Metasploit 101: The Ultimate Cheat Sheet

What is Metasploit?
Metasploit is one of the most powerful and popular tools for penetration testing in cybersecurity. It gives security professionals, ethical hackers, and red teamers everything they need to find vulnerabilities, build exploits, and test how strong a system’s defences are.
First built by H.D. Moore back in 2003, Metasploit has become the go-to framework for simulating real-world attacks. Thanks to its modular design, you can scan networks, exploit weaknesses, and take control of systems in a flexible and customisable way.
Some of the primary uses of Metasploit include:
- Vulnerability Scanning: Metasploit makes network scanning and identifying vulnerabilities easy. It helps you find the weak spots before an attacker does, allowing you to know exactly where to focus your fixes.
- Exploitation of Security Flaws: Metasploit gives you the tools to exploit vulnerabilities once you find them. Whether you are testing systems or building attack chains, it makes launching exploits fast and flexible.
- Post Exploitation: After getting access to a system, Metasploit has a variety of tools to dig deeper. You can pull sensitive data, move laterally inside networks, and escalate your privileges for permanent access.
- Payload Generation: Metasploit can generate all kinds of payloads depending on what you need. From popping a reverse shell to setting up full backdoor access, it lets you customise and deploy them quickly on the fly.
- Security Research and Proof of Concept Creation: If you are building or testing new exploits, Metasploit is your go-to. It makes it simple to put together proof-of-concept code so you can show exactly how a vulnerability could be abused in the real world.
- Community and Commercial Support: Metasploit is backed by a large community and serious commercial support. Whether you are just learning or doing professional red team work, there is a vast body of knowledge, including updates, that helps keep you sharp.
Common Metasploit Commands
Short Title | Command | Description |
---|---|---|
Start Metasploit | msfconsole | Starts the Metasploit console where all operations happen. |
Search Modules | search [keyword] | Looks for modules that match a keyword, like exploits or scanners. |
Load Module | use [module_path] | Loads a specific module to work with. |
Module Info | info | Gives detailed information about the loaded module. |
List Exploits | show exploits | Lists all available exploits in Metasploit. |
List Auxiliary | show auxiliary | Lists all auxiliary modules like scanners and fuzzers. |
List Payloads | show payloads | Shows all payloads available to attach to exploits. |
List Encoders | show encoders | Displays all encoders for obfuscating payloads. |
List NOPs | show nops | Lists all no-operation generators for payload padding. |
Show Module Options | show options | Displays the configurable options for a loaded module. |
Set Module Option | set [option] [value] | Sets a value for a specific option in the loaded module. |
Set Global Option | setg [option] [value] | Sets a global value to persist across modules. |
Unset Option | unset [option] | Clears a set option from the current module. |
Unset Global Option | unsetg [option] | Clears a global setting that was previously set. |
Back to Console | back | Exits the module and returns to the main console. |
Exit Metasploit | exit or quit | Fully exits the Metasploit console. |
Check Vulnerability | check | Tests if the target is vulnerable before exploiting. |
Run Module | run | Executes an auxiliary module like a scanner or brute-forcer. |
Launch Exploit | exploit | Launches the loaded exploit module at the target. |
List Sessions | sessions | Lists all active sessions from successful exploits. |
Interact with Session | sessions -i [ID] | Opens an interactive shell with a specific session. |
Background Session | background | Pushes the active session into the background. |
List Jobs | jobs | Lists all background jobs like scanners and listeners. |
Kill Job | kill [job_id] | Stops a running background job. |
Nmap Scan | db_nmap [options] | Runs an Nmap scan directly inside Metasploit and stores results. |
List Vulnerabilities | vulns | Lists vulnerabilities found during scanning. |
List Hosts | hosts | Displays all discovered hosts. |
List Services | services | Displays services running on discovered hosts. |
View Loot | loot | Manages and displays collected files and session data. |
Use Handler | use exploit/multi/handler | Loads a handler to catch reverse shells or staged payloads. |
Set Payload | set PAYLOAD [payload_name] | Sets the specific payload you want to use. |
Show Targets | show targets | Lists available targets for the exploit you loaded. |
Show Advanced Options | show advanced | Displays advanced options for the loaded module. |
Reload Module | reload | Reloads the currently loaded module. |
Save Configuration | save | Saves your current workspace and settings. |
Load Saved Configuration | load | Loads previously saved settings. |
Generate Payload | msfvenom | Creates a custom payload manually. |
Update Metasploit | msfupdate | Updates the Metasploit Framework to the latest version. |
Connect to Remote Host | connect [IP] [Port] | Opens a simple TCP connection to a target host. |
Resource Script | resource [script.rc] | Runs a script with a list of Metasploit commands automatically. |
db_status | db_status | Shows the current status of the database connection. |
Workspace Management | workspace | Creates or switches between multiple Metasploit workspaces. |
Clear Console | clear | Clears the Metasploit console screen. |
For more information, feel free to explore the Metasploit Docs.