How Metasploit Is Used During a Pentest
It is considered one of the most effective auditing tools to carry out penetration testing today. Metasploit offers a wide variety of exploits, an extensive exploit development environment, information gathering and web testing capabilities, and much more.
As another flavor of threat hunting, once flaws are identified and documented, the information can be used to address systemic weaknesses and prioritize solutions.The Metasploit Project was undertaken in 2003 by H.D. Moore for use as a Perl-based portable network tool, with assistance from core developer Matt Miller. It was fully converted to Ruby by 2007, and the license was acquired by Rapid7 in 2009, where it remains as part of the Boston-based company’s repertoire of IDS signature development and targeted remote exploit, fuzzing, anti-forensic, and evasion tools. Portions of these other tools reside within the Metasploit framework, which is built into the Kali Linux OS. Rapid7 has also developed two proprietary OpenCore tools, Metasploit Pro, Metasploit Express. This framework has become the go-to exploit development and mitigation tool. Prior to Metasploit, pen testers had to perform all probes manually by using a variety of tools that may or may not have supported the platform they were testing, writing their own code by hand, and introducing it onto networks manually. Remote testing was virtually unheard of, and that limited a security specialist’s reach to the local area and companies spending a fortune on in-house IT or security consultants.
The Metasploit Framework source code is available on GitHub. Like Coca-Cola, Metasploit comes in different flavors. In addition to the free/libre Metasploit Framework, Rapid7 also produces the Metasploit Community Edition, a free web-based user interface for Metasploit, and Metasploit Pro, the big daddy with the non-free add-ons for pentesters who prefer a GUI or MS Office-like wizards to perform baseline audits, and want to phish their clients as part of an engagement.