How to Hack/Exploit Windows using Metasploit | Beginner's Guide

For this video and article, I set up Windows 7 as an easy target, create a payload with Metasploit's MSFvenom, and get full control over the target machine using Metasploit's MSFConsole. And then we are going to have some fun.

I would like to mention that the commands I use in this tutorial are the same whether you use Kali Linux or Parrot Security OS.

Video Hack/Exploit Windows using Metasploit | Beginner’s Guide

In the video, I am using Kali Linux. But once you have installed Metasploit on your computer, you can use the commands I use with any operating system. That includes Kali Linux, Parrot Security OS, and a regular Ubuntu installation.

Setting up a simple server with Python

In the example I show in the video, I put the payload made with MSFvenom on the Kali Linux Apache server.

cd /var/www/html/

But there are more options for setting up a simple server.
You have to make sure that python3 is installed, then you can start the server with a very simple command:

python3 -m http.server
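
From the defender's side, a payload staged this way leaves recognisable traces in web-proxy logs: python3 -m http.server listens on port 8000 by default and answers with a "SimpleHTTP/0.6 Python/3.x" Server header. The hunt below is an added example, not code from the original article; the JSON log format, its field names and the sample records are constructed assumptions.

```python
import ipaddress
import json

# Constructed proxy log records (JSON lines); the field names are assumptions.
SAMPLE_LOG = """\
{"client":"10.0.5.23","host":"192.0.2.44","port":8000,"path":"/update.exe","server":"SimpleHTTP/0.6 Python/3.11.2","bytes":73802}
{"client":"10.0.5.23","host":"cdn.example.com","port":443,"path":"/setup.exe","server":"nginx","bytes":48211003}
{"client":"10.0.5.40","host":"192.0.2.44","port":8000,"path":"/","server":"SimpleHTTP/0.6 Python/3.11.2","bytes":412}
{"client":"10.0.5.61","host":"198.51.100.7","port":80,"path":"/invoice.scr","server":"Apache/2.4.57 (Debian)","bytes":91244}
"""

EXEC_EXT = (".exe", ".dll", ".scr", ".msi", ".ps1", ".hta")

def is_bare_ip(host):
    """True when the destination is an IP literal rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def score(rec):
    """Return (score, reasons) for one proxy record."""
    reasons = []
    path = rec.get("path", "").split("?", 1)[0].lower()
    if path.endswith(EXEC_EXT):
        reasons.append("executable download")
    if rec.get("server", "").startswith("SimpleHTTP/"):
        reasons.append("python http.server banner")
    if is_bare_ip(rec.get("host", "")):
        reasons.append("bare IP destination")
    if rec.get("port") == 8000:
        reasons.append("http.server default port")
    # Only an executable fetch is alert-worthy; the other signals add weight.
    total = len(reasons) if "executable download" in reasons else 0
    return total, reasons

def find_staging(log_text, threshold=3):
    """Return (client, host, path, reasons) for records at or above threshold."""
    alerts = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines rather than abort the hunt
        total, reasons = score(rec)
        if total >= threshold:
            alerts.append((rec.get("client"), rec.get("host"), rec.get("path"), reasons))
    return alerts
```

With the default threshold only the download from the SimpleHTTP server is reported; lowering the threshold to 2 also surfaces the executable fetched from a bare-IP Apache host, which matches the /var/www/html variant above.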

Making the Executable FUD (Fully Undetectable)

Obviously, it is very cool if you can program a bit yourself, so that you can make your own FUD (Fully Undetectable) script. But not everyone can do this, and that is why you can use the script below for this.

To encode the executable, you can use Shellter. Shellter works by changing the executable’s signatures from the obviously malicious one to a completely new and unique one that can bypass detection.

For Debian-based, like Kali Linux or Parrot Security

sudo apt install shellter

For Arch-based, like BlackArch

sudo pacman -S shellter


VirusTotal (And Other Online Scanners) Hand Everything Over to Antivirus Companies

Be aware: never, ever upload scripts, payloads, or anything else to VirusTotal or other online scanners! They hand everything over to antivirus companies. This has never been a secret.


This is a mistake I see many people make. If you are using someone else’s tool, you are making it less likely to work in the future. AV companies aren’t always detecting a payload. They’re often detecting the method used to hide it. So every time you upload a test payload, you’re helping them along.

VirusTotal analyzes suspicious files and URLs to detect types of malware and automatically shares them with the security community.

Obviously, if you are a regular computer user who is not dealing with payloads and other scripts, and you think a "file" is malicious, then I would say that, of course, you have to find out whether the file is doomed.

What is a Payload

A payload can be considered to be somewhat similar to a virus. A payload is a set of malicious code that carries crucial information and can be used to hack any device beyond limits that you can't imagine.

Like the Greek soldiers hiding inside the wooden horse in the tale of the Trojan Horse, a malicious payload can sit harmlessly for some time until it is triggered and does its job.


How to get the payload to the victim

That’s a question I could turn into a lot of articles. 😀
In fact, once you’ve created a payload, you still have to get the payload to a victim, and that can sometimes be quite a challenge. Below I will mention some options.

  • Social Engineering
  • Process the payload in an image
  • Process the payload in a PDF file
  • Put the payload on a server
  • Put the payload on a website
  • Process the payload in an email
  • And so on


  • This article was written for educational purposes and pentest only.
  • The author can not be held responsible for damages caused by the use of these resources.
  • You will not misuse the information to gain unauthorized access.
  • The information shall only be used to expand knowledge and not for causing malicious or damaging attacks.
  • Just remember: performing any hacks without written permission is illegal!

Read also the Disclaimer

All the techniques provided in the tutorials on the, YouTube channel, and on the website are meant for educational purposes only.

If you are using any of those techniques for illegal purposes, can’t be held responsible for possible lawful consequences.

My goal is to educate people and increase awareness by exposing methods used by real black-hat hackers and show how to secure systems from these hackers.



Bulls Eye
My name is Jolanda de Koff and on the internet, I'm also known as Bulls Eye. Ethical Hacker, Penetration tester, Researcher, Programmer, Self Learner, and forever n00b. Not necessarily in that order. Like to make my own hacking tools and I sometimes share them with you. "You can create art & beauty with a computer and Hacking is not a hobby but a way of life ..." I ♥ open-source and Linux