Getting Started With the Metasploit Framework: A Pentesting Tutorial

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

The Metasploit project contains some of the best security tools available, including the open source Metasploit Framework. Both pen testers and hackers use it to find and exploit vulnerabilities as well as to set up reverse shells, develop malicious payloads, or generate reports.

The tool, maintained by Rapid7, even offers comprehensive documentation, where you can learn the basics to start using it.

However, Metasploit is not just another hacking tool. It’s a whole platform with command lines and modules you can use to attack a target. It offers several different features, web interfaces, and free trials. But, here we’ll focus on Metasploit Framework, which is the free, open-source edition.

Also read: 10 Top Open Source Penetration Testing Tools

Setting Up a Test Environment

The idea with Metasploit is to attack another machine, so you’ll need another machine to run your tests. Most beginners use a virtual machine with Kali Linux and their own machine as a target.

While it might seem convenient, it’s not recommended to use such a configuration. It is better to use several virtual machines; for example, one for the attacker and one for the victim. This way, you can train with various operating systems and disable antivirus software and firewalls safely.


For convenience, we’ll use Kali Linux, but you can use Nightly Installers if you prefer. The Metasploit Framework is available on all major operating systems, including macOS, Windows, and Linux distributions.

If you’re ready to install Kali, the easy way is to spin up a virtual machine. Once you have that, connect to a new Kali session and search Metasploit Framework in the menu to launch the console. Alternatively, you can open the terminal and type msfconsole.

As a general rule, it is strongly recommended to keep your system up to date to get the latest version of exploits and other software. To do so, open the Kali terminal and type apt update.

While it might take some time, don’t skip this step unless it’s the first time you install and use Kali.

Your First Exploit

Metasploit provides a great database of all kinds of exploits. For example, you can use the command search type:exploit platform:unix to search exploits for Unix systems.

You’ll get a large list of potential exploits to attack your target. And commands such as use exploit/unix/local/chkrootkit can be used directly in the console.

If there’s a default payload, Metasploit will select it for you, but you can show all payloads with the command show payloads.

To select a payload, use the command set payload. For example, set payload cmd/unix/bind_awk would select the first option above.

After that, you would logically use the run command. However, some payloads require additional configurations, like an active session and a host.

To list all options you can continue with, type show options in the terminal, and to get more information, you can type info.

These commands will give you everything you need to know, including the current status of your payload, parameters, all details about the exploit you are generating, and many more.

Additionally, you can use the setg command to set some parameters as global variables, so you won’t need to type the same configurations again during your tests with other exploits.

Once you have everything set correctly, you can type run or exploit. After that, the following steps usually consist of sending the generated executable to a targeted machine to exploit the vulnerability.

Also read:

Key Metasploit Concepts and Features

To fully take advantage of Metasploit Framework, there are more advanced concepts (not necessarily more complicated) you need to understand.


In addition to the exploits and payloads, Metasploit provides auxiliaries, which are pre-configured modules to ease the work.

For example, the command use auxiliary/scanner/ftp/easy_file_sharing_ftp 

allows you to exploit a directory traversal vulnerability found in Easy File Sharing FTP Server 3.6. And scanners use a simple run command to efficiently spot vulnerabilities to exploit.

In addition, auxiliaries are relatively organized with the use of categories (subfolders), which can be useful to help speed up work processes.


Encoders allow obfuscating your payloads to evade detection. For example, the command use encoder/x64/xor uses an 8-byte key and takes advantage of x64 relative addressing.


Once you have generated your first payloads, there are more advanced settings you might appreciate, such as the evasion options, which can be found with the command show evasion.

It’s not always set by default for all payloads, but, if there are evasions available, you can use them to evade typical detection mechanisms, such as antivirus software, endpoint detection and response (EDR) software, or firewalls.


Nops are another type of modules provided by Metasploit. They can be shown with the command use nop/tty/generic.

These generators produce “a series of random bytes that you can use to bypass standard IDS and IPS NOP sled signatures.”


Metasploit can help with post modules to escalate root privileges, install keyloggers, or execute PowerShell scripts after you have gained unauthorized access.

Such post-exploitation techniques are extremely useful to speed up operations during a pen test. For example, use post/osx/capture/keylog_recorder can be used to record keystrokes and other keyboard events.


When you search for exploits or other modules, use grep to speed up the process and select only the relevant results. It is a useful command for all types of modules, not just auxiliary scanners. Use grep along with the search command. For example:

grep scanner search ssh


Meterpreter is an advanced payload that is one of the most widely used payloads for Metasploit. It is often used in development to emulate attacks, and it has special features that allow migrating to another process or taking screenshots inside the target machine.


Msfvenom is the combination of payload generation and encoding that replaced msfpayload and msfencode in 2015. The syntax is not that complicated, and you can use it directly in Kali Linux by typing the command or just msfpc in the terminal (outside the msf console). Moreover, it’s not limited to one output format (e.i., you can generate .exe and other file types).

Also read: 13 Best Vulnerability Scanner Tools

What Attackers Can Do With Minimum Effort

Metasploit is a powerful tool that pen testers (and hackers) can use to:

  • Perform all kinds of scans and enumerations
  • Gain unauthorized access (e.g. listing tokens)
  • Impersonate users
  • Exfiltrate confidential data
  • Take screenshots
  • Copy the login page of a website frequently visited by the victim and redirect them to a rogue server (e.g., by modifying the hosts file)
  • Install keyloggers

In other words, an attacker can take full control of a targeted machine with minimum effort and limited technical ability using Metasploit Framework.

Read next: Top Vulnerability Management Tools

Get the Free Cybersecurity Newsletter

Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Julien Maury Avatar

Subscribe to Cybersecurity Insider

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.

Top Cybersecurity Companies

Top 10 Cybersecurity Companies

See full list

Get the Free Newsletter!

Subscribe to Cybersecurity Insider for top news, trends & analysis