How to Install Metasploit Framework on Debian 12, 11 or 10

The Metasploit Framework is an indispensable cybersecurity tool renowned for its penetration testing and vulnerability assessment capabilities. This guide is tailored to walk you through the installation process of the Metasploit Framework on Debian platforms, specifically Debian 13 Trixie, Debian 12 Bookworm, Debian 11 Bullseye, and Debian 10 Buster. Given the inherent power of Metasploit, it’s a best practice to run it on a dedicated system or within a virtual environment. This ensures that your primary tasks and sensitive applications remain uncompromised. For the installation, we’ll be utilizing the Metasploit Official APT. Additionally, this guide will shed light on how to effectively use the Metasploit CLI to assess and enhance the security of your projects or services.

Key Points:

  • Metasploit Framework Defined: A premier tool tailored for penetration testing, vulnerability discovery, and exploit development.
  • Debian Compatibility: Seamless integration with Debian 13 Trixie, Debian 12 Bookworm, Debian 11 Bullseye, and Debian 10 Buster.
  • Safety Protocols: Recommendations to operate Metasploit in isolated environments for optimal security.
  • Installation Approach: A step-by-step guide using the Metasploit Official APT.
  • Metasploit in Action: Practical insights into deploying the Metasploit CLI for diverse cybersecurity tasks.

Metasploit’s Potential:

  • Vulnerability Scanning: Identify weak points in systems or applications.
  • Exploit Development: Craft custom exploits for identified vulnerabilities.
  • Payload Creation: Design payloads to gain control over compromised systems.
  • Post-Exploitation: Extract valuable data and maintain control after a successful breach.
  • Network Analysis: Understand network structures and identify potential entry points.

As we transition into the main content, you’ll be equipped with a foundational understanding of the Metasploit Framework’s prowess and its seamless integration with Debian platforms. The journey ahead promises to be both informative and transformative for your cybersecurity endeavors.

Section 1: Installing Metasploit via APT on Debian

Step 1: Install Dependencies

Before diving into the installation of Metasploit, it’s essential to ensure that your Debian system is up-to-date and has all the necessary dependencies in place.

Update and Upgrade Debian:

To keep your Debian system updated, execute the following commands:

sudo apt update
sudo apt upgrade

Install Required Dependencies:

With the system updated, proceed to install the dependencies essential for Metasploit:

sudo apt install curl ca-certificates apt-transport-https software-properties-common lsb-release postgresql -y

Step 2: Import Metasploit Repository

Having the dependencies in place, the next step involves importing the Metasploit repository. This ensures that you’re fetching genuine packages that haven’t been tampered with.

Import the GPG Key:

The GPG key ensures the authenticity of the packages. Import it with:

curl -fsSL | sudo gpg --dearmor | sudo tee /usr/share/keyrings/metasploit.gpg > /dev/null

Add the Metasploit Repository:

With the GPG key imported, proceed to add the Metasploit repository:

echo "deb [signed-by=/usr/share/keyrings/metasploit.gpg] buster main" | sudo tee /etc/apt/sources.list.d/metasploit.list

Note: Even though it says Buster, this is a generic repository now and will install the same package for all APT-based distros and does work on the latest Debian releases.

Step 3: Install Metasploit

With the repository in place, it’s time to install the Metasploit Framework.

Refresh APT Cache:

Update your package list to ensure the latest version of Metasploit Framework is available:

sudo apt update

Install Metasploit Framework:

Initiate the installation process with:

sudo apt install metasploit-framework

First-Time Setup Process:

Upon successful installation, you’ll need to configure Metasploit for its first use:


During this setup, you might encounter several prompts:

  • Setting up a New Database: It’s advisable to set up a new database for Metasploit. When prompted, type “yes” to proceed.
Would you like to use and setup a new database (recommended)?
Terminal process of initializing a new database in Metasploit on Debian.Pin
Steps to initialize and configure a new database for Metasploit Framework on Debian Linux.
  • Initializing the Web Service: This step isn’t mandatory. By default, the answer is “no.” If you wish to enable the web service, type “yes.”
[?] Would you like to init the webservice? (Not Required) [no]:
  • Final Configurations: After addressing the prompts, the system will finalize configurations. This might take a few minutes. You’ll be presented with information regarding the configuration process.
Terminal confirmation of successful Metasploit CLI installation on Debian.Pin
Terminal output confirming the successful setup of Metasploit CLI on a Debian system.

