Last week, we had a live webcast to talk about how Metasploit Pro helps pentesters be more efficient and save time. There were so many attendees, which made it possible to have a great conversation. First of all, I want to thank those of you who took time from your busy schedules to watch us live. Our viewers asked many questions, and we were not able to answer all of them due to time limitations. In this post, you will find the answers to those questions.
First things first. If you would like to read a recap of the webcast, go here: Top 3 Takeaways from the "Escalate your Efficiency: How to Save Time on Penetration Testing" Webcast, and if you would like to watch the webcast, go here: On Demand Webinar: Escalate Your Efficiency: How to Save Time on Penetration Testing.
Questions and Answers
In order to protect the identities of our attendees, we have taken out any identifiable information from the questions. Thus, some questions may have been reworded.
Is there a tutorial available for some of the finer points of using Metasploit Pro?
There is quite a bit of content available. We will continue to generate new content as we add new features in the future. Feel free to start here: Metasploit Online Help.
Is Metasploit Pro licensed specifically for a named user or can it be licensed to support a moderate scale remotely located pen test group arrangement?
As of right now, we only support licensing based on number of users. However we are investigating different licensing options, and we will take your suggestion into consideration.
Does Metasploit Pro license limit how many IP addresses that can be added to a project?
No, it does not. Our licensing model is based on number of users. There are no license limitations around number of IP addresses. Please keep in mind that if you plan to test a large network, we strongly suggest you run Metasploit Pro on a beefy machine to prevent any performance issues.
Is one of the UI improvements the ability to pause scanning to accommodate multiple small testing windows?
Yes. We have recently released the Pause & Resume feature to Metasploit Pro. Currently it is only available for the Credential Reuse task. However we are planning to extend the feature to other tasks in the future.
Our organization is just about to train our ISSO to conduct internal penetration testing in house utilizing Metasploit Pro. What features should we begin testing to introduce us "newbies" to the world of pentesting?
Metasploit Pro comes with an easy to use web interface to simplify pentesting as much as possible. Personally, I would start with a phishing/social engineering campaign to quickly assess your employees since this type of testing requires a lot less technical knowledge. Additionally, an easy win may be scanning your network for vulnerabilities with Nexpose and validating found vulnerabilities with Metasploit to determine which vulnerabilities you should focus on fixing first. Here is a good read to get started: Introduction to Penetration Testing.
Can I develop an exploit in Metasploit Pro?
You actually do not need Metasploit Pro to develop an exploit. Metasploit Pro is not a tool for reverse engineering an application to look for zero-day vulnerabilities and write exploits. It is an application to consume available exploits in an efficient manner. If you would like to learn how to write exploits, feel free to start with the following pages:
What are the learning curves between the editions? I have used Metasploit Framework several years ago so I am not totally new to pentesting.
Metasploit Pro consumes the same modules that Framework does, so as far as exploit content goes, there is not much difference. However, Metasploit Pro comes with some additional features, most of which we talked about during the webinar, that might require some reading and learning. We know that many of our users have used Framework in the past and are used to the command line; thus, we are going to bring some of those commands to the Metasploit Pro web interface in 2015 to make it even easier to use. Overall, the learning curve is not that steep.
Can I use my own word list when I customize a bruteforce attempt?
Yes, you can. Even though the bruteforce functionality does not take a wordlist as an input, a wordlist can be used to generate a list of credential pairs, which can then be imported and used for bruteforce.
Is there an option for passwords in different languages for bruteforce?
Currently there is not. You can however create your own custom list of credential pairs from any language wordlists, and then import it for bruteforce.
How can I customize the password mutation feature for a bruteforce attempt?
The password mutation feature comes with several mutation options. Currently we do not support adding customized mutation rules; however, this is something we are looking to implement in the future.
What can I expect in a typical 100 PC network including servers and workstations to spend in hours when performing bruteforcing? Does speed change between Metasploit Editions, say Community vs. Pro?
We would very much like to give you an answer for this; however, it really depends on many factors such as network speed, mutation rules, password combinations, number of services, etc. The best way to learn is to actually try this on your own network with your custom configuration. This way you can create your baseline and go from there. The running speed of any task does not differ between versions.
Do you have any suggestion for a good place to get a good username and password list to use?
Here is a collection of mirrors: https://wiki.skullsecurity.org/Passwords.
If you are interested in building personalized wordlists for specific situations, here is a good starting point: Errata Security: Extracting the SuperFish certificate.
We started using task chains extensively and at some point realized that they don't function as setup when we update the machines. Are task chains dependent on the projects created?
