Streamlined workflow in a graphical user interface

Metasploit has been created with the specific needs of a penetration tester in mind. The Metasploit workflow manager automates all penetration testing steps that security professionals would otherwise conduct manually, saving significant time, effort and expertise.

Other commercial products focus on being exploit execution platforms rather than providing focused penetration testing solutions. Metasploit is the world's first penetration testing solution that is accessible and practical for security professionals everywhere thanks to its built-in workflow manager.


Key Process Steps

  • Discover Devices: Find hosts on IPv4 and IPv6, scan for open ports, fingerprint the operating systems and services, and flag virtual hosts. Import scan data from Nexpose, Nmap and other solutions. Nexpose scans can also be initiated directly from within Metasploit.
  • Gain Access: Gain access using brute force, automated and manual exploitation, social engineering campaigns, and custom web application scanning, auditing, and exploitation.
  • Take Control: Control the device in the target environment with a command shell or Meterpreter session. Meterpreter is an advanced payload that enables penetration testers to take control of the target's screen using VNC and to upload and download files. Use proxy and VPN pivoting through a compromised target to gain access to additional targets.
  • Collect Evidence: Gather proof of access and obtain authentication credentials to go even deeper. Unlike alternative solutions, which require the user to collect evidence manually, Metasploit gathers system information, screenshots, passwords, SSH keys and files with just one button. You can further automate evidence collection with macros that run your choice of post-exploitation tools, e.g. a key logger. Additionally, you can extend the reach of Metasploit by recycling and replaying captured authentication credentials against a greater number of targets.


  • Cleanup: Close all sessions and leave compromised machines without a trace of the security test. Payloads are in-memory only and do not change the state of the machines, so they don't affect production environments or leave unintended backdoors for malicious attackers. To satisfy auditors and protect penetration testers, all activities are logged in the project activity report.
  • Reporting: Create reports to inform all stakeholders of the findings. Metasploit includes standard reports for various audiences and regulations (PCI DSS, FISMA), but reports can also be fully customized.

Metasploit can also fully automate penetration tests. While nothing can replace a manual security assessment, especially if you are expecting advanced persistent threat (APT) attacks, the increased testing possible through automation can help catch high-risk exposure early. This is increasingly important as attackers are automating their attacks to find low-hanging fruit.

For example, you could run the following tasks every weekend:

  1. Start a network discovery scan from the Metasploit console and automatically import the results. This will also discover all new, unauthorized, and BYOD devices.
  2. Try to exploit all vulnerable hosts. Collect passwords and password hashes on machines that are exploitable.
  3. Try default and guessable passwords on all hosts. Collect passwords and password hashes on machines with weak passwords.
  4. Have the report emailed to you.

In addition to the standard workflows, penetration testers can import and use custom Metasploit scripts and modules.

Seasoned penetration testers who are accustomed to the command-line interface of the Metasploit Framework but also need the automation capabilities of Metasploit Pro can use the Metasploit Pro Console. It adds advanced network discovery, automated exploitation, evidence collection, smart brute forcing, and reporting to the existing features of the Metasploit Console. Results are immediately visible through the standard web interface, allowing collaboration between team members using a mix of GUI and Console interfaces.

"The interface is super clean compared to the other applications. Metasploit Express uses a Web browser to interact with the application. It doesn't matter what OS you are used to; if you have ever surfed the Web, you can 'Point, Click, Pwn!'"

HackMiami Pwn-Off Winner, 4.5 out of 5.0 stars