Legend has it that when security researcher H.D. Moore found himself unable to afford commercial exploits or penetration testing software, he started an open source project to create those tools. Nearly three years later, the Metasploit Project produces the Metasploit Framework (MSF). By number of sheer downloads, it's the most popular penetration testing platform around. In version 3.0, Metasploit is changing its code base (from Perl...
to Ruby) and, most controversially, changing its license.
The Metasploit Project and the MSF penetration platform were started in the summer of 2003 by H.D. Moore, a founder of risk assessment firm Digital Defense Inc. Moore (who insists his given first name is 'H') says he bootstrapped Metasploit to the tune of about $5,000, and two to four hours per night of coding for the last two and a half years. The project is a response to what Moore calls a dried-up well of affordable exploits. While vulnerability information is freely distributed by researchers (we've noted before that security researchers use vulnerability publication as an effective guerrilla marketing method), until Metasploit, exploits were increasingly commercial, proprietary code. Moore says that companies and independent researchers unable to afford commercial penetration testing platforms and, more important, their exploits, were hard-pressed to compete.
Many of the exploits to date have been written by the project's four core developers. Two of them, Moore and researcher Matt Miller of Skape fame, currently lead development.
The Metasploit Project is, now, a limited liability company in Texas, which owns copyrights to all of its developers' code, trademarks and domain names. From version 3.0, the product will be shipped under a proprietary license. It will still be open source in the sense that users are given the entire source code and granted the right to modify, distribute the original version (with any modifications separated) and share without limitation. However, neither Metasploit nor any module may be sold for more than distribution cost or released as its own product.
Moore says he was attempting to walk a line between true open source, where sales are kosher, and proprietary licenses similar to those of Tenable and Sourcefire, which he considered to be fraught with community peril because of issues like charging for the latest updates or closing the source. To avoid individuals or companies taking the source code, rebranding and selling it under another name – making some modifications and selling or distributing it as 'Bob's Metasploit,' for example – the new license was created. When the LLC was formed in early 2006, the core developers signed over their copyrights to it, and were immediately granted full licenses to develop the technology they contributed. Moore says he crafted the first draft of MSF's new license, then had an Austin-based attorney (who charged about $1,000) rip it apart and make it sensible. After that, the fledgling Hacker Foundation (a Stanford, California-based nonprofit organization) contributed legal resources to complete the new license draft.
All versions of MSF (see Technology, below) run on Linux, Unix and Macintosh, and under Windows using Cygwin. The download is currently about 2.5 MB, and the product is free and includes full source code regardless of license. It should be noted that Metasploit downloads run heavily in favor of Windows -- to be precise, in the month of July 2006, 41,000 people downloaded the Windows edition of MSF v 2.6, while 4,900 downloaded the Unix/Linux edition.
With open source projects such as this one, distinguishing actual users from the merely curious is very difficult, but one good method is to count as users those signed up to receive online updates. As of July 2006, that number was 48,000.
MSF v2.6 was written in Perl with components written in C, Assembler and Python. As of version 3.0, it is written in Ruby. Both flavors have command line and Web interfaces.
There are several key differences between Metasploit and its commercial counterparts. For starters, no attempt has yet been made to provide scanning or reconnaissance capabilities – though typing a command in a Metasploit terminal that Metasploit doesn't recognize drops the user down to the equivalent of a bash shell, allowing users to call other programs, like nmap, at will. In version 3.0, scanner output will then be wrapped and saved locally within Metasploit's local database. In the current version, exploits run one at a time, so running concurrent exploits requires running concurrent instantiations of MSF.
Meterpreter clients (which run on Perl in v. 2.6 and on Ruby in v. 3.0) offer basic communications, packet transmission and management to the libraries, and the ability to interact with the registry and file system, command execution and other functionality. Users may, for example, read all the processes in memory on exploited host. In v.3.0, a Ruby script interface is available, allowing users to drop to a programming prompt at any time. Listing and copying files from that, one can script utilities -- Moore says he's made one to copy the hard drive from a remote system.
As we said, the competition here is in reverse: when a company commits to bringing pen testing in house, at some point there's a meeting where someone says, 'Well, why should we buy [insert product name], when Metasploit does all this free?' There are, of course, many legitimate answers to that question, having to do with quality control, frequency of updates, predictability and (again) quality control of exploits, warranty, user interface, documentation, support and other factors. But the question is, without a doubt, asked.
So, rival products would include Core Security's Impact, Immunity's Canvas, Saint Corporation's Saintexploit, and commercially available exploits from companies like Gleg and Argeniss. To an extent, Metasploit competes as well with open source fuzzers like eFuzz, Fuzz, FileFuzz, Spike, Spikefile, notSpikefile, Mangle and others (that target formats and protocols) and commercial fuzzers and/or testing appliances like Mu Security's Mu-4000 Security Analyzer, Beyond Security Ltd's beStorm, ProtoVer Professional test suite from Gleg and products from Codenomicon and from HD Moore's daytime employer, BreakingPoint Systems (currently just emerging from stealth, but planning the release of a product tester involving fuzzing, protocol analysis and a bit more; stay tuned).
Web application pen testing comes from SPI Dynamics, Watchfire, Cenzic, Protegrity (Kavado), Acunetix and WhiteHat Security.
The Metasploit Project provides useful information to penetration testers, IDS signature developers and exploit researchers. The Metasploit Framework is a free platform for developing, testing and using exploit code. Seeing as how it's free, it's difficult to assess MSF in terms of competition. However, MSF is a rival to all the non-free products out there for pen-testing and commercial exploits.
Metasploit is innovative technology that we believe will stay true to its open source roots despite the license change. As such, it will be perennially underfunded, short on development resources and behind the curve in terms of regularly produced and quality-tested exploits.
It's probably true that every customer of Immunity's Canvas, and most customers of Core Impact, own and run a copy or six of Metasploit, and that's great. We're more encouraged that the project can claim about 50,000 users, and that most are getting the Windows version. This is reason to believe that Moore and his team are accomplishing their goal: creating a useful and free platform that newbie and expert security researchers alike can use to learn more about vulnerabilities and exploits.
Nick Selby is a Boston-based analyst covering enterprise security for The 451 Group.
Editor's note: This article was changed to correct a SearchSecurity.com copyediting error. Version 3.0 of Metasploit is based on Ruby, not Ruby on Rails.