Think pen testing websites requires a full rig? Try it on a budget Android instead.
Back when I first got into ethical hacking, all I had was a secondhand Android phone, spotty Wi-Fi, and a deep curiosity about how websites really worked under the hood. Everyone online seemed to be using full-blown laptops running Kali Linux and fancy VPNs—and I wondered if I’d always be stuck spectating from the sidelines.
That changed when I discovered you could run Metasploit—yes, the real deal—on Termux. Suddenly, pen testing websites wasn’t some distant pro-level skill. It became something I could practice, right there, from the palm of my hand. No expensive gear. No shady tools. Just open-source firepower and a hunger to learn.
In this guide, I’ll show you how to ethically use Metasploit modules for pen testing web apps directly from your Android device. If you’re new to hacking, short on gear, or just want a smarter way to learn—this one’s for you.
Let’s dive in.
⚠️ Important: These tools are intended for ethical hacking, security research, and education. Use them only on systems and networks you own or have permission to test. Unauthorized use can lead to serious legal consequences.
Download my FREE Termux Cheat Sheet Now!
Before You Begin — What You Need to Set Up Pen Testing on Termux
Before diving into modules and exploits, let’s make sure your environment is ready. Here’s a quick checklist to keep you from hitting frustrating snags:
Android Phone (preferably with at least 3GB RAM and Android 10+)
Termux App from F-Droid (not the Play Store version)
Storage Permissions granted:
termux-setup-storageUpdated packages and repos:
pkg update && pkg upgradeEssential packages installed:
pkg install git ruby curl wget nmap postgresqlMetasploit installation (via script):
curl -LO https://raw.githubusercontent.com/Hax4us/Metasploit_termux/master/metasploit.sh
chmod +x metasploit.sh ./metasploit.shInitialize PostgreSQL database (required by Metasploit):
pg_ctl -D $PREFIX/var/lib/postgresql start msfconsoleBy following this setup, you avoid 90% of the problems that derail beginners—and you’ll be ready to ethically pen test with confidence.
Prerequisites
Before you start web application pen testing, ensure the following:
- Termux installed on your Android device.
- Metasploit framework installed in Termux.
- Basic understanding of web vulnerabilities and penetration testing.
Step 1: Installing Metasploit in Termux
If you haven’t installed Metasploit yet, follow these steps:
Update and upgrade your Termux environment:
pkg update && pkg upgradeInstall Metasploit using the following command:
pkg install unstable-repo pkg install metasploitOnce Metasploit is installed, you’re ready to begin pen testing.
Step 2: Using Metasploit to Identify Web Vulnerabilities
SQL Injection Vulnerabilities
SQL injection is one of the most common vulnerabilities in web applications. Metasploit’s auxiliary/scanner/http/sql_injection module can help identify potential SQL injection points. To use this module:
Run the Metasploit console:
msfconsoleUse the SQL injection scanner:
use auxiliary/scanner/http/sql_injection set RHOSTS <target> set RPORT 80 runTest Output Example:
[*] Starting SQL Injection scan against 192.168.1.10
[*] Vulnerable parameter found: id
[*] Possible SQL injection vulnerability detected on: /login.php?id=1Explanation: In this example, Metasploit scanned the target IP and found a possible SQL injection vulnerability in the id parameter of the login.php page. This means an attacker could potentially manipulate this input to access or alter the database. As a next step, the pen tester could attempt to exploit this vulnerability by crafting a custom SQL query.
For more insights on using Metasploit in other contexts, visit the Metasploit Project’s official documentation.
Cross-Site Scripting (XSS)
Cross-site scripting allows an attacker to inject malicious scripts into web pages viewed by other users. Metasploit’s auxiliary/scanner/http/xss_scanner can help detect XSS vulnerabilities:
Load the XSS scanner module:
use auxiliary/scanner/http/xss_scanner set RHOSTS <target> runTest Output Example:
[*] Scanning 192.168.1.10 for XSS vulnerabilities
[*] Vulnerable URL found: /search?q=<script>alert('XSS')</script>Explanation: The output indicates that the target web application has a potential XSS vulnerability in the search query parameter (q). The scanner injected a simple XSS payload (<script>alert('XSS')</script>) and detected that the web page failed to properly sanitize this input, leading to potential exploitation. This could allow attackers to run malicious JavaScript on users’ browsers.
For further examples of network diagnostics with Termux, check our guide on Using Termux for Network Diagnostics.
Remote File Inclusion (RFI) Vulnerabilities
Remote file inclusion occurs when a web application allows external files to be included in the URL. This can lead to arbitrary code execution. To detect this vulnerability with Metasploit:
use auxiliary/scanner/http/file_inclusion set RHOSTS <target> runTest Output Example:
[*] Scanning for File Inclusion vulnerabilities on 192.168.1.10
[*] Vulnerable URL found: /index.php?page=../../../../etc/passwdExplanation: In this output, the scanner found a file inclusion vulnerability on the target’s index.php page, where the page parameter allows access to files outside the web root. In this case, it could lead to the exposure of sensitive files like /etc/passwd, which contains user information on Linux systems. Exploiting this vulnerability could allow attackers to view system files or execute arbitrary code.
Step 3: Exploiting Web Vulnerabilities
After identifying vulnerabilities with Metasploit modules, the next step is to exploit them. For example, after detecting an SQL injection vulnerability, you can use the appropriate exploit module:
Load the SQL injection exploit module:
use exploit/multi/http/sql_injection set RHOSTS <target> set payload <desired_payload> runTest Output Example:
[*] Exploiting SQL injection on 192.168.1.10
[*] Dumping database content...
[+] Retrieved data: username=admin, password=123456Explanation: This output shows the successful exploitation of an SQL injection vulnerability, where the attacker was able to extract sensitive information from the database, such as usernames and passwords. This illustrates how a vulnerability could be leveraged to gain unauthorized access to the web application.
· · ─ ·𖥸· ─ · ·
Let’s Talk Ethics — What Makes a Pen Test “Legal”?
Ethical hacking isn’t just about cool tools and discovering vulnerabilities. It’s about permission, purpose, and protection.
Here’s a simple rule: if you don’t own it, or don’t have written permission, don’t touch it. Testing someone’s website—even “just to see”—without authorization is illegal, regardless of your intent.
Use this guide only on:
- Your own self-hosted sites
- Deliberately vulnerable environments like DVWA, Metasploitable, or bWAPP
- Open training targets in CTF platforms like TryHackMe or Hack The Box
We promote open learning, but we also promote ethical responsibility. The world needs more ethical hackers—FOSS-powered, community-driven defenders who respect the rules while learning to break them.
From Curiosity to Capability: Pen Testing With What You’ve Got
You don’t need a high-end setup to start learning the ropes of ethical hacking. With Termux, Metasploit, and the right mindset, pen testing websites becomes not only possible—it becomes empowering.
This tutorial isn’t just about tools. It’s about flipping the narrative: that security learning is expensive, elitist, or out of reach. FOSS breaks down those barriers. You’ve now got everything you need to start testing websites ethically, safely, and on your own terms.
Want more real-world guides like this?
Join the newsletter at samgalope.dev/newsletter and get hands-on hacking tutorials, FOSS-powered workflows, and practical insights—straight to your inbox.
⚠️ Important: These tools are intended for ethical hacking, security research, and education. Use them only on systems and networks you own or have permission to test. Unauthorized use can lead to serious legal consequences.
Leave a Reply