Tool Documentation:
Video
msfrpcd
root@kali:~# msfrpcd -h
Usage: msfrpcd <options>
OPTIONS:
-P <opt> Specify the password to access msfrpcd
-S Disable SSL on the RPC socket
-U <opt> Specify the username to access msfrpcd
-a <opt> Bind to this IP address
-f Run the daemon in the foreground
-h Help banner
-n Disable database
-p <opt> Bind to this port instead of 55553
-t <opt> Token Timeout (default 300 seconds
-u <opt> URI for Web server
Metasploit-Framework Usage Examples
One of the best sources of information on using the Metasploit Framework is Metasploit Unleashed, a free online course created by OffSec. Metasploit Unleashed guides you from the absolute basics of Metasploit all the way through to advanced topics.
Packages and Binaries:
metasploit-framework
Framework for exploit development and vulnerability research
The Metasploit Framework is an open source platform that supports
vulnerability research, exploit development, and the creation of custom
security tools.
Installed size: 541.06 MB
How to install: sudo apt install metasploit-framework
Dependencies:
- bundler
- curl
- gcc-mingw-w64-i686-win32
- gcc-mingw-w64-x86-64-win32
- git
- john
- libc6
- libffi8
- libgcc-s1
- liblzma5
- libpcap0.8t64
- libruby3.3
- libsqlite3-0
- libssl3t64
- libstdc++6
- libyaml-0-2
- nasm
- nmap
- openssl
- oracle-instantclient-basic
- postgresql
- python3
- rake
- ruby
- ruby-json
- wget
- zlib1g
msf-egghunter
root@kali:~# msf-egghunter -h
Usage: msf-egghunter [options]
Example: msf-egghunter -f python -e W00T
Specific options:
-f, --format <String> See --list-formats for a list of supported output formats
-b, --badchars <String> (Optional) Bad characters to avoid for the egg
-e, --egg <String> The egg (Please give 4 bytes)
-p, --platform <String> (Optional) Platform
--startreg <String> (Optional) The starting register
--forward (Optional) To search forward
--depreg <String> (Optional) The DEP register
--depdest <String> (Optional) The DEP destination
--depsize <Integer> (Optional) The DEP size
--depmethod <String> (Optional) The DEP method to use (virtualprotect/virtualalloc/copy/copy_size)
-a, --arch <String> (Optional) Architecture
--list-formats List all supported output formats
-v, --var-name <name> (Optional) Specify a custom variable name to use for certain output formats
-h, --help Show this message
msf-exe2vba
root@kali:~# msf-exe2vba -h
Usage: msf-exe2vba [exe] [vba]
msf-exe2vbs
root@kali:~# msf-exe2vbs -h
Usage: msf-exe2vbs [exe] [vbs]
msf-find_badchars
root@kali:~# msf-find_badchars -h
Usage: msf-find_badchars <options>
OPTIONS:
-b The list of characters to avoid: '\x00\xff'
-h Help banner
-i Read memory contents from the supplied file path
-t The format that the memory contents are in (empty to list)
msf-halflm_second
root@kali:~# msf-halflm_second -h
Usage: msf-halflm_second <options>
OPTIONS:
-h Display this help information
-n The encrypted LM hash to crack
-p The decrypted LANMAN password for bytes 1-7
-s The server challenge (default value 1122334455667788)
msf-hmac_sha1_crack
root@kali:~# msf-hmac_sha1_crack -h
Usage: msf-hmac_sha1_crack hashes.txt <wordlist | - >
The format of hash file is <identifier>:<hex-salt>:<hash>
msf-java_deserializer
root@kali:~# msf-java_deserializer -h
Usage: msf-java_deserializer <file> [option]
-a, --array=ID Print detailed information about content array
-o, --object=ID Print detailed information about content object
-h, --help Prints this help
msf-jsobfu
root@kali:~# msf-jsobfu -h
Usage: msf-jsobfu [options]
Specific options:
-t, --iteration <Integer> Number of times to obfuscate the JavaScript
-i, --input <String> The JavaScript file you want to obfuscate (default=1)
-o, --output <String> Save the obfuscated file as
-p id1,id2, The identifiers to preserve
--preserved-identifiers
-h, --help Show this message
msf-makeiplist
msf-md5_lookup
root@kali:~# msf-md5_lookup -h
Usage: msf-md5_lookup [options]
Specific options:
-i, --input <file> The file that contains all the MD5 hashes (one line per hash)
-d, --databases <names> (Optional) Select databases: all, authsecu, i337, md5_my_addr, md5_net, md5crack, md5cracker, md5decryption, md5online, md5pass, netmd5crack, tmto (Default=all)
-o, --out <filepath> (Optional) Save the results to a file (Default=md5_results.txt)
-h, --help Show this message
msf-metasm_shell
root@kali:~# msf-metasm_shell -h
Usage: msf-metasm_shell <options>
OPTIONS:
-a The architecture to encode as (ARM, Ia32, MIPS, X86_64)
-e The endianness to encode as (big, little)
-h Display this help information
msf-msf_irb_shell
root@kali:~# msf-msf_irb_shell -h
Usage: irb.rb [options] [programfile] [arguments]
-f Don't initialize from configuration file.