Upon completion, your Metasploit Framework is ready for use. As we delve deeper into subsequent sections, you’ll gain insights into harnessing the full potential of this powerful cybersecurity tool on your Debian system.

Section 2: Utilizing Metasploit Framework Terminal Commands on Debian

Navigating the Metasploit Framework requires a good grasp of its terminal commands. This section provides a hands-on approach to using these commands effectively on Debian. A comprehensive table detailing all available commands will be presented by the end.

Step 1: Launching Metasploit Framework

To initiate the Metasploit Framework, access your terminal and input:


Upon execution, a banner will appear, displaying details about the current version, contributors, and some handy Metasploit Framework usage tips.

Step 2: Keeping Metasploit Updated

The Metasploit Framework is an evolving tool, regularly enhanced with new modules, features, and fixes. To ensure you’re using the latest version:


This command fetches and installs the most recent iteration of the Metasploit Framework.

Step 3: Searching for Exploits

A core functionality of the Metasploit Framework is its exploit search capability. To hunt for specific exploits:

search <search-term>

Replace <search-term> with relevant keywords or terms. For instance, to find exploits associated with the Apache Struts vulnerability:

search struts

This returns a list of exploits linked to the Apache Struts vulnerability.

Terminal output showing search results for 'struts' in Metasploit on Debian.Pin
Results from a Metasploit search query for ‘struts’ vulnerabilities on Debian Linux.

Step 4: Engaging with Exploits

After pinpointing a desired exploit, you can activate its module:

use <exploit-name>

Replace <exploit-name> with the exact exploit module name. If you’re aiming to utilize the Apache Struts exploit module:

use exploit/windows/http/struts2_rest_xstream

This action activates the exploit module, revealing details like its name, author, target platform, and associated payload.

Step 5: Configuring Exploit Parameters

Before deploying an exploit, it’s often necessary to adjust certain parameters, such as target IP, port, or chosen payload. To view an exploit’s configurable options:

show options

This command lists all tweakable parameters for the active exploit module.

To modify a specific parameter:

set <option-name> <value>

For instance, to designate the RHOST parameter to a target system’s IP address:


Step 6: Executing Exploits

With all parameters set, you can launch the exploit:


If the exploit succeeds, a confirmation message will appear, indicating a successful operation and the establishment of a session.

Section 3: Leveraging Metasploit’s Meterpreter on Debian

Meterpreter stands out as an advanced post-exploitation tool within the Metasploit Framework. It facilitates real-time interaction with compromised systems. To harness its capabilities, you first need an active session.

Step 1: Managing Sessions

To view all active sessions:

sessions -l

This command lists all sessions with their respective ID numbers.

To engage with a specific session:

sessions -i <session-id>

For instance, to interact with the first session:

sessions -i 1

Executing this command initiates a Meterpreter shell for the chosen session, allowing you to run a plethora of commands on the compromised system.

Step 2: Extracting System Data

Upon securing a Meterpreter session, a logical first step is to collect data about the compromised system:

  • System Overview:

This command provides a snapshot of the system, detailing the OS version, CPU type, and system architecture.

  • User Identification:

This reveals the current user ID on the system.

  • User Privileges:

This enumerates the current user’s system privileges.

Step 3: File Transfers

Meterpreter facilitates file transfers between your machine and the compromised system:

  • Uploading Files:
upload <local-file> <remote-file>

For instance, to transfer a local file named data.txt to the compromised system’s C:\Temp directory:

upload /localpath/data.txt C:\Temp\data.txt
  • Downloading Files:
download <remote-file> <local-file>

To retrieve a file named data.txt from the compromised system’s C:\Temp directory to your local machine:

download C:\Temp\data.txt /localpath/data.txt

Step 4: Probing WordPress Vulnerabilities with Metasploit

Given WordPress’s ubiquity as a CMS, it’s often a target for potential threats. Using Metasploit, you can assess your WordPress installations for known vulnerabilities. Remember, exploiting systems without permission is both illegal and unethical.

