SMFE (SecurityTube Metasploit Framework Expert)

the_hutch

Has anyone taken this exam? I've almost finished working through the entire publicly available course, and am trying to decide if I should take the exam. Has anyone here ever taken it? I know its hands-on, but I haven't been able to find any information on how difficult it is...

the_Grinch

Be the first!

cgrimaldo

What do you mean by publicly available course? Do you mean free content available on their site? Forgive my ignorance...

dmoore44

cgrimaldo wrote: »

What do you mean by publicly available course? Do you mean free content available on their site? Forgive my ignorance...

Correct - there's an Intro to Metasploit series - i've watched a few and they're pretty well done.

Hutch, if you decide to go for it, let us know your thoughts. I'd be interested in hearing about it.

And as an aside... does anyone outside the TechExams know anything about the SecurityTube certs? I'm still trying to determine if they're worthwhile...

gabypr

The material and the certification sounds very interesting. Im planing maybe after i finish my masters enroll on the class and try the exam. I like also the Offensive Security materials and certifications. With these two trainings a person should have a complete overview of security and pen testing.

If you take the course and exam let us know. Im interested.

the_Grinch

As far as the certs go, right now they would be fairly unknown. But if I were to put my money on it, they will become like OSCP is. The right people know what OSCP is and when they see it you are good to go.

YuckTheFankees

I watched all of the metasploit videos over the last week, pretty good material. I don't know if I would ever take the exam, I rather put the $250 towards another 30 days in the OSCP lab .

the_Grinch

If he covers creating exploits in Metasploit, I would pay for the certification because they is a soon to be hot skill to have.

the_hutch

the_Grinch wrote: »

If he covers creating exploits in Metasploit, I would pay for the certification because they is a soon to be hot skill to have.

I agree with this. This is really the only cert out there for metasploit. As far as notoriety, securitytube is more well known in the international community, and unfortunately just not as mainstream in the states.

YuckTheFankees

Vikem (I probably spelled his name wrong, sorry!) did mention that he's coming out with an exploit development certification sometime in the future, I'm excited for that!

the_hutch

YuckTheFankees wrote: »

Vikem (I probably spelled his name wrong, sorry!) did mention that he's coming out with an exploit development certification sometime in the future, I'm excited for that!

That's kinda what SPSE is....

YuckTheFankees

Ahhh, the course may have a little exploit development but I'm referring to a whole course dedicated to exploit development..

the_Grinch

I'd like to see him come out with an Metasploit Exploit Development certification. Python is great for an initial proof of concept, but a lot of companies like a Metasploit exploit so it can be run quickly. Plus, the companies that pay for exploits like that as well!

the_hutch

the_Grinch wrote: »

I'd like to see him come out with an Metasploit Exploit Development certification. Python is great for an initial proof of concept, but a lot of companies like a Metasploit exploit so it can be run quickly. Plus, the companies that pay for exploits like that as well!

I completely agree. You work in any real world pen testing environment, you are going to rely heavily on metasploit. This is honestly why I think OSCP should allow you to use it. I understand that prohibiting the use of metasploit contributes to the impressiveness of the certification. But at the same time, its not real world. Any pentester is going to have metasploit in their toolkit, regardless of whether you can complete objectives without. Its just more streamlined.

the_hutch

YuckTheFankees wrote: »

Ahhh, the course may have a little exploit development but I'm referring to a whole course dedicated to exploit development..

Its not just a little bit of exploit development, once you get past the two introduction modules, that's mostly all it is. Sniffers, traffic injectors, fuzzers, SQL injectors, cross-site scripting tools, etc... SPSE is about as close to an exploitation development course as you can get (with a few extra exercises on the development of security tools). The only way it could really be more general is if it covered exploitation development across multiple languages. Which sounds like a cool idea in theory, but doesn't seem realistic to me. Exploit development across multiple languages seems way too broad of scope for a single certification.

YuckTheFankees

We might have two different definitions of exploit development. To me, the type of exploit development course I am looking for will deal with buffer overflows, heap overflows, format string attacks dealing with DEP, bypassing ASLR, etc....The student would have to understand assembly, C/C++, and usually a scripting language (python).

