How to use the Metasploit Framework for penetration testing, from setting up the environment to running exploits and generating reports.
# Metasploit Framework: Penetration Testing Platform
The Metasploit Framework is the most widely deployed penetration testing platform in the security profession, used by offensive security practitioners, red teams, and defenders alike to validate whether known vulnerabilities can be exploited under real conditions. It exists because theoretical vulnerability assessments are insufficient: organizations need empirical proof that a flaw can be reached, triggered, and turned into unauthorized access before they can accurately prioritize remediation. Metasploit closes the gap between "a CVE exists" and "this CVE can be weaponized against our specific environment," giving practitioners a reproducible, structured environment to answer that question without writing exploit code from scratch every time.
---
The Metasploit Framework is an open-source penetration testing platform written primarily in Ruby, maintained by Rapid7, and distributed under a BSD-style license. At its core, it is a modular exploit development and execution environment that organizes offensive security capabilities into discrete, reusable modules: exploits, payloads, auxiliary tasks, post-exploitation routines, and encoders.
It is important to distinguish Metasploit from adjacent concepts. Metasploit is not a vulnerability scanner. Tools like Nessus, OpenVAS, or Qualys identify and report on vulnerabilities; Metasploit attempts to confirm exploitability by actually triggering them. It is also not a network mapper: that role belongs to tools like Nmap, though Metasploit integrates Nmap output natively through its database. Metasploit is not malware, though its payloads, particularly Meterpreter, share behavioral characteristics with remote access trojans and are therefore detected by endpoint security tools.
Metasploit exists in several variants. The Community Framework edition is free and open-source, accessible through msfconsole, and appropriate for most penetration testing workflows. Metasploit Pro is a commercial product from Rapid7 that adds a web-based interface, automated exploitation chains, phishing campaign management, and compliance-oriented reporting. Metasploit Express (now discontinued) occupied a middle tier. For this article, references to "Metasploit" mean the open-source Framework unless specified otherwise.
What Metasploit is not: it is not an authorization mechanism. Running Metasploit against systems you do not own or do not have explicit written permission to test constitutes unauthorized computer access under statutes such as the Computer Fraud and Abuse Act (CFAA) in the United States and equivalent legislation in other jurisdictions. The tool itself is neutral; its legality depends entirely on authorization.
---
Metasploit organizes its capabilities into a structured module system, each module type serving a specific role in a penetration testing engagement. Understanding the full chain, from reconnaissance through post-exploitation, is essential to using the platform correctly and interpreting its output accurately.
## The Module Architecture
Exploits are modules that trigger a specific vulnerability in a target service or application. Each exploit module is written to match a particular CVE or class of vulnerability, a specific software version range, and an operating system type. When a practitioner selects an exploit module, they are selecting a piece of code that implements the mechanics of a known attack path. The framework contains over 2,000 exploit modules covering everything from memory corruption vulnerabilities to web application flaws to industrial control system weaknesses.
Payloads are the code that executes on the target after a successful exploit. They are separate from the exploit itself, which allows mix-and-match combinations. A reverse TCP shell payload instructs the target to initiate an outbound connection back to the attacker's listener, which bypasses many inbound firewall rules. A bind shell payload opens a listening port on the target and waits for an inbound connection from the tester. Meterpreter is Metasploit's advanced in-memory payload that never writes to disk in its initial form, communicates over an encrypted channel, and provides a rich set of post-exploitation commands including file system access, process injection, credential dumping, and pivot routing.
Auxiliary modules cover non-exploitation tasks: port scanning, service fingerprinting, brute-force credential attacks, fuzzing, and protocol-specific enumeration. These are commonly used in the reconnaissance and enumeration phases before exploitation begins. The framework includes over 1,200 auxiliary modules, many targeting specific services like SMB, SSH, HTTP, and database protocols.
Post-exploitation modules run after Meterpreter or a shell session is established. They automate common post-exploitation tasks: extracting password hashes, searching for sensitive files, gathering system information, pivoting to adjacent network segments, and establishing persistence mechanisms. The post/multi/recon/local_exploit_suggester module, for instance, analyzes the compromised host and recommends additional exploits that might escalate privileges or enable lateral movement.
Encoders transform payloads to avoid pattern-based detection by inline security controls, though modern endpoint detection and response (EDR) systems focus on behavioral detection rather than static signatures, limiting the effectiveness of basic encoding.
## A Concrete Scenario: EternalBlue Against an Unpatched Windows Host
Consider a penetration test against an internal corporate network. Scope includes a Windows Server 2008 R2 host that the client believes is fully patched. The tester begins with an Nmap scan, which Metasploit imports directly into its PostgreSQL database using the db_nmap command inside msfconsole. The scan reveals that TCP port 445 (SMB) is open.
The tester runs the SMB MS17-010 auxiliary scanner module (auxiliary/scanner/smb/smb_ms17_010) against the target. The module returns a result indicating the host appears vulnerable to EternalBlue (CVE-2017-0144), a critical SMB buffer overflow disclosed by the Shadow Brokers and exploited in the WannaCry and NotPetya campaigns of 2017.
The tester selects the exploit module exploit/windows/smb/ms17_010_eternalblue, sets the RHOSTS parameter to the target IP, selects a Meterpreter reverse TCP payload (windows/x64/meterpreter/reverse_tcp), sets LHOST to the tester's machine IP, and executes with run. If the target is vulnerable and unpatched, the exploit triggers the overflow, injects the payload into memory, and opens a Meterpreter session on the tester's machine.
From the Meterpreter session, the tester runs getsystem to attempt privilege escalation to SYSTEM-level access, then hashdump to extract NTLM password hashes from the SAM database, and run post/multi/recon/local_exploit_suggester to identify additional local privilege escalation paths. This entire workflow, from scanning to credential extraction, takes fewer than ten minutes against a vulnerable and unpatched target.
## Web Application Exploitation Example
Metasploit's web application testing capabilities extend beyond network service exploitation. The auxiliary/scanner/http/dir_scanner module performs directory enumeration against web servers, while modules like exploit/multi/http/struts2_content_type_ognl target specific web framework vulnerabilities. For SQL injection testing, modules such as auxiliary/scanner/mssql/mssql_login test database authentication and auxiliary/admin/mssql/mssql_enum extracts database configuration information.
The framework's web delivery module (exploit/multi/script/web_delivery) serves payloads through HTTP, allowing testers to simulate attacks where users download and execute malicious scripts. This is particularly valuable for testing user awareness and browser security controls.
## Configuration Considerations and Operational Practice
Setting the correct LHOST value is critical when working across network address translation (NAT) boundaries. Practitioners working from behind a NAT device must either port-forward on their router or use a VPN with a routable address. The setg command in msfconsole sets global variables that persist across module switches, reducing repetitive configuration. Workspaces in Metasploit's database allow testers to segment findings by client or engagement, preventing cross-contamination of host records. The hosts and services commands query the database to provide a structured view of discovered assets.
Resource scripts automate common workflows by scripting msfconsole commands. A typical resource script might import an Nmap scan, run specific auxiliary scanners against discovered services, and launch appropriate exploits based on the results. This automation is particularly valuable during time-constrained engagements or when testing large IP ranges.
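The scan-import, workspace and vulnerability-check steps from the EternalBlue scenario above, written as a resource script of the kind this section describes. This is an added example, not a script from the original article or from the Metasploit project; the workspace name, file paths, subnet and thread count are placeholders to replace for a real engagement.

```text
# ms17_010_validate.rc  (constructed example, not part of the original article)
# Usage: msfconsole -q -r ms17_010_validate.rc

# Keep this engagement's hosts and findings separate from other clients
workspace -a acme_internal_2024q2

# Write everything msfconsole prints to an evidence file for the report
spool /tmp/acme_ms17_010_validation.log

# Import an existing Nmap XML result instead of scanning a second time ...
db_import /tmp/acme_internal_445.xml
# ... or scan straight into the database (TCP 445 only, service detection on)
# db_nmap -sV -p 445 --open 10.10.20.0/24

# List the imported hosts that expose SMB
services -p 445 -u

# Hand those hosts to the MS17-010 checker; -R fills RHOSTS from the database
use auxiliary/scanner/smb/smb_ms17_010
services -p 445 -u -R
set THREADS 16
run

# Hosts the checker flagged are stored as vulns; list them for the findings table
vulns
spool off
```

The script stops at the vulnerability check, which is all the patch-validation argument made later in this article requires; the exploitation step follows the manual workflow described in the scenario section.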
---
Organizations that rely solely on vulnerability scanners to assess their security posture are making a category error. A vulnerability scanner tells you a flaw exists; it does not tell you whether that flaw is reachable from the network segment an attacker would most likely occupy, whether compensating controls block the exploitation path, or whether the potential impact is a low-privilege shell or full domain compromise. Metasploit closes that gap by providing empirical evidence of actual exploitability under real network conditions.
Without penetration testing using a platform like Metasploit, security teams operate on assumptions. They assume that their firewall blocks lateral movement. They assume that their patching program is current. They assume that their endpoint controls would catch a Meterpreter session. Metasploit's value is in converting those assumptions into verified facts or falsified hypotheses.
## Real-World Consequence: WannaCry and the Cost of Untested Patch Compliance
The WannaCry ransomware campaign of May 2017 infected more than 230,000 systems across 150 countries within a single day. The UK's National Health Service (NHS) was among the most severely affected, with over 80 of its trusts impacted, roughly 19,000 appointments cancelled, and estimated damages exceeding 92 million GBP according to the UK Department of Health. The vulnerability exploited (MS17-010, EternalBlue) had been patched by Microsoft in March 2017, two months before the outbreak.
Organizations that had run active exploitation tests using a module equivalent to ms17_010_eternalblue against their estate in the weeks after the patch release would have identified unpatched hosts before WannaCry did. Those that relied only on scanner reports showing "patch installed on 98% of hosts" missed the 2% that WannaCry found immediately.
## Financial Impact and Regulatory Compliance
The financial implications of unvalidated vulnerabilities extend beyond direct incident response costs. Regulatory frameworks like PCI DSS require penetration testing for organizations handling credit card data. HIPAA security rule implementation guidance recommends periodic penetration testing for healthcare organizations. The EU's GDPR includes provisions for technical and organizational measures that would encompass active vulnerability validation.
Insurance companies increasingly require proof of security testing before writing cybersecurity policies. Lloyd's of London and other major insurers now request penetration testing reports as part of their underwriting process. Organizations that cannot demonstrate regular exploitation testing face higher premiums or policy exclusions.
## Common Misconceptions
A persistent misconception is that Metasploit use implies criminal intent. In practice, it is a standard tool in every major penetration testing certification curriculum, including OSCP, CEH, and GPEN, and is recommended in NIST SP 800-115 as part of a technical security testing methodology. Another misconception is that successful exploitation during a pentest means the organization is definitively compromised in production. Penetration tests occur under controlled conditions; production exploitation involves additional factors including defender response times, network segmentation enforcement, and logging fidelity.
Some organizations believe that annual penetration testing provides adequate validation. This approach fails to account for the rapid pace of software deployment, configuration changes, and new vulnerability disclosure. Quarterly or continuous testing using Metasploit provides a more realistic assessment of ongoing security posture.
---
CDA approaches Metasploit and the broader penetration testing capability set through the lens of Predictive Defense Intelligence (PDI): see the threat before it sees you. Within the Planetary Defense Model (PDM), Metasploit sits firmly in the Threat Intelligence and Detection (TID) domain, serving as the empirical validation layer that converts raw threat intelligence into actionable risk findings.
Where many organizations treat penetration testing as a compliance checkbox, CDA treats it as a continuous intelligence-gathering function. A single annual penetration test tells you what was exploitable on one day under one scope. CDA's methodology calls for targeted, hypothesis-driven testing cycles tied directly to current threat actor TTPs (Tactics, Techniques, and Procedures) from MITRE ATT&CK. When threat intelligence indicates that a particular threat group is actively exploiting SMB vulnerabilities in the financial sector, the PDI cycle triggers a focused validation exercise using the relevant Metasploit modules against the client's SMB-exposed assets, not a full-scope engagement, but a precise, time-sensitive validation.
CDA's operational differentiation with Metasploit involves three specific practices. First, all Metasploit module selections are mapped explicitly to MITRE ATT&CK technique IDs before execution. This ensures findings are expressed in a language that bridges offensive and defensive teams rather than in tool-specific terminology that obscures the actual adversary behavior being simulated. Second, CDA treats the post-exploitation phase as the primary intelligence collection phase, not just a proof-of-concept. How far a Meterpreter session can pivot, which credentials are reachable, and which monitoring systems fail to alert on the activity are all findings of equal or greater importance than the initial exploit. Third, all Metasploit session logs, commands, and outputs are preserved in an evidence chain that supports both remediation guidance and, where relevant, regulatory reporting obligations under frameworks like PCI DSS or HIPAA.
This approach positions Metasploit not as an attack simulation toy but as a precision measurement instrument for security control effectiveness, which is precisely how it should be used in a mature security program.
---
- Import scans through db_nmap rather than running standalone scans; this enables the hosts and services commands to correlate findings automatically and reduces duplicate work across an engagement.
- Run the local_exploit_suggester post-exploitation module against every initial shell you obtain, even low-privilege ones, before concluding that limited access means limited impact; most privilege escalation paths begin from exactly the positions that are easy to underestimate.
---
Written by CDA Wiki Team