To identify Metasploit modules related to WordPress vulnerabilities:

search wordpress

This command lists Metasploit modules tailored for WordPress vulnerabilities.

Terminal screenshot displaying a list of WordPress exploits in Metasploit on Debian.Pin
Comprehensive list of WordPress vulnerabilities accessible via Metasploit on Debian.

To engage with a specific module, for instance, the WP Paid Pro CODE SQLI vulnerability:

  • Search for the Exploit: Once Metasploit is running, you can search for the exploit to ensure it’s available in your Metasploit version:
search wp_paid_membership_pro_code_sqli
  • Use the Exploit: If the exploit is available, you can load it using the use command:
use auxiliary/scanner/http/wp_paid_membership_pro_code_sqli
  • Set the Options: Before running the exploit, you must set some options. At a minimum, you’ll need to set the RHOSTS option, which specifies the target IP address or domain:
set RHOSTS target_website_or_IP

You can view all the available options for the exploit by typing:

show options

Ensure you configure any other necessary options based on your specific scenario.

Terminal window highlighting the wp_paid_membership_pro SQLi exploit in Metasploit.Pin
Demonstration of using Metasploit to identify the wp_paid_membership_pro SQLi vulnerability.
  • Run the Exploit: Once all the options are set, you can run the exploit:

If the target is vulnerable, Metasploit will attempt to exploit it and provide you with the results.

Section 4: Comprehensive Metasploit Command Overview for Debian Linux

The Metasploit Framework is a vast tool with many commands at its disposal. While we’ve touched upon some commands in previous sections, it’s essential to understand those were just the tip of the iceberg. This section will provide a more detailed table of commonly used commands to help you navigate the framework more efficiently.

Exploit Commands

Exploit commands are pivotal in leveraging vulnerabilities within a target system.

searchLocate a specific exploit or payload.
useChoose an exploit or payload for deployment.
show optionsDisplay available options for the chosen exploit or payload.
setDefine a value for a particular option.
exploitLaunch the selected exploit.
sessionsOversee active Meterpreter sessions.
backDepart from the current exploit or payload context.

Auxiliary Commands

Auxiliary commands cater to various tasks, from scanning and fuzzing to gathering crucial information.

searchFind a specific auxiliary module.
useActivate a desired auxiliary module.
show optionsEnumerate current options for the selected auxiliary module.
setAssign a value to a specific option.
runInitiate the chosen auxiliary module.
backExit the current auxiliary module context.

Post-Exploitation Commands

Once access to a system is secured, post-exploitation commands come into play, allowing various operations on the compromised system.

sysinfoRetrieve detailed system data.
getuidIdentify the active user ID.
getprivsEnumerate the privileges of the current user.
shellAccess a system command shell.
psList active processes.
migrateTransition to a different process.
downloadRetrieve a file from the compromised system.
uploadTransfer a file to the compromised system.

Database Commands

These commands facilitate interaction with the Metasploit Framework’s integrated database.

db_statusVerify the database’s operational status.
db_rebuild_cacheRefresh the database cache.
db_nmapIncorporate an nmap scan result into the database.
hostsEnumerate all hosts registered in the database.
servicesList all services documented in the database.
vulnsDetail all vulnerabilities recorded in the database.

Module Management Commands

Managing modules within the Metasploit Framework is streamlined with these commands.

loadIntegrate a module into the console.
reload_allRefresh all modules.
unloadRemove a module from the console.
infoProvide details about a specific module.
editModify a module’s parameters.

Conclusion and Final Thoughts

In this comprehensive guide, we’ve installed the Metasploit Framework on various Debian versions, including Debian 13 Trixie, Debian 12 Bookworm, Debian 11 Bullseye, and Debian 10 Buster. We’ve covered the foundational steps, delved into command overviews, and explored the potential of Metasploit’s Meterpreter. As with any powerful tool, using the Metasploit Framework with a clear understanding of its capabilities and implications is crucial.

Disclaimer: It’s imperative to emphasize that the Metasploit Framework, like any cybersecurity tool, should be used responsibly and ethically. Only deploy it for cybersecurity research on your platforms or those of entities that have granted explicit permission. Unauthorized or malicious use can lead to severe legal consequences and breaches of ethical standards.

Share to...