Metasploit offers some great ways to automate its functionality through a programming interface. Metasploit users have built custom tools and processes based on this functionality, saving them time to conduct repetitive tasks, or enabling them to schedule automated tasks. Our most advanced customers have even intgrated Metasploit Pro into their enterprise security infrastructure to automatically verify the exploitability of vulnerabilities to make their vulnerability management program more efficient.

The Metasploit RPC API is accessed using the HTTP protocol over SSL. Metasploit Framework offers a basic set of commands, while the more advanced and higher-level API calls are reserved for Metasploit Pro. To get started with the Ruby API, you need to install the msfrpc-client GEM from www.rubygems.org. Authentication to the API happens either with a user name and password, which generates a temporary token, or an API key, in other words a permanent token.

The basic set of API calls available in both Metasploit Framework and Metasploit Pro includes:

  • Authentication: accessing the API through authentication tokens
  • Core: managing global variables in the framework object, saving the current configuration to disk, manipuliating the module load paths, reloading all modules, managing background threads, and retrieving the server version
  • Console: writing commands as if you were sitting in front of the console and reading its output
  • Jobs: listing and killing jobs
  • Modules: listing modules, enumerating options, identifying compatible payloads, and running them
  • Plugins: loading, unloading, and listing loaded plugins
  • Sessions: listing, interacting with, and terminating open sessions to compromised systems

The more advanced, higher-level API calls are exclusive to Metasploit Pro:

  • General: accessing product version information, active projects, and configured user accounts
  • License: registering and activating Metasploit Pro
  • Updates: checking for, downloading, and applying the latest Metasploit Pro updates
  • Task: enumerating, stopping and retrieving logs for background jobs initiated by the user through the web interface
  • Feature: accessing many of the top-level features in the Metasploit Pro user interface, such as scanning, importing, bruteforcing, exploiting, web, and reporting
  • Import: importing reports from third-party tools
  • Loot: collecting evidence from compromised machines
  • Module: searching the modules database

The Metasploit Web UI internally uses the advanced, higher-level Metasploit Pro API, so the API has been tested rigorously by our own engineers, our customers, and more than one million people who download Metasploit each year. We host the full documentation of the Metasploit Remote API here in the community - check it out now!