Metasploit Pro 3.6 was released today with a slew of new features aimed at facilitating pen testers throughout the entire penetration testing process. One such new feature is asset tagging of groups of hosts, so that they can be grouped together easily. Utilizing another new feature, global search, makes managing large engagements a breeze. In addition to a free webinar on March 22 with James "egyp7" Lee on the Metasploit Framework, EH-Net regular columnist,Ryan Linn, explores Metasploit Pro. He not only shows off some of those new features but also walks the viewer through the basic steps of performing a pen test with Metasploit Pro with the following 3 videos:
- Getting Started With Metasploit Pro
- Post Exploitation
- Reporting and Cleaning Up
As we all know, a pen test is not over when the hacking is done. Rapid7 realizes this as well, so the new reporting capabilities are a very welcome addition. It is now easy to generate PCI compliance notes based on the findings throughout the penetration test. These reports indicate exactly where the failures are and actually provides evidence to support those findings. For those that need more detailed reports on all of the activity performed throughout a penetration test, the activity report shows all commands issued and all gathered evidence. These two reports alone can save a lot of time for testers who need to present this type of information to their clients.
For those that haven't learned to 'stop worrying and love the GUI,' Metasploit Pro now has a console mode where you can interact with Metasploit Pro just like the Community Edition. For those that have embraced the GUI, the addition of tags allows for easy grouping of assets, and the tags can be used in many of the fields as shortcuts for specifying specific IP addresses. This really speeds up every step in the process.
So let's get a feel for Metasploit Pro as a whole as well as the new features of v3.6.
Read on...
I recently had the opportunity to travel toColorado Springs, Co. and took the Information Security Assessment Methodology (ISAM) course by Security Horizon. The ISAM, which was formerly the NSA-IAM\IEM, course has now been merged into a combined 3-day, 24-hour course.
The ISAM was created by examining the processes and techniques implemented within the information security community by seasoned assessors from both industry and government sectors. The purpose of the ISAM is to provide a detailed systematic standard for the community to perform an information security assessment by thoroughly examining cyber vulnerabilities. Unlike other courses, the ISAM concentrates heavily on the actual methods and processes of an assessment and is not a tool-based or theory-heavy course.
Although no class can teach the fundamentals or give the experience of being able to communicate effectively with the target audience, the ISAM provides a roadmap on how to deal with flaky answers from executives and scared employees that fear their answers may end up putting them out of a job.
Read on...
These days, it’s hard to perform a penetration test without attempting some sort of online social engineering, and most often, this takes the format of some type of phishing attack (whether targeted or across a wide user base).
While we spend epic amounts of time getting our exploits and payloads perfect (even if we’re using SET), far too often we see testers using stock emails or variants of canned emails that they’ve been taught to use without thinking about the real keys to getting their emails read and acted upon.
These are my five most-often overlooked secrets to making sure that your email phishing works...
Read on... Stay Tuned:
- Webcast Video: Deep Dive into Red Teaming with the Metasploit Framework- RUaNinja? - Winners & Analysis
- Course Review: Hacker Training Online by InfoSec Institute
- Book Review: Kingpin by Wired.com's Kevin Poulsen
- More Course & Book Reviews
No comments:
Post a Comment