Pen testers swiss army knife
Updated November 04, 2016

Anonymous | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User

Overall Satisfaction with Metasploit

Our team uses Metasploit during all penetration tests. Metasploit is fantastic in cases where an organization has not performed regular updates. The pre-compiled exploits used by Metasploit are a great way to provide a proof of concept to the client. Metasploit is also used when we've gained a local shell on a machine or have RCE via a web application. Sometimes it is easier to create a reverse Meterpreter shell than to send a bash shell back; this is more so the case when we have RCE on a Windows client, as sending a reverse shell is much more challenging without Meterpreter.
Pros:
  • Create reverse shells
  • Test known exploits
  • Enumerating the target (Meterpreter)
Cons:
  • Better obfuscation of Meterpreter payload
  • Options for obfuscation of Meterpreter handler
  • More options for encrypting payloads
Return on investment:
  • Metasploit has not directly had an ROI with my company; however, it's made PoCs easier to display to the client, which makes my company look good
Metasploit is written in Ruby, which is a fairly easy language to learn, so writing custom modules is fairly easy. The fact that you CAN write custom modules is also a huge plus. Most other software does not allow for "on the fly shells", which is the other main usage of our team.
Metasploit is well suited to just about any pen test environment; however, it should not be used in unauthorized environments or on machines where a pen test was not welcomed/authorized.

Using Metasploit

15 - Penetration testing, vulnerability assessment
15 - Nessus, Metasploit, Wireshark, Snort, Nmap, Nping, Cain and Abel, John the Ripper, OpenVAS, CSAM, Splunk, AppScan, Acunetix, Reaver, Burp, SCAP, HBSS, ePO, BigIP, Cisco, Kali, WebInspect, BigFix, Juniper, vSphere, VMware, VirtualBox, ACAS, DITSCAP, DIACAP, Visio, eMASS, SecurityCenter, Sourcefire, NetSparker
  • Penetration tests
  • Vulnerability assessments
  • Network tests
  • Red teaming
  • Sometimes we modify the handler to obfuscate the connection back to the MSF handler
  • We sometimes modify the Ruby modules based on the system we are attacking
  • We almost always use it for pivoting once we are sure there is no AV on the target machine
  • Buy the Pro version
  • Buy individual licenses for the team
  • Start development of individual modules
It is an incredibly easy framework to use. We can have new testers come in and immediately start using Metasploit. It also allows advanced users to customize modules so that the inexperienced testers can use the modules without having all the technical knowledge behind the actual exploit.
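As an added example (not code from the review or from the Metasploit project) of the kind of custom module the reviewer describes, where a senior tester writes the logic once and newer testers run it: a minimal auxiliary scanner that flags HTTP servers whose Server banner is below a configured minimum version, the "organization has not performed regular updates" case from the first section. The version-comparison logic is plain Ruby so it can be run and tested outside msfconsole; the MetasploitModule class is only defined when the framework is loaded. The product names, minimum versions and module metadata are constructed for illustration and do not correspond to any real advisory.

```ruby
# Added example: a minimal Metasploit auxiliary scanner module that flags
# out-of-date HTTP servers from their Server banner. The version logic lives
# in plain Ruby (BannerCheck) so it runs without the framework; the module
# class below it is only defined when Msf is loaded (inside msfconsole).
require 'rubygems' # Gem::Version is used for numeric version comparison

module BannerCheck
  # Constructed thresholds for illustration only (not real advisories):
  # any server below the listed version is reported as outdated.
  MIN_VERSIONS = {
    'Apache' => '2.4.10',
    'nginx'  => '1.18.0',
  }.freeze

  # Parse a Server header such as "Apache/2.4.7 (Ubuntu)" into [product, version].
  # Returns nil when the banner carries no product/version pair (e.g. "cloudflare").
  def self.parse(banner)
    return nil if banner.nil?
    m = banner.match(%r{\A\s*([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)})
    return nil unless m
    [m[1], m[2]]
  end

  # Returns a hash describing the finding, or nil when there is nothing to report:
  # unknown product, unparseable banner, or version at/above the minimum.
  def self.check(banner, min_versions = MIN_VERSIONS)
    product, version = parse(banner)
    return nil unless product
    min = min_versions[product]
    return nil unless min
    return nil unless Gem::Version.new(version) < Gem::Version.new(min)
    { product: product, version: version, minimum: min }
  end
end

# Framework wrapper: only evaluated when loaded by msfconsole, so the file
# still runs under plain ruby for testing the logic above.
if defined?(Msf::Auxiliary)
  class MetasploitModule < Msf::Auxiliary
    include Msf::Exploit::Remote::HttpClient
    include Msf::Auxiliary::Scanner
    include Msf::Auxiliary::Report

    def initialize(info = {})
      super(update_info(info,
        'Name'        => 'HTTP Server Banner Version Check (example)',
        'Description' => 'Flags HTTP servers whose Server banner is below a configured minimum version',
        'Author'      => ['example'],
        'License'     => MSF_LICENSE))
      register_options([OptString.new('TARGETURI', [true, 'Path to request', '/'])])
    end

    # Called once per host in RHOSTS by the Scanner mixin.
    def run_host(ip)
      res = send_request_cgi('uri' => normalize_uri(target_uri.path), 'method' => 'GET')
      return vprint_status("#{ip}:#{rport} - no response") unless res
      banner = res.headers['Server']
      finding = BannerCheck.check(banner)
      if finding
        print_good("#{ip}:#{rport} - #{finding[:product]} #{finding[:version]} is below #{finding[:minimum]}")
        report_service(host: ip, port: rport, name: 'http', info: banner)
      else
        vprint_status("#{ip}:#{rport} - banner '#{banner}' not flagged")
      end
    end
  end
end
```

Dropped into ~/.msf4/modules/auxiliary/scanner/http/ and picked up with reload_all, it runs like any other scanner module (set RHOSTS, run); the thresholds would be replaced with version data from a real advisory or from the Nexpose findings the reviewer mentions.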

Evaluating Metasploit and Competitors

Yes - We didn't replace anything, but adding Metasploit to our list of tools let us do more with newer testers. This made the whole team look better in the clients' eyes, as we all seem to be on the same level using something like this. It would be nice to have a reporting feature as well so that we could quickly generate reports for the client.
  • Price
  • Product Features
  • Product Usability
  • Product Reputation
  • Prior Experience with the Product
  • Vendor Reputation
  • Existing Relationship with the Vendor
  • Positive Sales Experience with the Vendor
  • Analyst Reports
  • Third-party Reviews
We use the free version most of the time. We use the paid version rarely because we are unable to use it individually on our machines. But it houses just about everything we need, and it's the first check we do to look for the low-hanging fruit. It also integrates well with the sister product Nexpose. But still, I would have to say the best feature is how easy this product is to use.
Use Nexpose first to easily identify low-hanging fruit and the associated Metasploit modules. Then, having purchased individual licenses for the enterprise version, we would attempt exploiting the target. It would also be nice if there was a reporting feature for it so that we could easily generate a report to use for the client. I don't know how easy this would be for Trustwave, but if they could make the process of writing a module a little easier, that would be nice.

Metasploit Implementation

I do not have many key insights regarding implementation of Metasploit, but it would be nice if the package was more friendly to other OSes outside of Debian and Ubuntu. When we install on Ubuntu and Debian (like a Kali OS) it is incredibly simple. But if we install it on something such as Red Hat Enterprise Linux or FreeBSD, then we have a lot of issues getting it up and going.
  • Implemented in-house
We built the Metasploit server ourselves because the client is very wary of vendors coming in and building things on our network. Nevertheless, it was really easy to set up and we had it up and running within a day. Just make sure that you whitelist it with all of your IDS/IPSs on the network or else they will rain down alerts. Remember, a lot of out-of-the-box attacks are already well-known signatures with these IDS/IPSs.
No - We literally just did a team effort and built it in one day. We didn't want to segment the build because we wanted to use the free time we had wisely. If we had a longer period of free time, perhaps we would have taken more time and segmented it out. This would allow us to get all the features working fully and would allow us to use less "duct taping" in the future.
Change management was minimal - The client we work for is actually very good with allowing us to implement our tools as we see fit. They have basically given us free rein on our network to do what we need to do. When we have to sit on a production network, they are also good about allowing our laptops/VMs to sit on their network with minimal paperwork to do so. In most government organizations it's next to impossible to do things like this.
  • Dependency issues based on the OS you decide to run this on
  • Database issues with metasploit
  • Scanner integrations can be a pain to get up and working

Metasploit Support

It is very easy to use. Just about any tester of any level of experience can use it, which makes me more confident on network tests. Experienced testers can also write modules fairly easily to let the more inexperienced ones replicate their findings. Like I have said in my prior reviews, it is super scalable for the whole team, and modules can be written on the fly so that newer testers can replicate senior tester results.
Pros:
  • Quick Resolution
  • Good followup
  • Knowledgeable team
  • Problems get solved
  • Kept well informed
  • No escalation required
  • Immediate help available
  • Support cares about my success
  • Quick Initial Response
Cons:
  • Need to explain problems multiple times
Yes - I cannot afford it, but the client I work for has the premium support. I wish the licenses extended to the users' individual machines so we could use them remotely. However, it still isn't bad to have in your arsenal. It would allow for more opportunity in gaining a foothold on the target machines.
Yes - I have reported a bug with Metasploit on their GitHub page and was helped very quickly. The thread grew fast and the team behind the GitHub page was very helpful. So were the users who are not part of Trustwave's team. With the help of everyone I was able to resolve the issue very quickly. Not only is posting helpful, but searching for your issues on the GitHub page is also very helpful.
I actually have posted on the Metasploit GitHub page and received a very quick response. The issue I had was handled fairly quickly, same day! I mentioned this in my prior post, but having the Trustwave team monitoring the GitHub and helping on the fly is great for the entire community. Just doing a Google search for the issue with "site:github.com" will usually resolve your issue fairly quickly as well.

Using Metasploit

Super easy to use! Like I said in my prior ratings, this is perfect for newer testers to come right in and start testing. The more experienced testers can even write modules for the more advanced findings so that the newer testers are able to use the modules to accurately test said findings. This is why it scales so well!
Pros:
  • Like to use
  • Relatively simple
  • Easy to use
  • Technical support not required
  • Well integrated
  • Consistent
  • Quick to learn
  • Convenient
  • Feel confident using
Cons:
  • None
Easy:
  • Low-hanging fruit
  • Public-facing ports
  • Local privilege exploitation
Difficult:
  • Writing Ruby modules
  • Integrating scanners into the MSF framework
  • Setting up the database