Chapter 2

For example, here we run the tool and request the opcodes for the jmp esp
command, which nasm_shell tells us is FFE4.

root@bt:/opt/framework3/msf3/tools# ./nasm_shell.rb
nasm > jmp esp
00000000  FFE4              jmp esp
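
Why the tool prints FFE4, as an added example that is not from the book or from Metasploit: FF is a group opcode, and the second byte is a ModRM byte whose middle three bits select the operation (4 for jmp) and whose low three bits name the register (4 for esp). The helper names encode_ff, decode_ff and hex are hypothetical, and the sketch goes beyond jmp esp to the other 32-bit registers and to call, covering only the register-direct form.

```ruby
# Register numbers as they appear in the low 3 bits of a ModRM byte (32-bit mode).
REG32 = { 'eax' => 0, 'ecx' => 1, 'edx' => 2, 'ebx' => 3,
          'esp' => 4, 'ebp' => 5, 'esi' => 6, 'edi' => 7 }.freeze

# Opcode FF is shared by several instructions; ModRM bits 5..3 pick one.
# Only the two near indirect branches are modelled here: FF /2 and FF /4.
FF_GROUP = { 'call' => 2, 'jmp' => 4 }.freeze

# Build the two bytes for "<mnemonic> <reg>" with a register operand (mod = 11).
def encode_ff(mnemonic, reg)
  ext = FF_GROUP.fetch(mnemonic) { raise ArgumentError, "unsupported mnemonic: #{mnemonic}" }
  rm  = REG32.fetch(reg) { raise ArgumentError, "unknown register: #{reg}" }
  [0xFF, (0b11 << 6) | (ext << 3) | rm]
end

# Reverse direction: name the instruction for a two-byte FF sequence,
# or return nil when it is not one of the forms modelled above.
def decode_ff(bytes)
  return nil unless bytes.length == 2 && bytes[0] == 0xFF
  modrm = bytes[1]
  return nil unless (modrm >> 6) == 0b11 # memory-operand forms are out of scope
  mnemonic = FF_GROUP.key((modrm >> 3) & 7)
  return nil if mnemonic.nil?
  "#{mnemonic} #{REG32.key(modrm & 7)}"
end

# Format bytes the way nasm_shell shows them.
def hex(bytes)
  bytes.map { |b| format('%02X', b) }.join
end

if __FILE__ == $PROGRAM_NAME
  # One line per register, same layout idea as the nasm_shell output.
  REG32.each_key { |r| puts "#{hex(encode_ff('jmp', r))}  jmp #{r}" }
  puts "#{hex(encode_ff('call', 'esp'))}  call esp"
end
```
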

Metasploit Express and Metasploit Pro

Metasploit Express and Metasploit Pro are commercial web interfaces to 
the Metasploit Framework. These utilities provide substantial automation 
and make things easier for new users, while still providing full access to the 
Framework. Both products also provide tools that are unavailable in the 
community editions of the Framework, such as automated password brute 
forcing and automated website attacks. In addition, a nice reporting back-
end to Metasploit Pro can speed up one of the least popular aspects of 
penetration testing: writing the report.

Are these tools worth purchasing? Only you can make that choice. The
commercial editions of Metasploit are intended for professional penetration
testers and can ease many of the more routine aspects of the job. If the
time savings from the automations in these commercial products are useful
for you, they might justify the purchase price.

Remember, however, as you automate your work, that humans are better
at identifying attack vectors than automated tools.

Wrapping Up

In this chapter, you learned a little about the basics of the Metasploit
Framework. As you progress through this book, you will begin using these
tools in a much more advanced capacity. You’ll find a few different ways to
accomplish the same tasks using different tools. It will ultimately be up to
you to decide which tool best suits your needs.

Now that you have the basics under control, let’s move to the next phase
of the pen testing process: discovery.