Penetration Testing & Metasploit
A penetration test is a legally authorised, simulated attack that proves whether a weakness is truly exploitable — so an organisation can fix it before a real attacker arrives. This lesson covers the professional methodology and introduces Metasploit, using only your own lab target.
The penetration testing methodology
Professional tests follow a repeatable lifecycle (the PTES / EC-Council phases). Notice you've already learned the first two modules of it:
| Phase | What happens | You learned it in |
|---|---|---|
| 1. Planning & scoping | Agree targets, limits, and permission in writing | This lesson |
| 2. Reconnaissance | Gather information about the target | Module 3 |
| 3. Scanning & enumeration | Map services, versions, users | Modules 3 & 5 |
| 4. Exploitation | Safely prove a weakness is real | This lesson |
| 5. Post-exploitation | Assess impact: what could an attacker reach? | This lesson |
| 6. Reporting | Document findings and fixes — the real product | This lesson |
Tool deep dive: Metasploit Framework
What it is & why it exists
Metasploit is an open-source framework that organises security testing into reusable building blocks, so testers don't rewrite the same code for every job. It's the industry-standard training and testing platform, and it ships with Kali.
The four building blocks
- Exploit — the technique that takes advantage of a specific weakness.
- Payload — what runs after access is gained (e.g. a command shell to demonstrate impact).
- Auxiliary — supporting tools like scanners and fuzzers.
- Meterpreter — an advanced payload that gives a controlled session for assessing impact during an authorised test.
The msfconsole workflow
You interact through msfconsole. The pattern is always the same five verbs:
This classic example targets a deliberately backdoored FTP service on Metasploitable — a well-known teaching flaw that exists only for training. The point isn't the single trick; it's learning the repeatable workflow: enumerate → match a module → configure → verify → document.
Post-exploitation & reporting
Once you've proven access in the lab, a tester asks: what does this actually endanger? They note reachable data or accounts (to measure impact), then — crucially — write it up:
- Finding: vsftpd 2.3.4 on 192.168.56.101 contains a backdoor.
- Impact: full command access to the host.
- Severity: Critical (maps to a CVSS ~10).
- Fix: upgrade/replace the service; restrict FTP; monitor.
Try the workflow: search vsftpd, use exploit/unix/ftp/vsftpd_234_backdoor, show options, set RHOSTS 192.168.56.101.
On your own lab only. This exercise practises the methodology, which matters far more than any one exploit.
- Enumerate: nmap -sV 192.168.56.101 and pick one outdated service.
- Match: in msfconsole, search that service name and read the module descriptions.
- Configure: use a module, show options, and set RHOSTS to your lab target.
- Verify: run it and confirm the result in the sealed lab.
- Report: write the Finding / Impact / Severity / Fix rows. That report is what you'd actually hand a client — and it's what gets vulnerabilities fixed.
Key takeaways
- Penetration testing is authorised, methodical, and ends in a report.
- The lifecycle: scope → recon → scan/enumerate → exploit → post-exploit → report.
- Metasploit's parts: exploit, payload, auxiliary, Meterpreter; the workflow is search → use → options → set → exploit.
- Practise the loop on Metasploitable only — the skill is the method, not any single trick.