
Penetration testing is a type of security testing used to test an organization’s defenses. Your goal as a pentester is to find and exploit vulnerabilities in the system to gain access to sensitive data or systems. One of the most popular tools for conducting penetration tests is Metasploit. In this tutorial we show you how to install Metasploit Framework on a Ubuntu Linux machine.
Tip: you can also check out other important penetration tools.[1]
.toc{background-color:#f3f4f6;font-size:16px;font-weight:500;padding:1em;}.toc h4{text-align:center;text-transform:uppercase;font-size:0.9375rem;margin-bottom:1rem;}.toc ul{margin:0;padding:0;font-size:15px;}.toc-content{overflow-y:auto;max-height:600px;}.toc-content li{list-style:none!important;margin-bottom:1em;}.toc-content a{color:rgba(74,85,104,var(–text-opacity));text-decoration:none;}.toc-content a:hover{color:#C72F29;}.toc-content li.active a{color:#C72F29;font-weight:bold;}@media (min-width:1340px){.toc-wrap{position:absolute;float:left;margin-left:-9rem;top:0;left:-90px;height:100%;width:200px;background-color:white;}.toc{position:sticky;top:50px;font-size:14px;padding:0.5em;}.toc-content li{margin-bottom:0.5em;}}
Metasploit is a free open-source tool for developing and executing exploit code. It comes with a large database of exploits for a variety of platforms. Metasploit can be used to test the security of systems and look for vulnerabilities.
Metasploit is a framework rather than a single tool. It includes a wide range of tools for conducting penetration tests and security research.
Features of Metasploit:
- Developing exploit code
- Automated security testing
- Reverse engineering
- Password cracking
- Social engineering
Note: you can’t just learn penetration testing without knowing what Kali Linux is. Learn all about Kali Linux here[2].
Metasploit is a popular tool for conducting penetration tests. It has a wide range of features that makes it useful for security researchers and penetration testers, is also easy to use and has a large database of exploits.
Before you begin this tutorial, you should have a basic understanding of Linux commands[3]. You will also need to have root access to your Ubuntu machine[4].
If you are using an Android phone, you can try Nethunter[5].
Bash scripts are used to automate tasks. They are easy to use and can save you a lot of time. In this section, you will use a bash script to install the Metasploit Framework on Ubuntu Linux.
- Run the following
wgetcommand to download the install the bash shell script. This command downloads the latest version of the Metasploit Framework for Linux 64-bit from the Metasploit website. The bash shell script file will be saved in the current working directory.
wget http://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run

- Run the
chmodcommand to make the install script executable. This command will give all users permission to execute the script[6].
chmod +x metasploit-latest-linux-x64-installer.run

- Run the installation script by using the
./command. This command tells Linux to execute the file in the current working directory.
./metasploit-latest-linux-x64-installer.run
You will be asked a series of questions during the installation process.
- Press Enter to accept the terms and conditions.

- When prompted to select a folder to install Metasploit, press Enter to use the default location or choose a different location. This tutorial uses the default folder since it is the recommended location.

- Type Y and press Enter to register Metasploit as a service or N and press Enter to skip this step. This tutorial will register Metasploit as a service.
Registering Metasploit as a service will start the Metasploit Framework automatically when the machine is started. This is useful if you plan to frequently use Metasploit.

- Some firewalls, such as UFW (Uncomplicated Firewall)[7], are usually preinstalled on Ubuntu systems. They do not work well with Metasploit, as they tend to block some of the payloads and make the exploitation process very difficult. Press Enter to disable the firewalls.

- You will be asked to set a port for running the Metasploit service. In computer networking, a port is a communication endpoint. Press Enter to use the default port 3790.
You can set up a custom port by entering the port number and pressing Enter. Make sure that the custom port is not being used by any other application on your system and is larger than 1000.

- Generate an SSL Certificate to be used to encrypt communication between the Metasploit server and clients. Press Enter to use the default values.
Type Y and press Enter when asked if you want to add the certificate to the operating system’s trusted store.
The trusted store is a location on your computer where certificates that are trusted by your operating system are stored. You can trust the certificate by adding it to the store, or you can choose not to trust it. This tutorial assumes that you trust the certificate.

- Type Y and press Enter again when asked to start the installation.

At this point, the bash script will start to automatically download and install all of the dependencies needed for Metasploit. No manual intervention is required. This process can take a while, depending on your system specs.

When the installation completes, uou will see a similar output as below:

Installing Metasploit Framework on Ubuntu Linux From Source
In this section, you will learn to install Metasploit Framework on Ubuntu from source.
This method is a bit more difficult than the previous one since you need to compile Metasploit from source. But this method gives you more control over the installation process, and you can customize it to your needs. You always have the latest version of Metasploit when you install it from source.
If you want the latest features and bug fixes, this method is the way to go.
sudo apt update && sudo apt -y upgrade

- Install the dependencies needed to compile Metasploit.
sudo apt install gpgv2 autoconf bison build-essential postgresql libaprutil1 libgmp3-dev libpcap-dev openssl libpq-dev libreadline6-dev libsqlite3-dev libssl-dev locate libsvn1 libtool libxml2 libxml2-dev libxslt-dev wget libyaml-dev ncurses-dev postgresql-contrib xsel zlib1g zlib1g-dev -y
- Run the following
curlcommand to download the Metasploit source code from GitHub. This source code file contains all of the code needed to compile Metasploit.
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
This curl command downloads and transfers[9] the source code file from GitHub and saves it as “msfinstall” on your system. The “.erb” file extension indicates that this file is a template written in the Ruby programming language.

