Published: 01 Jul 2007
Metasploit Framework 3.0
REVIEWED BY PETER GIANNACOPOULOS
The Metasploit Framework is a platform for developing, testing and executing exploit code for all popular Unix, Linux and Windows platforms; it's an essential tool for the serious penetration tester or security professional. The latest release only serves to further cement its formidable capabilities.
Installation is a breeze: download the appropriate package (Windows or Linux) and execute. The Metasploit Framework can be used either via the familiar and capable console interface or via the much improved Web interface. For a free product, it contains surprisingly good documentation for users and developers, so it's fairly easy to get productive quickly.
Metasploit has a searchable database of more than 180 exploits, targeting multiple processor architectures and operating systems, with more than 70 payloads that can be delivered to exploitable systems. Using the product is ridiculously simple: select the exploit via the Web or console GUI, specify target, payload and options, and run the exploit. It really is as easy as "point, click, own."
The payloads range from simply binding a reverse shell to injecting DLLs (such as a VNC server) into the target's memory space to uploading and executing scripts or apps on the target. As if this weren't enough, there are also tools for building your own exploits, such as generating a NOP sled to exploit a buffer overflow. Building new exploits is essentially writing code, so you'll need Ruby development skills (some C experience wouldn't hurt either). This shouldn't be a problem, since almost all of Metasploit's target audience will have some ability in this area or work with someone who does.
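As an added example (not from the review or from the Metasploit project), here is the defender's side of the NOP sled just mentioned: an IDS-style heuristic in Ruby that flags long runs of sled-filler bytes in a captured buffer. The filler byte set, the run threshold and the sample buffers are assumptions constructed for this example.

```ruby
# Added example, not Metasploit code: flag candidate NOP sleds in a byte buffer.
# A NOP sled is a long run of "do nothing" instructions placed before shellcode
# so that an imprecise return-address overwrite still lands somewhere on it.
# Network and host sensors detect sleds by looking for unusually long runs of
# such bytes, which almost never occur in legitimate protocol traffic.

# Single-byte x86 instructions commonly used as sled filler (assumed set for
# this example). 0x90 is NOP; 0x41..0x43 are inc ecx/edx/ebx, harmless
# register operations that may be substituted to dodge a plain 0x90 signature.
SLED_BYTES = [0x90, 0x41, 0x42, 0x43].freeze

# Minimum run length before a run is reported. Real sleds are usually much
# longer; a lower threshold trades false positives for recall.
DEFAULT_MIN_RUN = 32

# Returns an array of { offset:, length: } hashes, one per qualifying run.
def find_nop_sleds(data, min_run: DEFAULT_MIN_RUN, sled_bytes: SLED_BYTES)
  sleds = []
  run_start = nil
  data.each_byte.with_index do |b, i|
    if sled_bytes.include?(b)
      run_start ||= i              # start or continue a run
    else
      if run_start && i - run_start >= min_run
        sleds << { offset: run_start, length: i - run_start }
      end
      run_start = nil
    end
  end
  # A run that extends to the end of the buffer still counts.
  if run_start && data.bytesize - run_start >= min_run
    sleds << { offset: run_start, length: data.bytesize - run_start }
  end
  sleds
end

# Constructed samples: ordinary HTTP text, and a buffer with 10 bytes of
# padding followed by a 64-byte mixed sled (40 x NOP, then 6 x "inc,inc,inc,NOP")
# and two trailing 0xCC bytes standing in for whatever follows the sled.
BENIGN  = ("GET /index.html HTTP/1.0\r\n" * 4).b
SUSPECT = ("X" * 10 + "\x90" * 40 + "\x41\x42\x43\x90" * 6 + "\xcc\xcc").b

if __FILE__ == $0
  puts "benign:  #{find_nop_sleds(BENIGN).inspect}"   # []
  puts "suspect: #{find_nop_sleds(SUSPECT).inspect}"  # [{:offset=>10, :length=>64}]
end
```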
Exploits can be delivered either directly to the target host, or via a chain of proxies, which are nice for obfuscating attacks. Additionally, various browser hijacking routines will let you load malicious ActiveX controls (either your own or some that are bundled with Metasploit) to vulnerable Internet Explorer versions. One way or another, you will be able to gain a foothold in a vulnerable system and leverage it for greater access. Determining whether or not an exploit succeeds depends on the payload chosen. For example, if you elect to bind a shell, Metasploit will open a console session and connect back to the host via the specified port number.
Metasploit can continually update itself with the latest exploits and payloads developed by its sizable user community. Even if you don't possess the deep programming knowledge to make full use of its exploit development capabilities, you'll benefit from the work of others and stay current as new exploits come online and old ones are addressed by patches.
Metasploit isn't a shrink-wrapped port scanner or vulnerability assessment tool for the casual user. It's best to think of the product as a development environment akin to Visual Studio, but with a laser focus on developing usable exploit code. It is a serious pen tester's delight, but it's also the sort of tool that gives security officers nightmares, reinforcing the need for aggressive patching, layered defense and encryption of data at rest.
Testing methodology: We installed the Metasploit Framework console on Windows XP SP2 and SUSE Linux 9.3 hosts with no hitches and used both platforms to successfully exploit vulnerable versions of Windows, Red Hat, SUSE and Fedora hosts.