May 15, 2013

What is Metasploit? Whiteboard Wednesday

In today's Whiteboard Wednesday, Chris Kirsch explains what Metasploit is and how you can use this penetration testing software to protect your network. Chris will dive into each edition and explain what each has to offer. You will also learn how to install Metasploit and get up and running quickly. What is Metasploit? Let Chris tell you!

Read Video Transcript

Hello and welcome to this Whiteboard Wednesday. My name is Chris Kirsch, and I work on the Metasploit Team here at Rapid7. Today I would like to give you a brief introduction about what Metasploit is. If you're reading the papers every day, then you're probably seeing a lot of reports of companies getting hacked. So why are they getting hacked? Well, basically because the attackers are getting past the defenses.

So how do you test that your defenses are actually working? Well, there is a technique called offensive security or penetration testing that you can apply, and that enables you to safely test the defenses and see if they hold up against an attack.

So Metasploit is a solution that does exactly that. Metasploit started out as an open source project, and there are three additions that I will walk you through because it can be a little bit confusing when you're first getting into this topic.

Metasploit Framework is the open source version of Metasploit. That's how it all started out. It's now led by Rapid7. We're collaborating a lot with the open source community, getting a ton of content here. So thank you very much if you're one of the collaborators. Metasploit Framework is a command line only version. It's free and open source. You can download it at anytime and use it. Typically, the people I see using Metasploit Framework are the more advanced users, typically even developers that are creating new exploits and testing them out, tweaking a lot, so very deep down in the technology.

If you are just starting out with Metasploit, than Metasploit Community edition might be the better fit for you. For example, if you're a student or a professional who would like to get into penetration testing, then here with Metasploit Community, we've got a free version. It's free for private use and for commercial use. It includes a graphical UI that will walk you through some of the steps. So a great place to start.

If you want to get more serious about penetration testing and offensive security, then I recommend Metasploit Pro, which is the fully featured version. It's the commercial version that we offer at Rapid7. There is also a seven day trial available if you want to try it out.

What does Metasploit Pro offer you that the other editions don't? Well, there are a few different things. Let me summarize. First of all, usability. With Metasploit Pro you, for example, you have some wizards that help you through penetration tests. For example, the Quick Pen Test Wizard is a great place to get started. Then also we have some productivity features for those people who are already very familiar with Metasploit and might have been using the Metasploit Framework before but are now reaching the limits of how large a pen test they can do with Metasploit Framework.

So here its all about data management, all about work flows and productivity, and we have a lot of features in there.

If you are running a vulnerability management program with a vulnerability scanner, such as Nexpose, then you might get quite a long list of vulnerabilities in your report. With Metasploit, you can import the information from these vulnerability scanners, verify that a vulnerability is real and can actually be exploited in your environment, and shorten the list and prioritize on what is really important because those are the areas where your defenses are down and you need to move quickly and fix it.

The also, after you applied a patch or implemented some other remediation measure, you can validate that the defenses are now working properly. You can also simulate phishing attacks on your user base to test whether or not your users are susceptible to phishing attacks or maybe measure progress after you run a training campaign for example. You can also test web applications or audit the passwords. At the end you can create reports that will enable you to share the information that you found with your colleagues and with your management so that you can address the issues.

You can download Metasploit at Rapid7.com. The download includes all three editions so you don't need to choose before the download. You will be prompted halfway through when you're inside the UI. I do recommend that you install it on a virtual machine, because the way Metasploit works and the kind of techniques it uses, it conflicts with firewalls and anti-virus solutions. So you should use a machine where you can safely switch off anti- virus and your firewall.

If you're looking for a vulnerable target, then Metasploitable is a great option. It's a virtual machine that's intentionally vulnerable. You will be able to test some of the techniques inside Metasploit against this target and see what it actually looks like when you're successfully compromising a host.

If you're having any questions about installing Metasploit, using Metasploit and so on, then please go to our Security Street Community at Community.Rapid7.com. You can ask questions there. We've got tons of documentation, blog posts and so on. I hope to see you there.

Free Metasploit Download

Protect your network with the leading penetration testing tool

Download Now
Whiteboard Wednesdays Logo

Subscribe to our weekly
Whiteboard Wednesday videos