automating the most common scheduling tasks during a pentest. This script works with Windows XP, Windows 2003, Windows Vista and Windows 2008.
* schelevator.rb - Exploit for the Windows Vista/7/2008 Task Scheduler 2.0 privilege escalation. This script exploits the Task Scheduler 2.0 XML 0day used by Stuxnet.
* schtasksabuse.rb - Meterpreter script for abusing the Scheduler service in Windows by scheduling and running a list of commands against one or more targets, using the schtasks command to run them as SYSTEM. This script works with Windows XP, Windows 2003, Windows Vista and Windows 2008.
* scraper.rb - The goal of this script is to obtain system information from a victim through an existing Meterpreter session.
* screenspy.rb - This script will open an interactive view of remote hosts. You will need Firefox installed on your machine.
* screen_unlock.rb - Script to unlock a Windows screen. Needs SYSTEM privileges to run and known signatures for the target system.
* search_dwld.rb - Script that recursively searches for and downloads files matching a given pattern.
* service_manager.rb - Script for managing Windows services.
* service_permissions_escalate.rb - This script attempts to create a service, then searches through a list of existing services to look for insecure file or configuration permissions that will let it replace the executable with a payload. It will then attempt to restart the replaced service to run the payload. If that fails, the next time the service is started (such as on reboot) the attacker will gain elevated privileges.
* sound_recorder.rb - Script for recording, at intervals, the sound captured by a target host's microphone.
* srt_webdrive_priv.rb - Exploits a privilege escalation vulnerability in South River Technologies WebDrive.
* uploadexec.rb - Script to upload an executable file to the host and run it.
* virtualbox_sysenter_dos - Script to DoS VirtualBox.
* virusscan_bypass.rb - Script that kills McAfee VirusScan Enterprise v8.7.0i+ processes.
* vnc.rb - Meterpreter script for obtaining a quick VNC session.
* webcam.rb - Script to enable and capture images from the host webcam.
* win32-sshclient.rb - Script to deploy and run the "plink" command-line SSH client. Supports only Windows 2000/XP/Vista hosts.
* win32-sshserver.rb - Script to deploy and run OpenSSH on the target machine.
* winbf.rb - Function for checking the password policy of the current system. This policy may resemble the policy of other servers in the target environment.
* winenum.rb - Enumerates the Windows system, including environment variables, network interfaces, routing, user accounts, etc.
