Course info
Jun 16, 2016
3h 37m

Metasploit is one of the most widely used tools for penetration testing, providing powerful attack simulations, security assessment management, and more. In this course, Introduction to Penetration Testing Using Metasploit, you'll learn to use Metasploit to enumerate available services, identify potential weaknesses, test vulnerabilities through exploitation, and gather evidence for reporting. First, you'll see how to install and configure the Metasploit Framework and several supporting tools on Kali Linux. Next, you'll explore how exploits and payloads work together to gain access to systems. Finally, you'll look at how Metasploit Framework releases are made available and how to maintain the latest version of the Framework. By the end of this course, you'll have a better understanding of how to use Metasploit to quickly assess the security posture of systems and networks to reduce risk.

About the author

Keith Watson is currently focused on assisting clients with their security needs as a Core Services Architect at Optiv Security and has been an active information security professional since 1997.

More from the author
Introduction to Information Security
2h 53m
Aug 14, 2018
Penetration Testing: The Big Picture
2h 22m
Oct 6, 2017
Section Introduction Transcripts

Course Overview
Hello! My name is Keith Watson, and I'm excited to start you on a path to developing penetration testing skills with my course, Introduction to Penetration Testing Using Metasploit. Penetration testing is a method of validating the security of an organization's network or discovering those minor weaknesses that lead to big compromises. It requires out-of-the-box thinking and detective work using an attacker's mindset and a toolbox of powerful tools. It's also quite a rush when you pop a shell on a supposedly secure system. In this course, we're going to explore the processes and techniques around penetration testing with emphasis on the Metasploit Framework and its suite of scanners, exploits, payloads, and post-exploitation tools. Some of the major topics covered include ethical considerations in the use of penetration testing tools, creating a penetration testing environment using Kali Linux, vulnerability information gathering and analysis, configuring payloads and launching exploits, and using post-exploitation tools and techniques. By the end of this course, you'll be familiar with the Metasploit Framework console and how to exploit network service vulnerabilities in target systems. Before beginning the course, you should be familiar with TCP/IP network concepts and have some experience using Linux. From here, you should feel comfortable diving into other penetration testing courses in the Pluralsight library. I hope you'll join me on this journey to learn penetration testing and the Metasploit Framework with the Introduction to Penetration Testing Using Metasploit here at Pluralsight.

Installing and Configuring Metasploit
Welcome back! This is module 2, Installing and Configuring the Metasploit Framework. In this module, we will be getting our penetration testing environment ready. To do this, we will need to install and configure the Metasploit Framework and several other tools. Metasploit has a lot of flexibility in how it can be installed and used. Our discussion will focus on a simple way to get started. The Metasploit Framework can be used through a variety of ways. Since it's distributed as source code and is based on the Ruby programming language, it's easy to package up and install on a variety of systems. We will look at several ways in which you might want to use it. I will discuss a few of these options, but we will focus on the method that we will use in this course, a specially built operating system. Kali Linux, a Linux distribution for information security professionals, is the system that will make our lives easier. Kali includes all the tools we need for this course including the Metasploit Framework. The developers of Kali also keep these tools up to date. We will talk specifically about and demonstrate how to install and use Kali and the Metasploit Framework. Once we have Kali Linux installed, there're some configuration tasks needed to make Kali Linux and Metasploit work together. These are minor changes to enable services, configure the database, and testing to ensure that we're ready to go. Finally, there are additional tools in Kali that we will use to explore the target systems. These include identifying services and vulnerabilities that will help us determine which Metasploit Framework exploits to use. We will also get those configuration tasks completed so we have a working toolset for this course. Let's get started with looking at ways to use the Metasploit Framework.

Scanning the Network
Welcome back! This is module 3, Scanning the Network. In this module, we'll be looking for systems on the network and their vulnerabilities. For this, we will use the tools we configured in the previous module. We'll also dive more into the information we need and how to analyze the data once we've collected it. Our first focus will be on the objectives for scanning. We will look at the data that we need to acquire in order to learn more about these systems. We will use this data in an analysis in order to find ways into the target. The data is also needed for reporting. We will look at some of the auxiliary scanners that come with the Metasploit Framework. These are special purpose scanners that can gather information on a limited set of services. We talked briefly about NMAP and its integration with the Metasploit Framework in the previous module. Here we will use NMAP for its fast scanning capabilities. We will also show some of its unique scanning and scripting capabilities. We configured our vulnerability scanning software in the previous module. Now it's time to use OpenVAS for finding vulnerabilities in our target systems. Once we've used the Metasploit Framework, NMAP, and OpenVAS to gather a lot of detailed data about our target systems, we'll need to do some analysis. Determining which vulnerabilities to examine further and selecting those that are likely to be successful are needed for our next step--gaining access. Let's get started with finding those systems and figuring out how to attack them.

Gaining Access to Systems
Hello. This is module 4, Gaining Access to Systems. In this module, we'll be using the Metasploit Framework to select, configure, and launch exploits against our target systems. We'll also look at some tools to use once access is achieved. First, we'll look at the process of exploiting vulnerabilities in software to gain access. We'll look at how vulnerable systems are compromised. There are several methods used for taking advantage of system weakness, which we'll explore. We will also see how the user and weaknesses in their software clients can be used to gain access. Then we'll take a look at the Metasploit Framework exploits and how we can find and choose an exploit based on our gathered information for the target system. Remember, exploit code abuses the vulnerabilities in the target system to break in. Before that code can be used, there are some configuration steps needed. We will explore what's possible with exploits. Next, we'll need to choose payloads that will be used with the exploit. Payloads are needed to take advantage of the access that the exploit provides. Payloads are bits of code that can be used to gain a foothold into the system. There are a variety of payload types. Some are simple. Others are more sophisticated. Meterpreter is a special kind of payload. It provides a lot of capability for post-exploitation operations. We will talk more about what to do when you are on the target system and how you can use Meterpreter. With an exploit and payload selected and configured, we will attempt to gain access to the target system. Hopefully everything works, and we'll have the access we need. But sometimes it doesn't work. We'll look at some common issues that you may encounter. Once we have a working exploit, delivered a payload, and gained access to our target system, we'll need to take other actions. What we do will depend on our project scope, documentation requirements, and needs for managing the vulnerabilities in the system. We'll focus this section entirely on using Meterpreter, which gives us a wide range of capabilities for post-exploitation operations.

Maintaining and Expanding Metasploit
Hi there! This is the last module in this course, Maintaining and Expanding Metasploit. In this module, we'll be wrapping up our discussion on penetration testing using the Metasploit Framework with a focus on the maintenance of the toolkit, how you can expand some of its capabilities, and how you can find help and be an active participant in the community. First, we will look at the current Rapid7 release methodology for new versions of the Metasploit Framework. As we've mentioned several times, the Metasploit Framework is a rapidly moving target as new exploits, payloads, scanners, and post modules become available. Just looking at the number of new vulnerabilities discovered each day should give you an idea of the pace of change needed. We will focus on where to find information about each release and how to update your version of the framework. Then we'll look at how to add new capabilities to the Metasploit Framework. While you may still be a beginner with the framework, it's helpful to understand how the code works under the hood. Later after you're a Metasploit master, you can use that understanding of the underlying software architecture to build your own modules. Finally, there's only so much information we can put into a course like this. You have to experiment and play on your own. At some point, you'll probably have questions that are not covered here. We'll look at some of the community resources available. The Metasploit community is open to newcomers, so you should be able to jump right in and get the assistance you need. I also encourage you to share what you learn to help keep the community strong.