created: Apr 04, 2010

Since Metasploit is so dynamic and still changing frequently, with full-time employees working on it, it is best to sync a local file tree to the latest code branch when you plan to use it. You can use the /usr/ports/security/metasploit port, but you will find it lags far behind the latest SVN tree.

Anyways, we need to install subversion to download the Metasploit Framework.

  1. # cd /usr/ports/devel/subversion
  2. # make install clean distclean

Now make room for Metasploit and download the tree.

  1. $ mkdir ~/.msf3
  2. $ cd ~/.msf3
  3. $ svn co https://www.metasploit.com/svn/framework3/trunk framework

Finally, drag in Ruby and a few supporting modules.

  1. # cd /usr/ports/databases/rubygem-activerecord
  2. # make install clean distclean
  3. # cd /usr/ports/devel/ruby-rreadline
  4. # make install


created: Mar 29, 2010

First, install the necessary dependencies:

  1. $ sudo apt-get install ruby subversion libyaml-ruby libzlib-ruby libopenssl-ruby libreadline-ruby libiconv-ruby rubygems

Technically, to use the GUI you need to install libgtk2-ruby and libglade2-ruby, but the GUI is now deprecated and will no longer be developed or updated. I encourage you to forget about using it.

It is great to have a database backend to keep data from session to session. A simple sqlite3 backend will do for most, but if you need more robustness and performance, MySQL and Postgres are available to you. Simply install the database server and the supporting Ruby library for that specific database server (pick one of the following):

  • $ sudo apt-get install sqlite3 libsqlite3-ruby
  • $ sudo apt-get install mysql-server libmysql-ruby
  • $ sudo apt-get install postgresql libpgsql-ruby

Now sync the Metasploit subversion tree into a directory of your choice.

  1. $ mkdir ~/.msf3
  2. $ cd ~/.msf3
  3. $ svn co https://www.metasploit.com/svn/framework3/trunk framework

You should now have the latest and greatest Metasploit tree. From now on, you can simply run svn update inside the ~/.msf3/framework directory (or wherever else you synced the svn tree to) and it will pull the latest changes from the repository into your existing Metasploit installation.

  1. $ cd ~/.msf3/framework
  2. $ svn update


created: Aug 12, 2009

Oftentimes, administrators and default installations of various DNS servers (on all platforms) leave the DNS server susceptible to zone transfers. This means the DNS server will allow anyone to download a dump of all the DNS records it serves for a specific domain. This can obviously pose a moderate to high security risk (but can be disabled on the server quite easily).

The information gained from a successful zone transfer can be very helpful to an attacker gathering intelligence, and can ultimately expose the addresses of a huge number of hosts that administrators might not want the public (internet) to know about (and that no one planned to be exposed to internet traffic!).

For example, I have seen zone transfers that listed multiple development servers that were freely accessible, exposing security flaws due to incomplete code. Development boxes are also a good candidate to look for files with incorrect permissions to gain even more information out of the host.

Also, bear in mind the situation where someone gets their hands on a decent sized transfer. Thousands of hosts belonging to a single domain can be easily gleaned in seconds. I think it is also neat how you can quickly read over most zone transfers and easily pick out the devices that belong to the core infrastructure and even addresses of important services used in the domain (due to the verbosity some administrators use in coming up with a hostname).

I wrote a small Perl tool, dig-shovel, to automate the process of finding the list of nameservers for a domain, attempting a domain transfer from each, and finally parsing the addresses contained in the zone transfer into something easily readable and exportable. The tool I wrote can be directly downloaded from this site with this link (right-click, Save As...) or click through to this post to get the details on dig-shovel.
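The parsing step described above, as an added example that is not dig-shovel and not part of the original post: it reads the text that `dig @<ns> axfr <zone>` prints, decides whether the server actually handed over the zone (dig brackets a complete transfer with the SOA record at both ends), and sorts the A records into RFC 1918 and other address space so an administrator auditing their own nameservers can see at a glance which internal hosts the zone would leak. The two dig transcripts are constructed for the example (example.test is a reserved name and 192.0.2.0/24 is documentation address space); nothing here sends a query.

```python
"""Parse `dig @<ns> axfr <zone>` output and show what an open zone
transfer exposes.

Added example for this post; it is not the dig-shovel tool and does not
query any server. The two dig transcripts below are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed: a successful transfer as dig prints it. Comment lines begin
# with ';'; each record line is name, TTL, class, type, rdata.
OPEN_TRANSFER = """\
; <<>> DiG 9.x <<>> @ns1.example.test axfr example.test
;; global options: +cmd
example.test.      3600  IN  SOA  ns1.example.test. hostmaster.example.test. 2009072301 7200 3600 1209600 3600
example.test.      3600  IN  NS   ns1.example.test.
example.test.      3600  IN  NS   ns2.example.test.
ns1.example.test.  3600  IN  A    192.0.2.1
ns2.example.test.  3600  IN  A    192.0.2.2
www.example.test.  3600  IN  A    192.0.2.10
dev-web01.example.test. 3600 IN A 10.10.5.21
core-rtr1.example.test. 3600 IN A 10.10.0.1
vpn.example.test.  3600  IN  A    192.0.2.30
mail.example.test. 3600  IN  MX   10 mx1.example.test.
example.test.      3600  IN  SOA  ns1.example.test. hostmaster.example.test. 2009072301 7200 3600 1209600 3600
;; Query time: 4 msec
"""

# Constructed: what dig prints when the server refuses AXFR.
REFUSED_TRANSFER = """\
; <<>> DiG 9.x <<>> @ns1.example.test axfr example.test
;; global options: +cmd
; Transfer failed.
"""

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

# RFC 1918 space: hosts here should never appear in a zone served to the
# internet, so they are the first thing to look for in a transfer.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_axfr(output):
    """Return (transferred, records).

    transferred is True only when dig printed a complete zone, which it
    brackets with the SOA record at both ends; records is a list of
    (name, type, rdata) tuples in zone order, trailing dots stripped."""
    records = []
    for line in output.splitlines():
        if not line or line.startswith(";"):
            continue  # dig comments, including "; Transfer failed."
        m = RECORD_RE.match(line)
        if m:
            name, _ttl, rtype, rdata = m.groups()
            records.append((name.rstrip("."), rtype, rdata.strip()))
    soa_count = sum(1 for _, rtype, _ in records if rtype == "SOA")
    return soa_count >= 2, records


def summarize(records):
    """Split the zone's A records into internal (RFC 1918) and other
    addresses so an administrator can see which internal hosts leak."""
    summary = defaultdict(list)
    for name, rtype, rdata in records:
        if rtype != "A":
            continue
        addr = ipaddress.ip_address(rdata)
        bucket = "internal" if any(addr in net for net in RFC1918) else "other"
        summary[bucket].append((name, rdata))
    return dict(summary)


def audit(output):
    """One-call check for a transcript: did the server hand over the zone,
    and how many internal hosts did that reveal?"""
    transferred, records = parse_axfr(output)
    internal = summarize(records).get("internal", []) if transferred else []
    return {"transferred": transferred, "records": len(records), "internal_hosts": len(internal)}


if __name__ == "__main__":
    for label, text in (("open", OPEN_TRANSFER), ("refused", REFUSED_TRANSFER)):
        print(label, audit(text))
    for bucket, hosts in summarize(parse_axfr(OPEN_TRANSFER)[1]).items():
        print(bucket, hosts)
```

Run it against a transcript saved from your own nameservers; a `transferred: True` result with internal hosts listed is exactly the exposure the post describes. On BIND the fix is to restrict `allow-transfer` in named.conf to the addresses of your secondary servers (or `{ none; };` on a server with no secondaries), and the same audit run afterwards should report `transferred: False`.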



created: Jul 23, 2009

On occasion, I like to get my hands dirty with SQL injection (learning in a controlled environment, of course). If you have ever read about or done SQL injection, you often have to convert text into various other forms to either make the HTTP request happy or avoid one of the server's sanitize methods.

The following are a few that I find useful to have a tool for. Feel free to let me know your ideas on new features and options. I will try to add more as I find the need!
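As an added example that is not the author's conversion tool: the three encoders below produce the forms the post refers to (fully percent-encoded text, a MySQL hex string literal, and a CHAR() list, the latter two needing no quote characters), and canonicalize() reverses all of them. The point for the defender is the pairing at the end: a check that looks only at the raw request field misses an encoded quote, while the same check run after canonicalization sees what the database would see. Sample inputs are constructed.

```python
"""Encodings seen in SQL injection attempts, and the decoder a filter or
log-review rule needs so it inspects what the database would actually see.

Added example for this post; it is not the author's tool. The sample
inputs are constructed.
"""
import re
from urllib.parse import unquote


def to_url(text):
    """Percent-encode every byte, not just reserved ones: ' -> %27."""
    return "".join(f"%{b:02X}" for b in text.encode("utf-8"))


def to_hex_literal(text):
    """MySQL hex string literal, which needs no quote characters."""
    return "0x" + text.encode("utf-8").hex().upper()


def to_char_call(text):
    """CHAR() call that also avoids quotes: admin -> CHAR(97,100,...)."""
    return "CHAR(" + ",".join(str(b) for b in text.encode("utf-8")) + ")"


HEX_RE = re.compile(r"0x(?:[0-9A-Fa-f]{2})+\b")
CHAR_RE = re.compile(r"CHAR\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)", re.IGNORECASE)


def canonicalize(value, max_rounds=5):
    """Peel off layered percent-encoding (bounded, so %2525... cannot
    loop forever), then expand hex and CHAR() literals back to text."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = HEX_RE.sub(lambda m: bytes.fromhex(m.group(0)[2:]).decode("utf-8", "replace"), value)
    value = CHAR_RE.sub(lambda m: bytes(int(n) for n in m.group(1).split(",")).decode("utf-8", "replace"), value)
    return value


def suspicious(value):
    """Minimal detection rule for a field that should hold a plain
    identifier: a quote, a comment marker or a statement separator."""
    return any(token in value for token in ("'", "--", ";"))


def suspicious_after_decoding(value):
    """The same rule applied after canonicalize(), which is what a
    request-log review or WAF rule should do."""
    return suspicious(canonicalize(value))


if __name__ == "__main__":
    payload = "' OR 1=1"  # constructed sample
    for form in (to_url(payload), to_hex_literal("admin"), to_char_call("admin")):
        print(form, "->", canonicalize(form))
    print("raw check:", suspicious(to_url(payload)), "decoded check:", suspicious_after_decoding(to_url(payload)))
```

The decoding step only makes detection honest; it does not make string-built queries safe. Parameterized queries remove the question of how the text was encoded altogether, and the canonicalized form is then useful mainly for alerting on what was attempted.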