Part 1.1 - Introduction


Time
5 hours 38 minutes
Difficulty
Intermediate
CEU/CPE
6
Video Description

This video and the next provide an introduction to the Metasploit course taught by Dean Pompilio. The course is an introduction to pentesting based on the Metasploit framework from Rapid7. Dean lays out the fundamental components used in the course, where to obtain them, and how they should be configured. The components are Kali Linux, available for download from kali.org, and Metasploitable from Offensive Security.

Video Transcription
00:03
>> Hello, everyone. My name is Dean Pompilio.
00:03
We are about to embark on a Metasploit adventure.
00:03
I've got a bunch of great things I
00:03
want to show all of you.
00:03
We're going to learn a lot of different techniques,
00:03
get to see a lot of different tools,
00:03
and hopefully give you a chance to build up
00:03
your pen testing confidence in your pen
00:03
testing toolkit to the point where you feel
00:03
comfortable sitting down and going to work right away.
00:03
Where do we begin?
00:03
Metasploit. This is a Rapid7 product.
00:03
Some of you may be familiar with the company.
00:03
They also make fantastic scanners like Nexpose.
00:03
Unfortunately, Nexpose is not currently
00:03
compatible with the version of
00:03
Kali that I'm using for this course.
00:03
If I decide to run it on a separate Windows VM later,
00:03
maybe we'll compare some scan results
00:03
between Nexpose and Nessus, for instance.
00:03
In any case, Metasploit is
00:03
the penetration testing
00:03
framework that we'll be exploring.
00:03
There's a lot of different aspects to Metasploit.
00:03
As we can see, there is a free download.
00:03
This is basically the equivalent
00:03
of what you get when you install Kali Linux.
00:03
We'll cover that just here in a minute.
00:03
But the one thing that you can get by
00:03
downloading this free version
00:03
of Metasploit is the community edition,
00:03
which is a web-based interface for Metasploit.
00:03
The web-based interface is
00:03
pretty handy for a lot of different things.
00:03
We'll start out with the text-based interface,
00:03
but eventually we will work our way over to the GUI.
00:03
We'll also explore Armitage,
00:03
which is another GUI interface.
00:03
That one's actually older
00:03
than the web-based interface from my knowledge anyway.
00:03
We'll try both of those.
00:03
Then we'll also do a lot of work with the command line.
00:03
I personally prefer the command line.
00:03
I think that you can
00:03
learn the tool much better and more thoroughly.
00:03
You can also understand at a lower level how
00:03
the different actions take place within
00:03
the framework and the interaction with
00:03
the database is much more direct.
00:03
We'll start there and then work our way up to some of
00:03
the time saving features of using the GUIs.
00:03
Onto Kali.
00:03
If you'll notice, I'm at kali.org.
00:03
This is the website where you can download
00:03
your pen testing platform.
00:03
What we'll be doing here in
00:03
this next segment is going over
00:03
the basic setup to get
00:03
your penetration testing lab up and running.
00:03
There are several components
00:03
which are required in order to
00:03
make this course possible.
00:03
Well, the first thing you want to think
00:03
about is VMware Workstation.
00:03
I have Workstation 12 Pro.
00:03
I highly recommend it if you have the money
00:03
to spend on a product like this.
00:03
It's a huge time saver
00:03
if you do a lot of work with virtual machines.
00:03
I'm not sure about the exact price
00:03
because I've upgraded a few times,
00:03
but I think it's about $250-300.
00:03
Otherwise, if you don't have
00:03
the need to use Workstation Pro,
00:03
you can always go to vmware.com,
00:03
and go to their download section.
00:03
You'll notice that you have VMware player.
00:03
There it is.
00:03
VMware player is free, which is nice.
00:03
You can get this for Windows
00:03
or Linux systems as you can see.
00:03
The player really does offer
00:03
a similar amount of functionality to a workstation.
00:03
Some of the big differences are VMware player does not
00:03
allow you to capture a snapshot, for instance.
00:03
There's a couple other advanced features
00:03
that the workstation offers;
00:03
the ability to have all of
00:03
your VMs in a tabbed interface, for instance,
00:03
and just some other nice features,
00:03
being able to set up a server
00:03
for VMware clients to connect to.
00:03
We're likely going to really use two
00:03
any of those features rather for this course.
00:03
But regardless, VMware players here are available.
00:03
If you have another player that you'd like to use,
00:03
you can certainly try
00:03
to use the same VMs with that player of your choice.
00:03
If you like the Microsoft Hyper-V player
00:03
or VirtualBox from Oracle,
00:03
for instance, you might go to find
00:03
ways to get the software to work.
00:03
But the class is designed around
00:03
VMware Workstation and Kali Linux,
00:03
and they're Metasploitable.
00:03
