Introduction

Why Do a Penetration Test?

Companies invest millions of dollars in security programs to protect critical infrastructures, identify chinks in the armor, and prevent serious data breaches. A penetration test is one of the most effective ways to identify systemic weaknesses and deficiencies in these programs. By attempting to circumvent security controls and bypass security mechanisms, a penetration tester is able to identify ways in which a hacker might be able to compromise an organization’s security and damage the organization as a whole.

As you read through this book, remember that you’re not necessarily targeting one system or multiple systems. Your goal is to show, in a safe and controlled manner, how an attacker might be able to cause serious harm to an organization and impact its ability to, among other things, generate revenue, maintain its reputation, and protect its customers.

Why Metasploit? 

Metasploit isn’t just a tool; it’s an entire framework that provides the infrastructure needed to automate mundane, routine, and complex tasks. This allows you to concentrate on the unique or specialized aspects of penetration testing and on identifying flaws within your information security program.

As you progress through the chapters in this book and establish a well-rounded methodology, you will begin to see the many ways in which Metasploit can be used in your penetration tests. Metasploit allows you to easily build attack vectors to augment its exploits, payloads, encoders, and more in order to create and execute more advanced attacks. At various points in this book we explain several third-party tools—including some written by the authors of this book—that build on the Metasploit Framework. Our goal is to get you comfortable with the Framework, show you some advanced attacks, and ensure that you can apply these techniques responsibly. We hope you enjoy reading this book as much as we enjoyed creating it. Let the fun and games begin.

A Brief History of Metasploit

Metasploit was originally developed and conceived by HD Moore while he was employed by a security firm. When HD realized that he was spending most of his time validating and sanitizing public exploit code, he began to create a flexible and maintainable framework for the creation and development of exploits. He released his first edition of the Perl-based Metasploit in October 2003 with a total of 11 exploits.

With the help of Spoonm, HD released a total rewrite of the project, Metasploit 2.0, in April 2004. This version included 19 exploits and over 27 payloads. Shortly after this release, Matt Miller (Skape) joined the Metasploit development team, and as the project gained popularity, the Metasploit Framework received heavy backing from the information security community and quickly became a necessary tool for penetration testing and exploitation.