This article can also be found in the Premium Editorial Download "Information Security magazine: Seven Outstanding Security Pros in 2012."
Download it now to read this article plus other related content.
Is there such a thing as a security tool that’s too effective? Sounds silly. You’d probably never hear of a firewall being called too effective or an encryption algorithm as being too un-crackable. However, some have, over the years accused the Metasploit penetration testing framework of being that: too fast at publishing exploits and too good at taking advantage of vulnerabilities in the networks it’s used against.
One recent example of why Metasploit raises concern involved a Java zero-day vulnerability that surfaced in August and affected millions of users of common Web browsers—Internet Explorer, Mozilla, Firefox, Safari on Windows, Linux, as well as Mac OS X systems. Attacks on the flaw made it possible to compromise at-risk systems. And, before Oracle released a patch for the flaw, publicly available exploit code was added to the Metasploit framework.
Such tools can be used to both help security pros and system owners strengthen and test their security, but they can also be used by criminals to break into vulnerable systems. This “dual-use” capability of Metasploit has made it controversial at times, and such tools have even been outlawed in some nations. One of the biggest concerns often cited is that when exploits are released, attackers can put them to use quicker than organizations can patch their dozens, or even tens of thousands, of systems.
Metasploit review: help or hindrance?
Not surprisingly, HD Moore, the creator of Metasploit, one of the founders and current chief architect of the initiative, and chief security officer at Boston-based security vendor Rapid7, has a much different view. Metasploit is maintained by Rapid7, which acquired the framework in 2009.
“Metasploit, like other dual-use security tools, is great at raising awareness and providing defenders with a way to measure their risk,” Moore says. “The availability of clean exploits to the public at large has helped level the playing field against criminals.” Additionally, Moore points out that nearly every recent client-side exploit (those found in Internet Explorer, Adobe Flash, Java, etc.) placed into Metasploit was discovered first in the wild, and then ported from that live sample into a clean version for the toolset.
Not everyone agrees with Moore’s assertion that Metasploit “helps to level the playing field.” “While it’s correct to say that individual organizations can reduce their own risk with tools like Metasploit, in the aggregate everyone’s risk is increased significantly,” argued Pete Lindstrom, research director at security research firm Spire Security. “The attackers can hit long before most organizations have time to patch.”
In-the-field practitioners and software vulnerability researchers, however, take a different view of Metasploit’s applicability. “You can’t be a car mechanic and fix an engine without tools. And you can’t be a penetration tester and fix bad system security without evaluating the security of those systems. If tools like Metasploit were not available, the bad guys would be writing their own tools anyway. That would leave the good guys unarmed,” says David Litchfield, chief security architect at Denver, Colo.-based security firm Accuvant Labs.
Marcus Ranum, chief of security at Columbia, Md.-based Tenable Network Security, says there are no easy answers when it comes to Metasploit.
“To properly answer the question whether Metasploit increases or decreases risk would take a matter days, and I’m not sure we’d get to a conclusive answer,” he says. “If you had asked me this question a few years ago, I would had of answered that Metasploit absolutely increases risk. It basically encourages weaponizing. It’s as if we are a people who are living in glass houses and it’s weaponizing stone throwers. It’s just not a good idea,” Ranum says.
“But I’ve come to realize that the relationship is more complex than that. It’s more of a co-evolutionary process,” he adds. “Tools like Metasploit do make it easier for people to exploit stuff, which then puts pressure on system owners to harden them. It may force an immune response from the community that you would not probably get otherwise.”
Metasploit review: pushing boundaries
Few security tools spark such diverse opinions. And that may be why few are more famous, or infamous, than Metasploit. Developed roughly a decade ago (2003), the toolset became the open source platform for developing software security exploits. Eventually, Metasploit grew to become a large community-based open source effort. According to Moore, on a typical month there are about 65,000 unique downloads of the Metasploit installer, with more than 170,000 additional unique IP addresses updating their Metasploit software. In the past year, more than one million unique downloaders have accessed the Metasploit update server. Today, it is one of the most recognizable tools used by security professionals to exploit vulnerable systems. Metasploit also contains tools used to thwart computer forensic investigations and to conduct attacks while evading intrusion detection systems.
A decade ago software vulnerability research was much more controversial than it is today. Most major software vendors were more defensive when it came to researchers identifying flaws in their code. Many—if they didn’t try to legally squash the voice of the researcher, or deny the flaw existed—would downplay the seriousness of the flaw. For these reasons, many in the software research community argued that tools such as Metasploit were necessary to demonstrate a vulnerability was real and that it was exploitable.
“Such tools were absolutely necessary for penetration testers to demonstrate that IT systems were vulnerable to attack,” says Shawn Moyer, practice manager at Accuvant Labs. “It played an important role then, and it still does today, at helping organizations to identify and reduce risk.”
At the time he created Metasploit, Moore was head of a penetration testing team, responsible for maintaining the team’s approved set of tools for customer engagements. “Exploit code in particular was hard to maintain, buggy, and often required major changes to adapt to a particular assessment,” he says. “The primary goal was to replace an in-house collection of exploits with a single tool that had a consistent user interface and was easier to maintain.”
