Probably a silly question - Metasploit


Pretty new to this, but I’ve starting working through the boxes. Something that plays on my mind is that quite a few of these rely on Metasploit.

My current understanding of the OSCP (an aspiration of mine to take that one day) is that the use of Metasploit is prohibited.

Is there a methodology that can be used to achieve the same exploit as Metasploit but without using that tool?

How do people aiming for OSCP get the experience, but not become too reliant on the Metasploit tool?



Metasploit module are usually built from existing non Metasploit exploits. I think what usually happens is that someone finds a vulnerability and develops an exploit for it without using Metasploit and then somebody (sometimes the same person) ports that into a Metasploit module. Most vulnerabilities that have Metasploit exploits can be exploited without using it.

You can use Metasploit in the OSCP exam, but only once. You can however still use Metasploit’s exploit handlers and msfvenom for building exploits and payloads as many times as you want. At least that’s what the rules used to be.