RE: Metasploit perception

I don't think the Metasploit perception has anything to do with free vs. expensive.

Metasploit is maturing nicely, its loudest proponents perhaps less so.

It seems Metasploit's most vocal proponents are seen as young and inexperienced or even perhaps uncouth or lacking in professional experience. There is a perception that they are all high school and college kids blabbering about how cool Metasploit is or how well Metasploit works against XYX in a microcosm.

Metasploit is simply one very useful tool in the kit. Keep in mind the tools you use should change depending on the target and the intended outcome.

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Matt Gardenghi
Sent: Monday, February 15, 2010 2:42 PM
To: woman
Cc: s3c.b3n; pen-test@xxxxxxxxxxxxxxxxx
Subject: Re: Pentesting lab

Um, you just said that Metasploit is a script kiddies tool. Not sure if
you define script kiddies tools as "free" and professional tools as
"expensive," but that statement is ludicrous. Most (all?) pros that I
have ever heard of/met/read use Metasploit. You can't go wrong with it
and frankly, I'd stand it up against Core Impact any day of the week.
The difference is that Core has a better interface.

But, seriously, Metasploit isn't a skiddie tool, it's a powerful tool
that happens to be free.


On 2/10/2010 5:25 PM, woman wrote:

Just keep your expectations low when you tell them at the job
interview that you are using Metasploit.
In the real world, at security companies, this tool is considered a
tool for kids under age 12.

Additional thing:
Someone here wrote about malware analysis. I don't think that you have
to study both subjects at one time:
One subject is pen-testing and second subject is malware analysis.

For doing pen-testing you have to gain a huge knowledge of NETWORKING -->
protocols and relevant RFCs, devices: bridges, routers, switches, etc.
For doing malware analysis you have to know Operating System
infrastructure --> processes, memory, etc ... and of course C and

My advice: just leave malware analysis for a later time.


On Sat, Jan 9, 2010 at 7:20 PM, s3c.b3n<securitybender@xxxxxxxxx> wrote:

This link is really amazing.

Thanks a lot

On Tue, Jan 5, 2010 at 3:32 PM, charles watathi
<charleswatathi@xxxxxxxxx> wrote:


For a detailed review of what you can set up when coming up with a
pentesting lab, kindly check the link below. It includes most of the
labs you should set up, security challenges and where you can go and


On 1/4/10, Elliot Fernandes<elliotfernandes@xxxxxxxxx> wrote:

For pentesting windows your setup seems good, but not enough. Try to get
more, like: you'd need to test out attacking SNMP, bruteforcing SSH, ....
and also have a large wordlist ready for all of this, and generate some
rainbow tables. You'd need these for password attacks.

--- On Mon, 1/4/10, Swaminathan, Balaji<Balaji.Swaminathan@xxxxxxxxxxxxxx>

From: Swaminathan, Balaji<Balaji.Swaminathan@xxxxxxxxxxxxxx>
Subject: RE: Pentesting lab
To: "Elliot Fernandes"<elliotfernandes@xxxxxxxxx>, "s3c.b3n"
Cc: pen-test@xxxxxxxxxxxxxxxxx
Date: Monday, January 4, 2010, 5:01 PM

Exactly....I am doing the same thing in addition to running Win Server
2k3...Backtrack and Metasploit as attacker are good and flexible to use.
As you mentioned Netbios ports alone, I feel, are not enough...What do
you say...? In addition I am installing SQL, SMTP, IIS etc. and then
fine tuning them depending upon the exploit success rate. Is that fine
or anything more left to be focused?

Thank you for pointing out malware testing.


Balaji Swaminathan .M

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
On Behalf Of Elliot Fernandes
Sent: Monday, January 04, 2010 2:04 AM
To: s3c.b3n
Cc: pen-test@xxxxxxxxxxxxxxxxx
Subject: RE: Pentesting lab

You could run VMware, and install Windows XP Service Pack 2. Service
Pack 2 is used by most people in the Windows world, they completely
shifted to Vista or Windows 7. It's already vulnerable services mostly
on ports 135, 139, and 445 tcp. You just need the latest version of
Metasploit to test it. For analyzing there's a script in Python called
malware analyzer. But you will need the PE module from Google Code in
the same folder. The malware analyzer is amazingly good for
botnet-binaries and viruses and such. You'll also need Olly Debug and
IDA Pro. Have two VMs ready, one Windows for the victim, and Linux,
preferably Backtrack, for the attacker. That should about do. Oh, you
could also have a honeypot ready to catch exploits from the wild. You
could have them separated from your normal network.
