The Metasploit Framework is a key resource for security assessors. Whether you’re goal is to become a commercial penetration tester, to demonstrate the risk of a vulnerability, or just need to identify certain weaknesses in your environment, Metasploit is your tool. Understanding how it works, and how to get started is the first step.
The Metasploit project was started in 2003 by HD Moore as an open source framework for developing and executing exploits. It’s modular designed allows developers to focus on the code unique to their objective without having to recreate components like transport methods or payloads. It has since grown to include thousands of modules for exploitation, post-exploitation attacks, scanning, encoding, and others.
In addition to exploiting known vulnerabilities, Metasploit has the functionality to do port scans, identify systems with default passwords, using credentials or hashes to run commands on remote systems, and much more. You can even setup listeners for capturing user credentials via common protocols like HTTP and SMB to be used in multi-part attacks. And if the functionality you need doesn’t exist, it’s very easy to write your own new modules.
Before you get to all that though, you have to understand how Metasploit works and get it up and running. We put together a one-hour webinar to help you get started. Whether you’ve never used Metasploit, or just need a refresher course, this video will walk you through the basic steps of understanding how things work, getting it installed, and exploiting your first vulnerability.
Check it out here:
When you’re ready for the next step, we also have a 2-hour recorded training class designed to help you become more proficient in Metasploit. It offers tips and tricks that we use on engagements.
Nathan Sweaney is a Senior Security Consultant with Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at firstname.lastname@example.org or visit the Secure Ideas – Professionally Evil site for services provided.