Penetration Testing

Metasploit Pro

Product Overview

An overview of Metasploit Pro and its features, what the requirements your system needs, and what improved & fixed in the latest releases.

Metasploit Pro

Metasploit Pro is an exploitation and vulnerability validation tool that helps you divide the penetration testing workflow into manageable sections.

It used to test the vulnerability of computer systems or to break into remote systems. First version release in October 2010, for penetration testers. It adds commercial features such as Quick Start Wizards/MetaModules, building and managing social engineering campaigns, web application testing, an advanced Pro Console, dynamic payloads for anti-virus evasion, integration with Nexpose for ad-hoc vulnerability scans, and VPN pivoting.

Features Overview

Automate Every Step of Your Penetration Test

Conducting a thorough penetration test is time consuming for even the most experienced pentester. Metasploit makes it easy to automate all phases of a penetration test, from choosing the right exploits to streamlining evidence collection and reporting. Every hour you save is an hour you can spend digging deeper into your network.

Put Your People to the Test

Real attackers know people are generally the weakest link in the security chain. Our penetration testing software creates sophisticated attacks to test user weaknesses, including cloning websites with the click of a button for phishing campaigns and masking malicious files for USB drop campaigns. Keep track of who falls for what to assess your user awareness—or to gain a foothold for a deeper attack.

Test with Success, Regardless of Experience

Every organization is open to cyberattack, so every defender needs to be able to test their defenses. Metasploit Pro makes the powerful Metasploit Framework accessible to all with an easy-to-use interface, as well as wizards to get you launching and reporting on full pen tests in seconds.

Gather and Reuse Credentials

Credentials are the keys to any network, and the biggest prize for a penetration tester. With our penetration testing software, you can catalog and track gathered creds for reporting and try them across every other system in the network with a simple credential domino wizard, ensuring you leave no stone unturned.

Become a Next-Level Pen Tester

If you’ve already spent years becoming a Metasploit Framework expert, Metasploit Pro has a lot to offer: Maneuver through a network with ease with VPN pivoting and antivirus evasion capabilities, create instant reports on your progress and evidence, or, best of all, go down into the command line framework at any time and seamlessly use your custom scripts.

Additional Features:

- Task Chains

- Social Engineering

- Vulnerability Validations


- Quick Start Wizards

- Nexpose Integration

System Requirements

2 GHz+ processor

4 GB RAM available (8 GB recommended)

1 GB available disk space (50 GB recommended)

64-bit versions of the following platforms are supported.


Ubuntu Linux 18.04 LTS (RECOMMENDED)

Ubuntu Linux 16.04 LTS

Ubuntu Linux 14.04 LTS

Microsoft Windows Server 2019

Microsoft Windows Server 2016

Microsoft Windows Server 2012 R2

Microsoft Windows Server 2008 R2

Microsoft Windows 10

Microsoft Windows 8.1

Microsoft Windows 7 SP1+

Red Hat Enterprise Linux Server 8 or later

Red Hat Enterprise Linux Server 7.1 or later

Red Hat Enterprise Linux Server 6.5 or later

Red Hat Enterprise Linux Server 5.10 or later

Google Chrome (latest)

Mozilla Firefox (latest)

Microsoft Edge (latest)

Latest Releases


  • PR 15109 - An update has been made so that when a user attempts to load an extension that isn't available for the current Meterpreter type, they will now receive a list of payloads that would yield a Meterpreter session that would be capable of loading the specified extension. Additionally, when a user runs a command that's in an extension that hasn't been loaded yet, Metasploit will now tell the user which extension needs to be loaded for the command to run.
  • PR 15187 - Updates the msfdb script to now prompt the user before enabling the remote http webservice functionality, defaulting to being disabled. It is still possible to enable this functionality after the fact with msfdb --component webservice init
  • PR 15296 - The command_exists? method inside post/common.rb has been updated to fall back to using the which command to check if a command exists on a target system if command -v fails to run successfully. This allows users to check whether a command exists or not on systems that might not contain a command command, such as ESXi.
  • PR 15299 - The documentation has been updated to include additional information on how to request CVEs for vulnerabilities from Rapid7.
  • PR 15316 - The assembly stub used by the PrependFork option for Linux payloads has been updated to call setsid(2) in the child process to properly run the payload in the background before calling fork(2) again. This ensures the payload properly runs when the target environment is expecting the command or payload to return, and ensures the payloads better emulate the Mettle payload's background command to ensure better consistency across payloads.


