If you're diving deep into penetration testing, ethical hacking, or red teaming, then you’ve definitely come across Meterpreter - one of the most powerful payloads built into the Metasploit Framework. This tool gives security professionals and penetration testers a flexible, stealthy, in-memory shell packed with features that make post-exploitation faster, smarter, and more effective. 🔥
In this full guide, we’ll break down how Meterpreter works, explain its internal process in simple language, and give you a clean, organized list of the top 60 Meterpreter commands every ethical hacker should master. We’ll also include practical examples and command snippets so beginners and advanced users alike can follow along easily. 🧑💻💡
🔍 How Meterpreter Works
Meterpreter isn’t just a normal shell. It’s an advanced payload designed to run completely in memory, making it harder for antivirus and endpoint tools to detect. Here's the simplified workflow of how it operates:
🧩 1. The target runs the initial stager
This is usually one of the following: bind, reverse, findtag, passivex, etc.
Its job is to open communication between the attacker and the compromised machine.
🧬 2. Reflective DLL injection happens
The stager loads a DLL that starts with the prefix Reflective.
The Reflective Loader is responsible for injecting Meterpreter into memory without writing files to disk — a huge advantage in stealth operations.
🔗 3. A secure TLS communication channel is established
Meterpreter initiates a TLS/1.0 connection over the socket and sends a GET request.
Metasploit configures the client and prepares it for post-exploitation.
📦 4. Extensions are loaded
Meterpreter automatically loads key extensions such as:
- stdapi - for filesystem, networking, system commands
- priv - for advanced privilege escalation (loaded only when needed)
All extensions are transferred over encrypted TLS connections using the TLV protocol.
🛠️ Top 60 Useful Meterpreter Commands (With Descriptions) 🧑💻
Below is the full list of essential Meterpreter commands you’ll need during post-exploitation. These commands help you manage files, processes, users, keystrokes, desktops, webcams, privilege escalation, and more.
Each command is explained in simple, beginner-friendly language:
📂 File System Commands
| Command | Description |
|---|---|
| cat | Display file contents on screen |
| cd | Change directory |
| download | Download a file from the target |
| edit | Edit a file directly |
| getlwd | Show local working directory |
| getwd | Show remote working directory |
| lcd | Change local directory |
| lpwd | Show local directory |
| ls | List files/folders |
| mkdir | Create a directory |
| pwd | Print working directory |
| rm | Delete a file |
| rmdir | Remove directory |
| search | Search for files |
| upload | Upload file to target |
🔧 Example: Searching for password files
🧠 Session & Channel Commands
| Command | Description |
|---|---|
| background | Send session to background |
| bgkill | Kill background session |
| channel | Show active channels |
| close | Close a channel |
| interact | Interact with a channel |
| read | Read data from channel |
| write | Write data to a channel |
🧩 Unicode Encoding Commands
| Command | Description |
|---|---|
| disable_unicode_encoding | Disable Unicode encoding |
| enable_unicode_encoding | Enable Unicode encoding |
🧪 Scripting & Automation Commands
| Command | Description |
|---|---|
| irb | Ruby scripting shell (dev mode) |
| resource | Run commands from file |
| run | Execute a script or post module |
| load | Load Meterpreter extensions |
🖥️ Desktop & UI Interaction
| Command | Description |
|---|---|
| getdesktop | Get active desktop session |
| idletime | Show user idle time |
| keyscan_start | Start logging keystrokes |
| keyscan_stop | Stop logging |
| keyscan_dump | Show captured keystrokes |
| screenshot | Take screenshot |
| setdesktop | Switch desktop |
| uictl | Control GUI components |
🧪 Example: Taking a screenshot
📸 Webcam Commands
| Command | Description |
|---|---|
| webcam_list | List available webcams |
| webcam_snap | Capture an image |
🔓 Privilege & Security Commands
| Command | Description |
|---|---|
| getsystem | Attempt privilege escalation |
| hashdump | Dump SAM password hashes |
| timestomp | Edit file timestamps |
| clearev | Clear event logs |
| drop_token | Drop impersonation token |
| steal_token | Steal impersonation token |
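
For defenders, two rows of this table leave well-known Windows event log traces: clearev shows up as Security event 1102 and System event 104, and the named-pipe impersonation technique that getsystem can use installs a service recorded as System event 7045. The Python below is an added example, not part of the original guide; the JSON field layout and the sample events are constructed for illustration.

```python
import json
import re

# Constructed sample events (JSON lines) shaped like an exported Windows event feed.
SAMPLE_EVENTS = r"""
{"Channel": "System", "EventID": 7045, "ServiceName": "qhzkvd", "ImagePath": "cmd.exe /c echo qhzkvd > \\\\.\\pipe\\qhzkvd"}
{"Channel": "System", "EventID": 7045, "ServiceName": "ExampleUpdater", "ImagePath": "C:\\Program Files\\Example\\updater.exe"}
{"Channel": "Security", "EventID": 1102, "SubjectUserName": "labuser"}
{"Channel": "System", "EventID": 104, "LogName": "Application"}
{"Channel": "Security", "EventID": 4624, "LogonType": 3}
"""

# A service whose command line only echoes a token into a named pipe is the
# footprint of named-pipe impersonation, one technique behind getsystem.
PIPE_ECHO = re.compile(r"cmd(\.exe)?\s+/c\s+echo\s+\S+\s*>\s*\\\\\.\\pipe\\\S+", re.I)

def classify(event):
    """Return a finding label for one event dict, or None if nothing matches."""
    if not isinstance(event, dict):
        return None
    channel, event_id = event.get("Channel"), event.get("EventID")
    if channel == "Security" and event_id == 1102:
        return "security-log-cleared"
    if channel == "System" and event_id == 104:
        return "event-log-cleared"
    if channel == "System" and event_id == 7045:
        if PIPE_ECHO.search(str(event.get("ImagePath", ""))):
            return "service-echo-to-named-pipe"
    return None

def detect(log_text):
    """Parse JSON lines and return (line_number, label) for each finding."""
    findings = []
    for number, line in enumerate(log_text.strip().splitlines(), start=1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of failing
        label = classify(event)
        if label:
            findings.append((number, label))
    return findings

if __name__ == "__main__":
    for number, label in detect(SAMPLE_EVENTS):
        print(f"line {number}: {label}")
```

Each finding is a lead for triage rather than a verdict: administrators also clear logs and install services, so correlate by host and time window before escalating.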
🔥 Example: Attempting privilege escalation
👤 System Interaction & Process Control
| Command | Description |
|---|---|
| getpid | Get current process ID |
| getprivs | Show process privileges |
| getuid | Show current user |
| kill | Kill a process |
| ps | List processes |
| reboot | Reboot machine |
| shutdown | Shut down machine |
| reg | Access remote registry |
| rev2self | Revert to original user |
| shell | Open system command shell |
🚀 Execution & Migration
| Command | Description |
|---|---|
| execute | Run a command |
| migrate | Move Meterpreter to another process |
| quit | Exit session |
| exit | Close Meterpreter |
🔥 Example: Migrating to explorer.exe
📘 Simple Example: Using Meterpreter to Capture a Screenshot & Dump Passwords
Here’s a quick real-world workflow:
```
# Take a screenshot
screenshot
# Dump password hashes
hashdump
# Search for sensitive files
search -f *.txt
# Escalate privileges
getsystem
```
These small tasks show how powerful Meterpreter can be for penetration testing, incident response, and red teaming.
🎯 Final Thoughts
Meterpreter is one of the strongest tools in the modern penetration tester’s toolkit. With features like in-memory execution, encrypted communication, stealthy process migration, keystroke capture, privilege escalation, and full system control - professionals can perform highly advanced post-exploitation tasks safely and efficiently.
Mastering these top 60 Meterpreter commands will give you a huge advantage in real-world ethical hacking engagements and lab practice. Keep experimenting, stay ethical, and always get permission before testing! ⚡🛡️