INSTALLATION

UPDATE

root@oco:~$ sudo apt update && sudo apt install metasploit-framework
 ...
 (Reading database ... 414458 files and directories currently installed.)
 Preparing to unpack .../metasploit-framework_6.0.2-0parrot1_amd64.deb ...
 Unpacking metasploit-framework (6.0.2-0parrot1) over (5.0.88-0kali1) ...
 Setting up metasploit-framework (6.0.2-0parrot1) ...
 Processing triggers for man-db (2.9.1-1) ...
 Scanning application launchers
 Removing duplicate launchers from Debian
 Launchers are updated
 
 * the old method of updating MSF is to issue the cmd "msfupdate" in the OS CLI
   outside of msfconsole

BASE FILE

BASE PATH

root@oco:~$ ../../metasploit-framework

 * in HTB's ParrotOS, the exact base file location is...
    - /usr/share/metasploit-framework

MODULES

//MODULE SYNTAX
<No.> <type>/<os>/<service>/<name>
794   exploit/windows/ftp/scriptftp_list

 * the No. tag is the index number shown next to a module in search results; it is 
   what the use <No.> command selects afterwards
    - When selecting a module to use for payload delivery, the use <No.> command can 
      only be used with the following module types, which act as 
      initiators (or interactable modules):

         Type        Description
         Auxiliary   Scanning, fuzzing, sniffing, and admin capabilities. Offer extra assistance and functionality.
         Exploits    Defined as modules that exploit a vulnerability that will allow for the payload delivery.
         Post        Wide array of modules to gather information, pivot deeper, etc.
 
 * The Type tag is the first level of segregation between the Metasploit modules. 
    - this helps in identifying what the module will accomplish. Some of these types 
      are not directly usable as an exploit module would be. However, 
      they are set to introduce the structure alongside the interactable ones for 
      better modularization.
       - example types:

          Type        Description
          Auxiliary   Scanning, fuzzing, sniffing, and admin capabilities. Offer extra assistance and functionality.
          Encoders    Ensure that payloads are intact to their destination.
          Exploits    Defined as modules that exploit a vulnerability that will allow for the payload delivery.
          NOPs        (No Operation code) Keep the payload sizes consistent across exploit attempts.
          Payloads    Code runs remotely and calls back to the attacker machine to establish a connection (or shell).
          Plugins     Additional scripts can be integrated within an assessment with msfconsole and coexist.
          Post        Wide array of modules to gather information, pivot deeper, etc.
          
 * The OS tag specifies which operating system and architecture the module was 
   created for
   
 * The Service tag refers to the vulnerable service that is running on the 
   target machine
    - For some modules, such as the auxiliary or post, this tag can refer to a 
      more general activity such as gather, referring to the gathering of credentials
      
 * the Name tag explains the actual action that can be performed by the specified
   module
   
root@oco:~$ ls /usr/share/metasploit-framework/modules
 auxiliary  encoders  evasion  exploits  nops  payloads  post
 
 * The Metasploit modules are prepared scripts with a specific purpose and 
   corresponding functions that have already been developed and tested in the wild
 
 * The exploit category consists of proof-of-concepts (POCs) that can be used to 
   exploit existing vulnerabilities in a largely automated manner
   
 * A payload is a module that assists the exploit module, typically to return a shell
    - payloads are sent together with the exploit itself to bypass standard 
      functioning procedures of the vulnerable service (the exploit's job) and then run 
      on the target OS to typically return a reverse connection to the attacker 
      and establish a foothold (the payload's job).
       - exploit utilizes a weakness in the target service
       - payload establishes a foothold
    - payload modules: whether or not a payload is staged is represented by a "/" in the
      payload name

PLUGINS

root@oco:~$ ls /usr/share/metasploit-framework/plugins/
 aggregator.rb      ips_filter.rb  openvas.rb           sounds.rb
 alias.rb           komand.rb      pcap_log.rb          sqlmap.rb
 auto_add_route.rb  lab.rb         request.rb           thread.rb
 beholder.rb        libnotify.rb   rssfeed.rb           token_adduser.rb
 db_credcollect.rb  msfd.rb        sample.rb            token_hunter.rb
 db_tracker.rb      msgrpc.rb      session_notifier.rb  wiki.rb
 event_tester.rb    nessus.rb      session_tagger.rb    wmap.rb
 ffautoregen.rb     nexpose.rb     socket_logger.rb
 
 * Plugins offer the pentester more flexibility when using the msfconsole since 
   they can easily be manually or automatically loaded as needed to provide 
   extra functionality and automation during assessments.

SCRIPTS

root@oco:~$ ls /usr/share/metasploit-framework/scripts/
 meterpreter  ps  resource  shell

TOOLS

root@oco:~$ ls /usr/share/metasploit-framework/tools/
 context  docs     hardware  modules   payloads
 dev      exploit  memdump   password  recon

PAYLOADS

A payload is a module that assists the exploit module, typically to return a shell. Payloads are sent together with the exploit itself to bypass standard functioning procedures of the vulnerable service (the exploit's job) and then run on the target OS to typically return a reverse connection to the attacker and establish a foothold (the payload's job).

PAYLOAD STAGE PROCESS

Stage0 is the small initial shellcode sent to a vulnerable service whose sole job is to establish a stable channel between the victim and attacker (commonly seen as reverse_tcp, reverse_https, or bind_tcp) and then read in a larger payload. Once the connection is up, the attacker sends the Stage1 payload which is a bigger, feature-rich payload (e.g., a shell or Meterpreter). This is loaded into memory and executed to provide the attacker with interactive access.

TYPES

Some exploits cannot deliver a large payload inline, so attackers use a small, reliable stager to bootstrap a larger stage: the stager’s job is simply to create a stable channel back to the attacker (or open a port) and then fetch and execute the full-featured payload. This separation enables flexibility. Stages such as Meterpreter offer rich post-exploitation capabilities without the strict size limits that would break an inline payload while keeping the initial exploit lightweight. It also improves reliability against modern protections: Windows “NX” vs “NO-NX” stagers differ in how they allocate and execute memory under DEP/NX constraints, and Metasploit selects the most appropriate stager for the target OS and protections to maximize the chance of successful execution.

SINGLES

These are self-contained payloads that contain the exploit and the entire shellcode for the selected task; they don't require a follow-up download.

  • windows/shell_bind_tcp is a single payload with no stage

  • non-staged payloads (singles) have the format "meterpreter_reverse_tcp" without the "/" separator

STAGERS

These are payloads that work with Stage payloads to perform a specific task. Think of a stager as a small piece of code that runs on the target to set up communications (connect back or bind) and then fetch and launch a larger stage. Metasploit will use the best one and fall back to a less-preferred one when necessary.

  • Windows NX vs. NO-NX Stagers

    • Reliability issue for NX CPUs and DEP

    • NX stagers are bigger (VirtualAlloc memory)

    • Default is now NX + Win7 compatible

STAGES

These are the payload components that Stager modules download. A stage is the full-featured payload (Meterpreter, VNC, etc.) that the stager downloads (without size limits) and runs.

  • windows/shell/bind_tcp consists of a stager (bind_tcp) and a stage (shell)

  • staged payloads have the format "meterpreter/reverse_tcp"

  • payload stages automatically use middle stagers

    • A single recv() fails with large payloads

    • The Stager receives the middle stager

    • The middle Stager then performs a full download

    • Also better for RWX
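The module syntax notes above and the singles/stagers/stages notes both describe naming rules; as an added example (not Metasploit's own code), this Ruby parser splits a module reference into its tags, maps the type to its directory under the ParrotOS base path, and tells a staged payload from a single by the "/" in its name. The TYPE_DIRS mapping follows the modules/ listing above; accepting a missing service tag, the ARCHES list and the helper names are assumptions.

```ruby
# Added example, not Metasploit's own code: parse a <type>/<os>/<service>/<name>
# module reference, locate its source under the base path, and tell a staged
# payload (stage/stager split by "/") from a single one.

# Type tag -> directory under modules/ (matches the ls output in the notes).
TYPE_DIRS = { 'auxiliary' => 'auxiliary', 'encoder' => 'encoders', 'evasion' => 'evasion',
              'exploit' => 'exploits', 'nop' => 'nops', 'payload' => 'payloads',
              'post' => 'post' }.freeze
# Types the notes list as selectable with `use <No.>` (interactable modules).
INTERACTABLE = %w[auxiliary exploit post].freeze
BASE = '/usr/share/metasploit-framework'.freeze # ParrotOS base path from the notes

ModuleRef = Struct.new(:type, :os, :service, :name, :interactable, :source)

# Accepts at least <type>/<os>/<name>: the service tag may be absent (encoders)
# or span several directories, so everything between os and name is the service.
def parse_module(ref)
  parts = ref.split('/')
  raise ArgumentError, "expected <type>/<os>/<service>/<name>: #{ref}" if parts.size < 3
  type = parts.shift
  raise ArgumentError, "unknown module type: #{type}" unless TYPE_DIRS.key?(type)
  source = File.join(BASE, 'modules', TYPE_DIRS[type], *parts) + '.rb'
  ModuleRef.new(type, parts[0], parts[1..-2].join('/'), parts[-1],
                INTERACTABLE.include?(type), source)
end

# Architecture directories that belong to the platform part of a payload name
# (assumed list; e.g. windows/x64/meterpreter/reverse_https).
ARCHES = %w[x86 x64 aarch64 armle mipsle mipsbe].freeze
Payload = Struct.new(:platform, :stage, :stager, :staged)

def parse_payload(name)
  parts = name.sub(%r{\Apayload/}, '').split('/')
  platform = [parts.shift]
  platform << parts.shift if ARCHES.include?(parts.first)
  case parts.size
  when 1 then Payload.new(platform.join('/'), parts[0], nil, false)     # single: no "/"
  when 2 then Payload.new(platform.join('/'), parts[0], parts[1], true) # stage/stager
  else raise ArgumentError, "unrecognised payload name: #{name}"
  end
end

if $PROGRAM_NAME == __FILE__
  m = parse_module('exploit/windows/ftp/scriptftp_list')
  puts "#{m.type}: interactable=#{m.interactable} source=#{m.source}"
  %w[windows/shell_bind_tcp windows/shell/bind_tcp].each do |p|
    pl = parse_payload(p)
    puts "#{p}: #{pl.staged ? "staged (stage=#{pl.stage}, stager=#{pl.stager})" : 'single'}"
  end
end
```

The source path it prints is where to read a module before running it, which is the quickest way to check what an unfamiliar module actually does.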

SPECIAL PAYLOAD

Meterpreter is an advanced in-memory payload that uses DLL injection to create a stealthy, stable session on a compromised host. It runs entirely in RAM (leaving minimal disk artifacts), supports dynamic loading/unloading of scripts and plugins, and provides an interactive command interface focused on post-exploitation tasks. Once executed it opens a Meterpreter session offering capabilities like keystroke capture, credential harvesting, process token impersonation, microphone/screenshot capture, and many other post-compromise actions. It is designed to be flexible, stealthy, and powerful for assessment or exploitation workflows.

COMMON WINDOWS PAYLOADS

Critical payload frameworks used by professional penetration testers include tools like Empire and Cobalt Strike, which deliver powerful post-exploitation capabilities and are frequently employed in red-team engagements against high-value targets to emulate realistic adversary behavior. Beyond those flagship frameworks, there's a wide ecosystem of payloads targeted at specific platforms and vendors (Cisco, Apple, industrial PLCs, etc.) and many custom payloads that can be generated with msfvenom. Payloads trade off delivery method, platform compatibility, stealth, and reliability. Always pick the payload that matches the objective (initial access, persistence, credential harvesting, lateral movement) and the target's defenses.
