Metasploit

METASPLOIT: THE ATTACKER’S PLAYBOOK

TEST YOUR DEFENSES MORE EFFICIENTLY WITH METASPLOIT

Knowing your opponents’ moves helps you better prepare your defenses.

Metasploit, backed by a community of 200,000 users and contributors, gives you that insight. It’s the most popular penetration testing solution on the planet. With it, you find your weak point before a malicious attacker does.

Conduct penetration tests 45% faster

Skilled penetration testers are hard to find, so using their time effectively is important. Yet, much of their time is spent on repetitive tasks and writing custom scripts, taking time away from identifying security issues and providing insights and advice.

ms1

Metasploit Pro helps penetration testers conduct assessments more efficiently by accelerating common tasks, such as discovery, exploitation, brute-forcing and reporting, provides advanced evasion and post-exploitation methods, and efficiently managing the vast amounts of data generated in large assessments.

Security professionals new to penetration testing will find it easier to become productive with Metasploit Pro than with open source alternatives.

Validate vulnerabilities to prioritize remediation

Vulnerability scanners can determine installed software and its vulnerabilities but not whether it poses a high risk in the context of your network. This can be dangerous because IT teams don’t know which vulnerabilities need to be remediated first.

ms2

Vulnerability validation tests the exploitability of vulnerabilities to demonstrate risk in an objective way, eliminating debates over whether a vulnerability is a high risk.

Metasploit Pro closes the vulnerability validation loop by returning results to Nexpose, where exploitability of a vulnerability can be used to create reports and prioritize vulnerabilities for remediation.

Manage phishing awareness to reduce user risk

Phishing is the third most popular attack vector, and phishers primarily target credentials, which themselves rank as the #1 attack vector. Yet, organizations struggle to measure their phishing exposure and gauge the effectiveness of their training and technical controls – a risky blind spot in any security program.

ms3

Rapid7 Metasploit Pro measures the effectiveness of security awareness trainings by running simulated phishing campaigns, helping to manage exposure to this common attack vector.

Metasploit Pro integrates with Rapid7 User Insight to provide phishing risk in the context of a more comprehensive user risk, including network access, cloud service usage, and compromised credentials.

METASPLOIT: PENETRATION TESTING SOFTWARE

TEST YOUR NETWORK’S DEFENSES BEFORE SOMEONE ELSE DOES

Complete engagements 45% faster through higher productivity

Penetration testers need to use their valuable expertise efficiently. In a survey with more than 2,000 Metasploit users, Metasploit Pro users said they save 45% of time on average compared to using Metasploit Framework. Productivity features include:

  • Discovery, smart exploitation, and credentialsbrute forcing and cracking
  • Wizardsfor standard baseline audits
  • Task chainsfor automated custom workflows
  • MetaModulesfor discrete tasks such as network segmentation testing

ms4

Leverage the Metasploit open source project and its leading exploit library

Rapid7 manages the Metasploit project, the largest collection of code-reviewed exploits, backed by a community of over 200,000 members.

Leading the Metasploit project gives Rapid7 unique insights in to the latest attacker methods and mindset. Rapid7 works with the community to add an average of 1.2 new exploits per day, currently counting more than 1,300 exploits and a total of more than 2.000 modules.

ms5

Manage data in large assessments

Conducting an assessment and managing data in networks over 100 hosts can be challenging.

Metasploit Pro scales to support thousands of hosts per project on engagements. Its robust data management helps you find the needle in your haystack.

ms6

Uncover weak and reused credentials

According to the Verizon Data Breach Investigations Report, credentials have become the #1 attack vector for attackers. With Metasploit Pro, you can test your network for weak and reused passwords. Going beyond just cracking operating system accounts, Metasploit Pro can run brute-force attacks against over 20 account types, including databases, web servers, and remote administration solutions.

ms7

Evade leading defensive solutions

Create dynamic payloads to evade detection by anti-malware solutions. Metasploit Pro evades leading anti-virus solutions 90% of the time, with no solution detecting all options. Dynamic payloads are seamlessly integrated into exploitation, credentialed log-ins, and phishing and can be used stand-alone. Get past firewall and IPS using traffic-level evasion techniques.

ms8

Control compromised machines and take over the network

Completely take over a machine you have compromised. In the post-exploitation step, you choose from over 200 modules, from stealing credentials and accessing files to installing key loggers and using the web cam.

Post-exploitation macros can automate your preferred steps when a new machine is compromised.

After the first machine, you’ll soon own the entire network, especially when you use VPN pivoting to get full local network access.

ms9

Automatically generate reports of key findings

Writing reports is often the most frustrating part of the job and takes up to 30% of time on an assessment.

Automatically record actions and findings from your network and application-layer assessment to save valuable time otherwise spent on cutting and pasting. Generate reports to show your findings and sort them by regulations such as PCI DSS and FISMA.

ms10

Create prioritized closed-loop remediation reports

Deliver closed-loop vulnerability reports that prioritize remediation based on the exploitability of vulnerabilities in your environment.

Metasploit Pro’s Vulnerability Validation Wizard greatly simplifies the integration with Rapid7 Nexpose and guides the user through the validation process.

ms11

Improve security by prioritizing exploitable vulnerabilities

Find out which vulnerabilities could be exploited by an attacker in your specific environment and therefore pose a risk to your network and should be prioritized for remediation.

In Nexpose, filter reports for validated vulnerabilities so you can focus your remediation efforts on them.

ms12

Demonstrate risk exposure to prioritize remediation and get buy-in

When other departments question the validity of scan results, demonstrate that a vulnerability puts systems and data at risk of compromise by simulating an attack. Get quick buy-in for remediation measures and build credibility with stakeholders.

ms13

Prove effectiveness of remediation or compensating controls to auditors

Verify that remediations or compensating controls implemented to protect systems are operational and effective. Create vulnerability exceptions based on hard evidence that easily pass your next audit.

ms14

Get comprehensive visibility of user risks by integrating with Rapid7 UserInsight

Get a unique full picture of a user’s accounts, network activity, cloud services, mobile devices, network activity, and phishing risk.

Metasploit Pro’s integration with UserInsight unifies valuable security data normally scattered across systems.

ms15

Assess overall user awareness and deliver targeted training

Measure conversion rates at each step in the phishing campaign funnel, such as how many people clicked through a phishing email, how many entered username and password on a cloned website, and how many systems were compromised.

Get advice on how to address risk at each step in the social engineering funnel. When users take a dangerous action, they can be redirected to a training site on the spot.

ms16

Test the effectiveness of security controls

Measure the effectiveness of technical controls such as anti-malware solutions and URL blockers in addition to the user awareness.

If desired, phishing web pages or email attachments can contain exploits that test patch levels, security configurations, and network-based defenses.

ms17

Simulate phishing campaigns for thousands of users

Send and track emails to thousands of users with Metasploit Pro’s scalable phishing campaigns. Clone web application login pages with one click to harvest credentials.

Easily budget for your phishing awareness program – Metasploit Pro includes a flat rate for unlimited phishing emails during your licensing term.