  • PR 15257 - The lib/msf/core/post_mixin.rb library has been updated to correctly check if missing Meterpreter command IDs are core command IDs or an extension command ID and provide appropriate feedback to end users about this incompatibility. This also fixes an issue where Meterpreter might complain that it couldn't load an extension but wouldn't display what the extension was.
  • PR 15284 - This fixes a localization-related issue in the post/linux/gather/pptpd_chap_secrets module. If the file is unreadable, Metasploit would treat the permission denied error as the contents.
  • PR 15290 - Invalid Meterpeter command requirements in mixins no longer raise a Runtime error.
  • PR 15293 - This fixes two bugs in the Redis extractor module. The first was an issue that would occur when a value was excessively large. The second was a race condition that could be encountered if the server was being actively used by a third-party.
  • PR 15312 - Ensures that msfconsole now supports setting both RHOST and RHOSTS interchangeably for all scenarios and modules
  • PR 15319 - This fixes a localization issue in the post/windows/gather/enum_hyperv_vms module where on non-English systems the error message would not match the specified regular expression.
  • PR 15328 - The lib/msf/core/session/provider/single_command_shell.rb library has been updated to address an issue whereby shell_read_until_token may sometimes fail to return output if the randomized token being used to delimit output is contained within the legitimate output as well.
  • PR 15337 - A bug has been fixed in apache_activemq_upload_jsp.rb whereby the URI and filesystem path were not separated appropriately. Additionally, extra checks were added to handle error conditions that may arise during module operation.
  • PR 15340 - A bug was identified in lib/msf/ui/console/command_dispatcher/db.rb where the -d flag was not being correctly honored, preventing users from being able to delete hosts from their database. This has now been fixed.


  • PR 14836 - This PR adds an aux scanner and module to exploit CVE-2020-26948, an SSRF against emby servers
  • PR 15215 - Adds a new multi/misc/nomad_exec module for HashiCorp's Nomad product. This module supports the use of the 'raw_exec' and 'exec' drivers to create a job that spawns a shell.
  • PR 15239 - A new module has been added to exploit CVE-2021-33393, an authenticated command injection vulnerability in the /cgi-bin/pakfire.cgi web page of IPFire devices running versions 2.25 Core Update 156 and prior. Successful exploitation results in remote code execution as the root user.
  • PR 15281 - Added an exploit for CVE-2021-1497/CVE-2021-1498, a command injection in Cisco HyperFlex HX Data Platform.
  • PR 15305 - This module allows an attacker with knowledge of the admin password of NSClient++ to start a privilege reverse shell, so long as the attacker has the admin password, and the NSClient++has both the web interface and ExternalScriptsfeature enabled.
  • PR 15314 - A new exploit for CVE-2021-31181 has been added, which exploits a RCE in SharePoint that was patched in May 2021. Successful exploitation requires the attacker to have login credentials for a SharePoint user who has SPBasePermissions.ManageLists permissions on any SharePoint site, and grants the attacker remote code execution as the user running the SharePoint server.

Offline Update

Metasploit Framework and Pro Installers


  • PR 15062 - Added support for separating command history for the various sub-shells such as Meterpreter and Pry.
  • PR 15079 - Introduced the meterpreter key to the compat hash to better-provide Meterpreter session compatibility info to users, including printing the required Meterpreter extension(s) to the console in the event of a session incompatibility. Additionally, post modules will automatically load Meterpreter extensions used, provided that the module's Meterpreter compatibility requirements are annotated.
  • PR 15199 - Improved the get_processes API on non-Windows systems with support that fails back to enumerating the /proc directory when the ps utility is not present.
  • PR 15220 - Added the ability to retrieve the OS version from an NTLMSSP type 2 message.
  • PR 15242 - Updated the tables displayed by the loot command to be displayed without wrapping. This makes it easier for users to copy and paste the output.
  • PR 15243 - Added a check() method to the Apache Tomcat Ghostcat module.
  • PR 15246 - Refactored some common functionality into a cross-platform Msf::Post::Process mixin with support for multiple session types.
  • PR 15251 - Added support for obtaining a stat object from the Post API via shell sessions when the stat command is available.
  • PR 15260 - Added a #pidof method that works with either Meterpreter or shell sessions and updates the #get_processes method to failover to command execution if it fails for some reason.
  • PR 15263 - Added a -p flag to the analyze command, allowing users to specify a payload that should be considered for use with any suggested exploit modules. Output will inform the user if the specified payload can be used with suggested payloads.