- Make the msfinstall file executable. The 775 permissions will give the owner of the file read, write and execute permissions. The group and other users are given read and execute permissions. This is a good set of permissions to give to a bash script file.
chmod 755 msfinstall
- Run the msfinstall file to start the building and installation process.
./msfinstall

With Metasploit Framework installed, launch the Metasploit console with the following command:
msfconsole
It can take a minute or two for the console to load all of the modules.
You will see a similar output as below when the console finishes loading. The msf6 > prompt indicates that the console is ready to accept commands.

The first command that you need to know is help. You can use this command to get help with any of the other commands inside the console.
You will see a similar output as below. The left column shows all of the available commands, and the right column shows a description of each command. The output is truncated in the screenshot below, but you get the idea.

The next command is show payloads. This command lists all of the available payloads that can be used in an exploit. A payload is a piece of code that is executed on a target system after an exploit is successful. In simple terms, a payload is a piece of malware that is delivered to a target system via an exploit, which performs malicious action on the target system.
show payloads
It is borrowed from transportation terminology, where a payload is actual cargo carried by a vehicle.
For example, if you are exploiting a Windows system, you might want to use a payload that creates a reverse shell back to your Kali Linux system. This would allow you to access and control the target Windows system from your Kali Linux system.
You will see a similar output as below. The left column shows the name of each payload, and the right column shows a description of the payload.
The “Date,” “Rank,” and “Check” columns in the middle indicate when the payload was added to Metasploit, how popular it is, and whether it has been checked for errors.

The next command, show exploits, lists all of the exploits that are available in Metasploit. You can use these exploits to attack systems.
show exploits
An exploit is a code or technique that can be used to take advantage of a software vulnerability. Metasploit Framework comes with a large number of exploits for different platforms and services. An exploit runs multiple stages. The first is used to connect to the target system and deliver the payload. The second runs the payload on the target system.
Metasploit offers two types of exploits: automated and manual. Automated exploits are easy to use, as they don’t require any user interaction. Just provide the target information and select the exploit and payload, and Metasploit will do the rest.
Manual exploits require some user interaction. For example, if you are exploiting a buffer overflow vulnerability, you will need to provide the exact buffer size and offset.

You can also list more information about a specific exploit by using the info command. This command shows you the available options for an exploit as well as a description of the exploit.
For example, perhaps you want to learn more about the SMBGhost exploit. You can use the below command to get more information about it.
info exploit/windows/smb/ms17_010_eternalblue
You will see a similar output as below.

To exit the Metasploit console, use the exit command.

What to Do Next
At this point, you should be able to install Metasploit Framework on Ubuntu and navigate the Metasploit console. With this newfound knowledge, why not conduct a real penetration test[10] on one of your systems to see if you can find any vulnerabilities. Remember, always get permission from the system owner before conducting any tests.
Frequently Asked Questions
Is Metasploit Framework safe to install on my computer?
No, you should never install Metasploit Framework on your primary computer. To install it, you need to disable any antivirus software and firewall rules. This can leave your computer vulnerable to attack.
It is recommended that you install Metasploit Framework on a dedicated penetration testing system that is isolated from your primary computer and other systems on your network.
Can I use Metasploit Framework to hack any system?
No, you can only use Metasploit Framework to conduct penetration tests on systems that you have permission to test. If you use it to hack into a system without permission, you could be breaking the law.
Always get permission from the system owner before conducting any tests.
How do I protect myself from Metasploit Framework?
Metasploit Framework is a tool that can be used for both good and bad. To protect yourself from Metasploit Framework, you should keep your systems up to date with the latest security patches. You should also use a firewall to block incoming connections from untrusted sources. Finally, you should use antivirus software to scan for and remove any malware that may be present on your system.
Image credit: FreePik[11]. All screenshots by Nicholas Xuan Nguyen.
Our latest tutorials delivered straight to your inbox
References
- ^ check out other important penetration tools. (www.maketecheasier.com)
- ^ all about Kali Linux here (www.maketecheasier.com)
- ^ basic understanding of Linux commands (www.maketecheasier.com)
- ^ have root access to your Ubuntu machine (www.maketecheasier.com)
- ^ try Nethunter (www.maketecheasier.com)
- ^ all users permission to execute the script (www.maketecheasier.com)
- ^ UFW (Uncomplicated Firewall) (www.maketecheasier.com)
- ^ apt tool (www.maketecheasier.com)
- ^ curl command downloads and transfers (www.maketecheasier.com)
- ^ conduct a real penetration test (docs.metasploit.com)
- ^ FreePik (www.freepik.com)