Metasploit Basics

What is Metasploit?

Imagine you’re a hacker (the good kind—a penetration tester). You need a Swiss Army knife that can do everything—from finding weak spots in a system to exploiting them, and even cleaning up after. That’s exactly what Metasploit is.

It’s one of the most popular tools in the cybersecurity world and helps at every stage of penetration testing:

  • Information Gathering (finding out information about the target)

  • Scanning (checking for open doors to attack)

  • Exploitation (breaking into the system)

  • Post-Exploitation (what you do once you’re inside)


Metasploit Pro vs. Metasploit Framework

Metasploit comes in two flavors:

  • Metasploit Pro – This is the paid, commercial version. It has a friendly Graphical User Interface (GUI) and is great for teams because it automates many tasks like reporting, phishing campaigns, etc.

  • Metasploit Framework – This is the open-source, free version that runs from the command line. It’s what most ethical hackers and learners use. If you’re on Kali Linux (or most pentesting Linux distros), it’s already installed by default. This is the version we’ll focus on.


What’s Inside Metasploit Framework?

Think of Metasploit as a big toolbox, and here’s what’s in it:

  • msfconsole – This is your main workspace. It’s a command-line interface where you run all Metasploit commands. (Like your hacker cockpit)

  • Modules – These are like Lego blocks you can mix and match:

    • Exploits – Ready-made “break-in tools” for specific vulnerabilities.

    • Auxiliary (scanners and other helpers) – To check targets for open ports or weak points without exploiting them.

    • Payloads – Code you send to a system once you’ve exploited it (like reverse shells).

  • Tools – Stand-alone helpers for more advanced stuff:

    • msfvenom – To create custom payloads.

    • pattern_create & pattern_offset – Used in exploit development (finding buffer overflow offsets, etc.). Don’t worry; these are more advanced and beyond this module.

Quick Example: Launching msfconsole

Let’s say you just fired up your Kali Linux. To get started with Metasploit Framework, you simply type:

msfconsole

This drops you into Metasploit’s command-line interface. From here, you can search for exploits, set targets, and launch attacks.


Components of Metasploit: Let’s Break It Down

When you start using the Metasploit Framework, you’ll mostly be hanging out in its console. Just fire it up from your terminal like this:

 msfconsole

This console is your command center. It’s where you’ll interact with all the parts of Metasploit—scanning, exploiting, and even post-exploitation stuff.

But before we jump into the details, let’s clear up three words you’ll hear again and again in Metasploit:


Exploit, Vulnerability & Payload (The Hacker Trinity)

Vulnerability – Think of this like a crack in a wall. It’s a weakness in the system’s design, code, or logic. Example: A web server running an outdated version with a known bug.

Exploit – This is your crowbar. It’s a piece of code that takes advantage of that crack to break in. Example: Code that abuses a buffer overflow to gain control.

Payload – Now that you’re in, what do you want to do? Payloads are the instructions you send to the target once the exploit succeeds. Example: Open a reverse shell so you can control the machine.

So in short:

Vulnerability = weakness 
Exploit = way to break in 
Payload = what you do after breaking in

What Are Modules?

Metasploit organizes its capabilities into modules. Think of modules as small tools in your hacker’s toolkit—each built for a specific job. You don’t run them separately; you load and use them from msfconsole.

Here are the main types of modules you’ll see:

Auxiliary Modules – The Helpers

Think of auxiliary modules as your sidekicks. They don’t break into systems (like exploits do). Instead, they help you gather information and test for weaknesses.

These modules include things like:

  • Scanners – To check for open ports, services, or vulnerabilities.

  • Crawlers – To map out all the pages of a website.

  • Fuzzers – To send random data and see if the system crashes (helpful for finding unknown bugs).

Encoders – The Disguises

Think of encoders like putting on a disguise. Their job is to re-encode the payload so that signature-based antivirus systems don’t immediately recognize its bytes as a known threat. (Encoders were originally built for a more mundane job: rewriting a payload so that it contains none of the “bad characters”, such as null bytes, that a particular exploit cannot deliver to the target.)

Here’s how it works:

  • Most antivirus software uses a database of known threats (signatures). When a file matches a signature in their database, they flag it as malicious.

  • An encoder takes your payload and scrambles it (like changing the outfit of your payload), so the antivirus doesn’t recognize it right away.

But Remember…

Encoders aren’t magic. The encoded payload has to be decoded on the target before it can run, and the small decoder stub that does this is itself a well-known pattern that antivirus can match on. Modern antivirus solutions also do more than signature matching (behavior analysis, emulation and other methods). So while encoders can sometimes help bypass detection, they aren’t guaranteed to work every time.
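To make the two points above concrete, here is a toy single-byte XOR encoder. This is an added example, not code from the original post and not how any real Metasploit encoder is implemented; the payload, the “signature”, the decoder stub bytes and the bad-character set are all constructed for the demonstration.

```python
# Added example (not from the original post or from Metasploit): a toy single-byte
# XOR encoder showing what an encoder changes (the payload bytes) and what it does
# not change (the constant decoder stub in front of them).
# RAW_PAYLOAD, SIGNATURE, DECODER_STUB and BAD_CHARS are all constructed here.

RAW_PAYLOAD = b"EXEC calc.exe\x0b\x00"      # constructed stand-in for a payload blob
SIGNATURE = b"calc.exe"                      # constructed: what a naive byte-signature rule matches
DECODER_STUB = b"\xeb\x0b\x5e\x80\x36"       # constructed stand-in for a fixed decoder stub
BAD_CHARS = {0x00, 0x0a, 0x0d}               # bytes this exploit cannot deliver (NUL, LF, CR)


def xor_encode(payload: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key; applying it twice restores the input."""
    return bytes(b ^ key for b in payload)


def pick_key(payload: bytes, bad_chars=BAD_CHARS) -> int:
    """Find a key such that neither the key byte nor any encoded byte is a bad char.
    This is the job encoders were originally built for: getting a payload past
    input filters, not past antivirus."""
    for key in range(1, 256):
        if key in bad_chars:
            continue
        if all((b ^ key) not in bad_chars for b in payload):
            return key
    raise ValueError("no single-byte XOR key avoids all bad characters")


def encode(payload: bytes, key=None) -> bytes:
    """Produce stub || key || encoded payload, the layout a real encoder emits."""
    if key is None:
        key = pick_key(payload)
    return DECODER_STUB + bytes([key]) + xor_encode(payload, key)


def decode(blob: bytes) -> bytes:
    """What the stub does at run time on the target: read the key, XOR the rest back."""
    key = blob[len(DECODER_STUB)]
    return xor_encode(blob[len(DECODER_STUB) + 1:], key)


def signature_hit(blob: bytes, signature: bytes) -> bool:
    """A byte-signature scanner: flag the blob if the signature appears verbatim."""
    return signature in blob


if __name__ == "__main__":
    blob = encode(RAW_PAYLOAD)
    print("key chosen:", pick_key(RAW_PAYLOAD))
    print("raw payload hits signature:", signature_hit(RAW_PAYLOAD, SIGNATURE))
    print("encoded payload hits signature:", signature_hit(blob, SIGNATURE))
    print("decodes back to original:", decode(blob) == RAW_PAYLOAD)
    # The caveat from the text: the stub is constant, so one rule on the stub
    # catches every variant no matter which key was used.
    print("stub visible in every variant:",
          all(signature_hit(encode(RAW_PAYLOAD, k), DECODER_STUB) for k in range(1, 256)))
```

Run it and you see the three things the text describes: the raw payload trips the signature, the encoded one does not, and the decoder stub is identical in all 255 variants, which is exactly what a scanner that has learned the stub will match. Key 1 is rejected because it would turn the 0x0b byte into a line feed, one of the bad characters.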

Evasion – The Real Stealth Mode

Here’s where it gets interesting.

While encoders simply scramble your payload (like changing its outfit), they’re not a full-blown antivirus bypass. Think of them more as a light disguise.

But…

Evasion modules (added in Metasploit 5) take it a step further. Rather than just re-encoding the payload bytes, each one builds a complete artifact, usually a Windows executable, that is assembled specifically to get past a named product; evasion/windows/windows_defender_exe is one example. They try tricks like:

  • Generating the executable so its bytes and structure differ from what known rules match

  • Loading and running the payload in ways that avoid the behaviors security rules key on

  • Obfuscating the code paths that antivirus engines look for

Heads Up

Like encoders, evasion isn’t guaranteed to work. Modern antivirus software uses advanced detection methods (heuristics, behavior analysis, AI). But evasion modules are great for testing how strong a system’s defenses really are.

Exploits – The Break-In Tools

Exploits are the heart of Metasploit—they’re the actual attack codes designed to take advantage of a vulnerability in a target system.

Metasploit keeps its exploits neatly organized into categories based on target systems:

  • Windows

  • Linux

  • Web servers

  • Databases, and more

Once loaded, you attach a payload to the exploit so you can do something (like get a shell) after the system is compromised.

NOPs – The Placeholders

NOPs (short for “No Operation”) are exactly what they sound like: instructions that tell the CPU… “do nothing” for a moment.

In the Intel x86 CPU world, NOPs are represented by the hexadecimal value 0x90. When the CPU reads 0x90, it just skips to the next instruction without doing anything.

Why Are NOPs Useful in Metasploit?

In exploit development, NOPs act like a cushion or buffer. They’re used to:

  • Pad out payloads so they have consistent sizes

  • Make sure the exploit lands correctly even if the exact memory location isn’t known

This “cushion” of NOPs is often called a NOP sled—a sequence of NOPs that the CPU can slide down until it hits your actual payload.

In Short:

NOPs are like empty steps leading to your payload. They don’t do anything, but they help ensure your attack lands where it’s supposed to.
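The “empty steps” idea can be simulated without touching a real CPU. The following is an added example, not code from the original post: it lays out a sled of 0x90 bytes in front of a constructed stand-in payload and counts how many different guessed entry addresses still reach the payload intact.

```python
# Added example (not from the original post): a simulated NOP sled showing why an
# inexact jump address still reaches the payload. PAYLOAD is a constructed stand-in.

NOP = 0x90                       # the x86 one-byte NOP described in the text
PAYLOAD = b"\xcc\xcc\xcc\xcc"    # constructed stand-in (four int3 bytes); contains no 0x90


def build_buffer(sled_len: int, payload: bytes) -> bytes:
    """Lay out sled_len NOPs followed by the payload, as an exploit would in memory."""
    return bytes([NOP]) * sled_len + payload


def execute_from(buf: bytes, entry: int) -> bytes:
    """Simulated CPU: start at `entry`, step over NOPs, return the bytes that would run.
    Landing past the payload's first byte returns a truncated (broken) payload.
    A payload whose own first byte is 0x90 would be skipped too, so sleds and
    payloads are kept distinct here."""
    pc = entry
    while pc < len(buf) and buf[pc] == NOP:
        pc += 1
    return buf[pc:]


def working_entries(buf: bytes, payload: bytes) -> list:
    """Every entry offset from which execution reaches the payload intact."""
    return [i for i in range(len(buf)) if execute_from(buf, i) == payload]


def tolerance(sled_len: int, payload: bytes = PAYLOAD) -> int:
    """How many distinct guessed addresses succeed for a given sled length."""
    return len(working_entries(build_buffer(sled_len, payload), payload))


if __name__ == "__main__":
    for n in (0, 8, 32, 256):
        print(f"sled of {n:3} NOPs: {tolerance(n):3} entry addresses land on the payload")
```

With no sled only the exact payload address works; every NOP you add is one more address from which the jump still succeeds, which is why the sled lets you guess the return address instead of knowing it.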

Payloads – What Happens After You Break In

You’ve used an exploit to break into the target system. But now what? Just breaking in isn’t enough—you need to do something once you’re inside.

That’s where payloads come in.

Payloads are small pieces of code that run on the target system after a successful exploit.

They let you:

  • Open a shell (remote command line access)

  • Add a new user

  • Upload malware or a backdoor

Or even do something harmless like launch the calculator (calc.exe) to prove you’ve got code execution for your penetration test report.

Example: Want to prove you can run commands on the target? After loading an exploit with the use command, pick the windows/exec payload and tell it which command to run:

 set payload windows/exec
 set CMD calc.exe

Then launch with the exploit (or run) command. When the exploit lands, calc.exe pops up on the target system. Simple but powerful.

Payload Directories: What’s Inside?

Metasploit organizes payloads into four types. Here’s what each one does:

1. Adapters – The Wrappers

Adapters take a payload and repackage it in a different format so it can run in special environments.

Example: Wrapping a regular payload in a PowerShell command so it runs directly from PowerShell.

2. Singles – The One-and-Done Payloads

These are self-contained payloads. Once sent, they run immediately and don’t rely on downloading anything else.

Example: Adding a user, launching Notepad, or opening a basic reverse shell.

generic/shell_reverse_tcp

The _ between shell and reverse shows this is a single (inline) payload.

3. Stagers – The Connection Setters

Stagers create a small communication channel between Metasploit and the target system. This is handy when using staged payloads (explained below) because it keeps the initial payload size small.

4. Stages – The Heavy Hitters

Stages are the second part of a staged payload. After the stager has set up the connection, it pulls the stage (the larger piece of code, such as Meterpreter) over that connection and runs it in memory.

Example:

windows/x64/shell/reverse_tcp

Notice the / between shell and reverse? That means it’s staged.

Shells: The Interactive Connection

One of the most powerful things a payload can do is give you a shell—an interactive command line on the target. With a shell, you can run commands like you’re sitting at the machine.

Metasploit even lets you send advanced payloads like Meterpreter, which gives you a full-featured command environment with file browsing, screenshots, and more.

Quick Recap: Singles vs Staged Payloads

Type     Example                          Description
Single   generic/shell_reverse_tcp        Inline, self-contained
Staged   windows/x64/shell/reverse_tcp    Downloads larger stage later
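The naming rule above (an underscore for a single, a slash for a staged payload) is simple enough to encode. The following is an added example, not code from the original post and not Metasploit’s own loader: a small parser that splits a payload name into platform, architecture, stage and transport, plus a helper that says which connection options each transport needs. The STAGES and ARCHES sets are a hand-picked subset used for the demonstration; the real framework knows more of each.

```python
# Added example (not from the original post or from Metasploit): a parser for the
# payload naming convention. STAGES and ARCHES are simplified subsets chosen here.

STAGES = {"shell", "meterpreter", "vncinject", "dllinject", "upexec", "custom"}
ARCHES = {"x86", "x64", "aarch64", "armle", "mipsle", "mipsbe", "ppc"}


def parse_payload_name(name: str) -> dict:
    """Split 'platform[/arch]/stage/stager' (staged) or 'platform[/arch]/stage_stager'
    (single) into parts. Singles with no transport, like windows/exec, get
    stage=None and transport=None."""
    parts = name.split("/")
    info = {
        "name": name,
        "platform": parts[0],
        "arch": parts[1] if len(parts) > 1 and parts[1] in ARCHES else None,
    }
    last = parts[-1]
    if len(parts) >= 2 and parts[-2] in STAGES:           # stage/stager in two segments
        info.update(kind="staged", stage=parts[-2], transport=last)
        return info
    for stage in STAGES:                                   # stage_stager in one segment
        if last.startswith(stage + "_"):
            info.update(kind="single", stage=stage, transport=last[len(stage) + 1:])
            return info
    info.update(kind="single", stage=None, transport=None)
    return info


def required_options(info: dict) -> set:
    """Connection options the transport needs before the exploit will run:
    reverse_* connects back to you (LHOST/LPORT); bind_* listens on the target (RHOST/LPORT)."""
    transport = info["transport"] or ""
    if transport.startswith("reverse"):
        return {"LHOST", "LPORT"}
    if transport.startswith("bind"):
        return {"RHOST", "LPORT"}
    return set()


if __name__ == "__main__":
    for n in ("generic/shell_reverse_tcp", "windows/x64/shell/reverse_tcp",
              "windows/x64/meterpreter_reverse_tcp", "linux/x86/shell/bind_tcp",
              "windows/exec"):
        info = parse_payload_name(n)
        print(f"{n:38} {info['kind']:7} stage={info['stage']} "
              f"transport={info['transport']} needs={sorted(required_options(info))}")
```

The practical reason to care about the split: a reverse payload will silently fail to connect if LHOST points at an address the target cannot reach, while a bind payload needs nothing from you but the port (the exploit’s RHOSTS already names the target).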

So in short:

  • Exploit = Gets you in

  • Payload = Lets you do stuff after you’re in

  • Shell = Gives you interactive control (as whichever user the exploited process was running as)

Post Modules – The Cleanup Crew (and More)

So you’ve scanned the target, exploited a vulnerability, and sent a payload. Now what?

This is where Post modules step in. They’re designed for the post-exploitation phase, the work you do on a system once you already have access to it.

These modules help you:

  • Gather more information about the compromised system (like passwords or user accounts)

  • Escalate your privileges to get full admin control

  • Maintain access by creating backdoors or persistence

  • Clean up traces of your activities to avoid detection

Example: To dump password hashes from a Windows system after getting a Meterpreter session (here, session 1):

 msf6 > use post/windows/gather/hashdump
 msf6 post(windows/gather/hashdump) > run SESSION=1

This pulls out the local account hashes (the module needs SYSTEM privileges on the target to read them), which you can crack offline later.
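hashdump prints one line per account in the classic pwdump layout, user:RID:LMhash:NThash:::. The following is an added example, not code from the original post or from the module itself: a parser that turns that output into a list you can hand to an offline cracker, flagging blank passwords and accounts that still have a real LM hash on the way. The sample output is constructed; the hashes in it are made up and belong to no real account.

```python
# Added example (not from the original post or from Metasploit): parse the
# pwdump-style lines hashdump prints and prepare them for offline cracking.
# SAMPLE_OUTPUT is constructed; its NT hashes (other than the empty-string one)
# are invented.

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "" : LM storage disabled/unused
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of "" : the account has a blank password

SAMPLE_OUTPUT = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
[*] some console noise that is not a hash line
"""


def parse_pwdump(text: str) -> list:
    """Return one dict per well-formed user:RID:LM:NT::: line; skip anything else."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or not fields[1].isdigit():
            continue
        user, rid = fields[0], int(fields[1])
        lm, nt = fields[2].lower(), fields[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            continue
        entries.append({
            "user": user, "rid": rid, "lm": lm, "nt": nt,
            "lm_present": lm != EMPTY_LM,     # a real LM hash means weak LM storage is still on
            "blank_password": nt == EMPTY_NT,
        })
    return entries


def hashcat_ntlm_lines(entries: list) -> list:
    """'user:nthash' lines for `hashcat -m 1000 --username`; blank passwords need no cracking."""
    return [f"{e['user']}:{e['nt']}" for e in entries if not e["blank_password"]]


if __name__ == "__main__":
    entries = parse_pwdump(SAMPLE_OUTPUT)
    for e in entries:
        flags = [f for f, on in (("LM-hash-present", e["lm_present"]),
                                 ("BLANK-PASSWORD", e["blank_password"])) if on]
        print(f"{e['user']:15} rid={e['rid']:<5} {' '.join(flags)}")
    print("\n".join(hashcat_ntlm_lines(entries)))
```

Two findings worth reporting fall straight out of the parse: an account whose NT hash equals the empty-string hash has no password at all, and any LM hash other than the empty-string value means the host is still storing the trivially crackable LM format.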

Why Post Modules Matter?

In real-world penetration testing, getting in is only half the job. Post modules let you explore and document what an attacker could do next—critical for building a strong security report.

Written by sridhar Madhavan