Lead Image © bluebay, 123rf.com
Hunt down vulnerabilities with the Metasploit pen-testing tool
Security Tools
Metasploit: Just hearing the word brings sweat to the brow of some, whereas others regularly use this hacking tool to test their own systems for vulnerabilities (pen testing). This kind of level pegging in the cyber arms race is essential to maintaining secure operations – and not just for critical systems. Vulnerability management is a big market, and the skills of experienced pen testers are in demand; strategies for red team/blue team training and catch-the-flag setups fill entire books.
The Metasploit Framework, a modular penetration testing platform that "contains a suite of tools that you can use to test security vulnerabilities, enumerate networks, execute attacks, and evade detection" [1], has been written up in a number of books. Linux Magazine reported more than 12 years ago [2] about how the Dalai Lama and many a government had exploits foisted on them in PDFs [3]. Metasploit is everywhere.
Charly Kühnast also covered the topic in his Linux Magazine sys admin column [4], writing that caution is advisable: "If you mess around with a pen-testing tool on your own network, you might survive the consequences, but chances are you'll take the prize for outstanding recklessness." Charly's advice: "Use Metasploitable, perhaps the most broken Linux ever."
My experience with careless pen testing came when an overzealous OpenVPN course participant at Linuxhotel used a pen-testing tool and started scanning around on the training cloud at Hetzner with a slightly off netmask. Within minutes, the monitoring tools identified this undesirable behavior and simply shut down the training network – rounded off by a warning message mailed in UPPERCASE to the course instructor.
...
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Slipping your pen test past antivirus protection with Veil-Evasion
The Veil pen-testing platform provides some powerful tools that will hide your attack from antivirus scanners – and Veil even supports Metasploit payloads. -
How to Hide a Malicious File
The best way to stop an attack is to think like an attacker. We’ll show you how to use the Metasploit framework to create a malicious payload that escapes antivirus detection.
-
Improved defense through pen testing
Discover indicators of compromise with open source pen testing tools. -
Discovering SQL injection vulnerabilities
Hardly a day goes by without reports of hackers breaking into government, military, or enterprise servers. If you analyze the details of the hacker's approach, you will see that, in 90 percent of all cases, SQL injection was the root cause of a server's compromise. -
Pen Test Tips
The powerful Metasploit framework helps you see your network as an intruder would see it. You might discover it is all too easy to get past your own defenses.