Metasploit Framework Tutorial
Intermediate · ⏱ 30 min read · Penetration Testing & Red Team
Exploit with confidence. Master Metasploit Framework.
Metasploit Framework is the world's most used penetration testing framework with 2,000+ exploits and powerful post-exploitation capabilities.
Prerequisites
- Kali Linux or Metasploit installed
- Basic networking knowledge
- A vulnerable lab (Metasploitable, HackTheBox)
Installation & Database Setup
Pre-installed on Kali. Initialize PostgreSQL with sudo msfdb init.
Verify Database
Run db_status inside msfconsole to confirm connection.
Core Concepts
Modules: exploits, auxiliary, post, payloads, encoders. Workspaces and RHOSTS/LHOST paradigm.
Module Types
Exploits deliver payloads. Auxiliary scans. Post runs after access.
Finding & Using Exploits
Search by CVE, service, or platform. Set options and run.
Meterpreter Deep Dive
Interactive shell with file management, pivoting, privilege escalation, credential harvesting.
Pivoting
Use autoroute and portfwd to reach internal networks.
Post-Exploitation
Gather creds, escalate privileges, persist with hashdump, autoroute, persistence_exe.
Generating Payloads (msfvenom)
Create standalone payloads for phishing, USB, or web delivery.
Real-World Workflow
1) db_nmap scan. 2) Search exploits. 3) Exploit. 4) Escalate. 5) Pivot. 6) Collect evidence. 7) Report.
Frequently Asked Questions
Is Metasploit free?
Framework is free. Metasploit Pro costs ~$15K/year with automation and web UI.
Is it illegal?
Only use against authorized systems. Unauthorized use is a criminal offense.
Metasploit vs Cobalt Strike?
Metasploit is open-source for initial exploitation. Cobalt Strike is commercial for post-exploitation and C2.