
Metasploit
The Penetration Tester's Guide
The second edition of the definitive No Starch guide to the Metasploit Framework, updated by the project's original maintainers and newer contributors for the modern Framework.
- Published: 2025
- Publisher: No Starch Press
- Pages: 288
- Language: English
Read this if
Pentesters and red teamers who want to know Metasploit cold, or developers who want to extend the Framework. Written by the original project leads and updated for the current ecosystem; the canonical Metasploit text.
Skip this if
Readers wanting modern post-exploitation tradecraft against well-defended targets. Metasploit shines in lab and OSCP-style scenarios; against modern EDR with kernel callbacks, the playbook is more nuanced than this book covers.
Key takeaways
- Metasploit's value is workflow integration: payloads, post-exploitation modules, sessions, pivoting all wired together. The book teaches you to use the framework as a force multiplier, not as a list of exploits.
- Custom modules (auxiliary, exploit, post) are how you turn Metasploit into your toolkit; the book's chapters on module development are the highest-leverage material.
- The 2nd edition (2025) is updated for the modern Framework, mainstream Linux, and the current model of Meterpreter; the original 2011 edition is now dated.
Notes
Pair with Penetration Testing (Weidman) for the workflow context and Black Hat Python (Seitz/Arnold) for the custom-tool side that often replaces Metasploit modules in real engagements. The Rapid7 documentation and the Offensive Security PEN-200 course are the natural complements. Required reading for OSCP-curious learners; one Metasploit module is allowed on the exam.
What to read before
Beginner · 2014
Penetration Testing
Georgia Weidman's lab-driven introduction to pentesting, walking the reader from setting up a target environment through scanning, exploitation, post-exploitation, and reporting.
Intermediate · 2013
Hacking
A hands-on French guide to building a virtual lab (Proxmox) and using it to audit application, web and system flaws — then implement countermeasures.
Intermediate · 2024
Black Hat Bash
Nick Aleks and Dolev Farhi on getting offensive work done with the shell: privilege escalation tooling, lateral movement, and pipelining bash with the rest of the toolkit.
What to read next
Intermediate · 2013
Hacking
A hands-on French guide to building a virtual lab (Proxmox) and using it to audit application, web and system flaws — then implement countermeasures.
Advanced · 2017
Advanced Penetration Testing
A red-teamer's tour of getting into high-security targets without Metasploit, leaning on custom C2, social engineering, and tradecraft. Strong ideas, uneven execution.
Intermediate · 2024
Black Hat Bash
Nick Aleks and Dolev Farhi on getting offensive work done with the shell: privilege escalation tooling, lateral movement, and pipelining bash with the rest of the toolkit.
Explore similar books
Intermediate · 2013
Hacking
A hands-on French guide to building a virtual lab (Proxmox) and using it to audit application, web and system flaws — then implement countermeasures.
Beginner · 2014
Penetration Testing
Georgia Weidman's lab-driven introduction to pentesting, walking the reader from setting up a target environment through scanning, exploitation, post-exploitation, and reporting.
Intermediate · 2024
Black Hat Bash
Nick Aleks and Dolev Farhi on getting offensive work done with the shell: privilege escalation tooling, lateral movement, and pipelining bash with the rest of the toolkit.