Professionals use whatever get's the job done while maintaining acceptable risk levels for the client and staying in the confines of the rules of engagement and test scope. That might mean Metasploit, it might not. Your rules of engagement might specify only the use of built-in utilities or limit the types of exploits that can be used. Metasploit is a great tool but don't rely on it too heavily. Real pentesters can still do what they need to do without it, but usually don't unless they have to.

Thanks for the comments.

So if they dont use one of the framework platforms, how would they exploit the targert system? I dont know if I'm asking the right question, Im just trying to figure out how to word my question properly.

That does help. So alot of people who use metasploit are script kiddies? I'm thinking about joining hacking dojo, hacker academy, or elearnsecurity.com but after reading some reviews...I dont know if they are really worth the money.

Are you working in the security field?

I understand what you meant. I was just surpised script kiddies use metasploit. When I heard of SK's, I imagined someone using wireshark, nmap, or nessus and not really understanding what they are doing. Metasploit seems complicated, so I didnt think script kiddies used it.

I wouldnt mind hearing some of your personal experiences. I dont want to be a script kiddie haha

Here's one example (I'll post THIS one to the thread, as it's more vague, and doesn't directly name anyone.)  Nearby, in the area where I live, there is a fairly new company, who promotes 'KNOWING HOW A HACKER THINKS, AND WHAT THEY LOOK FOR AND USE TO GET YOU."  I've seen copies of their 'pentests' from some customers, who have since called me.  The reports are canned output from nessus and MSF, but don't even go as far as showing they achieved any compromise, or any real detail, aside of the fact that nessus SAYS there are vulnerabilities, and that MSF SAYS they can be exploited.  In fact, in one such report, they show an attempt (that failed) to use MSF to exploit the weakness, and leave it at a statement of "Given time, we're certain that we could've compromised your system."  (yeah.....  given LOTS of time, for them to call in someone with a clue.)  I'm sorry, but the point is to actually achieve the compromise, to prove the validity of the discovery.  A little extra work by them, to understand the exploit and tweak it, and they could've easily made it work.  But instead, they proved (to me, anyway) that they're more or less script kiddies, who memorized their way through certifications (or not even,) but don't truly understand the realities and flaws they were seeing.

This is one of a handful I could give you, from personal experiences.  There have been several, not only by that company, but by others I've seen.  I've also seen reports and findings from other companies who've claimed to have found really serious holes, only to have to relate to my clients (whom I did NOT test, at all) that the holes were neither valid, nor exploitable, in the way that said company claimed.  I went on, in one case to show it was IMPOSSIBLE to have gotten in, via one reported finding, and the contracted pentest company later acknowledged to the customer they doctored up things a bit, since they hadn't proven anything, otherwise.  They had also been contracted for services in maintaining patching,etc, so they wanted to prove there was reason to pay them for their time and services.  Needless to say, said company will NEVER be called by that particular customer, again.  I give the company in my first paragraph props, at least, for leaving it at, "we didn't get it, but could've."  At least they didn't outright lie...

Just goes to show, like in the thread where sil is discussing certified versus experienced, etc, that folks really need to vet out their employees, and need to research carefully on anyone they are contracting in for security work, to make sure the credentials and knowledge are accurate, and not just a ticket to open the front door and make some $$.