
When to use the service features of the Metasploit hacking tool

In this expert response, Michael Cobb explains why offloading resource-intensive penetration testing tasks to Metasploit may be an attractive option.

I heard that the Metasploit hacking tool is going to be delivered as a service. Is it smart for security folks, however, to send over their critical data to an outside provider?

The Metasploit hacking tool, or the Metasploit Framework to give it its correct title, is an open source vulnerability development framework for developing, testing and executing exploit code against a remote machine. It's a sub-project of the Metasploit Project, which aims to provide information about security vulnerabilities, as well as resources for aiding in penetration testing and IDS signature development.

One of the reasons Metasploit is the tool of choice for so many is that it has a big user base that actively updates it. It's not unknown for software vulnerability advisories to be accompanied by a third-party Metasploit exploit module that highlights the exploitability, risk and remediation steps of that particular bug. Exploit code is a necessary evil for penetration testers, IDS signature developers and network administrators wanting to verify an installed patch actually works.

To improve on the current feature set, Metasploit intends to add service-based features, such as a password cracker and the opcode (operation code) database. Certain exploits, such as buffer overflows, usually require precise knowledge of the position of certain machine language opcodes in the program or library being attacked. These added services from Metasploit will allow an exploit developer to test their code against multiple versions of a piece of software when only one version of the software is available.

Your question is whether you want to share any of your information with an outside provider. Critical data should only be shared with a third party if you are satisfied with their service-level agreement (SLA) and are confident the provider will deliver on it. Additionally, certain data you process may be covered by various regulatory and compliance rules restricting how, where and to whom data can be sent. The people behind Metasploit have said they may require registration and telephone confirmation to prevent abuse of the new services, but the framework is an open source project, and they are unlikely to offer an SLA.

Like similar commercial exploitation tools, such as Core Impact and Canvas, Metasploit is provided solely for legal security research and testing purposes, but it can just as easily be used by malicious hackers as by genuine researchers. You may feel more comfortable with a commercial relationship, but if no sensitive data is involved, then offloading resource-intensive penetration testing tasks to Metasploit looks to be an attractive option.

This was last published in July 2009