Many contend that the ease of use provided by Metasploit has lowered the barriers to entry for the skills necessary to successfully conduct attacks. That’s the concept behind Joshua Corman’s theoretical, “HD Moore’s Law,” which states, “Casual attacker power grows at the rate of Metasploit.” Corman is the director of security intelligence at Akamai Technologies.
“That is exactly right. A tool like Metasploit really becomes the low bar, because anybody can download it; anybody can use it. It’s reasonably functional and getting even more so,” says Mike Rothman, an analyst and president at Phoenix-based IT security research firm Securosis. “If your company’s defense can’t protect from a fairly simplistic Metasploit attack, or from any open, well proliferated tools, it’s going to be a long day in the office when you are attacked. In that respect, Metasploit has helped to raise the bar in terms of where defenses are for the people that care and actually use it to test their program. I also think it’s made it easier for a lot of bad people to ultimately launch successful attacks.”
Metasploit's risk impact
The question remains whether, on balance, Metasploit has improved or reduced risk. “I honestly don’t think we know enough about the overlap of all of these mechanisms,” says Ranum, when considering the increased ease and availability of attack tools vs. the actions administrators take to secure and harden their systems when exploits and attacks surface.
The discussion over whether such tools increase or decrease risk harks back to the full vulnerability disclosure debate. Such arguments over the dangers of publicly available exploit code are not academic, as the attacks against unpatched versions of Java 7 this summer reminded everyone. This kind of attack activity has been going on for some time. In 2003, the SQL Slammer worm hit 75,000 systems and was based largely on a proof of concept (for which a patch was available) that exploited a buffer overflow developed and presented at the Black Hat conference by Litchfield. Today, Litchfield says the incident changed his perspective on vulnerability disclosure.
“When SQL Slammer appeared, it shook my academic bubble. I no longer viewed this work as merely an intellectual pursuit. Disclosure has real-world impact, and lives could even be at risk,” he says. “This isn’t a binary issue. It’s more octal. We need to conduct research, but have to consider the impact of our actions.”
Almost paradoxically, some see Metasploit and tools like it, as a possible defense against such attacks. “Once the exploit, virus or worm surfaces, the existence of these attacks means the existence of Metasploit isn’t as dangerous as it could be, because we are already working to protect from these attacks. Conversely, the existence of Metasploit also means these attacks aren’t as dangerous. Both sides of this equation are interfering with us in a way that’s unpleasant, but perhaps it beats the alternative of these attacks coming out of the blue more often,” Ranum says.
A pound of prevention
Some governments don’t view the issue objectively. A number have striven to outlaw the publication of exploits, malware and security research tools. For instance, the Japanese government recently passed a law that criminalized the creation and dissemination of certain types of computer malware. In 2007, Germany passed a law that outlawed computer exploits and “hacking tools.”
In the U.S., similar laws have made little headway, although attempts to control security tools have surfaced. For instance, following a series of worm outbreaks, software developer Tom Liston created an application dubbed LaBrea that trapped attacking worms and hackers. He temporarily pulled the tool’s availability after an Illinois law made it illegal to create a device that was capable of disrupting communication services without the authorization of the service provider. Other laws, such as the Digital Millennium Copyright Act (DMCA) of 1998 and a number of state variants have cooled security research over the years.
Many believe such laws have the reverse impact of their intention to improve safety. “The countries that have the harshest regulations for security tools have actually seen a marked decrease in overall security awareness and innovation,” Moore argues.
Still, few would expect the call for such laws to wane any time soon. With the recent attention on cyberwar, the idea of software exploits and hacking tools as weapons of war is increasing. As such, there is a greater call for tools to be banned or regulated by international treaties. Some argue those treaties will be of little value; that hacking tools are too easy to create and hide. Late last year, members of the Shanghai Cooperation Organization, which include China, Russia, Kazakhstan, Kyrgyzstan and others proposed the International Code of Conduct for Information Security, but was rejected by the U.S. over free speech concerns.
“Banning cyberweapons entirely is a good goal, but almost certainly unachievable,” wrote Bruce Schneier, IT security author and chief security technology officer at BT, in a U.S. News & World Report essay. “More likely are treaties that stipulate a no-first-use policy, outlaw un-aimed or broadly targeted weapons, and mandate weapons that self-destruct at the end of hostilities. Treaties that restrict tactics and limit stockpiles could be a next step. ... Yes, enforcement will be difficult. Remember how easy it was to hide a chemical weapons facility? Hiding a cyberweapons facility will be even easier.”
However, such talk around restricting security research, hacking and attack tools will do little to directly protect the typical enterprise, which is also engaged in a smaller arms race of its own. In fact, enterprises may be much better off using tools like Metasploit to protect their own environments.
“There will always be thoughts around trying to secure infrastructure by controlling access to information and these tools,” Rothman says. “Consider the vulnerability scanners SATAN, Nmap or Nessus. Look back through information security history and there are always new tools that enabled attackers and defenders to do things better and faster. You can’t stop progress.”
As part of that progress, Metasploit is about to turn 10. Are we more secure as a result? The best answer may not be a simple yes or no, but rather: If we want to be.
George V. Hulme writes about IT security from his home in Minneapolis. Send comments on this feature to email@example.com
This was first published in October 2012