Information Security

Defending the digital infrastructure


Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Metasploit Framework 3.0 Product Review

In this product review, learn everything about the Metasploit Framework 3.0, a penetration testing tool for Linux and Windows platforms.


Metasploit Framework 3.0

Metasploit LLC
Price: Free

The Metasploit Framework is a platform for developing, testing and executing exploit code for all popular Unix, Linux and Windows platforms; it's an essential tool for the serious penetration tester or security professional. The latest release only serves to further cement its formidable capabilities.

Installation is a breeze: download the appropriate package (Windows or Linux) and execute. The Meta-sploit Framework can either be used via the familiar and capable console interface or the much improved Web interface. For a free product, it contains surprisingly good documentation for users and developers, so it's fairly easy to get productive quickly.

Metasploit has a searchable database of more than 180 exploits, targeting multiple processor architectures and operating systems, with more than 70 payloads that can be delivered to exploitable systems. Using the product is ridiculously simple: select the exploit via the Web or console GUI, specify target, payload and options, and run the exploit. It really is as easy as "point, click, own."

The payloads range from simply binding a reverse shell to injecting DLLs (like a VNC server) into the target's memory space to uploading and executing scripts or apps on the target. As if this isn't enough, there are also tools for building your own exploits, such as developing a NOOP sled to exploit a buffer overflow. Building new exploits is essentially writing code, so you'll need to have Ruby development skills (some C experience wouldn't hurt either). This shouldn't be a problem, since almost all of Metasploit's target audience will have some ability in this area or work with someone who does.

Exploits can be delivered either directly to the target host, or via a chain of proxies, which are nice for obfuscating attacks. Additionally, various browser hijacking routines will let you load malicious ActiveX controls (either your own or some that are bundled with Metasploit) to vulnerable Internet Explorer versions. One way or another, you will be able to gain a foothold in a vulnerable system and leverage it for greater access. Determining whether or not an exploit succeeds depends on the payload chosen. For example, if you elect to bind a shell, Metasploit will open a console session and connect back to the host via the specified port number.

Metasploit can continually update itself with the latest exploits and payloads developed by its sizable user community. Even if you don't possess the deep programming knowledge to make full use of its exploit development capabilities, you'll benefit from the work of others and stay current as new exploits come online and old ones are addressed by patches.

Metasploit isn't a shrinkwrap port scan or vulnerability assessment tool for the casual user. It's best to think of the product as a development environment akin to Visual Studio, but with a laser focus on developing usable exploit code. It is a serious pen tester's delight, but it's also the sort of tool that gives security officers nightmares, reinforcing the need for aggressive patching, layered defense and encryption of data at rest.

Metasploit Framework is a mandatory tool for every security professional. This brief overview offers a glimpse of its capabilities.

Testing methodology: We installed the Metasploit Framework console on a Windows XP SP2 and SUSE Linux 9.3 hosts with no hitches and used both platforms to successfully exploit vulnerable versions of Windows, Red Hat, SUSE and Fedora hosts.

Article 9 of 14
This was last published in July 2007

Dig Deeper on Information security policies, procedures and guidelines

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

Get More Information Security

Access to all of our back issues View All