(This guest blog comes to us from Louis Sanchez, a Network Systems Specialist that is employed at a Cancer Center in the North East)
In late February of this year, I was presented with the opportunity to participate in the new Metasploit Pro Specialist certification pilot. The goal of this new certification was to provide the training required to have a proficient understanding of Metasploit Pro. By providing a baseline of knowledge required to be certified, managers would be able to verify that their employees or potential employees would have the skills required to validate vulnerabilities. When I say vulnerabilities, I do not only mean vulnerabilities from a services or software version standpoint alone, but also from staff education through phishing and website coding by using a web app scanner.
When I was first introduced to pen-testing I spent almost all my time in the Metasploit Framework. I still use the framework today and find it an invaluable tool. I have been utilizing Metasploit Pro for over a year now, and it makes providing reports or automation so simple. Like many Rapid7 Metasploit Pro or any software vendor customers, I have had to call support and review some of the inner workings of Metasploit Pro from time to time. Between my framework experience and Pro experience I had a decent basic understanding of how Rapid7's Metasploit Pro worked. So, I agreed to take part in the pilot not only to learn the Metasploit Pro product, but also validate my knowledge. Sometimes it is easy to take for granted how things simply work, but after reviewing the details of how the different components communicate, I have a new found appreciation for the product. I spent several days reviewing and utilizing resources, such as the administrator guide to learn everything you could want to know about Metasploit Pro. I decided it was time to take the exam, and I passed!
After preparing for the certification exam, I learned more about utilizing tags, which has helped me become a more effective Metasploit Pro operator, as I can more meaningfully organize my targets. Also, I learned of several enhancements regarding the web application scanner, which I found to be a great step in the right direction. One of which was that now the scanner allows for URL blacklisting, this really helps prevent authenticated crawl from accidentally navigating to the log off button. Even though there have been several instances where I have been able to utilize the Metasploit Pro knowledge I gained through my certification, the one that sticks out to me is Open SSL vulnerability heartbleed. I was able to confidently utilize Metasploit Pro with its Nexpose integration to scan and prioritize remediation. As many of us know, not all vulnerabilities can be exploited and therefore it is critical to find the true risks to your organization first. I can say with confidence that taking the time to participate in the Metasploit pilot and become certified was well worth it.