This article can also be found in the Premium Editorial Download "Information Security magazine: CISO survival guide: 18 of the best security tips."
The payloads range from simply binding a reverse shell to injecting DLLs (such as a VNC server) into the target's memory space to uploading and executing scripts or apps on the target. As if this weren't enough, there are also tools for building your own exploits, such as developing a NOP sled to exploit a buffer overflow. Building new exploits is essentially writing code, so you'll need Ruby development skills (some C experience wouldn't hurt either). This shouldn't be a problem, since almost all of Metasploit's target audience will have some ability in this area or work with someone who does.
Exploits can be delivered either directly to the target host, or via a chain of proxies, which are nice for obfuscating attacks. Additionally, various browser hijacking routines will let you load malicious ActiveX controls (either your own or some that are bundled with Metasploit) to vulnerable Internet Explorer versions. One way or another, you will be able to gain a foothold in a vulnerable system and leverage it for greater access. Determining whether or not an exploit succeeds depends on the payload chosen. For example, if you elect to bind a shell, Metasploit will open a console session and connect back to the host via the specified port number.
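The NOP sled mentioned above is also one of the oldest detection handles defenders have: a long run of single-byte filler instructions in front of a payload is easy to spot in traffic or in a captured buffer. The following is an added example, not code from the article or from Metasploit, that implements that classic IDS-style check over a byte buffer. The set of "sled" bytes and the sample HTTP request are constructed for illustration; real signatures use broader byte sets, and the example's own output shows the caveat that a sled built from any mix of such bytes is still caught only when those bytes are in the set.

```python
"""Detect NOP-sled-like runs in a byte buffer (defensive, constructed example)."""

# Bytes commonly used as single-byte x86 sled filler. 0x90 is the classic NOP;
# 0x41-0x4f (inc/dec register) are frequent substitutes. Constructed, illustrative
# set: a production signature would be much wider.
SLED_BYTES = {0x90} | set(range(0x41, 0x50))

# Constructed sample: a short HTTP request followed by a 64-byte 0x90 sled and
# eight 0xCC bytes standing in for the payload (int3, not a real payload).
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.0\r\n"
    + b"\x90" * 64
    + b"\xcc" * 8
    + b"\r\n"
)


def find_sleds(data: bytes, min_len: int = 32) -> list[tuple[int, int]]:
    """Return (offset, length) for every run of sled bytes at least min_len long.

    Short runs are ignored because ordinary ASCII such as "GE" or "HH" also
    falls inside the sled byte set; the threshold is what keeps the check useful.
    """
    findings: list[tuple[int, int]] = []
    start = None
    for i, b in enumerate(data):
        if b in SLED_BYTES:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                findings.append((start, i - start))
            start = None
    # A run that reaches the end of the buffer still counts.
    if start is not None and len(data) - start >= min_len:
        findings.append((start, len(data) - start))
    return findings


def describe(data: bytes, min_len: int = 32) -> list[str]:
    """Human-readable report lines for each detected sled."""
    return [
        f"sled-like run at offset {off}, {length} bytes"
        for off, length in find_sleds(data, min_len)
    ]


if __name__ == "__main__":
    for line in describe(SAMPLE_REQUEST):
        print(line)
```

Running the block prints one finding at offset 26 (right after the request headers). The threshold matters in both directions: set it too low and plain text trips the check, set it too high and a short sled slips past, which is why such rules are tuned per protocol rather than applied globally.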
Metasploit can continually update itself with the latest exploits and payloads developed by its sizable user community. Even if you don't possess the deep programming knowledge to make full use of its exploit development
Metasploit isn't a shrinkwrap port scan or vulnerability assessment tool for the casual user. It's best to think of the product as a development environment akin to Visual Studio, but with a laser focus on developing usable exploit code. It is a serious pen tester's delight, but it's also the sort of tool that gives security officers nightmares, reinforcing the need for aggressive patching, layered defense and encryption of data at rest.
Testing methodology: We installed the Metasploit Framework console on Windows XP SP2 and SUSE Linux 9.3 hosts with no hitches and used both platforms to successfully exploit vulnerable versions of Windows, Red Hat, SUSE and Fedora hosts.
This was first published in July 2007