Chapter 2
For example, here we run the tool and request the opcodes for the jmp esp
command, which nasm_shell tells us is FFE4.
root@bt:/opt/framework3/msf3/tools# ./nasm_shell.rb
nasm > jmp esp
00000000 FFE4 jmp esp
Metasploit Express and Metasploit Pro
Metasploit Express and Metasploit Pro are commercial web interfaces to
the Metasploit Framework. These utilities provide substantial automation
and make things easier for new users, while still providing full access to the
Framework. Both products also provide tools that are unavailable in the
community editions of the Framework, such as automated password brute
forcing and automated website attacks. In addition, a nice reporting backend
to Metasploit Pro can speed up one of the least popular aspects of
penetration testing: writing the report.
Are these tools worth purchasing? Only you can make that choice. The
commercial editions of Metasploit are intended for professional penetration
testers and can ease many of the more routine aspects of the job. If the
time savings from the automations in these commercial products are useful
for you, they might justify the purchase price.
Remember, however, as you automate your work, that humans are better
at identifying attack vectors than automated tools.
Wrapping Up
In this chapter, you learned some of the basics of the Metasploit Framework.
As you progress through this book, you will begin using these tools in a
much more advanced capacity. You’ll find a few different ways to accomplish
the same tasks using different tools. It will ultimately be up to you to decide
which tool best suits your needs.
Now that you have the basics under control, let’s move to the next phase
of the pen testing process: discovery.