Is using metasploit cheating for anything?

Hi, I was thinking of using metasploit but I realize that being a script kiddie is probably cheating and I don’t want to be a script kiddie. Is metasploit an ok tool to use on the missions or would you say it’s cheating?

No, but doing the challenges manually can help you learn more too.

It’s a bit of a complicated question and I think largely depends on your goals and what you want to get out of the challenges.

Personally I don’t think it’s cheating. I would say you should try to understand what it’s doing and why something works, but if an exploit is discovered and coded into metasploit what’s the point of trying to rediscover it? Seems overly complicated for some CTF machines.

I’m a programmer so I can read a lot of the metasploit scripts and basically understand what they’re doing. For me I see little point in trying to reinvent the wheel. If you read those scripts and didn’t understand them though maybe you should spend some more time trying to figure out why it works.

Another thing is, if metasploit is cheating what about nmap? Where does it stop? At the end of the day these are tools to assist you - the more you understand the concepts at a fundamental level the more you can leverage the tools.


Not really because in order to use Metasploit properly you need to know what the Metasploit modules do and why. Metasploit is basically a tool to achieve a goal. Hackers are using Metasploit in the same way carpenters use utility knives or tape measures: even if we have all these wonderful tools we must know what’s going on.

What comes to actual script kiddies: just using a tool does not make you one. The difference between a hacker using tools and script kiddies is that script kiddies show no bias. They scan blindly all systems, regardless of location and value. And when they find a weakness they will exploit it - regardless of consequences.

Another point is a reaction to failure. When script kiddies attack a machine and when they notice that off-the-shelf attack does not work, they move on. At this point, a person with “hacker mentality” starts to dig deeper to see why the exploit did not work.

In short: it’s not the tools, it’s the mentality and knowledge. :slight_smile:

Metasploit is a powerful tool but it does have some downsides. Recently I popped a Web Sphere box with a Java deserialize vulnerability. But I set off a CIRT because they know the Metasploit signatures. Doing it manually can help not get caught! Sometimes it is easier to write your own reverse shell than to try to get a metasploit one past the scanners.