Rapid7 holds a private key. Your offline license file contains a digital signature. The Metasploit Pro binary contains a hardcoded public key. When you load the file, the software asks: "Does this signature verify against the file's contents using the public key?"

If the file has been tampered with—even changing a single byte in the expiration date—the signature fails.

  • Check logs:
  • Compute checksum:
  • Change permissions:
      current_hwid = get_system_hwid
      unless license_info["host_ids"].include?(current_hwid)
        raise "Wrong machine"
      end

      true
    end


Let’s walk through the exact process. Assume you have a Windows or Linux server with no internet access, and a separate internet-connected workstation.

Activating Metasploit Pro offline is a process specifically designed for air-gapped systems or environments with strict network policies. Note that this feature is typically reserved for versions; it is generally not available for free trial editions.

1. Prerequisites for Activation

Before starting, ensure you have the following:

  • A Valid Product Key: Provided by Rapid7 upon purchase.
  • The Activation File: A specific file (often named something like user_license.zip) provided by Rapid7 Support for your license.
  • Admin Privileges: You must have root or administrator rights on the target machine.

2. Step-by-Step Offline Activation

If your machine cannot connect to the internet, follow these steps to use your verified activation file:

  • Access the Web Interface: Open your browser and go to

Metasploit Pro enables offline license activation via a file-based process, restricted to licensed users and requiring contact with support for the initial file. The procedure involves uploading this file through the Administration panel in the web interface and requires manual, offline updates subsequently. For full instructions, visit Rapid7 Documentation.

This is intended for educational and authorized auditing purposes only.


  • Confirm the correct location for installing the activation file (check vendor docs). Typical locations:
  • If the vendor requires a Host ID/Machine ID:
  • If you are using VMware or VirtualBox, never clone a licensed Metasploit Pro VM. The clone will have the same OS but a new MAC address, instantly invalidating the activation. Always "sysprep" or generalize the VM before cloning, then reactivate each clone separately.

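    require "openssl"
    require "base64"
    require "json"
    require "digest"
    require "time"

    # RAPID7_PUBLIC_KEY_PATH is assumed to be defined elsewhere.
    def verify_offline_license(license_file, request_file)
      pub_key = OpenSSL::PKey::RSA.new(File.read(RAPID7_PUBLIC_KEY_PATH))

      license_data = Base64.decode64(File.read(license_file))
      raise "Invalid license file" if license_data.bytesize <= 256
      signature = license_data[-256..-1] # last 256 bytes = RSA signature
      payload = license_data[0..-257]

      # Verify the signature before trusting any field in the payload
      unless pub_key.verify(OpenSSL::Digest::SHA256.new, signature, payload)
        raise "Invalid signature"
      end

      license_info = JSON.parse(payload)
      request_hash = Digest::SHA256.file(request_file).hexdigest

      if license_info["request_hash"] != request_hash
        raise "Request mismatch"
      end

      # Assumes the expiry is stored as a time string; parse it before comparing
      if Time.parse(license_info["expiry"]) < Time.now
        raise "License expired"
      end

      true
    end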
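
The single-byte tamper claim can be checked end to end with a throwaway key pair. This is an added example, not code from the page or from Rapid7: it reuses the blob layout of the snippet above (Base64 of a JSON payload followed by a 256-byte RSA signature), while the key pair, field values and helper names are constructed for the demonstration.

```ruby
require "openssl"
require "base64"
require "json"

SIG_LEN = 256 # an RSA-2048 signature is 256 bytes

# Vendor side (constructed stand-in): sign the JSON payload, append the signature.
def build_license(priv_key, fields)
  payload = JSON.generate(fields)
  signature = priv_key.sign(OpenSSL::Digest::SHA256.new, payload)
  Base64.strict_encode64(payload + signature)
end

# Client side: split payload and signature, verify with the public key only.
# Returns the parsed fields, or nil if the blob is malformed or was modified.
def check_license(pub_key, blob)
  raw = Base64.decode64(blob)
  return nil if raw.bytesize <= SIG_LEN
  payload = raw.byteslice(0, raw.bytesize - SIG_LEN)
  signature = raw.byteslice(-SIG_LEN, SIG_LEN)
  return nil unless pub_key.verify(OpenSSL::Digest::SHA256.new, signature, payload)
  JSON.parse(payload.force_encoding("UTF-8"))
end

# Flip the lowest bit of one byte of the decoded blob, then re-encode it.
def flip_byte(blob, index)
  raw = Base64.decode64(blob)
  raw.setbyte(index, raw.getbyte(index) ^ 0x01)
  Base64.strict_encode64(raw)
end

KEY = OpenSSL::PKey::RSA.new(2048) # throwaway demo key pair
PUB = KEY.public_key               # the only key the verifier needs
FIELDS = { "expiry" => "2030-01-01T00:00:00Z", "host_ids" => ["demo-host-1"] }
BLOB = build_license(KEY, FIELDS)

if __FILE__ == $PROGRAM_NAME
  # Byte 12 of the payload is a digit of the expiry year (2030 becomes 2130).
  puts "untouched:     #{check_license(PUB, BLOB).inspect}"
  puts "expiry edited: #{check_license(PUB, flip_byte(BLOB, 12)).inspect}"
end
```

The verifier never needs the private key, which is why shipping the public key inside the binary does not let a holder of the binary mint a new valid signature.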