A controlled security lab is easier to manage when module search, payload generation, database-backed notes, and safe target testing all live in one console. The official Rapid7 package bundles the runtime Metasploit needs, so you can install Metasploit Framework on Ubuntu without replacing Ubuntu’s system Ruby, Python, or PostgreSQL packages.
Ubuntu 26.04, 24.04, and 22.04 can use Rapid7’s nightly APT repository. The repository setup stores the signing key and source as auditable APT files, then the post-install flow verifies the package, initializes the optional Metasploit database, covers routine updates, and removes the package and local workspace data cleanly.
Metasploit is a dual-use security framework. Use it only on systems you own, operate, or have explicit written permission to assess, and keep lab targets separate from production systems whenever possible.
Install Metasploit Framework on Ubuntu
Update Ubuntu and Install Repository Tools
Refresh enabled package sources first, then install the small tools needed to fetch and convert Rapid7’s signing key:
sudo apt update
sudo apt install ca-certificates curl gpg
Do not install Ubuntu’s postgresql package for this method. The Rapid7 package includes the PostgreSQL runtime used by Metasploit’s msfdb helper, and it stores the default database under your account instead of using Ubuntu’s system PostgreSQL service.
Add the Rapid7 Signing Key
Import the current Rapid7 signing key into a dedicated APT keyring. The curl -fsSL options fail on HTTP errors, show errors while hiding the progress meter, and follow redirects; the curl command in Linux reference covers the option set in more detail.
curl -fsSL https://apt.metasploit.com/metasploit-framework.gpg.key | sudo gpg --dearmor --yes -o /usr/share/keyrings/metasploit-framework.gpg
Check the imported key fingerprint before trusting the new source. The current Rapid7 package-signing key uses this primary fingerprint:
gpg --show-keys --with-fingerprint /usr/share/keyrings/metasploit-framework.gpg
pub rsa4096 2015-05-26 [SC] [expires: 2030-01-11]
97B3 2012 EA11 76F0 5372 7A95 C048 F0B4 9DEE C457
uid Release Engineering <r7_re@rapid7.com>
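The manual fingerprint check above can be enforced before the keyring is ever written. This is an added example, not code from the original page or from Rapid7: the function names and the `--install` switch are hypothetical, while the fingerprint, key URL, and keyring path are the ones given on this page.

```shell
#!/bin/sh
# Added example (not Rapid7's tooling): install the keyring only if it holds
# exactly one primary key whose fingerprint matches the value pinned below.
set -eu

EXPECTED_FPR='97B3 2012 EA11 76F0 5372 7A95 C048 F0B4 9DEE C457'  # from this page
KEY_URL='https://apt.metasploit.com/metasploit-framework.gpg.key'
KEYRING='/usr/share/keyrings/metasploit-framework.gpg'

# Drop whitespace and uppercase, so spaced and compact fingerprints compare equal.
normalize_fpr() {
  printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# Reads `gpg --with-colons` output on stdin. Succeeds only when there is exactly
# one "pub" record and the "fpr" record that follows it (field 10) equals $1.
# Subkey fingerprints (fpr after "sub") are ignored; a second primary key fails,
# because Signed-By trusts every key stored in the keyring file.
fpr_is_pinned() {
  awk -F: -v want="$(normalize_fpr "$1")" '
    $1 == "pub" { pubs++; armed = 1; next }
    $1 == "fpr" && armed { armed = 0; if (toupper($10) == want) hits++ }
    END { exit !(pubs == 1 && hits == 1) }'
}

# Hypothetical helper: fetch to a temp dir, verify, then install as root.
install_pinned_key() {
  tmp=$(mktemp -d) || return 1
  status=1
  if curl -fsSL "$KEY_URL" -o "$tmp/key.asc" &&
     gpg --dearmor < "$tmp/key.asc" > "$tmp/key.gpg" &&
     gpg --show-keys --with-colons "$tmp/key.gpg" | fpr_is_pinned "$EXPECTED_FPR"
  then
    sudo install -m 0644 -o root -g root "$tmp/key.gpg" "$KEYRING" && status=0
  else
    echo "fetch failed or fingerprint mismatch; $KEYRING not written" >&2
  fi
  rm -rf "$tmp"
  return "$status"
}

# Network and sudo are only touched when asked for explicitly.
if [ "${1:-}" = "--install" ]; then
  install_pinned_key
fi
```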
Create the Metasploit APT Source
Rapid7’s Metasploit nightly installer documentation points Debian and Ubuntu users at the official APT repository. The repository uses lucid as its stable suite name, so keep that value as written instead of replacing it with your Ubuntu codename. Rapid7 currently publishes package indexes for amd64, arm64, armhf, and i386; the $(dpkg --print-architecture) value limits APT to the architecture your Ubuntu install actually uses.
printf '%s\n' \
'Types: deb' \
'URIs: https://apt.metasploit.com' \
'Suites: lucid' \
'Components: main' \
"Architectures: $(dpkg --print-architecture)" \
'Signed-By: /usr/share/keyrings/metasploit-framework.gpg' | sudo tee /etc/apt/sources.list.d/metasploit-framework.sources > /dev/null
The sudo tee command writes the source file as root. A normal shell redirection would run as your user and fail because /etc/apt/sources.list.d/ is root-owned.
Refresh APT and Install Metasploit
Update APT again so Ubuntu reads the new Rapid7 source, then install the framework package:
sudo apt update
sudo apt install metasploit-framework
APT should select metasploit-framework from https://apt.metasploit.com. Rapid7 rebuilds nightly packages often, so the exact version changes over time.
Expect a large package transaction. Current Rapid7 packages download roughly 376 to 401 MB and use about 743 to 888 MB after installation, depending on architecture.
Verify Metasploit Framework on Ubuntu
Confirm that the package is installed and that the msfconsole launcher is available from your normal command path:
command -v msfconsole
dpkg-query -W -f='${db:Status-Abbrev} ${binary:Package}\n' metasploit-framework
Relevant output starts with the /usr/bin/msfconsole launcher and an installed package state:
/usr/bin/msfconsole
ii metasploit-framework
Rapid7 registers msfconsole, msfvenom, msfdb, and related tools through update-alternatives. The active executables point into /opt/metasploit-framework/bin/, while the user-facing commands are available under /usr/bin/.
Set Up the Metasploit Database on Ubuntu
Metasploit can open without a database, but database-backed workspaces are useful when you want to keep hosts, services, notes, and imported scan results between sessions. Initialize the per-user database with defaults:
msfdb init --use-defaults
Successful initialization creates the database under ~/.msf4/db and starts it on the bundled PostgreSQL port:
Creating initial database schema
Database initialization successful
Check the database state from the helper. The current Rapid7 package may print RubyGems warning lines before the status block; the important result is the database status itself.
msfdb status
Running the 'status' command for the database:
Database started
Then verify from inside msfconsole without staying in the interactive prompt. A first console run may print an initial setup banner before the database status line.
msfconsole -q -x 'db_status; exit -y'
[*] Connected to msf. Connection type: postgresql.
Run First Metasploit Console Checks
Start the console from a terminal when you are ready to work interactively:
msfconsole
Inside the msf6 > prompt, begin with read-only discovery commands. These commands show help, search module metadata, and inspect a module without running it against any target:
help
search type:auxiliary name:scanner
info auxiliary/scanner/ssh/ssh_version
exit -y
| Command | Use |
|---|---|
| help | Lists console commands and categories. |
| search | Finds modules by type, platform, name, CVE, author, or keyword. |
| info | Shows module description, options, references, and requirements before any run attempt. |
| db_status | Confirms whether the console is connected to the Metasploit database. |
| exit -y | Leaves the console without an extra confirmation prompt. |
Understand Modules and Datastore Options
Rapid7’s Metasploit Framework getting-started documentation describes modules as the framework’s task units and the datastore as named options that configure those tasks. For a first Ubuntu session, use that knowledge to inspect what a module does before setting a target or running anything.
| Concept | First-session meaning |
|---|---|
| auxiliary modules | Support modules such as scanners and enumerators. Inspect them with info before any run attempt. |
| exploit modules | Modules that attempt to use a vulnerability. Run them only against authorized lab targets after reviewing required options. |
| payload modules | Code paired with an exploit after a successful compromise. Payloads are not needed for install verification. |
| post modules | Modules used after an authorized session already exists. |
| Datastore options | set applies a value to the current module; setg creates a global default. Prefer module-level values while learning so settings do not leak into later modules. |
If your lab workflow uses Nmap results, install Nmap on Ubuntu before using Metasploit database import commands such as db_nmap.
Update Metasploit Framework on Ubuntu
Because this install uses an APT source, update Metasploit through APT. The --only-upgrade option upgrades the package only if it is already installed, so it will not perform a new install on a system that does not have Metasploit yet.
sudo apt update
sudo apt install --only-upgrade metasploit-framework
Rapid7 also ships an msfupdate helper, but this DEB822 source layout is cleaner to maintain with APT directly. Keeping updates in APT keeps source ownership obvious and makes removal predictable.
Troubleshoot Metasploit Framework on Ubuntu
APT Reports a Metasploit Key or Source Error
Older Metasploit tutorials and helper runs may leave a legacy .list source or older keyring name. Remove those legacy files, then repeat the Rapid7 signing-key command and recreate /etc/apt/sources.list.d/metasploit-framework.sources if APT still cannot verify the repository:
sudo rm -f /etc/apt/sources.list.d/metasploit-framework.list
sudo rm -f /etc/apt/sources.list.d/metasploit.list
sudo rm -f /usr/share/keyrings/metasploit.gpg
sudo apt update
If sudo apt update still reports a missing key after that cleanup, repeat the Rapid7 signing-key command and confirm /usr/share/keyrings/metasploit-framework.gpg exists.
Metasploit Shows No Database Connection
A console without a database connection usually prints this status:
[*] postgresql selected, no connection
Check whether the per-user database exists and start it if it is already initialized:
msfdb status
msfdb start
If msfdb status says no database exists, initialize it first:
msfdb init --use-defaults
Ruby Gem Warnings Appear During msfdb Commands
Some Rapid7 nightly packages print bundled Ruby warning lines before normal msfdb output:
WARN: Unresolved or ambiguous specs during Gem::Specification.reset:
base64 (>= 0.2)
logger (~> 1.6)
Update Metasploit first. If msfdb status still reports Database started and msfconsole connects to PostgreSQL, the warning is coming from the bundled Metasploit runtime rather than a missing Ubuntu package. Avoid running system Ruby cleanup commands against Ubuntu’s Ruby just to silence a warning from the bundled framework.
Remove Metasploit Framework from Ubuntu
Delete the Metasploit Database
The database cleanup removes Metasploit’s local database and configuration under your account. Export or back up anything you still need before confirming the delete prompt.
If you initialized the Metasploit database, delete it before removing the package so the msfdb helper can stop the bundled PostgreSQL process cleanly:
msfdb delete
The command asks whether to delete existing data and configurations. Answer yes only when you are ready to remove the local database:
[?] Would you like to delete your existing data and configurations? []:
Purge Metasploit and Remove the APT Source
Purge the package after any database cleanup is complete:
sudo apt purge metasploit-framework
Remove the DEB822 source, the dedicated keyring, and legacy filenames used by older Metasploit setup instructions or helper runs:
sudo rm -f /etc/apt/sources.list.d/metasploit-framework.sources
sudo rm -f /etc/apt/sources.list.d/metasploit-framework.list
sudo rm -f /etc/apt/sources.list.d/metasploit.list
sudo rm -f /usr/share/keyrings/metasploit-framework.gpg
sudo rm -f /usr/share/keyrings/metasploit.gpg
sudo apt update
Confirm the launcher and repository candidate are gone:
command -v msfconsole || echo "msfconsole removed"
apt-cache policy metasploit-framework
After the source cleanup, the launcher check should report msfconsole removed. apt-cache policy metasploit-framework should also show no install candidate unless another Metasploit source remains enabled.
Remove Remaining Metasploit User Data
Removing ~/.msf4 deletes Metasploit profile data for the current Linux account, including local configuration, logs, and any remaining workspace files.
Check whether the profile directory still exists:
find "$HOME" -maxdepth 1 -name ".msf4" -print
If the command prints /home/username/.msf4 for your account and you no longer need that profile data, remove it:
rm -rf "$HOME/.msf4"
Conclusion
Metasploit Framework is available on Ubuntu through Rapid7’s APT packages, with the console, database helper, update path, and cleanup commands separated cleanly. For lab reconnaissance, keep Nmap installed for importable scan data, then review Nmap command examples before scanning any network outside your written authorization.

