Metasploit
The Penetration Tester's Guide
The second edition of the definitive No Starch guide to the Metasploit Framework, updated by the project's original maintainers and newer contributors for the modern Framework.
As an Amazon Associate we earn from qualifying purchases. The link above is sponsored.
- Published
- 2025
- Publisher
- No Starch Press
- Pages
- 288
- Language
- English
Read this if
Pentesters and red teamers who want to know Metasploit cold, or developers who want to extend the Framework. Written by the original project leads and updated for the current ecosystem; the canonical Metasploit text.
Skip this if
Readers wanting modern post-exploitation tradecraft against well-defended targets. Metasploit shines in lab and OSCP-style scenarios; against modern EDR with kernel callbacks, the playbook is more nuanced than this book covers.
Key takeaways
- Metasploit's value is workflow integration: payloads, post-exploitation modules, sessions, pivoting all wired together. The book teaches you to use the framework as a force multiplier, not as a list of exploits.
- Custom modules (auxiliary, exploit, post) are how you turn Metasploit into your toolkit; the book's chapters on module development are the highest-leverage material.
- The 2nd edition (2025) is updated for the modern Framework, mainstream Linux, and the current model of Meterpreter; the original 2011 edition is now dated.
Notes
Pair with Penetration Testing (Weidman) for the workflow context and Black Hat Python (Seitz/Arnold) for the custom-tool side that often replaces Metasploit modules in real engagements. The Rapid7 documentation and the Offensive Security PEN-200 course are the natural complements. Required reading for OSCP-curious learners; one Metasploit module is allowed on the exam.
What to read before
What to read before Metasploit →Beginner · 2014
Penetration Testing
Georgia Weidman's lab-driven introduction to pentesting, walking the reader from setting up a target environment through scanning, exploitation, post-exploitation, and reporting.
Intermediate · 2024
Black Hat Bash
Nick Aleks and Dolev Farhi on getting offensive work done with the shell: privilege escalation tooling, lateral movement, and pipelining bash with the rest of the toolkit.
Intermediate · 2020
Black Hat Go
Tom Steele, Chris Patten, and Dan Kottmann show how to use Go's networking primitives, concurrency model, and cross-compilation to write offensive tooling that runs almost anywhere.
What to read next
What to read after Metasploit →Intermediate · 2024
Black Hat Bash
Nick Aleks and Dolev Farhi on getting offensive work done with the shell: privilege escalation tooling, lateral movement, and pipelining bash with the rest of the toolkit.
Intermediate · 2020
Black Hat Go
Tom Steele, Chris Patten, and Dan Kottmann show how to use Go's networking primitives, concurrency model, and cross-compilation to write offensive tooling that runs almost anywhere.
Intermediate · 2021
Black Hat Python
Justin Seitz and Tim Arnold's hands-on tour of writing offensive tooling in Python: network sniffers, web scrapers, GitHub-based command-and-control, screen capture, keylogging, and Volatility extensions.
Explore similar books
Alternatives to Metasploit →Beginner · 2014
Penetration Testing
Georgia Weidman's lab-driven introduction to pentesting, walking the reader from setting up a target environment through scanning, exploitation, post-exploitation, and reporting.
Intermediate · 2024
Black Hat Bash
Nick Aleks and Dolev Farhi on getting offensive work done with the shell: privilege escalation tooling, lateral movement, and pipelining bash with the rest of the toolkit.
Intermediate · 2021
Black Hat Python
Justin Seitz and Tim Arnold's hands-on tour of writing offensive tooling in Python: network sniffers, web scrapers, GitHub-based command-and-control, screen capture, keylogging, and Volatility extensions.