Yesterday Rapid7 released Metasploit 3.6. This edition of the Professional version of Metasploit has added some key features.
@sussuro has some great video walk-through you can find here: http://www.ethicalhacker.net/content/view/357/1/
Below I am going to highlight my favorite updates
Over the past 2 days, I have received 2 great resources for PCI compliance. The first is this You-Tube video. It helps to laugh in-between the tears.
The 2nd is the new report that Metasploit Pro includes. This is a key report that could not come too soon.
I fired up a test Windows 2000 SP4 to test the report. Below is an except.
As noted above, the following PCI requirements are tested with a result of pass/fail. Included in the report if further information. Looking at 6.1 we can see this box was not patched.
A month ago there was a move from post exploitation scripts to modules. Seeing the 3.6 update, I understand the method to the madness. The say "shell is only the beginning." With the new Post-Exploitation Modules, this saying has more truth then ever.
Once a session is generated on a box, the available Post-Exploitation Module is available on the Session tab. The use of the modules are extremely easy. Point, Click, Pwn!
A hidden gem feature is the ability to run Post-Exploitation Modules on all sessions generated.
Running the Module generates the results that my test machine was a VMware machine.
Revisiting my favorite Post-Exploit trick, UAC Protection Bypass. I generated a session on a Windows 7 machine.
Before the module we are #Losing.
After the module, we are #Winning.
A hidden gem that I noticed is with the Exploit Button. It has been described as Super AutoPwn. A new feature at the end of the Exploit Menu is the addition of a "Choose Exploits" button.
This allows the PenTester to customize which exploits are going to be fired at the target allowing for a focused attack.
Version 3.6 of Metasploit has many features and hidden gems. Abe Lincoln said "If I had eight hours to chop down a tree, I’d spend six sharpening my axe."
Version 3.6 is razor sharp out of the box!
Try it for 7 days with a full featured demo: http://www.rapid7.com/downloads/metasploit-pro.jsp