Metasploit
What is Metasploit?
MetasploitAn open-source exploitation framework that bundles exploits, payloads, and post-exploitation modules into a single platform for penetration testers and researchers.
Metasploit is a modular offensive-security framework originally created by H.D. Moore in 2003 and now maintained by Rapid7 as an open-source project and a commercial product (Metasploit Pro). It provides a database of public exploits, payloads (including Meterpreter), encoders, and auxiliary modules that operators can chain together to validate vulnerabilities, develop proof-of-concept exploits, and conduct authorized penetration tests. Because Metasploit lowers the bar for weaponizing known CVEs, defenders also use it for control validation, detection engineering, and red-team exercises. Use without explicit written authorization is illegal in most jurisdictions.
● Examples
- 01
Using msfconsole to run exploit/windows/smb/ms17_010_eternalblue against a lab host.
- 02
Generating a reverse-shell payload with msfvenom for a red-team engagement.
● Frequently asked questions
What is Metasploit?
An open-source exploitation framework that bundles exploits, payloads, and post-exploitation modules into a single platform for penetration testers and researchers. It belongs to the Defense & Operations category of cybersecurity.
What does Metasploit mean?
An open-source exploitation framework that bundles exploits, payloads, and post-exploitation modules into a single platform for penetration testers and researchers.
How does Metasploit work?
Metasploit is a modular offensive-security framework originally created by H.D. Moore in 2003 and now maintained by Rapid7 as an open-source project and a commercial product (Metasploit Pro). It provides a database of public exploits, payloads (including Meterpreter), encoders, and auxiliary modules that operators can chain together to validate vulnerabilities, develop proof-of-concept exploits, and conduct authorized penetration tests. Because Metasploit lowers the bar for weaponizing known CVEs, defenders also use it for control validation, detection engineering, and red-team exercises. Use without explicit written authorization is illegal in most jurisdictions.
How do you defend against Metasploit?
Defences for Metasploit typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Metasploit?
Common alternative names include: Metasploit Framework, MSF.
● Related terms
- defense-ops№ 813
Penetration Testing
An authorized, simulated cyberattack against systems, applications, or people to identify exploitable weaknesses before real adversaries do.
- vulnerabilities№ 399
Exploit
A piece of code, data, or technique that takes advantage of a vulnerability to cause unintended behaviour such as code execution, privilege escalation, or information disclosure.
- vulnerabilities№ 867
Proof-of-Concept Exploit
A minimal, often non-weaponized piece of code that demonstrates a vulnerability is real and exploitable, typically published for research or coordinated disclosure.
- defense-ops№ 909
Red Team
An offensive security group that emulates real adversaries end-to-end to test how an organization detects, contains, and responds to attacks.
- defense-ops№ 193
Cobalt Strike
A commercial adversary-simulation platform widely used for red-team operations and frequently abused by threat actors for post-exploitation and command-and-control.
- vulnerabilities№ 1226
Weaponized Exploit
A reliable, fully developed exploit ready for real-world use — typically integrated into malware, intrusion frameworks, or attacker tradecraft.
● See also
- № 577Kali Linux