-d Set $DEBUG and $VERBOSE to true (same as 'ruby -d').
-r load-module Require load-module (same as 'ruby -r').
-I path Specify $LOAD_PATH directory (same as 'ruby -I').
-U Set external and internal encodings to UTF-8.
-E ex[:in] Set default external (ex) and internal (in) encodings
(same as 'ruby -E').
-w Suppress warnings (same as 'ruby -w').
-W[level=2] Set warning level: 0=silence, 1=medium, 2=verbose
(same as 'ruby -W').
--context-mode n Set n[0-4] to method to create Binding Object,
when new workspace was created.
--extra-doc-dir Add an extra doc dir for the doc dialog.
--echo Show result (default).
--noecho Don't show result.
--echo-on-assignment
Show result on assignment.
--noecho-on-assignment
Don't show result on assignment.
--truncate-echo-on-assignment
Show truncated result on assignment (default).
--inspect Use 'inspect' for output.
--noinspect Don't use 'inspect' for output.
--no-pager Don't use pager.
--multiline Use multiline editor module (default).
--nomultiline Don't use multiline editor module.
--singleline Use single line editor module.
--nosingleline Don't use single line editor module (default).
--colorize Use color-highlighting (default).
--nocolorize Don't use color-highlighting.
--autocomplete Use auto-completion (default).
--noautocomplete Don't use auto-completion.
--regexp-completor
Use regexp based completion (default).
--type-completor Use type based completion.
--prompt prompt-mode, --prompt-mode prompt-mode
Set prompt mode. Pre-defined prompt modes are:
'default', 'classic', 'simple', 'inf-ruby', 'xmp', 'null'.
--inf-ruby-mode Use prompt appropriate for inf-ruby-mode on emacs.
Suppresses --multiline and --singleline.
--sample-book-mode, --simple-prompt
Set prompt mode to 'simple'.
--noprompt Don't output prompt.
--script Script mode (default, treat first argument as script)
--noscript No script mode (leave arguments in argv)
--single-irb Share self with sub-irb.
--tracer Show stack trace for each command.
--back-trace-limit n[=16]
Display backtrace top n and bottom n.
--verbose Show details.
--noverbose Don't show details.
-v, --version Print the version of irb.
-h, --help Print help.
-- Separate options of irb from the list of command-line args.
msf-nasm_shell
root@kali:~# msf-nasm_shell -h
0 bits not supported
msf-pattern_create
root@kali:~# msf-pattern_create -h
Usage: msf-pattern_create [options]
Example: msf-pattern_create -l 50 -s ABC,def,123
Ad1Ad2Ad3Ae1Ae2Ae3Af1Af2Af3Bd1Bd2Bd3Be1Be2Be3Bf1Bf
Options:
-l, --length <length> The length of the pattern
-s, --sets <ABC,def,123> Custom Pattern Sets
-h, --help Show this message
msf-pattern_offset
root@kali:~# msf-pattern_offset -h
Usage: msf-pattern_offset [options]
Example: msf-pattern_offset -q Aa3A
[*] Exact match at offset 9
Options:
-q, --query Aa0A Query to Locate
-l, --length <length> The length of the pattern
-s, --sets <ABC,def,123> Custom Pattern Sets
-h, --help Show this message
msf-pdf2xdp
root@kali:~# msf-pdf2xdp -h
Usage: msf-pdf2xdp input.pdf output.xdp
msf-virustotal
root@kali:~# msf-virustotal -h
Usage: msf-virustotal [options]
Specific options:
-k <key> (Optional) Virusl API key to use
-d <seconds> (Optional) Number of seconds to wait for the report
-q (Optional) Do a hash search without uploading the sample
-f <filenames> Files to scan
Common options:
-h, --help Show this message
msfconsole
Metasploit Framework Console
root@kali:~# msfconsole -h
Usage: msfconsole [options]
Common options:
-E, --environment ENVIRONMENT Set Rails environment, defaults to RAIL_ENV environment variable or 'production'
Database options:
-M, --migration-path DIRECTORY Specify a directory containing additional DB migrations
-n, --no-database Disable database support
-y, --yaml PATH Specify a YAML file containing database settings
Framework options:
-c FILE Load the specified configuration file
-v, -V, --version Show version
Module options:
--[no-]defer-module-loads Defer module loading unless explicitly asked
-m, --module-path DIRECTORY Load an additional module path
Console options:
-a, --ask Ask before exiting Metasploit or accept 'exit -y'
-H, --history-file FILE Save command history to the specified file
-l, --logger STRING Specify a logger to use (Flatfile, Stderr, Stdout, StdoutWithoutTimestamps, TimestampColorlessFlatfile)
--[no-]readline
-L, --real-readline Use the system Readline library instead of RbReadline
-o, --output FILE Output to the specified file
-p, --plugin PLUGIN Load a plugin on startup
-q, --quiet Do not print the banner on startup
-r, --resource FILE Execute the specified resource file (- for stdin)
-x, --execute-command COMMAND Execute the specified console commands (use ; for multiples)
-h, --help Show this message
msfd
root@kali:~# msfd -h
Usage: msfd <options>
OPTIONS:
-a Bind to this IP address instead of loopback
-A Specify list of hosts allowed to connect
-D Specify list of hosts not allowed to connect
-f Run the daemon in the foreground
-h Help banner
-p Bind to this port instead of 55554
-q Do not print the banner on startup
-s Use SSL
msfdb
root@kali:~# msfdb -h
Manage the metasploit framework database
You can use an specific port number for the
PostgreSQL connection setting the PGPORT variable
in the current shell.
