Metasploit Meterpreter
May 18, 2025
Definition
Meterpreter runs on the target system but is not installed on it. It runs in memory and does not write itself to the disk on the target, which is intended to avoid detection during antivirus scans. By default, most antivirus software scans new files on the disk (e.g. when you download a file from the internet). Meterpreter runs in memory (RAM, Random Access Memory) so that no file (e.g. meterpreter.exe) has to be written to the disk on the target system. As a result, Meterpreter is seen as a process and has no file on the target system.
Commands
Meterpreter provides three primary categories of tools:
- Built-in commands
- Meterpreter tools
- Meterpreter scripting
If you run the help command, you will see that Meterpreter commands are listed under different categories:
- Core commands
- File system commands
- Networking commands
- System commands
- User interface commands
- Webcam commands
- Audio output commands
- Elevate commands
- Password database commands
- Timestomp commands
Please note that the list above was taken from the output of the help command on the Windows version of Meterpreter (windows/x64/meterpreter/reverse_tcp). These will be different for other Meterpreter versions.
Meterpreter commands
Core commands are helpful for navigating and interacting with the target system. Below are some of the most commonly used. Remember to check all available commands by running the help command once a Meterpreter session has started.
Core commands
- background: Backgrounds the current session
- exit: Terminate the Meterpreter session
- guid: Get the session GUID (Globally Unique Identifier)
- help: Displays the help menu
- info: Displays information about a Post module
- irb: Opens an interactive Ruby shell on the current session
- load: Loads one or more Meterpreter extensions
- migrate: Allows you to migrate Meterpreter to another process
- run: Executes a Meterpreter script or Post module
- sessions: Quickly switch to another session
File system commands
- cd: Will change directory
- ls: Will list files in the current directory (dir will also work)
- pwd: Prints the current working directory
- edit: Will allow you to edit a file
- cat: Will show the contents of a file to the screen
- rm: Will delete the specified file
- search: Will search for files
- upload: Will upload a file or directory
- download: Will download a file or directory
Networking commands
- arp: Displays the host ARP (Address Resolution Protocol) cache
- ifconfig: Displays network interfaces available on the target system
- netstat: Displays the network connections
- portfwd: Forwards a local port to a remote service
- route: Allows you to view and modify the routing table
System commands
- clearev: Clears the event logs
- execute: Executes a command
- getpid: Shows the current process identifier
- getuid: Shows the user that Meterpreter is running as
- kill: Terminates a process
- pkill: Terminates processes by name
- ps: Lists running processes
- reboot: Reboots the remote computer
- shell: Drops into a system command shell
- shutdown: Shuts down the remote computer
- sysinfo: Gets information about the remote system, such as OS
Other commands (these will be listed under different menu categories in the help menu)
- idletime: Returns the number of seconds the remote user has been idle
- keyscan_dump: Dumps the keystroke buffer
- keyscan_start: Starts capturing keystrokes
- keyscan_stop: Stops capturing keystrokes
- screenshare: Allows you to watch the remote user’s desktop in real time
- screenshot: Grabs a screenshot of the interactive desktop
- record_mic: Records audio from the default microphone for X seconds
- webcam_chat: Starts a video chat
- webcam_list: Lists webcams
- webcam_snap: Takes a snapshot from the specified webcam
- webcam_stream: Plays a video stream from the specified webcam
- getsystem: Attempts to elevate your privilege to that of local system
- hashdump: Dumps the contents of the SAM database
Post Exploit
- migrate to another process to capture
- search for files
- hashdump
- shell to create a shell on the target machine