Metasploit: A penetration testing tool you shouldn't be without

Have you ever wondered how you can execute the ever so vague "arbitrary code" that Microsoft lists in its vulnerability descriptions to see if your systems are really vulnerable? Maybe you've wanted to dig deeper into the higher-level flaws found by vulnerability assessment tools such as Nessus and QualysGuard? Perhaps you're in the business of ethical hacking and performing penetration tests against your own (or your customer's) computer systems? If any of these apply to you, there's a powerful security testing tool that you can't miss.

I'm talking about the Metasploit Framework. It's not new -- in fact, it has been around for a couple of years. However, it has recently started to pick up traction and command attention from information security professionals and software developers alike. Many of us are realizing that Metasploit is an indispensable tool that provides a solution to some vexing information security issues from exploit conception to execution.

Interestingly, the Metasploit Framework started out as a portable network game (don't ask me). Recently, it has evolved into a formidable tool for performing security vulnerability research, developing exploit code and (the really cool part) automating the process of exploiting vulnerable software. Its well-written documentation is only 34 pages long -- quite surprising for a tool of this caliber. Most white hat security professionals don't have the patience, time and often the expertise to code their own exploits. In addition, many of us want to take our testing to the next level or streamline our methodologies to make things easier. Every now and then developers and security experts come together and provide a great solution to fill in the gaps. The Metasploit Framework does just that.

Metasploit is similar to the commercial penetration testing products -- CANVAS by Immunity Inc. and CORE IMPACT by Core Security Technology -- with one big difference: It's open source, so ...

[IMAGE]
Figure 1 – The Metasploit Framework console interface

Msfconsole is where you select and customize various exploits and payloads based on the system you're testing. Metasploit also has a command line interface (msfcli) and even a built-in Web server (msfweb) for those who want to use the tool via a happy-clicky GUI Web browser. Based on where your test system is located, you can run exploits either inside or outside a firewall, which can be very beneficial. Adding to its testing flexibility, Metasploit allows you to send various attack payloads (code that runs on the exploited system) depending on the specific exploits you run.

Currently, a half-dozen or so exploits in Metasploit exploit Windows-specific vulnerabilities. However, there are many others that apply to software that runs on Windows such as Exchange, SQL Server, IIS, BackupExec, BlackICE and AOL Instant Messenger -- quite likely software that's running on your network. Metasploit isn't just for Windows shops either -- there are exploits for practically every popular operating system platform.

Metasploit is a powerful tool that can be abused if it's in the wrong hands -- but that's an age-old problem that we have little control over in a free society. If you use it in an ethical fashion, the way it was intended, you can prove that idle vulnerabilities are indeed exploitable. And, there's hardly any better way to get the attention of management or those administering the system than a problem that really does exist. It's hard for anyone to argue against hard evidence (via a few telling screen captures) showing how easily a system can be owned or taken down.

This is just the tip of the Metasploit Framework iceberg from a penetration perspective. In a future tip, I'll outline how you can use its testing capabilities in some real-world scenarios.

About the author: Kevin Beaver is an independent information security consultant, author and speaker with Atlanta-based Principle Logic LLC. He has more than 17 years of experience in IT and specializes in performing information security assessments. Beaver has written five books, including Hacking For Dummies (John Wiley & Sons, Inc.), the brand new Hacking Wireless Networks For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach Publications). He can be reached at kbeaver@principlelogic.com.

This tip orginally appeared on SearchWindowsSecurity.com

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Application and Platform Security,   Enterprise Vulnerability Management,   Vulnerability Risk Assessment,   Security Testing and Ethical Hacking,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Vulnerability Risk Assessment What patch management metrics does Project Quant use? Screencast: How to launch an OpenVAS scan Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat Newest malware threats Are Web application penetration tests still important? PCI compliance requirement 6: Systems and applications Cybercrime and threat management Vulnerability Risk Assessment Research Security Testing and Ethical Hacking H.D. Moore speaks about Metasploit Project deal, Release 3.3 Could Metasploit popularity erode? Metasploit Project acquired by vulnerability management firm Rapid7 Should management processes change based on a patch release schedule? Does an EULA make it truly illegal to decompile software? Screencast: BackTrack 4 offers an arsenal of penetration testing tools Security testing firm uncovers XML vulnerabilities Screencast: Samurai offers pen-testing nirvana The requirements needed to make an external penetration test legal McAfee to acquire Solidcore Systems for whitelisting RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary gray hat  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.