CyberSchool Module 6 · Penetration Testing
Home › Module 6 › Penetration Testing
Lesson 8

Penetration Testing & Metasploit

A penetration test is a legally authorised, simulated attack that proves whether a weakness is truly exploitable — so an organisation can fix it before a real attacker arrives. This lesson covers the professional methodology and introduces Metasploit, using only your own lab target.

The authorisation rule is the whole profession What separates a penetration tester from a criminal is written permission (a signed “scope” and “rules of engagement”). Everything below is performed only against Metasploitable — a machine built to be practised on — inside the sealed Host-Only lab you set up in Module 2. Never point these tools at any system you don't own or aren't contracted to test.

The penetration testing methodology

Professional tests follow a repeatable lifecycle (the PTES / EC-Council phases). Notice you've already learned the first two modules of it:

PhaseWhat happensYou learned it in
1. Planning & scopingAgree targets, limits, and permission in writingThis lesson
2. ReconnaissanceGather information about the targetModule 3
3. Scanning & enumerationMap services, versions, usersModules 3 & 5
4. ExploitationSafely prove a weakness is realThis lesson
5. Post-exploitationAssess impact: what could an attacker reach?This lesson
6. ReportingDocument findings and fixes — the real productThis lesson
Analogy — A hired locksmith A company hires a locksmith to test their doors. With a signed contract, the locksmith tries the locks, notes which open, and writes a report: “the back door lock is weak — replace it.” They never steal anything; the value is the report. A penetration tester is that locksmith for computers. The report, not the break-in, is the deliverable.

Tool deep dive: Metasploit Framework

What it is & why it exists

Metasploit is an open-source framework that organises security testing into reusable building blocks, so testers don't rewrite the same code for every job. It's the industry-standard training and testing platform, and it ships with Kali.

The four building blocks

The msfconsole workflow

You interact through msfconsole. The pattern is always the same five verbs:

$ msfconsole # launch the framework msf6 > search vsftpd # 1. find a module for a service you enumerated msf6 > use exploit/unix/ftp/vsftpd_234_backdoor # 2. select it msf6 > show options # 3. see what settings it needs msf6 > set RHOSTS 192.168.56.101 # 4. point it at YOUR lab target only msf6 > exploit # 5. run it against the practice VM

This classic example targets a deliberately backdoored FTP service on Metasploitable — a well-known teaching flaw that exists only for training. The point isn't the single trick; it's learning the repeatable workflow: enumerate → match a module → configure → verify → document.

Post-exploitation & reporting

Once you've proven access in the lab, a tester asks: what does this actually endanger? They note reachable data or accounts (to measure impact), then — crucially — write it up:

Try It Yourself (simulated msfconsole)

Try the workflow: search vsftpd, use exploit/unix/ftp/vsftpd_234_backdoor, show options, set RHOSTS 192.168.56.101.

kali@lab: msfconsole
Simulated Metasploit — lab target 192.168.56.101 only. Follow the 5-step workflow.
msf6 >
Practical Exercise 8.1 — Run the full loop on Metasploitable

On your own lab only. This exercise practises the methodology, which matters far more than any one exploit.

  1. Enumerate: nmap -sV 192.168.56.101 and pick one outdated service.
  2. Match: in msfconsole, search that service name and read the module descriptions.
  3. Configure: use a module, show options, and set RHOSTS to your lab target.
  4. Verify: run it and confirm the result in the sealed lab.
  5. Report: write the Finding / Impact / Severity / Fix rows. That report is what you'd actually hand a client — and it's what gets vulnerabilities fixed.
Quick check: What is the actual deliverable of a professional penetration test?
A copy of the target's data
A report of findings, impact, and recommended fixes
A permanent backdoor left behind
Bragging rights on social media
The value is the report that lets the organisation fix its weaknesses. Testers prove risk; they don't steal or damage.
Why does this matter for your career? “Penetration tester” and “red team” are among the most sought-after roles in security. Metasploit and the PTES methodology are central to the CEH and OSCP certifications. Just as important, understanding attacks makes you a far stronger defender — you can't protect against what you don't understand.

Key takeaways

  • Penetration testing is authorised, methodical, and ends in a report.
  • The lifecycle: scope → recon → scan/enumerate → exploit → post-exploit → report.
  • Metasploit's parts: exploit, payload, auxiliary, Meterpreter; the workflow is search → use → options → set → exploit.
  • Practise the loop on Metasploitable only — the skill is the method, not any single trick.