Yes, task chains are project dependent and cannot be replicated across projects.
How often are you utilizing embedded outdated, insecure components of applications and systems for exploitation (similar to GHOST)?
When a high-impact vulnerability becomes available, the turnaround is usually pretty fast. When Shellshock came out, there was an exploit released within 24 hours. The turnaround time really depends on how difficult (or easy) the issue is to exploit, whether there's a reasonable network vector (rather than a mere local-only vulnerability), and the likely impact of the vulnerability.
If the Metasploit framework is unable to break a hash, say an MD5 hash, what other resources would you use or how would you go about using Metasploit to figure out how to crack the hash?
We have recently added a tool to look up MD5 hashes on publicly available databases: https://github.com/rapid7/metasploit-framework/pull/4601
Additionally, you can combine John the Ripper and Metasploit to attack MD5 hashes with this module: modules/auxiliary/analyze/jtr_linux.
Could you add a service to find default login credentials for Tomcat?
There is a Metasploit module already for Tomcat to perform login attempts. It is called "Tomcat Application Manager Login Utility" and its path is "auxiliary/scanner/http/tomcat_mgr_login". Additionally, here is our module database. Feel free to search for other modules.
With the release of msfvenom, is there going to be any compatibility with users who have developed payloads and tools in msfencode and msfpayload?
We don't anticipate any gaps in functionality -- msfvenom has been in "public beta" for years now, and there should already be a 1:1 feature parity. That said, if you notice something not working for your use case between msfpayload + msfencode and msfvenom, please open a GitHub issue here.
When will GPU password cracking be available?
Currently, we do not have any plans on adding GPU password cracking as a feature. However, John the Ripper has some excellent toolchains for this, and Metasploit can import the results pretty easily.
Metasploit is a great tool however it is only a tool. PCI V3 requires that the pentest is "based on industry-accepted penetration testing approaches (for example, NIST SP800-115)". What is the penetration testing methodology used by your pentesters with Metasploit?
We believe that there is no single methodology for PCI compliance. Generally, companies use a vulnerability management solution to try to fix as many vulnerabilities as they can. Some also perform initial penetration testing, and this is where Metasploit Pro can help. Finally, consultants can come in to provide pentesting. We actually like this order because consultants should help you find the things you could not. I would not call this a methodology; however, if you approach a PCI engagement in this order, then you can get the most out of your compliance engagement, not just a PCI check in the box. Feel free to read more about this topic starting with this article: What You Should Take Away from the PCI DSS 3.0.
Is it simpler to run a WiFi penetration test using Pineapple with Metasploit Pro compared to Metasploit Framework? | Can you add WiFi pentest integration?
Once you have a connection to a WiFi network through Pineapple or any other tool, you can use Metasploit Pro or Metasploit Framework as intended, since the WiFi becomes just another network. In this case, all additional features of Pro will be available for you to use. However, as far as getting access to a WEP or WPA protected WiFi network, Metasploit Pro or Framework has no functionality to do this, and we are not planning on adding this functionality at this time.
So some of your experts are stating that you shouldn't focus all your work on automated tools such as your own Metasploit, that you should spend the time to learn the tools individually/manually, however other experts are touting Metasploit as the be all end all tool to use. What are your thoughts on this?
Metasploit Pro can replace many tools for various tasks, thereby making the user more efficient. Additionally, we can make the argument that if you know Metasploit very well, you may not have to spend time on learning a bunch of other tools. The reality is, as long as pentesting stays a broad and complicated subject, there will always be many tools out there for different purposes, and a good pentester should always be familiar with different options.
Is there a set of questions or a methodology that can be used to interview a good pentester?
There are many approaches to interviewing a pentester. Here are two examples:
- Hands On, Practical Interview | Interviewee is given access to a lab network with various systems along with a couple of pentesting tools, and various objectives which the interviewee is expected to complete. With this approach, the interviewer can observe the interviewee while the interviewee executes a small pentest utilizing different tools and techniques.
- Theoretical, Story Telling Interview | Interviewee is asked a list of questions to assess overall knowledge (this step can be combined with the practical interview). Interviewee is also expected to share several examples of past work and discuss various situations that the person had to overcome.
Interview questions will vary depending on the interviewee; however I find this article a good read.
This is it for this blog post. As always, feel free to reach out to us @metasploit if you have further questions. Thank you Metasploit Team for assisting me with these answers.
Eray Yilmaz - @erayymz
Sr. Product Manager, Metasploit