Metasploit is a penetration testing platform that enables you to find, exploit, and validate vulnerabilities. The platform includes the Metasploit Framework and its commercial counterparts: Metasploit Pro, Express, Community, and Nexpose Ultimate.
The Metasploit Framework is the foundation on which the commercial products are built. It is an open source project that provides the infrastructure, content, and tools to perform penetration tests and extensive security auditing. Thanks to the open source community and Rapid7's own hard working content team, new modules are added on a regular basis, which means that the latest exploit is available to you as soon as it's published.
There are quite a few resources available online to help you learn how to use the Metasploit Framework; however, we highly recommend that you take a look at the Metasploit Framework Wiki, which is maintained by Rapid7's content team, to ensure that you have the most up to date information available.
The commercial editions of Metasploit, which include Pro, Express, Community, and Nexpose Ultimate, are available to users who prefer to use a web interface to pentest. In addition to a web interface, some of the commercial editions provide features that are unavailable in the Metasploit Framework.
Most of the additional features are targeted towards automating and streamlining common pentest tasks, such as vulnerability validation, social engineering, custom payload generation, and bruteforce attacks.
If you are command line user, but still want access to the commercial features, don't worry. Metasploit Pro includes its very own console, which is very much like msfconsole, except it gives you access to most of the features in Metasploit Pro via command line.
All features documented are available in Metasploit Pro. Certain features may not be available in other editions. For a comparison of features available in different editions, check out this handy page that breaks down the features in each edition.
Rapid7 distributes the commercial and open source versions of Metasploit as an executable file for Linux and Windows operating systems.
You can download and run the executable to install Metasploit Pro on your local machine or on a remote host, like a web server. Regardless of where you install Metasploit Pro, you can access the user interface through a web browser. Metasploit Pro uses a secure connection to connect to the server that runs it.
If you install Metasploit Pro on a web server, users can use a web browser to access the user interface from any location. Users will need the address and port for the server that Metasploit Pro uses. By default, the Metasploit service uses port 3790. You can change the port that Metasploit uses during the installation process. So, for example, if Metasploit Pro runs on 192.168.184.142 and port 3790, users can use https://192.168.184.142:3790 to launch the user interface.
If Metasploit Pro runs on your local machine, you can use localhost and port 3790 to access Metasploit Pro. For example, type
https://localhost:3790 in the browser URL box to load the user interface.
For more information on installation, check out Installing the Metasploit Framework or Installing Metasploit Pro and other commercial editions.
Metasploit Pro consists of multiple components that work together to provide you with a complete penetration testing tool. The following components make up Metasploit Pro.
The Metasploit Framework is an open source penetration testing and development platform that provides you with access to the latest exploit code for various applications, operating systems, and platforms. You can leverage the power of the Metasploit Framework to create additional custom security tools or write your own exploit code for new vulnerabilities. The Metasploit team regularly releases weekly updates that contain new modules and bi-weekly updates that contain fixes and enhancements for known issues with Metasploit Pro.
A module is a standalone piece of code, or software, that extends functionality of the Metasploit Framework. Modules automate the functionality that the Metasploit Framework provides and enables you to perform tasks with Metasploit Pro.
A module can be an exploit, auxiliary, payload, no operation payload (NOP), or post-exploitation module. The module type determines its purpose. For example, any module that opens a shell on a target is an exploit module.
Metasploit Pro runs the following services:
- PostgreSQL runs the database that Metasploit Pro uses to store data from a project.
- Ruby on Rails runs the web Metasploit Pro web interface.
- Pro service, or the Metasploit service, bootstraps Rails, the Metasploit Framework, and the Metasploit RPC server.
A web interface is available for you to work with Metasploit Pro. To launch the web interface, open a web browser and go to
The Pro Console enables you to interact with Metasploit Pro from the command line.