Review: Metasploit, 2nd Edition


If you’ve spent any time in penetration testing, chances are you’ve crossed paths with Metasploit. The second edition of Metasploit tries to bring the book in line with how pentesters are using the tool. It mostly succeeds, with some caveats depending on your experience level and what you’re hoping to get out of it.

About the authors

David Kennedy, founder of Binary Defense and TrustedSec, is a cybersecurity leader who advised on the series Mr. Robot. Mati Aharoni, OffSec founder, is a veteran penetration tester who has uncovered major security flaws. Devon Kearns co-founded the Exploit Database and Kali Linux. Jim O’Gorman heads the Kali Linux project at OffSec. Daniel G. Graham is a professor of computer science at the University of Virginia and a former program manager at Microsoft.

Inside the book

At its core, the book still functions as both a walkthrough and a reference. It starts by laying out the penetration testing methodology: preengagement, recon, scanning, exploitation, post-exploitation, and reporting. Then it maps each of those phases to how you might use Metasploit along the way. It gives the reader a way to think systematically, which is useful if you’re building or refining your own approach.

The early chapters walk through setting up a lab with Kali and Metasploitable, exploring the framework’s structure, and understanding how Metasploit’s components, like modules, payloads, and listeners, fit together.

One of the strongest sections is the middle of the book, where it digs into exploitation, post-exploitation with Meterpreter, and evasion techniques. The authors take time to show not just how to pop a shell but how to make it stick. Topics like privilege escalation, persistence, and lateral movement give the reader plenty of room to dig deeper.

The writing is straightforward and practical. The examples are command-line heavy, which is what you’d expect. The book assumes you’re comfortable in a terminal and that you’re not afraid of a little scripting.

Another plus is that the book goes beyond just using Metasploit like a script kiddie. It walks through building your own modules and porting exploits into the framework. These chapters won’t turn you into an exploit developer overnight, but they’ll give you a foundation and appreciation of how Metasploit works under the hood.

The simulated pentest in Chapter 15 is also a nice touch. It pulls together pieces from earlier chapters and gives a realistic look at how everything might come together in the field.

Who is it for?

This book is best suited for penetration testers or IT professionals who want to sharpen their offensive skills using Metasploit specifically. If you’ve used Metasploit a bit but feel like you’re only scratching the surface, this book will help you go deeper.

If you’re already doing full-scope red team engagements and writing custom tooling regularly, you probably won’t learn a lot of new tricks here. But it might still be worth skimming for its structure and as a refresher.

Metasploit, 2nd Edition is a solid update to a book that’s been a staple in the infosec community. You won’t finish the book and become an expert. But you will have a strong foundation, and you’ll know what to practice next. For IT pros working in or around security, this book remains a worthwhile tool in the learning arsenal.
