Metasploit Pro 3.6 was released today with a slew of new features aimed at facilitating pen testers throughout the entire penetration testing process. One such new feature is asset tagging of groups of hosts, so that they can be grouped together easily. Utilizing another new feature, global search, makes managing large engagements a breeze. In addition [...]
Metasploit Pro 3.6 was released today with a slew of new features aimed at facilitating pen testers throughout the entire penetration testing process. One such new feature is asset tagging of groups of hosts, so that they can be grouped together easily. Utilizing another new feature, global search, makes managing large engagements a breeze. In addition to a free webinar on March 22 with James “egyp7″ Lee on the Metasploit Framework, EH-Net regular columnist, Ryan Linn, explores Metasploit Pro. He not only shows off some of those new features but also walks the viewer through the basic steps of performing a pen test with Metasploit Pro with the following 3 videos:
- Getting Started With Metasploit Pro
- Post Exploitation
- Reporting and Cleaning Up
As we all know, a pen test is not over when the hacking is done. Rapid7 realizes this as well, so the new reporting capabilities are a very welcome addition. It is now easy to generate PCI compliance notes based on the findings throughout the penetration test. These reports indicate exactly where the failures are and actually provides evidence to support those findings. For those that need more detailed reports on all of the activity performed throughout a penetration test, the activity report shows all commands issued and all gathered evidence. These two reports alone can save a lot of time for testers who need to present this type of information to their clients.
For those that haven’t learned to ‘stop worrying and love the GUI,’ Metasploit Pro now has a console mode where you can interact with Metasploit Pro just like the Community Edition. For those that have embraced the GUI, the addition of tags allows for easy grouping of assets, and the tags can be used in many of the fields as shortcuts for specifying specific IP addresses. This really speeds up every step in the process.
So let’s get a feel for Metasploit Pro as a whole as well as the new features of v3.6.
Discuss in Forums
Join us for a Free Webinar on March 22
James “egyp7″ Lee takes participants in a technical deep-dive through the new features of the free and open source Metasploit Framework version 3.6, focusing on techniques valuable to professional penetration testers in red teams and consulting firms. This will include post exploitation modules (a more powerful replacement for Meterpreter scripts) and using platform-agnostic payloads for increased pwnage. Before the QA, he will also cover some of the feature highlights in the commercial Metasploit editions Metasploit Pro and Metasploit Express. Webinar participants should be familiar with the concepts of Metasploit and penetration testing.
Video 1: Getting Started With Metasploit Pro
This video is going to walk you through logging into Metasploit Pro, creating a project, and doing the initial scanning. You will see a network scan to identify assets using Nmap through Metasploit Pro, look at how to tag assets, and then pass those assets to NeXpose for vulnerability scanning.
Video 2: Post Exploitation
Now that NeXpose is done scanning, this video will walk through exploitation and post-exploitation using Metasploit Pro. You will also see how to do post-exploitation information gathering through the GUI.
Video 3: Reporting and Cleaning Up
Once you have all of your loot, you need to clean up your sessions and do some reporting. This video shows how to clean up the meterpreter sessions, and then create PCI Reports and others based on the information that you have gathered.
The new version of Metasploit Pro has some great features to help speed up the pen-testing process. If you are doing large scale penetration tests, Metasploit Pro does a great job of helping you categorize the information and deal with the exploitation process.
Ryan Linn, CISSP, MCSE, GPEN – Ryan is currently an Information Security Engineer at SAS Institute. Employed in the computer industry since 1997, he has held positions ranging from web developer to Unix Systems Programmer at a large university to his current position in Information Security. Ryan has been responsible for working with large scale deployments of various flavors of *nix, high availability web and database clusters, as well as for application programming in high availability environments. In the past few years, Ryan has incorporated Windows security into his responsibilities, and is now part of the team responsible for information security globally in one of the largest privately held software companies in the world.
Article source: http://www.ethicalhacker.net/content/view/357/24/
We Have a Winner!!
With the help of Rapid7, we have once again set the bar at its highest level for the value of the prizes given away each and every month on EH-Net to top contributors. Back in April, Rapid7 gave you the chance to win your very own copy of Metasploit Express that includes the [...]
We Have a Winner!!
With the help of Rapid7, we have once again set the bar at its highest level for the value of the prizes given away each and every month on EH-Net to top contributors. Back in April, Rapid7 gave you the chance to win your very own copy of Metasploit Express that includes the full license support for 1 year. This time around, it’s a full 1-year license of Metasploit Pro with support included for a total value of $15,000! Check out the EH-Net Exclusive video with HD Moore giving a guided tour of the newest release of Metasploit Pro with a sneak peak at v4. For a little more on the Pro edition:
“Metasploit Pro helps enterprise defenders prevent data breaches by efficiently prioritizing vulnerabilities, verifying controls and mitigation strategies, and conducting real-world, collaborative, broad-scope penetration tests to improve your security risk intelligence.”
As we mentioned when announcing this great prize, we were going to step out a little and open the competition to more than just those who post a lot in the forums. So we looked at a number of people who help spread the word of EH-Net as well as help us in ways that simple forum posts can’t touch. One such member jumped out. He only has 3 posts in the forums, but has worked tirelessly behind the scenes to help many of my efforts even above and beyond EH-Net. So much so that even a $15,000 prize doesn’t even the score. With high praise and many thanks, I’m happy to announce that EH-Net member JustinKallhoff is our winner. Congrats!
Discuss in Forums
Participation is the ONLY way to win. Start a thread that sparks lots of interest; share thoughts and experiences; help a newbie… quality is more important than quantity.
Only members are eligible!
Registration Is FREE!
Article source: http://www.ethicalhacker.net/content/view/394/8/