Senior Writer

What is Metasploit? And how to use this popular hacking tool

Mar 25, 2019 | 4 mins

Metasploit is a widely used penetration testing tool that makes hacking way easier than it used to be. It has become an indispensable tool for both red team and blue team.


Metasploit definition

Metasploit is a penetration testing framework that makes hacking simple. It’s an essential tool for many attackers and defenders. Point Metasploit at your target, pick an exploit, choose what payload to drop, and hit Enter.

It’s not quite as simple as that, of course, so let’s begin at the beginning. Back in ye olden days of yore, pentesting involved a lot of repetitive labor that Metasploit now automates. Information gathering? Gaining access? Maintaining persistence? Evading detection? Metasploit is a hacker’s Swiss army chainsaw (sorry, Perl!), and if you work in information security, you’re probably already using it.

Better still, the core Metasploit Framework is both free and libre software and comes pre-installed in Kali Linux. (It’s BSD-licensed, in case you’re curious.) The framework offers only a command-line interface, but those wanting GUI-based click-and-drag hacking — plus some other cool features — can drop a bundle for per-seat licenses to Metasploit Pro.

Let’s take a closer look at how Metasploit works, and its history.

History of Metasploit

HD Moore began working on Metasploit in the early oughts, and released 1.0, written in Perl, in 2003. The project has grown dramatically since then, from the original 11 exploits the project came with to more than 1,500 now, plus around 500 payloads, with a switch to Ruby under the hood along the way.

Security outfit Rapid7 acquired both Metasploit and Moore in 2009. (Moore left the project in 2016.) Metasploit has since become the de facto framework for exploit development, despite competition from Canvas and Core Impact. Today it is common for zero-day reports to include a Metasploit module as proof of concept.

How to use Metasploit

During the information gathering phase of a pentest, Metasploit integrates seamlessly with Nmap, SNMP scanning and Windows patch enumeration, among others. There’s even a bridge to Nessus, Tenable’s vulnerability scanner. Pretty much every reconnaissance tool you can think of integrates with Metasploit, making it possible to find the chink in the armor you’re looking for.

Once you’ve identified a weakness, hunt through Metasploit’s large and extensible database for the exploit that will crack open that chink and get you in. For instance, NSA’s EternalBlue exploit, released by the Shadow Brokers in 2017, has been packaged for Metasploit and is a reliable go-to when dealing with unpatched legacy Windows systems.

Like fine wine and cheese, pair the exploit with a payload to suit the task at hand. Since what most folks are wanting is a shell, a suitable payload when attacking Windows systems is the ever-popular Meterpreter, an in-memory-only interactive shell. Linux boxes get their own shellcode, depending on the exploit used.

Once on a target machine, Metasploit’s quiver contains a full suite of post-exploitation tools, including privilege escalation, pass the hash, packet sniffing, screen capture, keyloggers, and pivoting tools. You can also set up a persistent backdoor in case the machine in question gets rebooted.

More and more features are added to Metasploit every year, including a fuzzer to identify potential security flaws in binaries, as well as a set of auxiliary modules too long to list here.

This is only a high-level view of what Metasploit can do. The framework is modular and easily extensible and enjoys an active community. If it doesn’t do exactly what you want it to do, you can almost certainly tweak it to suit.

How to learn Metasploit

Many free and cheap resources are available to learn Metasploit. The best place to start for many is probably downloading and installing Kali Linux, along with a vulnerable virtual machine (VM) for target practice. (Don’t learn Metasploit by pointing it at other people’s networks without their permission. That would be illegal.)

Offensive Security, the folks who maintain Kali and run the OSCP certification, also offer Metasploit Unleashed, a free training course that asks only for a donation to hungry children in Africa in return. The No Starch Metasploit book is also an indispensable resource that, like all No Starch Press books, comes with a DRM-free ebook.

The Metasploit project offers detailed documentation and its YouTube channel is another good resource for the beginning penetration tester.

Where to download Metasploit

Metasploit ships as part of Kali Linux, but you can also download it separately at the Metasploit website. Metasploit runs on *nix and Windows systems. The Metasploit Framework source code is available on GitHub.

Like Coca-Cola, Metasploit comes in different flavors. In addition to the free/libre Metasploit Framework, Rapid7 also produces the Metasploit Community Edition, a free web-based user interface for Metasploit, and Metasploit Pro, the big daddy with the non-free add-ons for pentesters who prefer a GUI or MS Office-like wizards to perform baseline audits, and want to phish their clients as part of an engagement. Rapid7 offers a feature comparison on its website.


J.M. Porup got his start in security working as a Linux sysadmin in 2002. Since then he's covered national security and information security for a variety of publications, and now calls CSO Online home. He previously reported from Colombia for four years, where he wrote travel guidebooks to Latin America, and speaks Spanish fluently with a hilarious gringo-Colombian accent. He holds a Masters degree in Information and Cybersecurity (MICS) from UC Berkeley.
