Join us for in-depth talks, exclusive networking, and world-class training at Security Awareness Summit Dec 1-4!


SEC580: Metasploit Kung Fu for Enterprise Pen Testing

 Watch a free preview of this course

Course Syllabus  ·  12.0 CPEs  ·   Lab Requirements
Access Period: 4 months  ·  Price: 2,800 USD  ·  Instructor: Jeff McJunkin

Many enterprises today face regulatory or compliance requirements that mandate regular penetration testing and vulnerability assessments. Commercial tools and services for performing such tests can be expensive. While really solid free tools such as Metasploit are available, many testers do not understand the comprehensive feature sets of these tools and how to apply them in a professional-grade testing methodology. Metasploit was designed to help testers confirm vulnerabilities using an open-source and easy-to-use framework. This course will help students get the most out of this free tool.

SEC580 will show students how to apply the incredible capabilities of the Metasploit Framework in a comprehensive penetration testing and vulnerability assessment regimen, and according to a thorough methodology for performing effective tests. Students who complete the course will have a firm understanding of how Metasploit can fit into their penetration testing and day-to-day assessment activities. The course will provide an in-depth understanding of the Metasploit Framework far beyond simply showing attendees how to exploit a remote system. The class will cover exploitation, post-exploitation reconnaissance, anti-virus evasion, spear-phishing attacks, and the rich feature set of the Meterpreter, a customized shell environment specially created to exploit and analyze security flaws.

The course will also cover many of the pitfalls that a tester may encounter when using the Metasploit Framework and how to avoid or work around them, making tests more efficient and safe.

Course Content Overlap Notice:

There is a small amount of overlap between SEC580 and two other SANS courses, SEC504 and SEC560, as these other courses now cover Metasploit as a topic. However, they do not dive deep into its capabilities. Before noon on Day 1, SEC580 will have already surpassed the level of Metasploit knowledge and use covered in the other courses.

Course Syllabus

SEC580 is a hands-on class with many labs. Please review the laptop requirements before attending class!


Day 1 is designed to help attendees master the most heavily used exploitation framework on the planet and see how they can wield it effectively in professional penetration testing. We analyze some of the most powerful and yet often overlooked capabilities of the Metasploit Framework, using numerous exercises that make this one of the most hands-on courses ever developed by SANS.

On this first course day you will go from zero to exploit and beyond faster than you ever thought possible. For example, after this class day you will understand the Ruby foundations of Metasploit and how interacting with these underpinnings will greatly optimize and enhance your testing activities. Further, you will understand how far you can extend your exploitation activities through the effective use of some of the late-breaking features of the amazing Meterpreter. Finally, have you ever wondered how you can compromise an entire domain from simple Windows system access? After this day you will know exactly how to achieve this kind of result. After all, shell is only the beginning.

  • Guided Overview of Metasploit's Architecture and Components
  • Deep Dive into the Msfconsole Interface, including Logging and Session Manipulation
  • Careful and Effective Exploitation
  • The Ultimate Payload: The Metasploit Meterpreter In-Depth
  • Metasploit's Integration into a Professional Testing Methodology
  • Automation with Meterpreter Scripts to Achieve More in Less Time with Consistency
  • It's Not All Exploits - Using Metasploit as a Recon Tool
  • Using Auxiliary Modules to Enhance your Testing
  • Ultra-Stealthy Techniques for Bypassing Anti-Virus Tools
  • Client-Side Attacks - Using One-Liners instead of Executables
  • Port and Vulnerability Scanning with Metasploit, Including Integration with Nmap, Nessus, and Qualys
  • Capturing SMB Credentials and Metasploit's awesome PowerShell integration

SEC580 is a hands-on course with many labs. Please review the laptop requirements before attending!


On this second course day we build upon the deep foundations of day 1 to see how Metasploit can be used within a penetration tester's ecosystem of tools and techniques to attack systems in new and creative ways. We'll analyze the activities of the most effective bad guys to see how they target enterprises via complex and often non-traditional attack vectors so that we can model their behaviors in our penetration testing processes. Client-side attacks launched via email, phishing, and document payload attacks are currently some of the most heavily used attack vectors. The bad guys use these techniques because they almost always work. The course shows penetration testers how to wield such attacks with the goal of determining the business implications of vulnerabilities, all with the goal of improving the target organization's security stance.

