App Assessment the Metasploit Way

Presented at DEF CON 17 (2009), Aug. 1, 2009, 5:30 p.m. (30 minutes)

Metasploit has made life easy for penetration testers the world over but what most people don't know is how useful it is for application assessments. If you think of Metasploit as a large collection of APIs waiting to be put to work then Metasploit becomes a powerful tool for reverse engineering, blackbox and fuzzer development, and creation of the PoC. This talk wil highlight real examples of how Metasploit doesn't just help you to exploit vulnerabilities, it helps to find them. Examples of Metasploit in action will include creating a web proxy that can do rewriting of content on the fly, testing a DCE/RPC service, and reverse engineering a new file format. All of these examples will be done using nothing more than Metasploit and a basic knowledge of Ruby.


  • David Maynor
    David Maynor is a Senior Researcher, SecureWorks. He was formerly a research engineer with the ISS Xforce R&D team where his primary responsibilities include reverse engineering high risk applications, researching new evasion techniques for security tools, and researching new threats before they become widespread.


Similar Presentations: