Chapter 1. Approaching a Penetration Test Using Metasploit
Penetration testing is an intentional attack on the computer-based system with the intension of finding vulnerabilities, figuring out security weaknesses, certifying that a system is secure, and gaining access to the system by exploiting these vulnerabilities. A penetration test will advise an organization if it is vulnerable to an attack, whether the implemented security is enough to oppose any attack, which security controls can be bypassed, and so on. Hence, a penetration test focuses on improving the security of an organization.
Achieving success in a penetration test largely depends on using the right set of tools and techniques. A penetration tester must choose the right set of tools and methodologies in order to complete a test. While talking about the best tools for penetration testing, the first one that comes to mind is Metasploit. It is considered to be one of the most effective auditing tools to carry out penetration testing today. Metasploit offers a wide variety of exploits, an extensive exploit development environment, information-gathering and web testing capabilities, and much more.
This book has been written in a manner that it will not only cover the frontend perspectives of Metasploit, but it will also focus on the development and customization of the framework as well. This book assumes that the reader has basic knowledge of the Metasploit framework. However, some of the sections of this book will help you recall the basics as well.
While covering the topics in this book, we will follow a particular process as shown in the following diagram:
This chapter will help you recall the basics of penetration testing and Metasploit, which will help you warm up to the pace of this book.
In this chapter, you will:
Gain knowledge about the phases of a penetration test
Set up a penetration test lab for Metasploit exercises
Recall the basics of the Metasploit framework
Gain knowledge about the working of traditional exploits
Learn about the approach to penetration tests with Metasploit
Gain knowledge about the benefits of using databases
An important point to take a note of here is that we might not become an expert penetration tester in a single day. It takes practice, familiarization with the work environment, ability to perform in critical situations, and most importantly, an understanding of how we have to cycle through the various stages of a penetration test.
Throughout this chapter, we will dive deep into the fundamentals of penetration testing with Metasploit. We will also cover the traditional good old Metasploit exploits that were commonly used for years since the Metasploit framework was invented. In this chapter, we will look at:
How these good old exploits actually work
What services they target
How a system is compromised using these exploits
When we think about conducting a penetration test on an organization, we need to make sure everything is set perfectly and is according to a penetration test standard. Therefore, if you feel you are new to penetration testing standards or uncomfortable with the term Penetration testing Execution Standard (PTES), please refer to http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines to become more familiar with penetration testing and vulnerability assessments. According to PTES, the following diagram explains the various phases of a penetration test:
Note
Refer to the http://www.pentest-standard.org website to set up the hardware and systematic phases to be followed in a work environment; these setups are required to perform a professional penetration test.