  • Pro: We fixed a bug where revealing an obfuscated API key in the Pro UI did not display the API key.
  • Pro: We fixed an issue in Social Engineering campaigns where the File Format Exploit options may not be correctly saved.
  • PR 15194 - Fixed a bug where msfconsole would crash when connected to a remote dataservice and tab completing possible RPORT values.
  • PR 15216 - Fixed a mistake in the exploit for CVE-2021-21551 where the version fingerprinting is overly specific. Windows 10 build 18363 failed because it didn't match the explicit build number 18362. This PR changes the fingerprinting to use ranges to fix this problem.
  • PR 15223 - Updated the exploit/windows/local/tokenmagic module to fix a crash that occurs on some targets, moving the target validation logic to earlier in the module.
  • PR 15236 - Added an additional check to the Linux checkvm module to fix a bug where it was failing to identify certain Xen environments such as those used within AWS.
  • PR 15240 - Fixed a typo that was present in the template for GitHub pull requests.
  • PR 15241 - Removed the previously prototyped RHOST_HTTP_URL module option and feature flag, as it had blocking edge cases for being enabled by default. A new implementation is being investigated.
  • PR 15262 - Improved msfvenom to only wrap output if the output is going to STDOUT.
  • PR 15267 - Fixed a bug that was present within the Shodan search module, where certain queries would cause an exception to be raised while processing the results.
  • PR 15289 - Corrected a command mapping for meterpreter API requirements in the Msf::Post::Windows::MSSQL mixin.
  • PR 15291 - Fixed a crash within the FortiOS SSL VPN Credential Leak module when running against a target which is not running FortiOS.


  • PR 14984 - New module post/osx/gather/gitignore adds an OSX Post exploitation module to retrieve .gitignore files that may contain pointers to files of interest.
  • PR 15024 - New module exploits/windows/smb/cve_2020_0796_smbghost adds an exploit for CVE-2020-0796 which can be used to gain unauthenticated remote code execution against unpatched Windows 10 v1903 and v1909 systems.
  • PR 15122 - New module exploits/unix/http/cacti_filter_sqli_rce exploits an authenticated SQL injection vulnerability in Cacti versions 1.2.12 and below. The module optionally saves Cacti creds and uses stacked queries to change the path_php_binary value to execute a payload and get code execution on the server.
  • PR 15231 - New module exploits/linux/http/suitecrm_log_file_rce targets SuiteCRM versions 7.11.18 and below. An authenticated user can rename the SuiteCRM log file to have an extension of .pHp. The log file can then be poisoned with arbitrary php code by modifying user account information, such as the user's last name. Authenticated code execution is then achieved by requesting the log file.

Offline Update

Metasploit Framework and Pro Installers



  • PR 15011 - Enhanced the analyze command to show additional information about an identified exploit being immediately runnable, or if it requires additional credentials or options to be set before being ran.
  • PR 15054 - Updated msfdb to work on additional platforms. Specifically Ubuntu through pg_ctlcluster, as well as an existing or remote databases with the new --connection-string option. This option can be used to interact with docker PostgreSQL containers.
  • PR 15125 - Updated the session_notifier.rb plugin to support Gotify, allowing users to be notified of new sessions via Gotify notifications.
  • PR 15146 - Improved the exploit module for CVE-2021-3156 (Baron Samedit) by removing the dependency on GCC being present in the target environment and adding new targets for Ubuntu 16.04, Ubuntu 14.04, CentOS 7, CentOS 8 and Fedora 23-27.
  • PR 15165 - Added documentation for the new cookie jar implementation, which is available for http-based modules.
  • PR 15175 - Updated the rejetto_hfs_exec module to replace calls to the depreciated URI.encode() function with calls to the URI::encode_www_form_component() function. This prevents users from being shown depreciation warnings when running the module.
  • PR 15178 - Updated the auxiliary/client/telegram/send_message module to support sending documents as well as to send documents and/or messages to multiple chat IDs.
  • PR 15202 - Updated the list of WordPress plugins and themes to allow users to discover more plugins and themes when running tools such as auxiliary/scanner/http/wordpress_scanner.
  • PR 15210 - Updated documentation for exploit/multi/http/gitlab_file_read_rce to provide additional information on how to set GitLab up with an SSL certificate for encrypted communications, allowing users to easily test scenarios in which an encrypted GitLab connection might be needed.
  • PR 15212 - Metasploit modules implemented in Python now explicitly require python3 to be present on the system path. This ensures that python2 is no longer used unintentionally, which previously occurred on Kali systems.


