Skip navigation
All Places > Metasploit > Blog > Authors kelly_garofalo


3 Posts authored by: kelly_garofalo Employee

Penetration Testing is a complex process that requires attention to detail, multi-tasking, extensive knowledge of different attack vectors, available vulnerabilities and exploits, and patience. Recently erayymz, Senior Product Manager at Rapid7 spoke with pen testing professionals Leon Johnson, Senior Consultant at Rapid7, and Dustin Heywood, Manager of Security Assurance at ATB Financial. They discussed how to take advantage of automation with Metasploit Pro to simplify penetration testing processes in the webcast "Escalate your Efficiency: How to Save Time on Penetration Testing". Read on for the top 3 takeaways from their technical, in-depth conversation:

1) Metasploit is to a Pen Tester as a Scalpel is to a Surgeon Not using automation for penetration testing is akin to a surgeon performing surgery without using tools. Historically, pen testing was a step by step approach with the ever increasing attack surface adding more steps all the time. It is immeasurably more difficult and time-consuming to keep your security strong when bogged down by the repetitive tasks required by penetration testing. Metasploit Pro makes it possible for security professionals to get extremely repetitive and labor-intensive tasks done with just a few clicks, enabling users to spend more time on customized solutions, targeted pen tests, or any other project on their plate that will ensure greater security for their organization.

2) Credential Security Flaws can be Confronted Credentials continue to be the #1 attack vector when it comes to compromising networks. With this in mind, the Metasploit team has added a credentials management system to the Pro edition of Metasploit. Features like the Credentials Domino MetaModule and simplified bruteforcing provide huge time-savings and improved security visibility for penetration testers so that credentials are no longer an unmanageable blind spot. (These features are demo'd in the webcast - check it out now.)

3) Compliance is but a framework to build upon Requirements in frameworks like PCI and HIPAA provide a minimum standard checklist for organizations. Truly strong security is dependent on the strength and ability of a penetration tester getting to go off script and check out possible weaknesses in networks and infrastructures beyond what regulatory guidelines cover. Tools like Metasploit Pro take away the busy legwork in the process, allowing penetration testers to get the job done more thoroughly and quickly.

The juiciest parts of the webcast were the Q&A with the live audience and getting to dive into the product to see how Metasploit Pro gets tasks like credential management, bruteforcing, AV evasion, VPN pivoting, and task chains done in a few simple clicks. To experience the full broadcast: view the on-demand webcast now.

This week, Christian Kirsch enlightened us about the latest trend in attacker methodologies: Credentials. In the webcast, "Credentials are the New Exploits: How to Effectively Use Credentials in Penetration Tests", we learned why credential abuse is in vogue, and what penetration testers can do to tackle this head on with as much efficiency and proficiency as possible so that risk assessment quality doesn't suffer. In case you missed it, here are some of the top takeaways from the session:


  1. Productivity, hurt by creds management, is critical for solving security problems Credential management has been a very manual and time intensive process thus far. It creates a lot of inefficiencies and pain for penetration testers, therefore increasing risk and decreasing productivity. To solve this, you must either hire more penetration testers, (not an easy feat, such a specialized skill set!) or help the penetration testers at hand become more efficient. More efficient penetration testers means more thorough risk assessments and/or more risk assessments completed in general.
  2. Credential management can be simplified and streamlined After speaking with internal and external penetration testers struggling to manage credentials, Rapid7 made it a priority to simplify the process. Penetration testers can now use Metasploit Pro to manage, validate, re-use, and report on credentials. Clear and concise reports will track everything a penetration tester is doing on a job so that actions taken and findings are comprehensively laid out at the end of an assessment. Automating credential management and reporting will allow penetration testers more time to use their brain power and unique skill set to anticipate new attack vectors and to think about how to stop attackers. They'll be better equipped to give the best risk assessment and recommendations possible to customers on how to secure their environments at the end of a job.


To learn about and see a demonstration on how you can use credentials in penetration tests to better secure and assess your networks: view the on-demand webcast now.

Earlier this week we heard from ckirsch, Senior Product Marketing Manager for Metasploit at Rapid7, on the pressure penetration testers are facing. (Hint: it's a lot!). With the increase in high profile breaches and their costs, more and more emphasis is being put on the pen tester and security in general. Read on if you'd like to get the top takeaways from this week's webcast so that you aren't left in the dark about, "7 Ways to Make Your Penetration Tests More Productive":


  1. Pen testers are in higher demand than ever – Pen testers are extremely highly skilled professionals. Hard to train, harder to find. With the latest developments to PCI enforcing stricter rules around penetration testing methodologies, remediation, and re-testing, pen test costs will be high and the tester's time will be extremely valuable since schedules will book up quickly as organizations clamber to prepare for their audits. This means that security professionals must increase productivity and do more with the same resources, or use expertise in more meaningful ways to get the job done. Increased productivity will allow them to complete more assessments, reduce backlog, enable businesses more quickly, and increase their own market value.
  2. Automation + Scalability = Time SavingsWith Metasploit Pro, pen testers can save 45% of their time through many simplified and expedited processes that don't sacrifice quality or thoroughness. You can even set up your own custom workflows to automate additional processes. In particular, the tool allows for automated:
    • Tracking of all data (large sets gathered by both Metasploit and outside sources included!)
    • Baseline pen tests
    • Web app tests
    • Vulnerability validation
    • Post-exploitation modules
    • Social engineering
  3. Reporting is king – Reporting can be the biggest headache when it comes time to pen test your network. Metasploit Pro tracks every action of a pen test for easy audit trails. Some popular reports include compromised hosts, credentials, web app testing, PCI DSS, and FISMA. Features like this allow security professionals to be more efficient and focused fully on their assessment.


To learn how your organization can be more secure by making penetration test processes more productive, efficient, scalable, and automated, and to see a demonstration of how each of the 7 tips can be accomplished in Metasploit Pro, view the webcast on-demand now.

Filter Blog

By date: By tag: