Welcome back, my hacker apprentices!

Metasploit framework is an incredible hacking and pentesting tool that every hacker worth their salt should be conversant and capable with.

In a previous post, I provided you a cheat sheet of meterpreter commands. These commands are essential to running Metasploit's meterpreter, but in recent years, numerous hackers and security pros have developed scripts that we can run from the meterpreter that can be much more effective and malicious.

In this post, I will try to provide you the most complete list and description available anywhere on the web. You will want to bookmark this page too, as no one remembers all these scripts and it's likely you will want to return here at a later time to find a particular script for a particular hack.

Please note that new meterpreter scripts are being developed every day. This list attempts to provide you with a complete list of scripts as of this writing. If you find errors or typos, please feel free to post them here, and I will try to correct them as soon as humanly possible.
Script Commands with Brief Descriptions

arp_scanner.rb - Script for performing an ARP scan discovery.
autoroute.rb - Meterpreter session without having to background the current session.
checkvm.rb - Script for detecting if the target host is a virtual machine.
credcollect.rb - Script to harvest credentials found on the host and store them in the database.
domain_list_gen.rb - Script for extracting a domain admin account list for use.
dumplinks.rb - Dumplinks parses .lnk files from a user's Recent documents folder and Microsoft Office's Recent documents folder, if present. The .lnk files contain time stamps, file locations including share names, volume serial numbers and more. This info may help you target additional systems.
duplicate.rb - Uses a meterpreter session to spawn a new meterpreter session in a different process. A new process allows the session to take "risky" actions that might get the process killed by A/V, give a meterpreter session to another controller, or start a keylogger on another process.
enum_chrome.rb - Script to extract data from a Chrome installation.
enum_firefox.rb - Script for extracting data from Firefox.
enum_logged_on_users.rb - Script for enumerating currently logged-on users and users that have logged in to the system.
enum_powershell_env.rb - Enumerates PowerShell and WSH configurations.
enum_putty.rb - Enumerates PuTTY connections.
enum_shares.rb - Script for enumerating shares offered and the history of mounted shares.
enum_vmware.rb - Enumerates VMware configurations for VMware products.
event_manager.rb - Shows information about Event Logs on the target system and their configuration.
file_collector.rb - Script for searching and downloading files that match a specific pattern.
get_application_list.rb - Script for extracting a list of installed applications and their versions.
getcountermeasure.rb - Script for detecting AV, HIPS, third-party firewalls, DEP configuration and Windows Firewall configuration. Also provides the option to kill the processes of detected products and disable the built-in firewall.
get_env.rb - Script for extracting a list of all System and User environment variables.
getfilezillacreds.rb - Script for extracting servers and credentials from FileZilla.
getgui.rb - Script to enable Windows RDP.
get_local_subnets.rb - Gets a list of local subnets based on the host's routes.
get_pidgin_creds.rb - Script for extracting configured services with usernames and passwords.
gettelnet.rb - Checks to see whether telnet is installed.
get_valid_community.rb - Gets a valid community string from SNMP.
getvncpw.rb - Gets the VNC password.
hashdump.rb - Grabs password hashes from the SAM.
hostedit.rb - Script for adding entries to the Windows Hosts file.
keylogrecorder.rb - Script for running a keylogger and saving all the keystrokes.
killav.rb - Terminates nearly every antivirus software on the victim.
metsvc.rb - Deletes one meterpreter service and starts another.
migrate - Moves the meterpreter service to another process.
multicommand.rb - Script for running multiple commands on Windows 2003, Windows Vista, Windows XP and Windows 2008 targets.
multi_console_command.rb - Script for running multiple console commands on a meterpreter session.
multi_meter_inject.rb - Script for injecting a reverse TCP Meterpreter payload into the memory of multiple PIDs; if none is provided, a notepad process will be created and a Meterpreter payload will be injected into each.
multiscript.rb - Script for running multiple scripts on a Meterpreter session.
netenum.rb - Script for ping sweeps on Windows 2003, Windows Vista, Windows 2008 and Windows XP targets using native Windows commands.
packetrecorder.rb - Script for capturing packets into a PCAP file.
panda2007pavsrv51.rb - This module exploits a privilege escalation vulnerability in Panda Antivirus 2007. Due to insecure permission issues, a local attacker can gain elevated privileges.
persistence.rb - Script for creating a persistent backdoor on a target host.
pml_driver_config.rb - Exploits a privilege escalation vulnerability in Hewlett-Packard's PML Driver HPZ12. Due to an insecure SERVICE_CHANGE_CONFIG DACL permission, a local attacker can gain elevated privileges.
powerdump.rb - Meterpreter script for using purely PowerShell to extract usernames and password hashes through registry keys. This script requires you to be running as SYSTEM in order to work properly. It has currently been tested on Server 2008 and Windows 7, which install PowerShell by default.
prefetchtool.rb - Script for extracting information from the Windows prefetch folder.
process_memdump.rb - Script based on the paper Neurosurgery With Meterpreter.
remotewinenum.rb - This script will enumerate Windows hosts in the target environment given a username and password, or using the credential under which Meterpreter is running, via the native Windows WMIC tool.
scheduleme.rb - Script for automating the most common scheduling tasks during a pentest. This script works with Windows XP, Windows 2003, Windows Vista and Windows 2008.
schelevator.rb - Exploit for Windows Vista/7/2008 Task Scheduler 2.0 privilege escalation. This script exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet.
schtasksabuse.rb - Meterpreter script for abusing the scheduler service in Windows by scheduling and running a list of commands against one or more targets, using the schtasks command to run them as SYSTEM. This script works with Windows XP, Windows 2003, Windows Vista and Windows 2008.
scraper.rb - The goal of this script is to obtain system information from a victim through an existing Meterpreter session.
screenspy.rb - This script will open an interactive view of remote hosts. You will need Firefox installed on your machine.
screen_unlock.rb - Script to unlock a Windows screen. Needs SYSTEM privileges to run and known signatures for the target system.
search_dwld.rb - Script that recursively searches for and downloads files matching a given pattern.
service_manager.rb - Script for managing Windows services.
service_permissions_escalate.rb - This script attempts to create a service, then searches through a list of existing services to look for insecure file or configuration permissions that will let it replace the executable with a payload. It will then attempt to restart the replaced service to run the payload. If that fails, the next time the service is started (such as on reboot) the attacker will gain elevated privileges.
sound_recorder.rb - Script for recording, in intervals, the sound captured by a target host's microphone.
srt_webdrive_priv.rb - Exploits a privilege escalation vulnerability in South River Technologies WebDrive.
uploadexec.rb - Script to upload an executable file to the host.
virtualbox_sysenter_dos - Script to DoS VirtualBox.
virusscan_bypass.rb - Script that kills McAfee VirusScan Enterprise v8.7.0i+ processes.
vnc.rb - Meterpreter script for obtaining a quick VNC session.
webcam.rb - Script to enable and capture images from the host webcam.
win32-sshclient.rb - Script to deploy & run the "plink" command-line SSH client. Supports only MS-Windows-2k/XP/Vista hosts.
win32-sshserver.rb - Script to deploy and run OpenSSH on the target machine.
winbf.rb - Function for checking the password policy of the current system. This policy may resemble the policy of other servers in the target environment.
winenum.rb - Enumerates the Windows system, including environment variables, network interfaces, routing, user accounts, etc.
wmic.rb - Script for running WMIC commands on Windows 2003, Windows Vista, Windows XP and Windows 2008 targets.
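The dumplinks entry above says that .lnk files carry time stamps and file locations. The same artifact is what a forensic examiner reads after an intrusion, so here is an added example (my own code, not from the post and not Metasploit's dumplinks.rb) that parses the fixed 76-byte ShellLinkHeader of the Shell Link format and converts its three FILETIME stamps to UTC. The sample header is constructed inline; the variable-length structures that follow the header (LinkTargetIDList, LinkInfo with the volume serial and local path, StringData) are not parsed here.

```ruby
# Parser for the fixed ShellLinkHeader of a Windows .lnk file (MS-SHLLINK).
# Added example; not dumplinks.rb. It recovers the creation, access and
# write FILETIMEs plus the LinkFlags / FileAttributes bits that dumplinks
# reports, and rejects data that is not a Shell Link.

LNK_HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_CLSID = [0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
             0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46].pack('C*')

LINK_FLAGS = {
  0x01 => :has_link_target_id_list, 0x02 => :has_link_info,
  0x04 => :has_name, 0x08 => :has_relative_path, 0x10 => :has_working_dir,
  0x20 => :has_arguments, 0x40 => :has_icon_location, 0x80 => :is_unicode
}.freeze

FILE_ATTRIBUTES = {
  0x01 => :readonly, 0x02 => :hidden, 0x04 => :system,
  0x10 => :directory, 0x20 => :archive
}.freeze

EPOCH_DIFF = 11_644_473_600 # seconds from 1601-01-01 to 1970-01-01

# FILETIME counts 100 ns intervals since 1601-01-01 UTC.
def filetime_to_time(ft)
  secs, rem = ft.divmod(10_000_000)
  Time.at(secs - EPOCH_DIFF, rem * 100, :nsec).utc
end

def time_to_filetime(t)
  (t.to_i + EPOCH_DIFF) * 10_000_000 + t.nsec / 100
end

def decode_bits(value, table)
  table.select { |bit, _| (value & bit) != 0 }.values
end

def parse_lnk_header(blob)
  raise ArgumentError, 'data shorter than a ShellLinkHeader' if blob.bytesize < LNK_HEADER_SIZE

  size, clsid, flags, attrs, ctime, atime, wtime, fsize = blob.unpack('Va16VVQ<Q<Q<V')
  raise ArgumentError, 'not a Shell Link file' unless size == LNK_HEADER_SIZE && clsid == LNK_CLSID

  {
    created:    filetime_to_time(ctime),
    accessed:   filetime_to_time(atime),
    modified:   filetime_to_time(wtime),
    file_size:  fsize,
    flags:      decode_bits(flags, LINK_FLAGS),
    attributes: decode_bits(attrs, FILE_ATTRIBUTES)
  }
end

# Constructed sample header (not a real artifact): a Unicode link with a
# LinkInfo block, pointing at a 1234-byte file with the archive attribute.
# Fields after FileSize: IconIndex, ShowCommand, HotKey, three reserved.
def build_sample_lnk
  [LNK_HEADER_SIZE].pack('V') + LNK_CLSID +
    [0x82, 0x20].pack('VV') +
    [time_to_filetime(Time.utc(2012, 3, 14, 9, 26, 53)),
     time_to_filetime(Time.utc(2012, 3, 15, 17, 0, 0)),
     time_to_filetime(Time.utc(2012, 3, 14, 9, 30, 0))].pack('Q<Q<Q<') +
    [1234, 0, 1, 0, 0, 0, 0].pack('Vl<VvvVV')
end

if __FILE__ == $PROGRAM_NAME
  # To examine a real shortcut, read it in binary mode and pass the bytes:
  #   parse_lnk_header(File.binread('example.lnk'))
  parse_lnk_header(build_sample_lnk).each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Because the stamps inside the .lnk are copied from the target file at the time the shortcut was written, they survive even after the target itself has been deleted or its timestamps altered, which is why recent-documents shortcuts are useful in a timeline.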
Step 1: Core Commands

At its most basic, meterpreter works like a Linux terminal on the victim's computer. As such, many of our basic Linux commands can be used on the meterpreter even if it's on a Windows or other operating system.

Here are some of the core commands we can use on the meterpreter.

? - help menu
background - moves the current session to the background
bgkill - kills a background meterpreter script
bglist - provides a list of all running background scripts
bgrun - runs a script as a background thread
channel - displays active channels
close - closes a channel
exit - terminates a meterpreter session
help - help menu
interact - interacts with a channel
irb - go into Ruby scripting mode
migrate - moves the active process to a designated PID
quit - terminates the meterpreter session
read - reads the data from a channel
run - executes the meterpreter script designated after it
use - loads a meterpreter extension
write - writes data to a channel

Step 2: File System Commands

cat - read and output to stdout the contents of a file
cd - change directory on the victim
del - delete a file on the victim
download - download a file from the victim system to the attacker system
edit - edit a file with vim
getlwd - print the local directory
getwd - print working directory
lcd - change local directory
lpwd - print local directory
ls - list files in current directory
mkdir - make a directory on the victim system
pwd - print working directory
rm - delete a file
rmdir - remove directory on the victim system
upload - upload a file from the attacker system to the victim

Step 3: Networking Commands

ipconfig - displays network interfaces with key information including IP address, etc.
portfwd - forwards a port on the victim system to a remote service
route - view or modify the victim routing table

Step 4: System Commands

clearev - clears the event logs on the victim's computer
drop_token - drops a stolen token
execute - executes a command
getpid - gets the current process ID (PID)
getprivs - gets as many privileges as possible
getuid - get the user that the server is running as
kill - terminate the process designated by the PID
ps - list running processes
reboot - reboots the victim computer
reg - interact with the victim's registry
rev2self - calls RevertToSelf() on the victim machine
shell - opens a command shell on the victim machine
shutdown - shuts down the victim's computer
steal_token - attempts to steal the token of a specified (PID) process
sysinfo - gets the details about the victim computer such as OS and name
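The clearev command in the list above wipes the event logs, but the Event Log service records the wipe itself: Security event 1102 ("The audit log was cleared") and System event 104 ("The ... log file was cleared"), and those records land in the freshly emptied logs. Here is an added example (my own detection logic, not part of the post or of Metasploit) that runs over a constructed set of events exported as JSON lines and rates several clears on one host within a short window, which is what a single clearev produces, higher than a lone clear. The JSON field names are this example's own, not a vendor schema.

```ruby
require 'json'
require 'time'

# Constructed sample: Windows events exported one JSON object per line.
# Field names (time, host, channel, event_id, user, cleared_log) are
# this example's own convention.
SAMPLE_EVENTS = <<~JSONL
  {"time":"2024-05-01T08:00:01Z","host":"WS01","channel":"Security","event_id":4624,"user":"alice"}
  {"time":"2024-05-01T08:02:10Z","host":"WS01","channel":"Security","event_id":1102,"user":"alice"}
  {"time":"2024-05-01T08:02:11Z","host":"WS01","channel":"System","event_id":104,"user":"alice","cleared_log":"System"}
  {"time":"2024-05-01T08:02:11Z","host":"WS01","channel":"System","event_id":104,"user":"alice","cleared_log":"Application"}
  {"time":"2024-05-01T08:05:00Z","host":"WS02","channel":"Security","event_id":4688,"user":"bob"}
  {"time":"2024-05-01T09:00:00Z","host":"WS02","channel":"System","event_id":104,"user":"SYSTEM","cleared_log":"Setup"}
JSONL

# Events the Event Log service writes about a log being cleared.
LOG_CLEAR_EVENTS = {
  ['Security', 1102] => 'Security audit log cleared',
  ['System', 104]    => 'event log cleared'
}.freeze

def parse_events(jsonl)
  jsonl.each_line.map { |line| JSON.parse(line) }
end

# One alert per host that has at least one log-clear event. A burst of
# clears inside window_seconds is rated high (clearev empties Application,
# System and Security in one go); a single clear is rated medium so an
# analyst can confirm whether it was a planned admin action.
def detect_log_clears(jsonl, window_seconds: 60)
  clears = parse_events(jsonl).select { |e| LOG_CLEAR_EVENTS.key?([e['channel'], e['event_id']]) }
  clears.group_by { |e| e['host'] }.map do |host, evs|
    times = evs.map { |e| Time.iso8601(e['time']) }
    span  = (times.max - times.min).to_i
    burst = evs.size > 1 && span <= window_seconds
    first = evs.first
    {
      host: host,
      count: evs.size,
      users: evs.map { |e| e['user'] }.uniq,
      # A Security 1102 has no cleared_log field: the cleared log is Security itself.
      logs: evs.map { |e| e['cleared_log'] || e['channel'] }.uniq,
      first_seen: times.min,
      severity: burst ? 'high' : 'medium',
      reason: burst ? "#{evs.size} log-clear events within #{span}s (clearev-style wipe)" :
                      LOG_CLEAR_EVENTS[[first['channel'], first['event_id']]]
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  detect_log_clears(SAMPLE_EVENTS).each do |a|
    puts "[#{a[:severity]}] #{a[:host]} #{a[:users].join(',')}: #{a[:reason]} (#{a[:logs].join(', ')})"
  end
end
```

Forwarding events to a collector before they can be cleared is what makes this check robust: the 1102/104 records give you the time, host and account, but the events that were wiped only survive if they had already left the machine.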
Step 5: User Interface Commands

enumdesktops - lists all accessible desktops
getdesktop - get the current meterpreter desktop
idletime - checks to see how long the victim system has been idle
keyscan_dump - dumps the contents of the software keylogger
keyscan_start - starts the software keylogger when associated with a process such as Word or a browser
keyscan_stop - stops the software keylogger
screenshot - grabs a screenshot of the meterpreter desktop
set_desktop - changes the meterpreter desktop
uictl - enables control of some of the user interface components

Step 6: Privilege Escalation Commands

getsystem - uses 15 built-in methods to gain sysadmin privileges

Step 7: Password Dump Commands

hashdump - grabs the hashes in the password (SAM) file

Note that hashdump will often trip AV software, but there are now two scripts that are more stealthy, "run hashdump" and "run smart_hashdump". Look for more on those in my upcoming meterpreter script cheat sheet.

Step 8: Timestomp Commands

timestomp - manipulates the modify, access, and create attributes of a file
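Timestomp rewrites the MACE attributes from a date string given to the second, while NTFS stores timestamps at 100 ns resolution, so a file whose stamps have all been stomped ends up with an exactly zero fractional second on every one of them. The added example below (my own triage heuristic, not from the post or from Metasploit) scans a constructed set of file records for that pattern. It is a heuristic, not proof: files on FAT volumes (2 s resolution) or extracted from zip archives (DOS time, 2 s resolution) show zero fractions legitimately, and a stomp of only one stamp is not caught by the all-three rule. The record_from_file helper, an assumption of this example, builds the same record from a live file; on Windows, Ruby's File::Stat#ctime is the creation time, while on POSIX it is the inode-change time.

```ruby
# Triage heuristic for timestomped files. Added example, not Metasploit code.
StampRecord = Struct.new(:path, :modified, :accessed, :created, keyword_init: true)

# Builds a UTC Time with an explicit nanosecond part.
def ts(*ymdhms, nsec: 0)
  Time.at(Time.utc(*ymdhms).to_i, nsec, :nsec).utc
end

def zero_fraction?(t)
  t.nsec.zero?
end

# Names of the stamps whose fractional second is exactly zero.
def zeroed_stamps(rec)
  { modified: rec.modified, accessed: rec.accessed, created: rec.created }
    .select { |_, t| zero_fraction?(t) }.keys
end

# All three stamps with zero fractions is the signature of a full stomp
# (timestomp -z sets every attribute from a to-the-second string).
def timestomp_suspect?(rec)
  zeroed_stamps(rec).size == 3
end

def scan_for_timestomp(records)
  records.select { |r| timestomp_suspect?(r) }
         .map { |r| { path: r.path, zeroed: zeroed_stamps(r) } }
end

# Assumed helper for live use: File::Stat#ctime is creation time on
# Windows (NTFS) and inode-change time on POSIX, so treat :created as
# approximate off Windows.
def record_from_file(path)
  st = File.stat(path)
  StampRecord.new(path: path, modified: st.mtime, accessed: st.atime, created: st.ctime)
end

# Constructed records (not real files): one ordinary document, one file
# with every stamp set to the second, one with only the modified stamp zeroed.
SAMPLE_RECORDS = [
  StampRecord.new(path: 'C:/Users/alice/Documents/report.docx',
                  modified: ts(2024, 5, 1, 10, 15, 7, nsec: 532_118_700),
                  accessed: ts(2024, 5, 2, 8, 0, 3, nsec: 9_000_100),
                  created:  ts(2024, 4, 28, 16, 42, 11, nsec: 251_003_400)),
  StampRecord.new(path: 'C:/Windows/Temp/svchost_update.exe',
                  modified: ts(2019, 1, 1, 0, 0, 0),
                  accessed: ts(2019, 1, 1, 0, 0, 0),
                  created:  ts(2019, 1, 1, 0, 0, 0)),
  StampRecord.new(path: 'C:/Users/alice/notes.txt',
                  modified: ts(2024, 5, 3, 12, 0, 0),
                  accessed: ts(2024, 5, 3, 12, 30, 9, nsec: 77_200_000),
                  created:  ts(2024, 5, 3, 11, 58, 2, nsec: 640_011_900))
].freeze

if __FILE__ == $PROGRAM_NAME
  scan_for_timestomp(SAMPLE_RECORDS).each do |hit|
    puts "#{hit[:path]}: zero sub-second part on #{hit[:zeroed].join(', ')}"
  end
end
```

A stronger check compares the $STANDARD_INFORMATION stamps that timestomp alters against the $FILE_NAME stamps in the MFT record, which it does not touch; that needs an MFT parser and is outside this example.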
