- by x32x01 ||
If you're diving deep into penetration testing, ethical hacking, or red teaming, then you’ve definitely come across Meterpreter - one of the most powerful payloads built into the Metasploit Framework. This tool gives security professionals and penetration testers a flexible, stealthy, in-memory shell packed with features that make post-exploitation faster, smarter, and more effective. 
In this full guide, we’ll break down how Meterpreter works, explain its internal process in simple language, and give you a clean, organized list of the top 60 Meterpreter commands every ethical hacker should master. We’ll also include practical examples and command snippets so beginners and advanced users alike can follow along easily.
Meterpreter isn’t just a normal shell. It’s an advanced payload designed to run completely in memory, making it harder for antivirus and endpoint tools to detect. Here's the simplified workflow of how it operates:
This is usually one of the following:
bind, reverse, findtag, passivex, etc.
Its job is to open communication between the attacker and the compromised machine.
The stager loads a DLL that starts with the prefix Reflective.
The Reflective Loader is responsible for injecting Meterpreter into memory without writing files to disk — a huge advantage in stealth operations.
Meterpreter initiates a TLS/1.0 connection over the socket and sends a GET request.
Metasploit configures the client and prepares it for post-exploitation.
Meterpreter automatically loads key extensions such as:
Top 60 Useful Meterpreter Commands (With Descriptions)
Below is the full list of essential Meterpreter commands you’ll need during post-exploitation. These commands help you manage files, processes, users, keystrokes, desktops, webcams, privilege escalation, and more.
Each command is explained in simple, beginner-friendly language:
Here’s a quick real-world workflow:
These small tasks show how powerful Meterpreter can be for penetration testing, incident response, and red teaming.
Meterpreter is one of the strongest tools in the modern penetration tester’s toolkit. With features like in-memory execution, encrypted communication, stealthy process migration, keystroke capture, privilege escalation, and full system control - professionals can perform highly advanced post-exploitation tasks safely and efficiently.
Mastering these top 60 Meterpreter commands will give you a huge advantage in real-world ethical hacking engagements and lab practice. Keep experimenting, stay ethical, and always get permission before testing!
In this full guide, we’ll break down how Meterpreter works, explain its internal process in simple language, and give you a clean, organized list of the top 60 Meterpreter commands every ethical hacker should master. We’ll also include practical examples and command snippets so beginners and advanced users alike can follow along easily.
How Meterpreter Works
Meterpreter isn’t just a normal shell. It’s an advanced payload designed to run completely in memory, making it harder for antivirus and endpoint tools to detect. Here's the simplified workflow of how it operates:
1. The target runs the initial stager
This is usually one of the following:bind, reverse, findtag, passivex, etc.
Its job is to open communication between the attacker and the compromised machine.
2. Reflective DLL injection happens
The stager loads a DLL that starts with the prefix Reflective.The Reflective Loader is responsible for injecting Meterpreter into memory without writing files to disk — a huge advantage in stealth operations.
3. A secure TLS communication channel is established
Meterpreter initiates a TLS/1.0 connection over the socket and sends a GET request.Metasploit configures the client and prepares it for post-exploitation.
4. Extensions are loaded
Meterpreter automatically loads key extensions such as:- stdapi - for filesystem, networking, system commands
- priv - for advanced privilege escalation (loaded only when needed)
Top 60 Useful Meterpreter Commands (With Descriptions) Below is the full list of essential Meterpreter commands you’ll need during post-exploitation. These commands help you manage files, processes, users, keystrokes, desktops, webcams, privilege escalation, and more.
Each command is explained in simple, beginner-friendly language:
File System Commands
| Command | Description |
|---|---|
| cat | Display file contents on screen |
| cd | Change directory |
| download | Download a file from the target |
| edit | Edit a file directly |
| getlwd | Show local working directory |
| getwd | Show remote working directory |
| lcd | Change local directory |
| lpwd | Show local directory |
| ls | List files/folders |
| mkdir | Create a directory |
| pwd | Print working directory |
| rm | Delete a file |
| rmdir | Remove directory |
| search | Search for files |
| upload | Upload file to target |
Example: Searching for password files
Bash:
search -f *password*
Session & Channel Commands
| Command | Description |
|---|---|
| background | Send session to background |
| bgkill | Kill background session |
| channel | Show active channels |
| close | Close a channel |
| interact | Interact with a channel |
| read | Read data from channel |
| write | Write data to a channel |
Unicode Encoding Commands
| Command | Description |
|---|---|
| disable_unicode_encoding | Disable Unicode encoding |
| enable_unicode_encoding | Enable Unicode encoding |
Scripting & Automation Commands
| Command | Description |
|---|---|
| irb | Ruby scripting shell (dev mode) |
| resource | Run commands from file |
| run | Execute a script or post module |
| load | Load Meterpreter extensions |
Desktop & UI Interaction
| Command | Description |
|---|---|
| getdesktop | Get active desktop session |
| idletime | Show user idle time |
| keyscan_start | Start logging keystrokes |
| keyscan_stop | Stop logging |
| keyscan_dump | Show captured keystrokes |
| screenshot | Take screenshot |
| setdesktop | Switch desktop |
| uictl | Control GUI components |
Example: Taking a screenshot
Bash:
screenshot
Webcam Commands
| Command | Description |
|---|---|
| webcam_list | List available webcams |
| webcam_snap | Capture an image |
Privilege & Security Commands
| Command | Description |
|---|---|
| getsystem | Attempt privilege escalation |
| hashdump | Dump SAM password hashes |
| timestomp | Edit file timestamps |
| clearev | Clear event logs |
| drop_token | Drop impersonation token |
| steal_token | Steal impersonation token |
Example: Attempting privilege escalation
Bash:
getsystem
System Interaction & Process Control
| Command | Description |
|---|---|
| getpid | Get current process ID |
| getprivs | Show process privileges |
| getuid | Show current user |
| kill | Kill a process |
| ps | List processes |
| reboot | Reboot machine |
| shutdown | Shut down machine |
| reg | Access remote registry |
| rev2self | Revert to original user |
| shell | Open system command shell |
Execution & Migration
| Command | Description |
|---|---|
| execute | Run a command |
| migrate | Move Meterpreter to another process |
| quit | Exit session |
| exit | Close Meterpreter |
Example: Migrating to explorer.exe
Bash:
ps
migrate <PID>
Simple Example: Using Meterpreter to Capture a Screenshot & Dump Passwords
Here’s a quick real-world workflow: Bash:
# Take a screenshot
screenshot
# Dump password hashes
hashdump
# Search for sensitive files
search -f *.txt
# Escalate privileges
getsystem
Final Thoughts
Meterpreter is one of the strongest tools in the modern penetration tester’s toolkit. With features like in-memory execution, encrypted communication, stealthy process migration, keystroke capture, privilege escalation, and full system control - professionals can perform highly advanced post-exploitation tasks safely and efficiently.Mastering these top 60 Meterpreter commands will give you a huge advantage in real-world ethical hacking engagements and lab practice. Keep experimenting, stay ethical, and always get permission before testing!
Last edited: