I didn't mean to offend you, it seems I incorrectly assumed that it is the task for your students to try to breach the school network.

As for a Metasploit alternative and "Kali/ParrotOS + nmap being a no-brainer" - I think you are mixing up different stages of an attack as per the Cyber Kill Chain framework. There are a lot of scripts and tooling available and they are developed to solve some specific task well.

Metasploit is mostly used for the weaponization and exploitation stages. And personally I see nothing wrong with using it to demonstrate a basic attack.

I don't think there are good open-source drop-in replacements for it, but I consider manually demonstrating the exploitation of a specific vulnerability a good option, though I am not sure if your goal is to cover some technical aspects of red team or something else.

Discussion

All good! But you were half-right; I am the student, and it is indeed my task. =) And mine alone, since I am the only blind student in the class - it's the alternative to the "physical hacking", if you will.

> Metasploit is mostly used for the weaponization and exploitation stages

Duly noted! That is what I had known about it too. But, as said, it's been a good while since I last put my eyeballs on it. Last time I had brought it up - here on Nostr, no less - I was told that it was "outdated". o.o

The stated goal of this assignment is to:

- Find any kind of data that a mere student shouldn't be able to find.

Granted, I _am_ allowed to utilize the full arsenal of my knowledge in Linux, networking and therein. So the goal given to me in particular is to:

- Find any kind of attack vector that would allow exfiltration of data that I shouldn't be able to get.

The class is about stuff like the GDPR and friends - and since the handling of private/sensitive data also includes securing it, this is where I come into play. Simply said, I am supposed to pentest our school and see how much damage I can do by just hooking up my laptop to their LAN.

Assume this rather generic scenario: Dude walks in and masquerades as a student, plugs into a LAN outlet (there's more than enough of those around) and starts to "do stuff". I am supposed to do that stuff, and this is why I am looking into prepping.

Thank you for the pointers and insights, I will keep those in mind! :)

If you've got more, I'd be more than happy to have 'em =)