  • Pro: We fixed an issue where session replay involving the SSH login module may fail.
  • PR 15149 - Fixed an edge case were cookies left over from one module run could impact the next module run.
  • PR 15171 - Updated the lib/msf/core/post/common.rb and lib/msf/ui/console/command_dispatcher/core.rb libraries to properly support passing timeouts to session.sys.process.capture_output(), allowing users to specify timeouts when executing commands on sessions. Previously these options would be ignored and a default timeout of 15 seconds would be used instead.
  • PR 15179 - The swagger-blocks dependency has been marked as a default dependency for all installs, preventing cases where if a user did not install the development and tests groups, they would be unable to start the web service.
  • PR 15196 - Fixed a bug in the msfdb script that prevented users from being able to run the script if they installed Metasploit into a location that contained spaces within its path.
  • PR 15205 - Fixed a bug in the exploit/multi/http/gitlab_file_read_rce module to allow it to target vulnerable GitLab servers where TLS is enabled.
  • PR 15213 - Fixed msfdb to use the passed in SSL key path (if provided) instead of the default one at ~/.msf4/msf-ws-key.pem, which may not exist if users have passed in a SSL key path as an option.


  • PR 15102 - New module exploit/osx/browser/osx_gatekeeper_bypass exploits a vulnerability in macOS versions 10.15 to 11.3, inclusive. This module generates an app which is missing an Info.plist file. When downloaded and executed by a user, the signed / notarization checks standard for downloaded files will be bypassed, granting code execution on the target.
  • PR 15113 - New module post/multi/gather/saltstack_salt gathers salt information, configs, etc..
  • PR 15168 - New module exploits/windows/local/tokenmagic has been added to exploit TokenMagic, an exploitation technique affecting Windows 7 to Windows 10 build 17134 inclusive, that allows users to elevate their privileges to SYSTEM. Affected systems can be exploited either via exploiting a DLL hijacking vulnerability affecting Windows 10 build 15063 up to build 17134 inclusive, or by creating a new service on the target system.
  • PR 15185 - New module exploits/unix/fileformat/exiftool_djvu_ant_perl_injection exploits CVE-2021-22204, an arbitrary Perl injection vulnerability within the DjVu module of ExifTool 7.44 to 12.23 which allows for RCE when parsing a malicious file containing a crafted DjVu ANT (Annotation) section.
  • PR 15186 - New module exploits/windows/http/netmotion_mobility_mvcutil_deserialization exploits CVE-2021-26914, which is a remotely exploitable vulnerability within NetMotion Mobility, whereby a crafted request can trigger a deserialization vulnerability resulting in code execution.
  • PR 15190 - New module exploits/windows/local/cve_2021_21551_dbutil_memmove adds an exploit for CVE-2021-21551, which is an IOCTL that is provided by the DBUtil_2_3.sys driver distributed by Dell that can be abused to perform kernel-mode memory read and write operations.

Offline Update

Metasploit Framework and Pro Installers


  • PR 11257 - Added the ability to wrap some PowerShell used for exploitation purposes with RC4 for obfuscation.
  • PR 14831 - Updated the HttpClient mixin with with a new cookie jar implementation which correctly updates and merges the Set-Cookie header responses when using the send_request_cgi keep_cookies option.
  • PR 15000 - Replaced the use of the which command with command -v, providing a more portable solution.
  • PR 15014 - Added the ability to specify an individual private key as a string parameter for the auxiliary/scanner/ssh/ssh_login_pubkey module.
  • PR 15087 - Improved the exploit/windows/local/microfocus_operations_privesc module so that it now supports both vulnerable Operations Bridge Manager installations and vulnerable Operations Bridge Reporter installations, with the new additional target being Operations Bridge Reporter.
  • PR 15096 - Added shell session support to the post/windows/gather/checkvm module. This also notably added cross-platform support for getting a list of running processes using shell and Meterpreter sessions.
  • PR 15110 - Added the necessary functionality to the Java Meterpreter for resolving hostnames over DNS, closing a feature gap that had been present with other Meterpreters.
  • PR 15136 - Updated the exploit/multi/http/microfocus_ucmdb_unauth_deser module default Linux payload from cmd/unix/generic to cmd/unix/reverse_python.
  • PR 15138 - Cleaned up the auxiliary/scanner/http/dell_idrac module code and added the last_attempted_at field to create_credential_login to prevent a crash. Also added documentation for the module.


