At the end of my time in London I had the chance to sit in on the new SANS SEC580 class (Metasploit Kung Fu for Enterprise Pen Testing).
This 2-day class is designed to “show students how to apply the incredible capabilities of the Metasploit Framework in a comprehensive penetration testing and vulnerability assessment regimen, according to a thorough methodology for performing effective tests”. With Ed Skoudis and John Strand behind the class I had high hopes for something that really goes into the depths of Metasploit.
The first day started off with a gentle introduction to Metasploit and the MSF project in general, before diving into msfconsole and covering the required commands and options. Even though I’ve taught a few Metasploit workshops, there were a few gems here that I’ve not played with before. Small things (like the connect feature for example), but still gems nonetheless.
After covering the “basics” the class focuses on using Metasploit in a 4-phase penetration test (Recon, Scanning, Exploitation, and Post-Exploitation).
By using the Recon phase as the basis for the afternoon’s labs, a number of the Metasploit auxiliary modules are discussed, with labs on dns_enum, port scanning, databases and db_autopwn.
The obligatory meterpreter overview was given, as well as some more detailed discussion about meterpreter scripts and their uses.
Day two concluded the scanning section from the previous day (demo of NeXpose scan and import), before moving on to the exploitation phase.
To provide a complete overview of exploitation, everything from client-side (file format, and browser_autopwn) through to Social Engineering Toolkit (SET) and remote network exploitation was covered in varying detail. Coverage of some of the additional Metasploit command-line tools (msfpayload, msfencode) was included, but wasn’t explored in too much detail outside of a few specific examples.
The labs in this section of the book are well written and really give a good feel as to how specific protections can be bypassed. It was also good to play with SET and sqlmap using MSF payloads. Surprisingly the File Format lab wasn’t on Adobe PDF exploitation, but on Office macros… which makes a change 😉
Moving into the final stages of the class we covered some of the inner workings of Post-Exploitation with meterpreter scripts and some irb scripting. Although the labs gave the chance to write a simple meterpreter script and interact with the irb shell, I would have liked to spend some more time covering Ruby basics and going a little more in-depth. Still, you can’t have it all!
To finish things off a number of sniffer and database modules were used to demonstrate Metasploit’s password sniffing/extracting capabilities.
Wrapping things up was a short discussion of Karmetasploit and the Metasploit web integration.
Overall I really enjoyed this class, even if it wasn’t quite at the “kung-fu” level the name hints at. I was a little disappointed that the Metasploit version used for the class (3.4.0) was so outdated, but I understand the problems keeping a course like this up to date, so fully understand the choices.
This class is certainly a winner if Metasploit isn’t your daily driver! If you get up every day and pentest using Metasploit, then you’re not going to get the full effect of this class. Then again, there are some real gems in here if you take the time to look for them. I’ve taken a few hints and tips that I’ll be using in the future, so I’m sure there’s something for almost everybody here.
If I had my way, I’d slim down some of the “introduction to…” stuff, and spend a little more time covering Ruby basics and bring in some of the more advanced topics, like module writing (simple modules naturally) and maybe something on Railgun / Racket.
This class certainly motivated me to get moving on some of my (long-standing) Metasploit projects. Since getting back I’ve finished up my adduser payload modifications as well as a number of SAP auxiliary modules I had waiting to be finished. So I guess that makes it a resounding success!
If you attend the class in 2011 please let me know what you think… I’m interested to see the transformation of the class over time, as Metasploit is ever changing!
Quote of the class: “Shine on you crazy diamond!”