As a network security person, it is important to keep
up to date on the tools that are available, both for offense and defense.
Metasploit is a tool for penetration testing. It is rapidly developing. It is
really a framework that allows many separate modules to work together. I found
this recent video tutorial that gives an overview of Metasploit at http://www.securitytube.net/video/7854.
Metasploit has scanning tools to discover vulnerabilities. Then there is a large database of exploits to
attack those vulnerabilities. The exploit then delivers a payload which is the
result desired from the attack. This can include opening a remote session to a
computer or installing a backdoor. Metasploit also includes encoders. These
encoders scramble the code of the attack program to try to sneak past
anti-virus programs.
He went over a new tool called the Social Engineer
Toolkit (SET). I tried it out on Backtrack Linux. This tool is amazing. It has
everything you need to set up a social engineer attack. There are so many
tools. It can set up phishing emails, complete with handy templates. There are
a number of ways to load malware onto documents such as PDFs. It allows the
attacker to clone websites and load exploits on them. It even sets the website up
for you. These fake websites can steal credentials or launch malware. It has a
Java program that can be installed on the fake website. The Java program
presents a credible-looking fake certificate to the user, and when the user presses
okay, bam. You can create infectious USB/CD/DVD drives. There are even SMS
attacks and malicious QR code generators. It will allow you to set up a malicious AP.
The speaker warns against misuse of the tool. He
states that, “The difference between penetration testing and hacking is permission.”