Metasploit is an open-source exploitation framework that bundles a database of public exploits, supporting payloads, post-exploitation modules, and the tooling to chain them together against a target. It is the most widely used framework of its kind and is a fixture of internal and external penetration testing.
Core concepts
Modules are the units of functionality: exploit modules contain the attack code, payload modules contain what runs after exploitation (a shell, a Meterpreter session, a custom callback), auxiliary modules perform supporting actions such as scanning and brute-forcing, and post modules run on a compromised target to escalate, gather credentials, or pivot.
Meterpreter is Metasploit’s signature post-exploitation payload. It runs entirely in memory on the target, provides a rich command set (file system access, process listing, screenshot, keyboard capture, network pivoting), and supports loading additional capabilities at runtime.
The msfconsole is the primary interface, a command-line shell where modules are selected, configured with the set command, and executed with run or exploit.
Typical workflow
A tester runs db_nmap to scan and import results into the Metasploit database, queries the database for hosts running vulnerable services, selects an appropriate exploit module, configures target and payload, and launches. After a successful exploit, Meterpreter is used for credential dumping, lateral movement via pass-the-hash, and discovery of next-stage targets.
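As an added example (not part of this page and not Metasploit's own code), the following Ruby script, written in the framework's own language, performs the second step of the workflow above on a constructed Nmap XML document, the format that db_nmap imports into the Metasploit database: it parses hosts and open ports and answers which hosts expose a given port or service, which is also the inventory a defender wants before a tester asks the same question. The sample XML, the Service struct and the function names are assumptions made for this example; the query helpers roughly mirror what the msfconsole services command shows when filtered by port.

```ruby
# Added example, not Metasploit project code: parse Nmap XML (the format
# db_nmap imports) and query it for hosts exposing a given port or service.
require 'rexml/document'

# Constructed sample scan: one host with SMB open and RDP closed, one with only SSH.
SAMPLE_NMAP_XML = <<~XML
  <?xml version="1.0"?>
  <nmaprun scanner="nmap">
    <host>
      <status state="up"/>
      <address addr="10.0.0.5" addrtype="ipv4"/>
      <ports>
        <port protocol="tcp" portid="445">
          <state state="open"/>
          <service name="microsoft-ds" product="Samba smbd"/>
        </port>
        <port protocol="tcp" portid="3389">
          <state state="closed"/>
          <service name="ms-wbt-server"/>
        </port>
      </ports>
    </host>
    <host>
      <status state="up"/>
      <address addr="10.0.0.9" addrtype="ipv4"/>
      <ports>
        <port protocol="tcp" portid="22">
          <state state="open"/>
          <service name="ssh" product="OpenSSH" version="8.9"/>
        </port>
      </ports>
    </host>
  </nmaprun>
XML

# One row per open service, roughly the shape of Metasploit's services table.
Service = Struct.new(:host, :proto, :port, :name, :product, :version)

# Read an attribute from an element that may be absent.
def attr_of(element, key)
  element ? element.attributes[key] : nil
end

# Parse Nmap XML into a flat list of open services on hosts that are up.
def parse_nmap_xml(xml)
  doc = REXML::Document.new(xml)
  services = []
  doc.elements.each('nmaprun/host') do |host|
    next unless attr_of(host.elements['status'], 'state') == 'up'
    addr = attr_of(host.elements["address[@addrtype='ipv4']"], 'addr')
    next unless addr
    host.elements.each('ports/port') do |port|
      # Closed and filtered ports are skipped; only open ones are exposure.
      next unless attr_of(port.elements['state'], 'state') == 'open'
      svc = port.elements['service']
      services << Service.new(
        addr,
        port.attributes['protocol'],
        port.attributes['portid'].to_i,
        attr_of(svc, 'name'),
        attr_of(svc, 'product'),
        attr_of(svc, 'version')
      )
    end
  end
  services
end

# Hosts with a given open port (like filtering the services table by port).
def hosts_with_open_port(services, port, proto = 'tcp')
  services.select { |s| s.port == port && s.proto == proto }.map(&:host).uniq
end

# Hosts whose open service name contains the given fragment.
def hosts_with_service(services, name_fragment)
  services.select { |s| s.name.to_s.include?(name_fragment) }.map(&:host).uniq
end

if __FILE__ == $PROGRAM_NAME
  svcs = parse_nmap_xml(SAMPLE_NMAP_XML)
  svcs.each do |s|
    puts "#{s.host} #{s.proto}/#{s.port} #{s.name} #{s.product} #{s.version}".strip
  end
  puts "Hosts exposing 445/tcp: #{hosts_with_open_port(svcs, 445).join(', ')}"
end
```

The same parser can be pointed at a real scan saved with nmap -oX; because closed and filtered ports are dropped during parsing, the two query functions only ever report services a host actually exposes.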
Editions
The open-source Metasploit Framework is free and installed by default on Kali Linux. Metasploit Pro (commercial, from Rapid7) adds a web interface, automated phishing campaigns, vulnerability validation workflows, reporting templates, and policy controls. Most working pen testers use the open-source edition.
Limits and ethics
Metasploit’s exploit catalogue is public, which means defenders also have it. Many exploits are effective only against unpatched targets; on patched modern systems, Metasploit is used more for post-exploitation and pivoting than for initial access. As with all offensive tools, use against any system without written authorisation is a criminal offence in the UK under the Computer Misuse Act 1990.
Related terms
See also: exploit, Kali Linux, Nmap, and penetration testing.