Metasploit Pro Getting Started Guide

Visit http://community.rapid7.com to post questions, read documentation, and search for answers.

Last updated 04/22/2013

Welcome

This guide covers some of the most common penetration testing tasks that you can perform with Metasploit Pro. The goal is to walk you through some of the most common task configurations and give you a brief overview of some of the most important concepts in Metasploit Pro.

Practice Target

If you need a vulnerable target to practice on, you can download Metasploitable or Metasploitable 2. Both targets are intentionally vulnerable Ubuntu virtual machines that have been specifically created for testing Metasploit Pro and other Metasploit editions.

Metasploitable 2 is the latest distribution from Rapid7 and contains more vulnerabilities than Metasploitable. It is recommended that you use Metasploitable 2 instead of Metasploitable. For information on setting up Metasploitable 2, read the Metasploitable 2 Exploitability Guide.

If, for some reason, you really want to practice against Metasploitable, read the Metasploitable Set Up Guide for more information.

Metasploit Pro Workflow

Product Terminology

Bruteforce Attack: An attack that attempts a large number of user name and password combinations for targeted services to gain access to hosts.

Discovery Scan: The Metasploit internal scanner that combines Nmap and several Metasploit modules to scan and enumerate targets.

Exploit: A program that takes advantage of a specific vulnerability and provides an attacker with access to the target system. An exploit typically carries a payload and delivers the payload to the target system.

Module: A standalone piece of code, or software, that extends functionality of the Metasploit Framework. Modules automate the functionality that the Metasploit Framework provides and enable you to perform tasks with Metasploit Pro.

Project: A container for the targets, reports, and data that are part of a penetration test. A project represents the workspace that you use to configure the tasks for a penetration test.

Target: A term that represents a single host, multiple hosts, a network range, or an entire network. In social engineering, a target refers to a human target.

Quick Start Guide: Getting Started with Metasploit Pro

Task 1: Create a Project

1. Open a web browser and go to https://localhost:3790 if Metasploit Pro runs on your local machine. If Metasploit Pro isn’t installed locally, replace localhost with the address of the remote machine.

2. Select Project > Create New Project from the Main menu.

What is a project? A project contains the workspace for the penetration test. You perform all tasks for a penetration test from within a project, including scanning, exploitation, bruteforcing, and social engineering.

3. When the New Project window appears, specify a name, description, and network range for the project.

Do I need to specify a network range? No, you only need to define a network range if you want to require that targets fall within a specific address range. Otherwise, Metasploit Pro uses the network range to autofill the target address field for some tasks, like scans, bruteforce attacks, and exploits.

4. Choose the team members that you want to access the project.

5. Create the project.

Task 2: Run a Discovery Scan

1. From the Project Overview page, click the Scan button.

2. When the New Discovery Scan page appears, enter the addresses that you want to scan in the Target addresses box. You can enter a single IP address, an IP range described with hyphens, or a standard CIDR notation.

3. Use the default discovery scan settings.

Setting Advanced Options To fine-tune the scan, you can configure the advanced options. For example, you can specify the IP addresses that you want to include and exclude from the scan, as well as the target ports, services, scan speed, and scan mode for the discovery scan.

4. Run the scan. The Task log appears and shows you the status of the scan.

5. After the scan completes, visit the Hosts page to see the results of the scan.
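
The project network range from Task 1 and the three target address formats from Task 2 can be checked against each other before a scan is launched, so that nothing outside the agreed scope is entered. The following is an added example, not code from Rapid7 or Metasploit Pro: the function names, the sample addresses, and the full start-end form of the hyphenated range are assumptions.

```python
import ipaddress

def parse_target(spec):
    """Return the (first, last) IPv4 addresses covered by one target entry."""
    spec = spec.strip()
    if "/" in spec:                                  # standard CIDR notation
        net = ipaddress.IPv4Network(spec, strict=False)
        return net[0], net[-1]
    if "-" in spec:                                  # hyphenated range, assumed start-end form
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if lo > hi:
            raise ValueError(f"range is reversed: {spec}")
        return lo, hi
    addr = ipaddress.IPv4Address(spec)               # single IP address
    return addr, addr

def check_scope(targets, project_range):
    """Split target entries into in-scope entries and (entry, reason) rejections."""
    scope_lo, scope_hi = parse_target(project_range)
    in_scope, rejected = [], []
    for spec in targets:
        try:
            lo, hi = parse_target(spec)
        except ValueError as exc:                    # malformed address, mask or range
            rejected.append((spec, f"unparseable: {exc}"))
            continue
        # The whole entry must sit inside the project range, not just its start.
        if scope_lo <= lo and hi <= scope_hi:
            in_scope.append(spec)
        else:
            rejected.append((spec, "outside project network range"))
    return in_scope, rejected

# Constructed sample input: a lab-only project range and candidate target entries.
PROJECT_RANGE = "192.168.56.0/24"
TARGETS = [
    "192.168.56.101",                # single address
    "192.168.56.10-192.168.56.20",   # hyphenated range
    "192.168.56.128/25",             # CIDR block
    "192.168.57.5",                  # neighbouring subnet
    "192.168.56.250-192.168.57.3",   # range that runs past the end of the scope
    "10.0.0.0/33",                   # invalid prefix length
]

if __name__ == "__main__":
    ok, bad = check_scope(TARGETS, PROJECT_RANGE)
    print("in scope:", ok)
    for spec, reason in bad:
        print("rejected:", spec, "->", reason)
```
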

Task 3: Exploit Targets

1. From the Analysis page, click the Exploit button. This will launch the Automated Exploit feature.

What is automated exploitation? Automated exploitation is Metasploit Pro’s method of matching exploits to vulnerabilities and open services. Metasploit Pro cross-references open services, vulnerabilities, and fingerprint data against matching exploits to create an attack plan against the targets. This process removes most of the legwork that you would normally perform for manual exploitation.

2. When the New Automated Exploitation Attempt page appears, enter the addresses that you want to exploit in the Target addresses box. You can enter a single IP address, an IP range described with hyphens, or a standard CIDR notation.

3. Choose Great for the Minimum Reliability (or module ranking).

What’s a rank? A rank indicates the reliability and stability of an exploit. The higher the ranking, the less likely the exploit will crash a service. We recommend that you always use Great or Excellent.

4. Use the default exploit settings for the automated exploit.

Setting Advanced Options If you want to customize the exploit, you can configure the advanced options to customize the payload and exploit types. Just click on the Show Advanced Options button to see the options that are available for you to customize.

5. Launch the exploit. Successful exploits will open a session with the compromised target. To see a list of open sessions, click on the Sessions tab.

Task 4: Bruteforce Services

1. From the Analysis page, click the Bruteforce button.

2. When the New Automated Bruteforce Attempt page appears, type the addresses that you want to bruteforce in the Target addresses box. You can enter a single IP address, an IP range described with hyphens, or a standard CIDR notation.

3. Choose a depth for the bruteforce attack.

What’s the depth? The depth controls the number of password and user name combinations that the bruteforce attack attempts. To limit the number of attempts, set the depth to quick or defaults only. Otherwise, the default setting, normal, is a good starting point.

4. Select the services that you want to bruteforce. By default, Metasploit Pro preselects the services that the discovery scan identified as active.

5. Use the default bruteforce attack settings.

Setting Advanced Options If you want to customize the bruteforce attack, you can configure the advanced options to customize the credentials and payloads that the attack uses.

6. Launch the bruteforce attack. If the bruteforce attack guesses the credentials for a service, Metasploit Pro uses the credentials to open a session. To see a list of all open sessions, click on the Sessions tab. All open sessions will be listed under the Active Sessions area.

Task 5: Collect Evidence

1. Click the Sessions tab.

2. When the Sessions window appears, click the Collect button.

3. Select the active sessions you want to use to collect evidence.

4. Use the default evidence collection options. This will collect system information, such as password hashes, SSH keys, and screenshots of desktop environments.

5. Collect the system data.

Task 6: Generate the Report

1. Choose Reports > New Standard Report from the Tasks tab.

2. Choose Audit Report as the report type.

Which Report Do I Generate? Metasploit Pro provides several reports with varying levels of detail. Although every engagement is different, you should at least present an overview of your findings, a detailed report, and raw data from your tests. Therefore, at a minimum, you should generate the Audit, Compromised Hosts, Authentication Tokens, and Collected Evidence reports. These reports should cover most of the information you need to disclose.

3. Choose the format you want the report to use. PDF is a good choice.

4. Give the report a unique and descriptive name. This is the name that displays on the Reports page.

5. Leave the Included and Excluded target fields blank to include all targets in the project in the report.

6. Keep all of the default report settings.

7. Generate the report.

8. To view the report, click on the Reports tab, and click the View button next to the report name.