Visit http://community.rapid7.com to post questions, read documentation, and search for answers.

Last updated 04/22/2013
Welcome
This guide covers some of the most common penetration testing tasks that you can perform with Metasploit
Pro. The goal is to walk you through some of the most common task configurations and give you a brief
overview of some of the most important concepts in Metasploit Pro.
Practice Target
If you need a vulnerable target to practice on, you can download Metasploitable or Metasploitable 2. Both
targets are intentionally vulnerable Ubuntu virtual machines that have been specifically created for testing
Metasploit Pro and other Metasploit editions.
Metasploitable 2 is the latest distribution from Rapid7 and contains more vulnerabilities than Metasploitable.
It is recommended that you use Metasploitable 2 instead of Metasploitable. For information on setting up
Metasploitable 2, read Metasploitable 2 Exploitability Guide.
If for some reason, you really want to practice against Metasploitable, you should read the Metasploitable
Set Up Guide for more information.
Metasploit Pro Workflow
Product Terminology
Bruteforce Attack: An attack that attempts a large number of user name and password combinations for targeted services to gain access to hosts.
Discovery Scan: The Metasploit internal scanner that combines Nmap and several Metasploit modules to scan and enumerate targets.
Exploit: A program that takes advantage of a specific vulnerability and provides an attacker with access to the target system. An exploit typically carries a payload and delivers the payload to the target system.
Module: A standalone piece of code, or software, that extends functionality of the Metasploit Framework. Modules automate the functionality that the Metasploit Framework provides and enable you to perform tasks with Metasploit Pro.
Project: A container for the targets, reports, and data that are part of a penetration test. A project represents the workspace that you use to configure the tasks for a penetration test.
Target: A term that represents a single host, multiple hosts, a network range, or an entire network. In social engineering, a target refers to a human target.
Quick Start Guide
Getting Started with Metasploit Pro
Task 1: Create a Project
1. Open a web browser and go to https://localhost:3790 if Metasploit Pro runs on your local machine. If
Metasploit Pro isn't installed locally, replace localhost with the address of the remote machine.
2. Select Project > Create New Project from the Main menu.
What is a project? A project contains the workspace for the penetration test. You perform all tasks for a
penetration test from within a project, including scanning, exploitation, bruteforcing, and social engineering.
3. When the New Project window appears, specify a name, description, and network range for the project.


Do I need to specify a network range? No, you only need to define a network range if you want to require
that targets fall within a specific address range. Otherwise, Metasploit Pro uses the network range to
autofill the target address field for some tasks, like scans, bruteforce attacks, and exploits.
4. Choose the team members that you want to access the project.
5. Create the project.
Task 2: Run a Discovery Scan
1. From the Project Overview page, click the Scan button.

2. When the New Discovery Scan page appears, enter the addresses that you want to scan in the Target
addresses box. You can enter a single IP address, an IP range described with hyphens, or a standard
CIDR notation.

3. Use the default discovery scan settings.
Setting Advanced Options: To fine-tune the scan, you can configure the advanced options. For
example, you can specify the IP addresses that you want to include and exclude from the scan, as well
as the target ports, services, scan speed, and scan mode for the discovery scan.
4. Run the scan. The Task log appears and shows you the status of the scan.
5. After the scan completes, visit the Hosts page to see the results of the scan.
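A pre-flight scope check for the target entries described in Tasks 1 and 2, as an added example that is not part of the original guide and not Metasploit Pro's own code: it parses the three notations the guide lists (single IP, hyphenated range, CIDR) and reports entries that fall outside the project's network range. The function names and sample addresses are constructed for illustration.

```python
import ipaddress


def parse_targets(spec):
    """Expand one target entry into a list of ip_network objects.

    Handles a single IP address, a hyphenated range (first-last),
    or CIDR notation. Raises ValueError on anything else.
    """
    spec = spec.strip()
    if "-" in spec:
        first, last = (part.strip() for part in spec.split("-", 1))
        start = ipaddress.ip_address(first)
        end = ipaddress.ip_address(last)
        try:
            # Smallest set of CIDR blocks covering start..end inclusive;
            # raises ValueError itself when end precedes start.
            return list(ipaddress.summarize_address_range(start, end))
        except TypeError as exc:  # mixed IPv4/IPv6 endpoints
            raise ValueError(f"mixed address families in {spec!r}") from exc
    # strict=False lets 192.168.56.10/24 mean the enclosing /24 network.
    return [ipaddress.ip_network(spec, strict=False)]


def check_scope(targets, project_range):
    """Return (in_scope, out_of_scope) lists of the original entries."""
    allowed = []
    for version in (4, 6):
        nets = [n for entry in project_range for n in parse_targets(entry)
                if n.version == version]
        # Merge adjacent blocks so a target spanning two of them still passes.
        allowed.extend(ipaddress.collapse_addresses(nets))
    in_scope, out_of_scope = [], []
    for entry in targets:
        blocks = parse_targets(entry)
        ok = all(any(b.version == a.version and b.subnet_of(a) for a in allowed)
                 for b in blocks)
        (in_scope if ok else out_of_scope).append(entry)
    return in_scope, out_of_scope


# Constructed sample: a lab project range and a proposed target list.
PROJECT_RANGE = ["192.168.56.0/24"]
TARGETS = ["192.168.56.101", "192.168.56.100-192.168.56.120",
           "192.168.56.0/25", "192.168.57.5", "192.168.56.250-192.168.57.3"]

if __name__ == "__main__":
    ok, bad = check_scope(TARGETS, PROJECT_RANGE)
    print("in scope:    ", ok)
    print("out of scope:", bad)
```

Running the check before pasting addresses into the Target addresses box catches a mistyped range that would otherwise reach hosts outside the agreed scope.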

Task 3: Exploit Targets
1. From the Analysis page, click the Exploit button. This will launch the Automated Exploit feature.

What is automated exploitation? Automated exploitation is Metasploit Pro's method of matching
exploits to vulnerabilities and open services. Metasploit Pro cross-references open services,
vulnerabilities, and fingerprint data with matching exploits to create an attack plan against the targets. This
process removes most of the legwork that you would normally perform for manual exploitation.
2. When the New Automated Exploitation Attempt page appears, enter the addresses that you want
to exploit in the Target addresses box. You can enter a single IP address, an IP range described with
hyphens, or a standard CIDR notation.

3. Choose Great for the Minimum Reliability (or module ranking).
What's a rank? A rank indicates the reliability and stability of an exploit. The higher the ranking, the
less likely the exploit will crash a service. We recommend that you always use Great or Excellent.
4. Use the default exploit settings for the automated exploit.
Setting Advanced Options: If you want to customize the exploit, you can configure the advanced
options to customize the payload and exploit types. Just click on the Show Advanced Options button to
see the options that are available for you to customize.
5. Launch the exploit. Successful exploits will open a session with the compromised target. To see a list of
open sessions, click on the Sessions tab.
Task 4: Bruteforce Services
1. From the Analysis page, click the Bruteforce button.

2. When the New Automated Bruteforce Attempt page appears, type the addresses that you want to
bruteforce in the Target addresses box. You can enter a single IP address, an IP range described with
hyphens, or a standard CIDR notation.

3. Choose a depth for the bruteforce attack.
What's the depth? The depth controls the number of password and user name combinations that
the bruteforce attack attempts. To limit the number of attempts, set the depth to quick or defaults only.
Otherwise, the default setting, normal, is a good starting point.
4. Select the services that you want to bruteforce. By default, Metasploit Pro preselects the services that
the discovery scan identified as active.

5. Use the default bruteforce attack settings.
Setting Advanced Options: If you want to customize the bruteforce attack, you can configure the
advanced options to customize the credentials and payloads that the attack uses.
6. Launch the bruteforce attack. If the bruteforce attack guesses the credentials for a service, Metasploit
Pro uses the credentials to open a session. To see a list of all open sessions, click on the Sessions tab.
All open sessions will be listed under the Active Sessions area.
Task 5: Collect Evidence
1. Click the Sessions tab.
2. When the Sessions window appears, click the Collect button.

3. Select the active sessions you want to use to collect evidence.

4. Use the default evidence collection options. This will collect system information, such as
password hashes, SSH keys, and screenshots of desktop environments.
5. Collect the system data.
Task 6: Generate the Report
1. Choose Reports > New Standard Report from the Tasks tab.
2. Choose Audit Report as the report type.

Which Report Do I Generate? Metasploit Pro provides several reports with varying levels of detail.
Although each engagement is different, you should at least present an overview of your findings, a detailed
report, and raw data from your tests. Therefore, at a minimum, you should generate the Audit,
Compromised Hosts, Authentication Tokens, and Collected Evidence reports. These reports should
cover most of the information you need to disclose.
3. Choose the format you want the report to use. PDF is a good choice.
4. Give the report a unique and descriptive name. This is the name that displays on the Reports page.

5. Leave the Included and Excluded target fields blank to include all targets in the project in the report.

6. Keep all of the default report settings.

7. Generate the report.
8. To view the report, click on the Reports tab, and click the View button next to the report name.
