By guest blogger Sean Duffy, IS Team Lead, TriNet
Rapid7 invited me to participate in pre-release testing of Metasploit 4.10, a process they call Tech Preview. They asked me to openly share my thoughts with the community.
Preparation and Logistics
I always enjoy working with Rapid7. Preparatory meetings and documentation made the installation and testing process a breeze. Rapid7 was also kind enough to extend my testing and feedback sessions when work so rudely intruded on the fun. Zero complaints.
Testing focused on improvements in Metasploit Pro's credential management. Metasploit Pro now contains a new Credentials menu that includes credential management. It offers one-stop shopping to
- Find previously obtained credentials from exploitation
- Clone and modify existing credentials
- Add new credentials
- Validate credentials by testing where they work
I liken the functionality a bit to credential management for sites in Nexpose. It is quite handy to have this screen for managing all the credentials for all the hosts in a project. In addition, there is new reporting specific to credentials, AND a John the Ripper module is now available with Metasploit (if you don't have it already). Christian Kirsch provides a detailed review of the functionality in his release blog post now available on ‘The Street.'
My testing did find a few bugs, but most were addressed by the end of the Tech Preview. I also went a bit off the reservation to see if there were changes or improvements in other areas such as vulnerability validation and phishing campaigns. Nope – all worked as before.
I believe that this functionality will facilitate penetration testing by making access to credentials much easier to access and verify. I hope that it serves as a springboard to future functionality (such as interfacing with Nexpose and credentials stored there). And if Rapid7 is able to provide more effective methods of testing against websites with credentials, I will be eternally grateful.
Thanks, Rapid7. I look forward to what comes next!
Note from Rapid7: Hear Sean talk on this video about how he uses Metasploit Pro and Nexpose at Trinet (also linked from the video still on this post)