
How Is Metasploit Used In Practice (Rather Than Theory)


dingo_boy


I am not in the security business so the following question may seem naive.

ISTM that Metasploit is held up as the tool that can best identify network insecurities.

The idea is, AIUI, that the pen-tester (or attacker) identifies the IP range, scans it with Nmap or perhaps Nessus, then uses Metasploit to exploit these results and gain a shell (ideally Meterpreter) which provides almost total control over the victim. There is a good set of videos on Security Tube which detail the immense power of Meterpreter (http://www.securitytube.net/video/1175).

The problem I have with this video series is that the focus is on what happens after the exploit has been successful. The first video shows that the exploit is performed on an unpatched XP box and, quite understandably, the exploit works and shell access is granted.

But this is a test - it is not real. Similarly, "Metasploit: The Penetration Tester's Guide" (2011) runs the test exploit against an XP SP2 box.

This does not strike me as particularly up-to-date.

Here is my question: is it likely these days that a pen-tester or an attacker would successfully deploy Metasploit against an IP:port combination?

By "successfully", I mean obtain a shell.

Let's say that Nmap showed something like this:

80/tcp open http Apache httpd 2.2.3 ((CentOS))

443/tcp open ssl/http Apache httpd 2.2.3 ((CentOS))

3389/tcp open ms-wbt-server Microsoft Terminal Service

Or this:

21/tcp open ftp Solaris ftpd

80/tcp open http Apache httpd 1.3.37 ((Unix) FrontPage/5.0.2.2634 mod_ssl/2.8.28 OpenSSL/0.9.8d)

Or this:

80/tcp open http Apache httpd 2.2.9 ((Debian) mod_wsgi/3.3 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0)

443/tcp open ssl/http Apache httpd 2.2.9 ((Debian) mod_wsgi/3.3 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0)

I've searched in msfconsole and, IMO, there are so many caveats or restrictions for the Apache exploits (many of which are years old) that even the older versions of Apache could not be exploited.

The same applies to other popular web services like IIS.

Maybe I am missing something in the way that professionals use Metasploit.

Am I?

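The scan-then-search step described in the question, as an added example that is not part of the original post or of Metasploit itself. It takes the Nmap service lines quoted above (embedded here as constructed sample input), pulls out product and version, and writes the msfconsole search queries as a resource script that can be fed to msfconsole -r. It also flags the caveat behind much of the apparent mismatch in the question: CentOS, Red Hat and Debian keep the upstream version number (Apache 2.2.3, 2.2.9) and backport security fixes into it, so the banner version is not evidence of a missing patch, and only a module's own check (or a vulnerability scanner) tells you whether a given exploit applies. The target address 192.0.2.10 (a TEST-NET placeholder) and the choice of search keyword are assumptions of the example, not something the thread states.

```ruby
#!/usr/bin/env ruby
# Added example, not code from the original thread or from Metasploit.
# Parses the service lines Nmap prints, flags banners on distributions that
# backport fixes (where the version number says nothing about patch level),
# and emits msfconsole "search" queries as a resource script for "msfconsole -r".

# Constructed sample input: the three Nmap excerpts quoted in the question.
SAMPLE_SCAN = <<~NMAP
  80/tcp open http Apache httpd 2.2.3 ((CentOS))
  443/tcp open ssl/http Apache httpd 2.2.3 ((CentOS))
  3389/tcp open ms-wbt-server Microsoft Terminal Service
  21/tcp open ftp Solaris ftpd
  80/tcp open http Apache httpd 1.3.37 ((Unix) FrontPage/5.0.2.2634 mod_ssl/2.8.28 OpenSSL/0.9.8d)
  80/tcp open http Apache httpd 2.2.9 ((Debian) mod_wsgi/3.3 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0)
NMAP

# Vendors that freeze an upstream version and backport security fixes into it.
BACKPORTING_DISTROS = /\b(CentOS|Red Hat|RHEL|Debian|Ubuntu|SUSE)\b/i

# One "port/proto open name version-info" line from Nmap's normal output.
PORT_LINE = %r{\A(\d+)/(tcp|udp)\s+open\s+(\S+)(?:\s+(.*))?\z}
# Nmap prints product, then a version starting with a digit, then extra info
# in parentheses; product names without a version do not match this.
VERSION_INFO = /\A(.*?)\s+(\d[\w.\-]*)\s*(?:\((.*)\))?\z/

Service = Struct.new(:port, :proto, :name, :product, :version, :extra) do
  # True when the banner comes from a distro that backports fixes, so the
  # version string cannot be used to decide whether an exploit applies.
  def backported_banner?
    !!(extra && extra =~ BACKPORTING_DISTROS)
  end

  # Keyword for msfconsole's search: first word of the product ("apache").
  def search_term
    product.split.first.downcase
  end
end

# Parse Nmap normal-output port lines; anything that is not an open port is skipped.
def parse_nmap(text)
  text.each_line.map do |line|
    m = PORT_LINE.match(line.strip)
    next unless m
    port, proto, name, info = m.captures
    product, version, extra = (info || name), nil, nil
    if info && (v = VERSION_INFO.match(info))
      product, version, extra = v.captures
    end
    Service.new(port.to_i, proto, name, product, version, extra)
  end.compact
end

# Build a resource script: set the target once, then one search per product.
# 192.0.2.10 is a constructed placeholder address (TEST-NET-1), not a real host.
def build_resource(services, rhosts = '192.0.2.10')
  lines = ["setg RHOSTS #{rhosts}"]
  services.map(&:search_term).uniq.each do |term|
    lines << "search type:exploit #{term}"
  end
  lines.join("\n") + "\n"
end

if __FILE__ == $PROGRAM_NAME
  services = parse_nmap(SAMPLE_SCAN)
  services.each do |s|
    flag = s.backported_banner? ? '  [backported banner: version is not patch level]' : ''
    puts "#{s.port}/#{s.proto} #{s.product} #{s.version}#{flag}"
  end
  puts '--- triage.rc ---'
  puts build_resource(services)
end
```

Save the second part of the output as triage.rc and start msfconsole -q -r triage.rc; a search hit is only a name match, so after use exploit/... run check before exploit, and treat a flagged CentOS or Debian banner as "unknown" rather than "old, therefore vulnerable".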

Metasploit is a great starting point for exploitation, but the strength is really in your ability to write custom modules and exploits for use. Monitoring exploitdb or bugtraq or the like to find vulnerabilities and then write custom exploits with defined payloads is where metasploit really shines for professionals. OOTB, yeah, many of the exploits are old.


Additionally, metasploit has a nice interface once you have gained access to a machine to perform post exploitation activities. In many cases the demos show an unpatched machine being compromised because they want to show something that can be done post exploitation.
