Nmap tells you a service is running. Nessus tells you the service is vulnerable. Metasploit tells you what an attacker can do about it. It's the framework that turns a CVE number into a shell, a shell into domain credentials, and domain credentials into evidence that the organisation's most sensitive data is accessible — all documented, timestamped, and reproducible.
Created by H.D. Moore in 2003 and now maintained by Rapid7, Metasploit is the most widely used exploitation framework in penetration testing. The open-source Metasploit Framework (MSF) contains over 2,300 exploits, 600 payloads, and thousands of auxiliary and post-exploitation modules. It's not a single tool — it's a platform that provides a consistent interface for exploit development, payload generation, exploitation, post-exploitation, and pivoting.
This deep dive covers the framework as professional penetration testers use it: not as a point-and-click attack tool, but as a structured exploitation platform where every action is logged, every compromise is evidenced, and every step serves the objective of producing a clear, defensible pen test report.
Metasploit is a legitimate security testing tool used by professionals worldwide. The techniques described in this article must only be used against systems you own or have explicit written authorisation to test. Unauthorised use of exploitation tools is illegal under the Computer Misuse Act 1990 (UK), the Computer Fraud and Abuse Act (US), and equivalent legislation in most jurisdictions.
Metasploit's power comes from its modular architecture. Every capability — every exploit, every payload, every post-exploitation technique — is a module that can be loaded, configured, and executed independently. Understanding the module types is the foundation for using the framework effectively.
| Module Type | What It Does | Example |
|---|---|---|
| Exploits | Code that triggers a vulnerability in a target system to deliver a payload. Exploits are organised by platform and service: exploit/windows/smb/, exploit/linux/http/, exploit/multi/misc/. | exploit/windows/smb/ms17_010_eternalblue — the exploit that powered WannaCry, targeting SMBv1 on unpatched Windows systems. |
| Payloads | Code delivered by the exploit that runs on the target after successful exploitation. Payloads range from simple command execution to full-featured remote access agents (Meterpreter). | windows/x64/meterpreter/reverse_tcp — a staged Meterpreter payload that connects back to the attacker over TCP. |
| Auxiliary | Modules that perform tasks other than exploitation: scanning, enumeration, fuzzing, denial-of-service testing, brute-forcing, and service fingerprinting. The reconnaissance and enumeration workhorse. | auxiliary/scanner/smb/smb_ms17_010 — scans a range for EternalBlue vulnerability without exploiting it. |
| Post-exploitation | Modules that run after a system is compromised: credential harvesting, privilege escalation, persistence, lateral movement, and data collection. | post/windows/gather/hashdump — extracts local password hashes from a compromised Windows system. |
| Encoders | Transform payloads to avoid signature-based detection by antivirus and IDS. They encode the payload's byte sequence without changing its functionality. | x86/shikata_ga_nai — polymorphic XOR encoder, historically effective against AV (now widely signatured). |
| Evasion | Purpose-built modules for generating payloads that bypass specific security products. More sophisticated than encoders — they generate executables designed to evade modern endpoint detection. | evasion/windows/windows_defender_exe — generates an executable specifically crafted to bypass Windows Defender. |
msfconsole — the interface where everything happens.
msfconsole is the primary interface to the Metasploit Framework. It provides a command-line environment for searching, loading, configuring, and executing modules — and for managing the database of hosts, services, and credentials discovered during the engagement.
The payload is the code that runs on the target after the exploit succeeds. Metasploit's payload naming convention encodes critical information: the platform, architecture, payload type, and communication method. Understanding this convention is the difference between a payload that works and one that doesn't.
| Payload Type | Naming Convention | How It Works | When to Use |
|---|---|---|---|
| Staged | windows/x64/meterpreter/reverse_tcp (forward slash before handler type) | A small first-stage (stager) is delivered by the exploit. The stager connects back to the attacker and downloads the larger second-stage payload (Meterpreter). Smaller initial payload — fits in tighter exploit buffers. | When the exploit has a limited payload size. When you need the smallest possible initial footprint. Most common choice for initial exploitation. |
| Stageless | windows/x64/meterpreter_reverse_tcp (underscore before handler type) | The entire payload is delivered in a single stage. Larger initial payload but no need for a second connection to download the main stage. Self-contained. | When the exploit buffer is large enough. When the network is unreliable and the second-stage download might fail. When you want to minimise the number of network connections. |
The choice between reverse_tcp, reverse_https, and other communication methods depends on the target's network controls. reverse_tcp is the simplest and most reliable — but it's also the most easily detected and blocked. reverse_https blends with normal web traffic and is harder to distinguish from legitimate HTTPS connections. On heavily monitored networks, HTTPS payloads communicating over port 443 are significantly harder for network security tools to flag.
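An added example (not Metasploit's own code) that parses payload names according to the slash/underscore convention described above and reads the transport off the handler name. The architecture list and the reverse/bind direction prefixes are assumptions covering the common cases; the cmd/ script payloads do not follow this convention and are out of scope.

```python
"""Parse a Metasploit payload name into platform, arch, kind, staging, handler.

Added example for this article, not Metasploit's own code. ARCHES and the
direction prefixes are assumptions covering the common cases.
"""
from dataclasses import dataclass
from typing import Optional

ARCHES = {"x86", "x64", "aarch64", "armle", "mipsbe", "mipsle"}  # assumed set
DIRECTIONS = ("reverse", "bind")  # handler names start with the direction


@dataclass(frozen=True)
class PayloadName:
    platform: str
    arch: Optional[str]
    kind: str               # "meterpreter", "shell", "exec", ...
    staging: str            # "staged", "stageless" or "single"
    handler: Optional[str]  # "reverse_tcp", "bind_tcp", ...; None for singles


def parse_payload(name: str) -> PayloadName:
    parts = name.split("/")
    platform = parts[0]
    arch = parts[1] if len(parts) > 1 and parts[1] in ARCHES else None
    rest = parts[2:] if arch else parts[1:]
    if not rest:
        raise ValueError(f"no payload type in {name!r}")
    last = rest[-1]
    # Staged: the handler is a separate path component after the kind, so the
    # exploit only delivers a stager (windows/x64/meterpreter/reverse_tcp).
    if last.startswith(DIRECTIONS) and len(rest) >= 2:
        return PayloadName(platform, arch, "/".join(rest[:-1]), "staged", last)
    # Stageless: kind and handler are joined by an underscore and the whole
    # payload is delivered at once (windows/x64/meterpreter_reverse_tcp).
    for direction in DIRECTIONS:
        marker = f"_{direction}_"
        if marker in last:
            kind, _, transport = last.partition(marker)
            return PayloadName(platform, arch, kind, "stageless",
                               f"{direction}_{transport}")
    # Single: no handler component at all (windows/x64/exec runs and exits).
    return PayloadName(platform, arch, "/".join(rest), "single", None)


def transport_of(p: PayloadName) -> Optional[str]:
    """Transport after the direction ('tcp', 'http', 'https'); None for singles."""
    return None if p.handler is None else p.handler.split("_", 1)[1]
```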
Meterpreter (Meta-Interpreter) is Metasploit's advanced payload — a memory-resident agent that runs entirely in RAM without writing to disk, communicates over encrypted channels, and provides a rich set of post-exploitation commands. It's the difference between a raw command shell and a structured platform for credential harvesting, privilege escalation, pivoting, and evidence collection.
The load kiwi command deserves particular attention. Kiwi is Metasploit's built-in Mimikatz integration — it extracts plaintext passwords, NTLM hashes, and Kerberos tickets directly from the memory of a compromised Windows system. On a domain controller (or with sufficient privileges), kiwi_cmd lsadump::dcsync performs the DCSync attack — replicating the domain's password database as if Meterpreter were a domain controller. This is frequently the step that produces the "Domain Admin achieved" finding in a pen test report.
Metasploit includes a PostgreSQL database that tracks every host, service, vulnerability, and credential discovered during the engagement. Combined with Nmap import, it creates a centralised intelligence picture that the tester uses to select targets, track progress, and generate evidence.
The workflow is: scan with Nmap, import into Metasploit, query the database to identify targets, run auxiliary scanners to confirm vulnerabilities, exploit confirmed targets, and harvest credentials — all tracked in the database. At the end of the engagement, the database contains a complete record of every host, service, vulnerability, exploitation attempt, and credential — forming the evidence base for the report.
Pivoting is the process of using a compromised system to access network segments the attacker can't reach directly. Metasploit's autoroute and SOCKS proxy capabilities make pivoting seamless — once configured, all Metasploit modules and external tools can route through the compromised host as if the attacker were on the target network.
The combination of autoroute and the SOCKS proxy is one of Metasploit's most powerful capabilities. autoroute handles routing for Metasploit's own modules. The SOCKS proxy extends this to every external tool that supports proxy chains — Nmap, CrackMapExec, Gobuster, BloodHound's SharpHound collector, and any other tool the tester needs to run against the otherwise-unreachable network segment.
Metasploit isn't used in isolation — it's one tool in a chain that starts with reconnaissance and ends with a report. Here's how it fits into a typical internal infrastructure engagement.
msfvenom — standalone payloads for every scenario.
msfvenom is Metasploit's standalone payload generator — used to create executable files, shellcode, scripts, and web payloads outside the framework. When the exploit isn't a Metasploit module — when the tester needs to deliver a payload via social engineering, a file upload vulnerability, or a manual exploitation technique — msfvenom generates the payload as a standalone file.
Understanding Metasploit isn't just for attackers — defenders benefit from knowing what their adversaries are using. Metasploit's default configurations produce detectable signatures that a well-tuned SOC can identify.
| Detection Opportunity | What to Look For | Where |
|---|---|---|
| Default Meterpreter traffic | TLS connections on non-standard ports with self-signed certificates. Meterpreter's default TLS certificate has a recognisable serial number and issuer pattern. | Network monitoring / IDS. Flag outbound TLS connections to non-standard ports with self-signed certs and check certificate metadata. |
| Named pipe indicators | Metasploit's PsExec module creates a named pipe with a default name pattern on the target. Default service names and binary names are also recognisable. | Windows Event Logs (Event ID 7045 — new service installation). EDR telemetry monitoring named pipe creation. |
| Mimikatz / Kiwi in memory | The load kiwi command loads Mimikatz into the Meterpreter process. This triggers in-memory signatures that most modern EDR products detect. | EDR / endpoint telemetry. AMSI (Antimalware Scan Interface) detections. Process memory scanning. |
| DCSync traffic | DCSync generates Directory Replication Service (DRS) traffic from a non-domain-controller host — a highly anomalous event that should trigger an immediate alert. | Domain controller event logs (Event ID 4662 with specific GUIDs for replication). SIEM rules monitoring DRS requests from non-DC hosts. |
| Staged payload download | Staged payloads generate a small initial connection followed by a larger download — the second stage. The traffic pattern (small outbound, large inbound) is detectable. | Network traffic analysis. Proxy logs showing unusual download patterns from internal hosts. |
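The DCSync row above in working form, as an added example that is not part of the original article or any vendor's rule set: it scans parsed Event ID 4662 records for the directory-replication control-access rights and alerts on any requesting account that is not a domain controller. The allowlist and the sample events are constructed for the demonstration.

```python
"""Flag DCSync-style replication requests in Windows Security Event ID 4662.

Added example for this article's detection table; not Metasploit code and
not a vendor rule. Events are constructed samples; the allowlist of accounts
expected to replicate is an assumption for the demonstration.
"""
import re

# Control-access-right GUIDs for directory replication (Microsoft-documented);
# a 4662 whose Properties names one of these is a replication request.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Assumed: only DC machine accounts replicate here. A real environment adds
# its sync tools' service accounts (e.g. Azure AD Connect) to this set.
REPLICATION_ALLOWLIST = {"DC01$", "DC02$"}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed samples in the shape of parsed 4662 records (EventData fields).
SAMPLE_EVENTS = [
    {"EventID": 4662, "Computer": "DC01.corp.local", "SubjectUserName": "DC02$",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},      # DC-to-DC, normal
    {"EventID": 4662, "Computer": "DC01.corp.local", "SubjectUserName": "jsmith",
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},  # user account
    {"EventID": 4662, "Computer": "DC01.corp.local", "SubjectUserName": "jsmith",
     "Properties": "%%7688 {00000000-0000-0000-0000-000000000000}"},  # not replication
    {"EventID": 4624, "Computer": "DC01.corp.local", "SubjectUserName": "jsmith"},
]


def find_dcsync(events, allowlist=REPLICATION_ALLOWLIST):
    """One alert per 4662 event requesting replication rights with an account
    outside the allowlist; fires on any one of the three rights."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = [REPLICATION_GUIDS[g.lower()]
                  for g in GUID_RE.findall(ev.get("Properties", ""))
                  if g.lower() in REPLICATION_GUIDS]
        if not rights or ev.get("SubjectUserName") in allowlist:
            continue  # ordinary object access, or a DC replicating normally
        alerts.append({"dc": ev["Computer"],
                       "account": ev["SubjectUserName"],
                       "rights": rights})
    return alerts
```

In production the allowlist should be derived from the Domain Controllers OU rather than typed by hand, so a newly promoted DC does not start generating false positives.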
Metasploit is the framework that bridges the gap between vulnerability identification and exploitation evidence. Nmap finds the service. Nessus identifies the vulnerability. Metasploit proves what an attacker can do with it — and does so in a structured, logged, reproducible way that produces the evidence a pen test report requires.
Its strength is the modular architecture: exploits, payloads, auxiliaries, and post-exploitation modules that can be combined for virtually any scenario. Its practical value is the database that tracks every host, service, credential, and action across the engagement — creating the audit trail that turns a demonstration into a finding, and a finding into a remediation recommendation.
For defenders, understanding Metasploit is equally valuable. Knowing how the framework operates — its default signatures, its traffic patterns, its named pipes and service names — provides the detection opportunities that a well-tuned SOC can use to identify Metasploit-based attacks in progress. The same framework that helps the pen tester demonstrate risk helps the defender detect and prevent it.
Our testers use Metasploit as part of a disciplined methodology where every compromise is documented, every credential is tracked, and every exploitation step produces the evidence that makes findings undeniable and remediations specific.