JDMurray

It sounds like you guys are talking about discovering exploitable vulnerabilities versus developing code to exploit known vulnerabilities. The latter is far more interesting.

the_hutch

YuckTheFankees wrote: »

We might have two different definitions of exploit development. To me, the type of exploit development course I am looking for will deal with buffer overflows, heap overflows, format string attacks dealing with DEP, bypassing ASLR, etc....The student would have to understand assembly, C/C++, and usually a scripting language (python).

Yeah, I think JD underlined it pretty well. I guess you're talking more along the lines of target specific exploit code. That would be actually be a pretty killer course. However, something that I don't think I'd be nearly prepared to take at this time.

YuckTheFankees

After your view of the SPSE course, I bought it. lol

the_Grinch

I think OSEE would probably be what you are looking for in the realm of exploit development. In regards to Metasploit, I understand why they ban it's use. Years ago, with just some a couple of Google searches and a couple of hours I was able to setup the automated exploitation. This was prior to Backtrack and specifically Fasttrack being out. But yes in the real world you would definitely use it to nail some low hanging fruit and ultimately if you can develop for it, it is nice to be able to hand your team new exploits as you discover them.

the_hutch

YuckTheFankees wrote: »

After your view of the SPSE course, I bought it. lol

I think you'll like it. I've been pretty happy with it so far.

the_hutch

the_Grinch wrote: »

I think OSEE would probably be what you are looking for in the realm of exploit development. In regards to Metasploit, I understand why they ban it's use. Years ago, with just some a couple of Google searches and a couple of hours I was able to setup the automated exploitation. This was prior to Backtrack and specifically Fasttrack being out. But yes in the real world you would definitely use it to nail some low hanging fruit and ultimately if you can develop for it, it is nice to be able to hand your team new exploits as you discover them.

I think OSEE would be awesome. But I don't really see myself doing it anytime in the near future, just because there is no online version.

the_Grinch

Yeah I am wondering if they will do any online version at some point. My guess is they won't, but I guess you never know!

I2Secure

the official course is you have to purchase but the free ware is also much same in premiun u ll learn much things

the_hutch

I2Secure wrote: »

the official course is you have to purchase but the free ware is also much same in premiun u ll learn much things

What did you just say? To clarify...all of Vivek's courses (with the exception of SPSE) have videos that are openly available. Actually purchases the course will give you access to additional forums, access to labs (usually at an additional cost), and the test and certification. And you do have to purchase the course to take the exam. You cannot just purchase the test (I already asked).

Jinverar

After watching the first two modules of the SPSE, I also bought into the Metasploit Expert course. I am just waiting for the go ahead email. It's going to be a challenge to try both at once for the Fall time. Plus handling all the ladies who love IT Security guys. I am very good with metasploit as it is. I showed a few people up during the Sans 504 Capture the flag events. I managed to capture all flags. I relied heavily on armitage during that. I already know i'm going to love this course. Probebly more than the SPSE.

The SPSE was ticking me off a bit because the forum seems to be hard to navigate though the modules on the forum side of the house. Basically you have to navigate your own file stucture and the instructors. Not sure if the metesploit expert is the same....

the_hutch

agreed...the forums are terrible. I logged into them once, and haven't gotten on since. I pretty much use outside resources for any questions I've had

Jinverar

Has anyone done the exam for the metasploit framework expert certification? I just got the mock exam pictures...It's fun to know when and what your next hack will be. It seems like a fully hands on practical exam using metsploit to break into multiple routers and servers.


The feeling is excitment knowing you have more computers to penetrate and the goal is exploitation. Is that why Lukes father joined the dark side? Is that why IT Security is so sexy? Pretty sure you just post these pictures up in your living room and invite a girl over. Then let Security Tube do the rest haha. I will test that out on the weekend.

JayTheCracker

interesting.....

can show us some screen shots??

Jinverar

Registered in taking the exam on 8th january 2013....Can I get any advice from people who have taken it?

chrisone

Metasploit cert? sounds interesting. Those courses seem good! I will definitely check those out.