20 July 2007

Learn to use Metasploit – Tutorials, Docs & Videos


Metasploit is a great tool, but it’s not the easiest to use and some people get completely lost when trying to get the most out of it.

To help you guys out, here is a bunch of links, videos, tutorials and documents to get you up to speed.

You can start with this, a good Flash tutorial that shows you step by step how to use it:

Metasploit at Iron Geek

This video covers the use of Metasploit, launched from the Auditor Boot CD, to compromise an unpatched Windows XP box by using the RPC DCOM (MS03-026) vulnerability.

There’s a presentation by HD Moore himself at CanSecWest 2006:

csw06-moore.pdf

And a couple of videos spawned from that here:

Computer defense – TASK Presentation

The most up to date video for Metasploit 3 can be found here:

Exploring Metasploit 3 and the New and Improved Web Interface – Part 1

Exploring Metasploit 3 and the New and Improved Web Interface – Part 2

The Metasploit site itself also has some fantastic documentation; a good place to start is here:

http://framework.metasploit.com/msf/support

The Metasploit book is a good start too:

Using Metasploit

The SecurityFocus article is a good reference too, if a little outdated:

Metasploit Framework, Part 1
Metasploit Framework, Part 2

So get hacking, Metasploit is great!




24 Responses to “Learn to use Metasploit – Tutorials, Docs & Videos”

  1. backbone 20 July 2007 at 1:37 pm

    it’s a great resource list, and mostly practical because everything is shown… and when I think of the script kiddies who don’t want to learn and read… this will be a perfect resource for them…

  2. Bogwitch 20 July 2007 at 7:25 pm

    Backbone, my thoughts exactly.

    Darknet – should you be promoting this sort of thing?

    “Don’t learn to hack – hack to learn”

    Yeah, OK, the skiddies are more likely to be on Irongeek than Darknet and obscurity is no security but all the same….

  3. backbone 20 July 2007 at 8:38 pm

    hehe Bogwitch the motto could be interpreted in many ways…

    I think darknet should make an article stating:

    “We do not promote script kiddying!”

  4. Bogwitch 20 July 2007 at 8:54 pm

    I’ve got to admit, I use Metasploit during pen tests because it’s easy. However, I still feel guilty – like I’m cheating in some way. That said, my customers prefer the smaller bills and as a practical demonstration to them, it is almost guaranteed to get them to sign for the remedial work necessary! :-)

  5. backbone 21 July 2007 at 4:22 pm

    you should not feel like you’re cheating because you are using it in a pen-test (it was made for this kind of job), and as a pen-tester you at least know what metasploit actually does ;)

  6. CG 22 July 2007 at 10:37 pm

    thanks for posting my vid as “most updated MSF video”

    there is actually a 2nd part on EthicalHacker.net :

    http://www.ethicalhacker.net/content/view/136/24/

  7. Darknet 23 July 2007 at 6:53 am

    Yeah well I do use Metasploit in pen testing too, if clients need a PoC it’s sometimes the easiest way to do it.

    I like to share info though, if it enables the script kiddies to do bad stuff, well that’s tough for the people with insecure machines.

    But I prefer to think of it as educating, you can’t ban guns just because some people might shoot each other ;)

    CG: Thanks for the info, will add it in.

  8. SN 23 July 2007 at 7:29 pm

    cool

  9. backbone 23 July 2007 at 8:33 pm

    Darknet I agree with you, but trust me if it were a non video tutorial, less script kiddies would have tried to learn metasploit that way =)

  10. TheRealDonQuixote 24 July 2007 at 5:03 am

    Fer wut itz worth:
    @DRKNT – Nice collection of info on Metasploit. I say Darknet is better off teaching “Hack To Learn”, in order to convert a skiddie. After all, history has taught us, the best way to fight an idea is with another idea.

    @bckbn – Video Tuts on everything from Metasploit to simple kismet wardriving are everywhere, and they only become more prolific with the amount of traffic that skiddies generate trying to “learn” an easy hack. Yep, the skids can be problematic, but trying to hinder them is like trying to hold back the ocean with your hand. In fact it’s better to let the skids learn a hard lesson or two as most will get hacked trying to take the easy way, more and more black hats are preying on them and their uber vulnerable pay pal accts. Either way, a skiddie will usually burn out from being too lazy to learn or getting hacked too many times, or they move on up the chain and start being proactive about knowledge and the power of information.

    However, in light of the possible maladies a skiddie may generate, one has to start somewhere, maybe even (dare I say) as a skiddie. I was too dumb to be a skiddie, so I had to learn by doing and reading actual paper books, plus I was always a bit paranoid about the fedz. Anyway, not all of us are old enough to have started futzing with computers during the dawn of the internets.

    To be honest, I don’t mind skiddies all that much, because they are in a place where people like Darknet can influence them into another level of learning and knowledge. Of course, not everyone is on the path to righteousness…

    L8s
    TRDQ

  11. Christophe Vandeplas 24 July 2007 at 11:16 am

    H D Moore also gave a talk at FOSDEM 2007.

    You can find the slides here: http://fosdem.org/2007/slides/maintracks/metasploit.pdf
    and the video/recording here: http://video.fosdem.org/2007/FOSDEM2007-Metasploit.ogg

  12. Sandeep Nain 25 July 2007 at 1:59 am

    Hey Darknet,
    Thanks for the videos. They are awesome and very helpful for beginners in security field.

    Keep posting such videos…

    CG: It’s a great video… kudos to you

  13. moons 25 July 2007 at 12:01 pm

    ah yes metasploit, there’s another tool called SecurityForest Exploitation Framework, available at :
    http://www.securityforest.com/wiki/index.php/Category:ExploitTree which is rather similar to the metasploit framework as well.

    good videos.

  14. Sandeep Nain 25 July 2007 at 12:31 pm

    Hi moons

    thanks a lot.. videos are pretty good and helpful…

    as i said earlier…such videos great for security newbies…

  15. backbone 25 July 2007 at 8:51 pm

    I didn’t know of SecurityForest Exploitation Framework, but I suppose that metasploit has a bigger community than it…

  16. Sandeep Nain 26 July 2007 at 6:13 am

    securityforest exploitation framework is similar to metasploit but has a lot of preconfigured exploits available at exploit tree…

    it’s not very popular yet as it’s still in beta.

  17. Darknet 26 July 2007 at 8:07 am

    We have mentioned Security Forest and their BETA exploitation framework before in April 2006 when FrSIRT started charging for access.

    Alternatives to FrSIRT – Where to Download Exploits?

    It’s also been linked in our sidebar since we started :)

    I guess that was before many of you started reading though.

    Christophe: Thanks for the additional links!

    TheRealDonQuixote: I agree, better to share so everyone is aware rather than try and hide it and keep it away from certain people.

  18. backbone 26 July 2007 at 6:44 pm

    Darknet: just a little mention, if you have got the time try to search for video tutorials on how to secure system first, then how to exploit them ;)

    I really think that will have much more success…

  19. Sandeep Nain 27 July 2007 at 12:01 am

    Well i think, if someone knows how to exploit a system it becomes much easier for him/her to secure the system. so such tutorials are a must.

  20. TheRealDonQuixote 27 July 2007 at 12:02 am

    Man, I was sooooo pissed when FrSIRT went all money. That’s where I got the source for my first exploit, THE JPEG OF DEATH.

    I didn’t know about “Security Forest” either. Sorry I didn’t see it earlier DKNT :|
    @Moons – thx for bringing SF back to our attention!!

    @BKBN – One question. How can one completely secure their system, without knowing all the holes to plug first? I think, hopefully, DKNT and I are in agreement that it’s better to show everyone, all the security holes we can find, so that they know what it is they need to secure. How would anyone know to block or monitor port 23, if they didn’t know that naughty black hats check that port first for simple telnet hacks? Ok so that was two questions. :D

    Sorry I’m so long winded on this subject (informing people vs keeping some info for those “in the know”). I had a big flame fest over a post on my blog, titled “How To Make Crack and Freebase Cocaine”. Everyone was going nuts cause I had found the info via google and then reposted it. The point was that any kid COULD find this info, and that parents need to monitor their kids habits on the net, cause the info is and will always be there somewhere. But I got slammed from all sides about how little kids could be reading my blog and seeing this. The point was lost because peeps had an instant emotional reaction instead of realizing that if a total N00b like me could find it then anyone could.
    Again, sorry so long.
    TRDQ

  21. Sandeep Nain 27 July 2007 at 12:12 am

    Backbone: just telling the security professionals, that you should filter the input/output for HTML and javascript to stop XSS attacks won’t be enough till the time they see how it can be exploited..
    and we all know filtering the ‘

  22. mike 17 August 2007 at 11:17 pm

    hey, i know this is a little out of context, but for the past month or so, i have become really interested in the world of hacking and would love to better my knowledge of how security systems work and how to exploit vulnerabilities. i am not one of those stereotypical losers who think they have the right to just ask around so they can get into their friends’ box, but i am genuinely interested in this. i have downloaded metasploit on my laptop and would like to test it out on another comp connected to my wireless network, to see how hard/easy it is to get into my own system, but i don’t have a clue how to use this, would it be possible if you could point me in the right direction maybe to a tutorial for newbies, where there is a step by step explanation and how it all works.

  23. CG 27 August 2007 at 2:53 am

    thanks for the props guys!