  • Pro: We improved date parsing for Acunetix imports within Metasploit Framework.
  • PR 14953 - Fixed python string formatting compatibility in auxiliary/scanner/http/rdp_web_login.
  • PR 15050 - Fixed a crash in Metasploit's console when the user tried to tab complete values, such as file paths, which were missing their final closing quote.
  • PR 15081 - Updated the Microsoft SQL Server interesting data finder module to correctly handle the scenario where no interesting data is found. Previously, this would result in a module crash.
  • PR 15094 - Fixed a bug in how certain Meterpreters would execute command issued through sessions -c, where some would use a subshell while others would not.
  • PR 15111 - Fixed an issue in how some Meterpreter session types would inconsistently run commands issued through sessions -c.
  • PR 15114 - Updated the auxiliary/scanner/redis/file_upload module to correctly handle Redis instances which require authenticated access.
  • PR 15116 - Fixed a bug that would occur when importing newer Acunetix reports into the database due to a change in how the timestamp is formatted.
  • PR 15120 - Fixed a regression within tools/modules/module_author.rb so that it runs without crashing.
  • PR 15140 - Fixed msftidy_docs.rb so it doesn't double warn on optional (and missing) Options headers.


  • PR 11130 - New module post/multi/gather/unix_cached_ad_hashes retrieves cached AD credentials from two different solutions on UNIX (SSSD and VAS).
  • PR 11130 - New module post/multi/gather/unix_kerberos_tickets retrieves cached Kerberos tickets from two different solutions on UNIX (SSSD and VAS).
  • PR 14702 - New module auxiliary/gather/redis_extractor retrieves all data from a Redis instance (version 2.8.0 and above).
  • PR 14947 - New module exploits/linux/misc/igel_command_injection exploits an unauthenticated command injection vulnerability in the Secure Terminal and Secure Shadow services in various versions of IGEL OS.
  • PR 14977 - New module exploits/linux/http/apache_druid_js_rce targets Apache Druid versions prior to 0.20.1. An authenticated user can send a single request that both enables the execution of user-provided JavaScript code and executes the code on the server with the privileges of the user running the Apache Druid process. By default, Apache Druid does not require authentication.
  • PR 15005 - New module exploits/linux/http/vmware_vrops_mgr_ssrf_rce exploits both a pre-auth SSRF and a post-auth file write via directory traversal to get code execution as the admin user on vulnerable VMware vRealize Operations Manager installs.
  • PR 15021 - New module post/android/local/koffee leverages the CVE-2020-8539 vulnerability on certain Kia Motors head units. This vulnerability is also known as KOFFEE.
  • PR 15030 - New module exploits/linux/http/gravcms_exec leverages an unauthenticated arbitrary YAML write/update vulnerability to get remote code execution on vulnerable GravCMS targets under the context of the web server user. This vulnerability is identified as CVE-2021-21425 and has been fixed in the admin component version 1.10.10, which was released with GravCMS version 1.7.9.
  • PR 15086 - New module exploits/linux/ssh/microfocus_obr_shrboadmin provides an exploit for CVE-2020-11857, which is a hardcoded SSH password in Micro Focus Operations Bridge Manager instances.
  • PR 15090 - New module exploits/linux/http/microfocus_obr_cmd_injection adds an exploit for CVE-2021-22502, which is an unauthenticated OS command injection vulnerability in the Micro Focus Operations Bridge Reporter.
  • PR 15105 - New module exploits/multi/browser/chrome_cve_2021_21220_v8_insufficient_validation exploits CVE-2021-21220, a Chrome V8 XOR typer OOB Access RCE that was found in the 2021 Pwn2Own competition by Dataflow Security's Niklas Baumstark (@niklasb) and Bruno Keith (@bkth).Note that this module will require you to run Chrome without the sandbox enabled, as it does not come with a sandbox escape.

Offline Update

Metasploit Framework and Pro Installers

E-SPIN Value Proposition

E-SPIN Group in the enterprise ICT solution supply, consulting, project management, training and maintenance for customers across the region E-SPIN do business. Cybersecurity testing, vulnerability assessment and penetration testing (VAPT) is always one of the core domain E-SPIN Group assisting the market with best of world class technology and products for a variety of use cases across industries and sectors. Enterprise vulnerability assessment then import into penetration testing workflow is one of the typical enterprise customer use cases. Feel free to engage E-SPIN for the end to end unified project requirements, from the enterprise information security project, to penetration testing (pentesting), ethical hacking or red team operations, DevSecOps for corporation or national needs.