Example: PGPORT=5433 msfdb init
msfdb init # start and initialize the database
msfdb reinit # delete and reinitialize the database
msfdb delete # delete database and stop using it
msfdb start # start the database
msfdb stop # stop the database
msfdb status # check service status
msfdb run # start the database and run msfconsole
msfrpc
root@kali:~# msfrpc -h
Usage: msfrpc <options>
OPTIONS:
-a Connect to this IP address
-h Help banner
-p Connect to the specified port instead of 55553
-P Specify the password to access msfrpcd
-S Disable SSL on the RPC socket
-U Specify the username to access msfrpcd
msfrpcd
root@kali:~# msfrpcd -h
Usage: msfrpcd <options>
OPTIONS:
-a Bind to this IP address (default: 0.0.0.0)
-c (JSON-RPC) Path to certificate (default: /root/.msf4/msf-ws-cert.pem)
-f Run the daemon in the foreground
-h Help banner
-j (JSON-RPC) Start JSON-RPC server
-k (JSON-RPC) Path to private key (default: /root/.msf4/msf-ws-key.pem)
-n Disable database
-p Bind to this port (default: 55553)
-P Specify the password to access msfrpcd
-S Disable SSL on the RPC socket
-t Token Timeout seconds (default: 300)
-U Specify the username to access msfrpcd
-u URI for Web server
-v (JSON-RPC) SSL enable verify (optional) client cert requests
msfupdate
root@kali:~# msfupdate -h
msfupdate is no longer supported when Metasploit is part of the operating
system. Please use 'apt update; apt install metasploit-framework'
msfvenom
Payload Generator and Encoder
root@kali:~# msfvenom -h
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>
Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe
Options:
-l, --list <type> List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, encrypt, formats, all
-p, --payload <payload> Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
--list-options List --payload <value>'s standard, advanced and evasion options
-f, --format <format> Output format (use --list formats to list)
-e, --encoder <encoder> The encoder to use (use --list encoders to list)
--service-name <value> The service name to use when generating a service binary
--sec-name <value> The new section name to use when generating large Windows binaries. Default: random 4-character alpha string
--smallest Generate the smallest possible payload using all available encoders
--encrypt <value> The type of encryption or encoding to apply to the shellcode (use --list encrypt to list)
--encrypt-key <value> A key to be used for --encrypt
--encrypt-iv <value> An initialization vector for --encrypt
-a, --arch <arch> The architecture to use for --payload and --encoders (use --list archs to list)
--platform <platform> The platform for --payload (use --list platforms to list)
-o, --out <path> Save the payload to a file
-b, --bad-chars <list> Characters to avoid example: '\x00\xff'
-n, --nopsled <length> Prepend a nopsled of [length] size on to the payload
--pad-nops Use nopsled size specified by -n <length> as the total payload size, auto-prepending a nopsled of quantity (nops minus payload length)
-s, --space <length> The maximum size of the resulting payload
--encoder-space <length> The maximum size of the encoded payload (defaults to the -s value)
-i, --iterations <count> The number of times to encode the payload
-c, --add-code <path> Specify an additional win32 shellcode file to include
-x, --template <path> Specify a custom executable file to use as a template
-k, --keep Preserve the --template behaviour and inject the payload as a new thread
-v, --var-name <value> Specify a custom variable name to use for certain output formats
-t, --timeout <second> The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)
-h, --help Show this message
Learn more with OffSec
Want to learn more about metasploit-framework? get access to in-depth training and hands-on labs:
Updated on: 2025-Dec-09