Shortly following the confirmation of a new exploit, I often see that it is quickly added to the Metasploit Framework....
What does that mean? Is it a sign that an exploit is particularly dangerous or just very common?
Ask the expert
SearchSecurity expert Michael Cobb is ready to answer your application security questions -- submit them now! (All questions are anonymous.)
New vulnerabilities, particularly zero-days, often hit the headlines with quite a fanfare describing the damage that an attacker could cause should they exploit it. When a new exploit is made public, there's a race between administrators and hackers to find networks and systems that are vulnerable -- with administrators hoping to mitigate the vulnerability before hackers can exploit it.
Unfortunately, there's no way for an enterprise to immediately review, assess and deal with every new threat that emerges on its own. It's hard enough for overstretched security teams to quickly determine whether any new vulnerability exists within their networks and if it can actually be exploited. Knowing which vulnerabilities to remediate immediately vs. which are low-risk and can be dealt with at a later date is very important; otherwise time can be wasted reconfiguring a firewall, changing intrusion detection defenses or installing patches to protect against a vulnerability that has already been mitigated or can't actually be exploited due to existing defenses or system configurations.
This is where a tool like the open source Metasploit Framework, an incredibly powerful penetration testing toolkit, comes in handy. It allows a security team to simulate an attack against its network, using the same methods as an outside attacker would, to test existing enterprise defenses and see if potential vulnerabilities can actually be exploited -- and therefore pose a real threat to the network and corporate data.
Metasploit is the tool of choice for many security teams because its large user base actively updates it with new exploit modules, often within hours or days of when they become public. This allows security teams to test if a large number of potential vulnerabilities exist on their systems. Software vulnerability advisories often are issued along with proof-of-concept exploit code and a Metasploit exploit module to help administrators determine risk to their network. It is important to note, however, that just because an exploit module is made available on Metasploit doesn't necessary mean that the exploit is particularly dangerous or common -- but it is often the case.
Metasploit can also be used to verify whether a newly installed patch actually works. Though typically a vulnerability scanner checks to see if a patch for a known vulnerability is installed, it doesn't actually test whether it has genuinely fixed the problem based on the operating system and application versions running and permission settings.
Attackers can obviously abuse Metasploit's auditing and testing features to attack systems that have not yet been secured. But for those administrators serious about strengthening their defenses, Metasploit is an excellent tool to help prioritize and focus attention where it matters most.
Related Q&A from Michael Cobb
Expert Michael Cobb explains how an HTTP referer header affects user privacy and outlines changes that can be made to ensure sensitive data is not ...continue reading
Expert Michael Cobb explains the difference between the REESSE3+ and IDEA block ciphers and explores when each is applicable in an enterprise setting.continue reading
While cookies are critical to delivering personalized Web content, they are a privacy concern. Learn how adding Bloom filters to cookies can help ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.