Metasploit mailing list archives
Metasploit Penetration Testing Examples
From: patrick at aushack.com (Patrick Webster)
Date: Sun, 24 Jun 2007 22:56:52 +1000
Hi jag, Metasploit is a framework for developing exploits. While it supports the autopwn automation of system penetration, traditionally it would not be considered a complete penetration test. As you've already mentioned, a pen-test may include things such as: Info gathering * searching of public directories, IP address space registrars for port scanning, technical mailing lists (*@target-company.com<*@target-company.com>), google for information of interest (e.g. site: www.target-company.com "mysql errors") * examining the target website and html comments. * specific targeting of certain individuals (e.g. the IT manager) * social engineering (e.g. account password reset) * PABX style attacks (voice mail PIN of 1234) and calling all numbers to check for electronic answering devices such as modem or fax. * checking routers, firewalls, target OS * outsourcing of IT functions. Once you've gathered enough information, you can then start targeted attacks (this is where metasploit comes in handy) etc to reach your goal... You'd then typically write a pretty report with an executive summary and technical findings/recommendations for management. As you can see, pen-testing is too broad a subject to be handled completely by MSF. Take a look at the Hacking Exposed book Table of Contents (I couldn't find anything else) for some ideas: http://search.barnesandnoble.com/booksearch/isbninquiry.asp?z=y&ean=9780072260816&displayonly=TOC The closest you'd get to a report in MSF is: sessions -l -v which lists all the open sessions and what module resulted in the successful exploitation. But there is nothing stopping you writing a reporting module for metasploit! -Patrick -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.metasploit.com/pipermail/framework/attachments/20070624/af8d3cef/attachment.htm>
Current thread:
- Metasploit Penetration Testing Examples jag (Jun 24)
- Metasploit Penetration Testing Examples Patrick Webster (Jun 24)
- Metasploit Penetration Testing Examples jag (Jun 24)
- Metasploit Penetration Testing Examples Felipe Chang - Digiware (Jun 24)
- Metasploit Penetration Testing Examples jag (Jun 24)
- Metasploit Penetration Testing Examples Jerome Athias (Jun 24)
- Metasploit Penetration Testing Examples jag (Jun 25)
- Metasploit Penetration Testing Examples Jerome Athias (Jun 25)
- Metasploit Penetration Testing Examples jag (Jun 24)
- Metasploit Penetration Testing Examples Patrick Webster (Jun 24)