You might be wondering what Metasploitable is.
00:03
I know I'm going to be jumping around here a little bit,
00:03
but I think you'll agree that
00:03
Metasploitable is a fantastic resource.
00:03
We can see Offensive Security offers this,
00:03
and you can download it
00:03
from a bunch of different places.
00:03
But you do have to register
00:03
with Rapid7's website in order to get Metasploitable.
00:03
What this is, is a virtual machine
00:03
which has intentional vulnerabilities.
00:03
These vulnerabilities are due to things like
00:03
lack of packaging or
00:03
using software that has known bugs that just
00:03
hasn't been removed or shut down.
00:03
There are several different ways to go about
00:03
attacking this virtual machine.
00:03
I think that if you can
00:03
grab this VM in addition to the Kali VM,
00:03
you should be able to replicate
00:03
all of the labs that we'll be doing
00:03
and the demonstrations that I'll be doing
00:03
throughout this course.
00:03
There are some basic things to think about.
00:03
For instance, let's go back to our Kali Linux.
00:03
We can download Kali Linux from the kali.org website.
00:03
You'll notice we have several different versions here.
00:03
Depending on if you have
00:03
VMware Workstation or VMware player,
00:03
you can download pre-built virtual machines
00:03
that will work with those pieces of software.
00:03
I have a little bit of trouble
00:03
with the latest version of Kali,
00:03
downloading it as a VMware image.
00:03
But in any case,
00:03
downloading the ISO image is pretty straightforward.
00:03
You simply download this,
00:03
save it to a location of your choosing,
00:03
just going to cancel that since I don't need it,
00:03
and then you simply open up the image
00:03
in your VMware player or in VMware Workstation.
00:03
Going back to workstation.
00:03
Once I have the ISO image downloaded,
00:03
I just create a new virtual machine.
00:03
This is similar if you have VMware player.
00:03
Then we just point it to
00:03
the ISO image file, wherever that is.
00:03
There's my Kali Linux ISO image.
00:03
It'll take a moment to read the file.
00:03
It tells me it cannot detect the operating system.
00:03
That's fine.
00:03
If you're using VMware player
00:03
and you want to do the same operation,
00:03
you basically go to the File menu.
00:03
There should be an option there that says Open
00:03
or New, and you do the same thing,
00:03
you point to the ISO image.
00:03
We'll click "Next".
00:03
This is a guest operating system of Linux,
00:03
Debian 6 64-bit, should do the job.
00:03
You have a lot to choose from here.
00:03
But Kali Linux is based on Debian,
00:03
and version 6 64-bit is
00:03
the setting that I use with the last version.
00:03
We'll go ahead and click "Next".
00:03
I'll call this Kali test
00:03
because I already have my Kali image,
00:03
but we're going to just step through this
00:03
a little bit so you can see what it looks like.
00:03
Onto the disk size.
00:03
The default comes up with 20 gig.
00:03
If you've got the space on your hard drive,
00:03
I recommend upping that to 30.
00:03
You can also use the buttons here if you'd like.
00:03
But 30 gig is good because if you build
00:03
a fully functional pen testing instance
00:03
of Kali and you start adding more tools,
00:03
and if I've got some databases,
00:03
once you review information,
00:03
the size can grow, it's better to just plan ahead.
00:03
I always prefer to have my disk as a single file
00:03
if you're moving VMs around.
00:03
This is a little bit more convenient,
00:03
and depending on how you partition your disk
00:03
or how you provision your disk rather,
00:03
you might have some different considerations
00:03
for how much space you'll eventually use.
00:03
I always change this to store the disk
00:03
as a single file.
00:03
We'll look at hardware.
00:03
Notice that the network setting is NAT.
00:03
This is important.
00:03
I'm at my settings for the VM right now.
00:03
If you want to keep your pen testing
00:03
VM relatively safe from the network that you're on,
00:03
you should at least be using NAT mode.
00:03
This means that I'll be sharing my IP address
00:03
to my host.
00:03
I am allowed to get out to the Internet from this VM.
00:03
But I'm just basically using different source ports
00:03
when I make connection to the outside.
00:03
If you're concerned about complete isolation
00:03
and complete privacy for doing
00:03
your pen testing work,
00:03
then you can go into host only mode.
00:03
When the VM boots, it'll get an address
00:03
that's local to your host itself
00:03
and cannot get to the outside network.
00:03
For our purposes, we're going to use
00:03
NAT because we want to be able to get to the Internet.
00:03
We want to be able to do certain things
00:03
which require Internet access.
00:03
By the way, got a great t-shirt on here.
00:03
I want to show everyone. Hope you're
00:03
having fun with the Cybrary.
00:03
I know it's a nice pleasure
00:03
to be able to contribute to the videos.
00:03
I know a lot of people really
00:03
are getting a lot of benefit from this.