  • Merciless Pivoting: Routing Through Exploited Systems
  • Exposing Metasploit's Routing Using SOCKS Proxies
  • Privilege Escalation Attacks
  • Metasploit Integration with Other Tools
  • Making the Most of Windows Payloads
  • Advanced Pillaging - Gathering Useful Data from Compromised Machines
  • Evading Countermeasures to Mimic Sophisticated Attackers
  • Scripting Up the Meterpreter to Customize Your Own Attacks
  • Persisting Inside an Environment
  • Carefully Examining Your Attack's Forensic Artifacts
  • Integration with CrackMapExec, a Stand-alone Testing Tool

Additional Information

Important! Bring your own system configured according to these instructions!

We ask that you do 5 things to prepare prior to class start. This early preparation will allow you to get the most out of your training. One of those five steps is ensuring that you bring a properly configured system to class. This document details the required system hardware and software configuration for your class. You can also watch a series of short videos on these topics at the following web link

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

Host Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below. It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices. Those who use a Linux host must also be able to access exFAT partitions using the appropriate kernel or FUSE modules.

You also must have 8 GB of RAM or higher for the two virtual machines to function properly in the class.

It is critical that your CPU and operating system support 64-bit instructions so that our 64-bit guest virtual machine will run on your laptop.

In addition to having 64-bit capable hardware, AMD-V, Intel VT-x, or the equivalent must be enabled in BIOS/UEFI.

Download and install either VMware Workstation Pro 15.5.x, VMware Player 15.5.x or Fusion 11.5.x or higher versions before class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.

Other virtualization software, such as VirtualBox and Hyper-V, are not appropriate because of compatibility and troubleshooting problems you might encounter during class.

VMware Workstation Pro and VMware Player on Windows 10 is not compatible with Windows 10 Credential Guard and Device Guard technologies. Please disable these capabilities for the duration of the class, if they're enabled on your system, by following instructions in this document.


  • CPU: 64-bit 2.0+ GHz processor or higher-based system is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
  • BIOS/UEFI: VT-x, AMD-V, or the equivalent must be enabled in the BIOS/UEFI
  • RAM: 8 GB (gigabytes) of RAM or higher is mandatory for this class (Important - Please Read: 8 GB of RAM or higher is mandatory)
  • Wireless Ethernet 802.11 B/G/N/AC
  • USB Type-A Port
  • Disk: 60 Gigabytes of free disk space
  • Latest version of Windows 10, macOS 10.15.x or later, or Linux
  • VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+

Both Windows and Linux virtual machines will be provided in class.

Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

If you have additional questions about the laptop specifications, please contact

  • IT Security Engineers
  • Penetration Testers
  • Security Consultants
  • Vulnerability Assessment Personnel
  • Vulnerability Management Personnel
  • Network Security Analysts
  • Auditors
  • General Security Engineers
  • Security Researchers
  • Custom distribution of the Linux SANS Slingshot Linux virtual machine containing Metasploit and other tools, additional PowerShell modules, and a custom exploit module
  • Custom Windows 10 Professional virtual machine containing vulnerable software, post-exploitation targets, and additional software and information for pillaging
  • Step-by-step lab instructions that you can use anywhere, anytime
  • MP3 audio files of the complete course lecture

Author Statement

"Metasploit is the most popular free exploitation tool available today. It is in widespread use by penetration testers, vulnerability assessment personnel, auditors, and real-world threat actors. However, most of its users rely on and understand only about 10 percent of its functionality, not realizing the immensely useful other features that Metasploit offers. This course will enable students to master the 10 percent they currently rely on (applying it in a more comprehensive and safe manner), while unlocking the other 90 percent of features they can then apply to make their tests more effective. By attending this course, students will learn how to make a free tool achieve the power of many much more costly commercial tools."

- Jeff McJunkin

Additional Resources

Take your learning beyond the classroom. Explore our site network for additional resources related to this course's subject matter.

Price Options
2,800 USD