Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

SANS SEC580: Metasploit Kung Fu for Enterprise Pen Testing – Post Mortem

At the end of my time in London I had the chance to sit in on the new SANS SEC580 class (Metasploit Kung Fu for Enterprise Pen  Testing).

This 2-day class is designed to “show students how to apply the incredible capabilities of the Metasploit Framework in a comprehensive penetration testing and vulnerability assessment regimen, according to a thorough methodology for performing effective tests”. With Ed Skoudis and John Strand behind the class I had high hopes for something that really goes into the depths of Metasploit.

Day One


The first day started off with a gentle introduction to Metasploit and the MSF project in general, before diving into msfconsole and covering the required commands and options. Even though I’ve taught a few Metasploit workshops, there were a few gems here that I’ve not played with before. Small things (like the connect feature for example), but still gems non the less.

After covering the “basics” the class focuses on using Metasploit in a 4-phase penetration test (Recon, Scanning, Exploitation, and Post-Exploitation).

By using the Recon phase as the basis for the afternoons labs, a number of the Metasploit auxiliary modules are discussed, with labs on dns_enum, port scanning, databases and db_autopwn.

The obligatory meterpreter overview was given, as well as some more detailed discussion about meterpreter scripts and their uses.

Day Two

Day two concluded the scanning section from the previous day (demo of netxpose scan and import), before moving on to the exploitation phase.

To provide an complete overview of exploitation, everything some client-side (file format, and browser_autopwn) through to Social Engineering Toolkit (SET) and remote network exploitation was covered in varying detail. Coverage of some of the additional Metasploit command-line tools (msfpayload, msfencode) was included, but wasn’t explored in too much detail outside of a few specific examples.

The labs in this section of the book are well written and really give a good feel as to how specific protections can be bypassed. It was also good to play with SET and sqlmap using MSF payloads. Surprisingly the File Format lab wasn’t on Adobe PDF exploitation, but on Office macros… which makes a change 😉

Moving into the final stages of the class we covered some of the inner workings of Post-Exploitation with meterpreter scripts and some irb scripting. Although the labs gave the chance to write a simple meterpreter script and interact with the irb shell, I would have liked to spend some more time covering Ruby basics and going a little more in-depth. Still, you can’t have it all!

To finish things off a number of sniffer and database modules were used to demonstrate Metasploit’s password sniffing/extracting capabilities.

Wrapping things up was a short discussion of Karmetasploit and the Metasploit web integration.


Overall I really enjoyed this class, even if it wasn’t quite at the “kung-fu” level the name hints at. I was a little disappointed that the Metasploit version used for the class (3.4.0) was so outdated, but I understand the problems keeping a course like this up to date, so fully understand the choices.

This class is certainly a winner if Metasploit isn’t your daily driver! If you get up everyday and pentest using Metasploit, then you’re not going to get the full effect of this class. Then again, there are some real gems in here if you take the time to look for them. I’ve taken a few hints and tips that I’ll be using in the future, so I’m sure there’s something for almost everybody here.

If I had my way, I’d slim down some of the “introduction to…” stuff, and spend a little more time covering Ruby basics and bring in some of the more advanced topics, like module writing (simple modules naturally) and maybe something on Railgun / Racket.

This class certainly motivated me to get moving on some of my (long standing) Metasploit projects. Since getting back I’ve finished up my adduser payload modifications as well as a number of SAP auxiliary modules I had waiting to be finished. So I guess that makes it a resounding success!

If you attend the class in 2011 please let me know what you think… I’m interested to see the transformation of the class over time, as Metasploit is ever changing!

Quote of the class: “Shine on you crazy diamond!”


5 responses to “SANS SEC580: Metasploit Kung Fu for Enterprise Pen Testing – Post Mortem

  1. rul3z December 21, 2010 at 12:52

    Thanks for your postmortem of this course,
    For me I get that:
    1- the course isn’t as “FU” as it is!
    2- that its outdated!

    So I highly recommend the SecurityTube Metasploit Megaprimer course instead on wasting a lot of money on such a course.

  2. ChrisJohnRiley December 21, 2010 at 13:01

    I’m sorry that those are the only things you took from the review…. personally I appreciate how hard it is for a course like this to stay up to date (a problem that the Metasploit Megaprimer will also being to suffer from sooner rather than later). Despite the rather cool name, kung fu in this instance doesn’t mean ninja skills. The class is a 500-level, so I guess that was more of a mistake on my part than anything else. (600 and 700 are the more advanced classes within SANS)

    With that said though, the class has it’s place and its good points! It all depends on the level you’re at and what you hope to get out of the course!

  3. Pingback: Week 51 in Review – 2010 | Infosec Events

  4. rul3z December 28, 2010 at 12:41

    Chris, sorry for miss understanding me!
    I didn’t mean that you wasted your money! And for sure the metasploit is in an ongoing update process, we can see that from the svn updates we get each day!

    What I mean is that for $1.5K we could get something that is near or equal to this course, specially when you noted that it “wasn’t quite at the “kung-fu” level the name hints at”! And that’s why I refered to the mega primer course from the security tube guys.

    Finally, it wasn’t your mistake at all, the review was perfect, specially in describing what should be expected from the course and the outside frame of it. And for sure these courses depend on what level you are!

    Wish you good luck, and I hope to see some articles about tech issues you learned from the SEC580 🙂

  5. ChrisJohnRiley December 28, 2010 at 21:38

    No problems rul3z… I just wanted to get across that making a course like SEC580 is hard work. I know that in the class I was in alone, we had people who’d come off the SEC660 Advanced Penetration Testing… and others that had come off more basic and/or management style classes. Getting the right level is hard for SANS as they try to make the classes accessible for all comers to a degree. Still… highly focused material like the mega primer is a great place to start. i hope they keep bringing it up to date as things move on (as they are at great speed already).

    I’ll be sure to post some Metasploit stuff soon… I’ve got a few things in the works 😉

%d bloggers like this: