You can't secure what you don't acknowledge.SM

Thursday, December 23, 2010

Quick step-through of Metasploit Express

I've been raving about the penetration testing tool Metasploit for a while. With the release of Metasploit Express earlier this year I'm even more pleased with all the efforts HD Moore and his team have put forth. Metasploit Express is a commercial product you'll have to pay for but to me it's well worth the investment. It's easier to use, it has nice reporting and more. All the things we need in today's world of junk security tools that just don't deliver.

In the event you haven't tried it out, here's a brief walk-through of some of the nice features and capabilities of Metasploit Express.

<-- The main interface for a "project" provides access to hosts, sessions, reports, modules and tasks - the main sections of the app.

<-- If your vulnerability scanner has found a specific vulnerability you can search for it in Metasploit Express to confirm there's an exploit module as shown here.

<-- You can then manually launch the exploit on your target host.

<-- Once a vulnerability has been exploited and the payload delivered, you can gather evidence as shown here.

<-- Or, you just can just obtain a remote command prompt showing that you've compromised the host.

<-- When all's said and done, you can kill your session, clean up the remnants and be done with it.

There are numerous other features within Metasploit Express that allow you to automate host discovery, the exploitation process and so on...just a bit much to cover in one blog post. Perhaps I'll cover that in detail in my next edition of Hacking For Dummies. :)

All in all, Metasploit Express is a security testing tool you shouldn't be without. It's a great way to "prove" those security vulnerabilities you discover are indeed a business problem.

1 comment:

  1. P.S. - Sorry for the for weird formatting...inserting images and aligning text in Blogger is absolutely *painful*.