Review: Metasploit: the penetration tester’s guide

By David Kennedy, Jim O’Gorman, Devon Kearns and Mati Aharoni. Published by No Starch Press (ISBN: 978-1-59327-288-3). Price: $49.95, 300pgs, paperback.

Metasploit has been such a key weapon in the penetration tester’s armoury for so long that a book like this is long overdue. Yes, there are other titles that provide general guidance to the software, but this one is very focused on the needs and methods of pen-testers.

The Metasploit Framework (MSF) is a complex set of tools, so 300 pages isn’t going to be enough to provide an in-depth manual for the software. But it is enough to get you up to speed on the fundamentals of how it works, how all the pieces fit together and how you would typically use the software in a pen-testing environment. So that’s exactly what the authors do.

Those authors have highly appropriate pedigrees for this job. David Kennedy is CISO at Diebold and a key member of the team at Offensive-Security that produces BackTrack, the Linux distribution for pen-testers and security professionals. Jim O’Gorman is a pen-tester with CSC’s StrikeForce, co-founder of Social-Engineer.org and an Offensive Security instructor. Devon Kearns is also an Offensive-Security instructor and one of the developers of BackTrack. And Mati Aharoni created BackTrack and founded Offensive-Security.

The book doesn’t just cover Metasploit. It touches on other tools that are typically deployed in conjunction with MSF in pen-testing situations, many of them accessible from within MSF itself. For example, Nmap is the go-to tool during target enumeration and this book shows not only how to run it from the MSF command line but also how to record its output in a database, so that discovered hosts and services can be queried later and fed straight into exploit selection. Similarly, it briefly covers the Nessus and NeXpose vulnerability scanners, and gives over whole chapters to the Social-Engineer Toolkit and the Python-based Fast-Track tool, both of which use MSF for payload delivery and client-side attacks.

It’s worth noting that MSF can be used on a number of platforms and with a variety of database backends. On BackTrack, for example, you may find that it’s installed using MySQL as the database engine. This book, however, largely assumes that you’re running the software on Linux and are using PostgreSQL for your database. It also assumes that you will have enough technical knowledge to adapt the examples given for your own environment, should it differ from this - not unreasonable given the intended readership.
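The database-backed enumeration workflow described above, shown as an added example in msfconsole commands; this is not a listing from the book. The PostgreSQL credentials (msf3/password), database name (msf3), workspace name (lab) and target address (192.168.56.101, a lab host on a host-only network) are assumptions for illustration, and the explicit db_connect step is only needed on an MSF3 install that has not been pre-wired to a database:

```msfconsole
# Assumed PostgreSQL credentials and database name; on a pre-configured
# install (Metasploit 4 onwards) db_status alone should report a connection.
msf > db_connect msf3:password@127.0.0.1/msf3
msf > db_status
[*] postgresql connected to msf3

# Keep this engagement's data separate from other work.
msf > workspace -a lab
msf > workspace lab

# Run Nmap from inside MSF; results go into the database, not just the screen.
# -sS: SYN scan, -sV: service versions, -O: OS fingerprint.
msf > db_nmap -sS -sV -O 192.168.56.101

# Query what was recorded, then narrow to the service you intend to attack.
msf > hosts
msf > services
msf > services -p 445 -R
```

The `-R` flag on `services` sets RHOSTS from the matching database entries, which is the point of storing scan output in the first place: subsequent `auxiliary` scanners and exploit modules can be run against the hosts the scan found rather than addresses typed by hand. The `db_driver postgresql` command that MSF3 used to choose the backend no longer exists in MSF4, so a reader following the book on the newer version should skip it and rely on `db_status`.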

An introductory chapter on the basics of penetration testing is mercifully brief and mostly points readers to the Penetration Testing Execution Standard (PTES). From there, it’s straight into hands-on coverage of actually using Metasploit. The authors have made a wise decision to focus on the free, command-line Framework. Rapid7, which now owns the rights to Metasploit, also markets the paid-for Express and Pro versions, which offer additional capabilities, ease of use and integration with other tools. However, the book is aimed at those just getting to know MSF, who are unlikely to be at the stage where it is a professional tool of such value that they can justify expensive software licences.

After a run-through of the basics of how to issue commands, select exploits, load payloads and so on, the book quickly gets into how it is used in pen-testing environments. This starts with target enumeration and vulnerability scanning before moving on to executing exploits - the job for which Metasploit is best known. Meterpreter, the payload that runs entirely in the memory of a compromised process and gives the tester an interactive shell without writing anything to the target’s disk, gets a chapter to itself, which is appropriate considering how important it is to stealthy intrusion. And talking of stealth, the next, short chapter covers the important topic of avoiding detection by antivirus and intrusion-detection systems.

It’s obvious from the way the book is constructed that this is a practical publication. It’s not a manual for Metasploit, nor a comprehensive reference work for what is, after all, a highly complex suite of utilities. This is a guide for people who really want to use the software in real-world scenarios. And so following chapters include: exploitation using client-side attacks; Metasploit’s auxiliary modules (including how to write them); the Karmetasploit wireless tools; how to build your own modules and create your own exploits; and Meterpreter scripting.

Thanks to numerous screenshots and command examples, the authors make it very easy to understand how all this works, so it’s impossible to get very far into the book without wanting to fire up Metasploit and try the techniques for yourself. As Metasploit is all about exploiting vulnerabilities, practising these techniques against other people’s systems would be unethical and, in many cases, illegal. And trying them out on your own production systems would be unwise: make a mistake and you could bring them crashing down.

The answer is to read Appendix A before you really get started on the main contents of the book. This guides you through the process of setting up a target system running virtualised versions of Windows (preferably an unpatched version of Windows XP Service Pack 2) and Linux. This provides a safe environment in which to learn the intricacies of Metasploit.

This isn’t the only resource that will help you do that. One of the issues that book publishers have to face these days is competition from the web. Indeed, much of the information in this book - and much, much more - is freely available on the Metasploit Unleashed website, some of it supplied by the same authors. The website is also more easily updated - something highlighted by the fact that this book is based around MSF3 and version 4 of the framework was released very shortly after its publication.

However, this book provides all the key information you need to get going with Metasploit in one easily read and referenced package. In practical terms, the differences between MSF3 and MSF4 are sufficiently minor that, at least for the beginner, you’re unlikely to hit any major problems.

The conciseness of the book, its step-by-step tutorial style and its simple, clear writing mean that it’s easier to get to grips with MSF than trying to wade through the massive amount of information available at Metasploit Unleashed. Once you understand the basics, and are comfortable with Metasploit’s environment, commands and concepts, you can then move on to the website, or perhaps Offensive-Security’s highly regarded training courses.

This post is based on a review in the September issue of Network Security.

Metasploit: the penetration tester’s guide is available from Amazon.com and Amazon.co.uk.