Skip to main content

Introduction


Revision History​

DateAuthorSummary
21-MAR-2026CW2 BernadotteInitial draft

Purpose​

This AID provides a practical command reference for Metasploit Framework usage during Cyber Threat Emulation (CTE) missions. The focus is on setup, workflow, payload generation, post-exploitation fundamentals, pivoting, and evasion - not on specific ATT&CK technique execution.


End-State​

  • Operators can initialize, configure, and navigate Metasploit efficiently from a Kali VM.
  • Operators can generate and deliver payloads using msfvenom with appropriate evasion applied.
  • Operators can manage sessions, navigate Meterpreter, and set up pivots through compromised hosts.
  • Operators understand which MSF settings reduce detection footprint without requiring custom tooling.

Requirements​

RequirementNotes
Kali Linux VMMetasploit Framework pre-installed
Network access to target(s)Required for exploitation and handler callbacks
msfdb initializedPostgreSQL backend - required for workspace and host tracking
Valid credentials or known vulnerabilityExploitation requires a foothold vector

Considerations​

  • OPSEC - Port Selection: Default MSF listener ports (4444, 4445) are well-known and frequently blocked or alerted on. Try to use 443, 80, or 8443 for handlers to try and blend in with common network traffic.
  • OPSEC - Protocol: Prefer HTTPS (reverse_https) over HTTP or raw TCP for callbacks. HTTP and raw TCP payloads transmit stage data and C2 traffic in plaintext, visible to any inline inspection.
  • OPSEC - Staged vs Stageless: Staged payloads (windows/x64/meterpreter/reverse_https) make a second network connection to download the stage - two connections, more detectable over the network. Stageless (windows/x64/meterpreter_reverse_https) embed the full payload in the file - single connection, less network noise, but more likely to be detected by endpoint security.
  • Cleanup: Remove uploaded files, close sessions, and drop listeners when finished. MSF does not auto-clean.