The metaterpreter has more power than people give it credit for.
You could also use it to up a local version of the framework and
compile it, and then use it to access the local framework.
On 6/24/05, Chris Byrd <cbyrd01@gmail.com> wrote:
It is possible to do rudamentary pivoting using Metasploit, however it
lacks the easy point and click interface of Impact. Check out the
portfwd command in the Meterpreter network module for redirecting
ports.
http://www.metasploit.com/projects/Framework/docs/meterpreter.pdf
By the way, according to
http://cansecwest.com/core05/core05_metasploit.pdf more robust
pivoting is planned for Metasploit 3.0.
- Chris
On 6/23/05, Daniel Miessler <daniel@dmiessler.com> wrote:
On Jun 21, 2005, at 12:27 PM, securityfocus@benmansour.net wrote:
You might also want to look at the following open source project :
Metasploit
http://www.metasploit.com/
"The Metasploit Framework is an advanced open-source platform for
developing, testing, and using exploit code."
Except for the GUI, it offers comparable functionality and a broad
choice of exploits.
Actually, while I think Metasploit is an impressive framework and use
it often, it lacks a main feature that IMPACT has. Namely, IMPACT is
able to do something they call "pivoting". This allows a tester to
select an exploit in the GUI, launch it, and then upload the IMPACT
agent to the newly compromised system.
From there, you now have the same GUI from which you can re-scan and
exploit from that vantage point; rinse and repeat. In my view, this
is what sets this tool apart from the others.
Of course, this isn't a replacement for a truly skilled pentester in
complex situations, but when the network is full of three year old
vulnerabilities and you're trying to make a point to a client's
management, it's quite effective.
--
Daniel R. Miessler
M: daniel@dmiessler.com
W: http://dmiessler.com
G: 0x316BC712
