Exploitation Frameworks (Metasploit, etc.)
Metasploit, exploit dev kits, and post-exploitation frameworks.
Once you have a vuln, you need a payload, a delivery, and a way to keep a foothold. Exploitation frameworks bundle modules, payloads, and post-ex tooling. For dedicated red-team C2 platforms see Red Team C2 (Sliver, Mythic). For AD-specific post-ex see Active Directory Pentesting. On the defensive side, alerts come from Runtime Security (Falco, Tetragon) and EDR / OSQuery.
The reference framework
- ★ ★ Metasploit Framework (Rapid7) — the universal exploitation framework; 2,300+ exploits, 1,400+ auxiliary modules, Meterpreter post-ex agent. Free / OSS; Pro paid adds GUI, reporting, evasion. Still the entrance ramp every pentester learns. Free CE.
- msfvenom — payload generator (
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=… -f exe). - msfconsole — the interactive REPL.
- Resource scripts (
.rc) — automate setups. - Note: Meterpreter is loud against modern EDR; for stealth use Sliver / Mythic (Red Team C2).
- msfvenom — payload generator (
Open-source modern alternatives
- ★ Sliver (BishopFox) — modern Go / mTLS C2; multi-protocol (mTLS, WireGuard, HTTPS, DNS); dynamic compilation per-implant; cross-platform implants. The mainstream FOSS replacement for Cobalt Strike. Free.
- Mythic (its-a-feature) — agnostic C2 framework; many community agents (Apollo, Athena, Poseidon, Medusa); Docker-deployed. Free.
- Havoc (C5pider) — modern C2 written in C++ / Qt; Cobalt-Strike-like UX; popular 2023–26. Free.
- AdaptixC2 — newer C2 (2024); pluggable extenders; gaining traction.
- Empire / Starkiller (BC-Security fork) — PowerShell + Python post-ex framework; Starkiller is the web GUI. Free.
- Covenant — .NET C2; Elite agent; less active 2024+.
- Merlin — HTTP/2 C2; legacy.
- NimPlant — Nim-language stealthy implant; fun for AV evasion training.
Commercial / paid
- Cobalt Strike (Fortra) — the industry incumbent for red teams; ~$5,900/seat/yr; Beacon implant, Malleable C2 profiles. Heavily fingerprinted by EDR vendors at this point.
- Brute Ratel C4 (Chetan Nayak) — paid (~$2,500/yr); newer, IR-evasion focused.
- Outflank Security Tooling (OST) — paid; curated red-team kits.
- Manjaro Tactical — community Cobalt-style ops-platform.
Exploit development / shellcode
- ★ pwntools — Python exploit-dev framework; ROP, formatstring, gadget search, remote/local glue. The CTF / binary-exploit standard. Free. See CTF Tools (pwntools).
- Pwndbg / GEF / PEDA — gdb extensions for exploit dev.
- ROPgadget / Ropper / one_gadget — ROP gadget hunters.
- angr — symbolic execution; CTF binary auto-solver toolkit.
- Shellcoder's handbook tooling —
msfvenom, shellnoob, scdbg, xc.
Web exploit / browser
- BeEF (Browser Exploitation Framework) — XSS-to-browser-control; legacy but still funny.
- XSStrike, Dalfox — XSS scanners + payload helpers.
- SQLMap — automated SQL injection / DB takeover. The reference for SQLi.
- NoSQLMap — NoSQL injection.
- Commix — command-injection framework.
Privilege escalation helpers
- WinPEAS / LinPEAS (PEASS-ng) — privesc enumeration scripts; the default first-thing-after-shell.
- PowerUp / PrivescCheck — Windows privesc.
- GTFOBins + LOLBAS — see Exploit DB & Cheatsheets.
- Linux Smart Enumeration (LSE) — quieter than LinPEAS.
- BeRoot — Win/Linux privesc.
Payload generation / encoding
- msfvenom — Metasploit's payload tool.
- Donut — generate position-independent shellcode from .NET / EXE.
- PEzor / scarecrow / freeze — modern payload obfuscation / EDR-evasion (loud territory; expect detection).
- Shellter — PE injector.
- Veil (legacy) — payload encoder.
Loaders / post-exploitation tooling
- Cobalt Strike Beacon, Sliver implants, Havoc demons — covered above.
- NimPlant, GoMet — language-experiment implants for AV-evasion learning.
- PowerShell Empire / Starkiller — see above.
- PE-sieve / Moneta / Hollows Hunter — defender side; detect injected modules.
Pick this if…
- Default learning / pentest framework: Metasploit Framework (free).
- Modern open-source C2, Cobalt Strike alternative: Sliver.
- Highly customizable C2 with many agents: Mythic.
- Cobalt-Strike-like UX, FOSS: Havoc.
- Exploit dev / CTF binary work: pwntools + GEF/Pwndbg.
- Authorized red team with budget, mature ops: Cobalt Strike or Brute Ratel.
- AD-specific post-ex: see Active Directory Pentesting.