
Metasploit 3.0

March 28, 2007

This article was contributed by Jake Edge.

The Metasploit Framework, a popular open source framework for penetration testing and security tool development, has just released version 3.0, which brings many new features. The framework has been completely rewritten since version 2, moving from Perl to Ruby in the process. In many ways, Metasploit 3 seeks to be the Swiss army knife of network vulnerability research and testing, providing a wealth of tools for security researchers.

At its core, Metasploit provides a means to launch an exploit against a particular host, execute a payload there, and provide a shell that communicates with that payload. The exploits shipped with the framework target known vulnerabilities in various operating systems and the software running on them; the payloads are different ways of obtaining a shell on the exploited machine. Keeping the two separate lets users probe hosts for susceptibility to known attacks and combine each attack with different ways of getting a shell (for instance, having the target connect back out to the attacker rather than listening for an inbound connection) in an attempt to avoid firewall and intrusion detection rules. In addition, Metasploit makes it easy to add new payloads and exploits, so a researcher can develop or work with entirely new vulnerabilities using the familiar framework interface.
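The exploit/payload separation described above, as an added example in Ruby (the language Metasploit 3 is written in). This is illustration code, not Metasploit's own: the `Payload`, `Firewall`, `ToyExploit` and `usable_payloads` names, the tagged string standing in for shellcode, and the firewall policy are all constructed here. It shows why the same exploit is paired with a reverse (connect-back) payload when a firewall blocks inbound connections and with a bind payload only when a listening port would be reachable.

```ruby
# Added example, not Metasploit code. Models how a framework keeps the
# exploit (delivery) separate from the payload (how the shell is reached),
# and how that choice interacts with a firewall in front of the target.
# All names and the "firewall" policy below are constructed for illustration.

# A payload knows the bytes the exploit must deliver and how the resulting
# shell will be reached afterwards: :bind means the target listens and the
# attacker connects in; :reverse means the target connects out to the attacker.
Payload = Struct.new(:name, :direction, :port) do
  # Constructed stand-in for real shellcode: a tagged string that the toy
  # exploit embeds in its request verbatim.
  def generate
    "#{name}|#{direction}|#{port}"
  end
end

# Constructed stateful firewall: any outbound connection from the target is
# allowed, inbound connections only to ports on the allow list.
class Firewall
  def initialize(inbound_allowed)
    @inbound_allowed = inbound_allowed
  end

  def permits?(direction, port)
    case direction
    when :outbound then true
    when :inbound  then @inbound_allowed.include?(port)
    else false
    end
  end
end

# The exploit only delivers *some* payload; it neither knows nor cares which
# kind of shell comes back. That is the separation the framework provides.
class ToyExploit
  def initialize(payload)
    @payload = payload
  end

  # Returns the request that would be sent to the vulnerable service.
  def build_request
    "EXPLOIT\0" + @payload.generate
  end
end

# Given a firewall policy, select the candidate payloads whose shell could
# actually be reached: a bind shell needs an inbound connection through the
# firewall, a reverse shell only needs the target to connect outbound.
def usable_payloads(candidates, firewall)
  candidates.select do |p|
    direction = p.direction == :bind ? :inbound : :outbound
    firewall.permits?(direction, p.port)
  end
end

CANDIDATES = [
  Payload.new("bind_tcp",    :bind,    4444),
  Payload.new("bind_tcp",    :bind,    80),
  Payload.new("reverse_tcp", :reverse, 4444),
]

if __FILE__ == $0
  fw = Firewall.new([80]) # only port 80 reachable from outside
  usable_payloads(CANDIDATES, fw).each do |p|
    puts "#{p.name}/#{p.port}: #{ToyExploit.new(p).build_request.inspect}"
  end
end
```

With only port 80 reachable from outside, the bind shell on 4444 is rejected while the bind shell on 80 and the reverse shell survive; with no inbound ports allowed, only the reverse shell remains, which is the situation the paragraph above has in mind.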

Once Metasploit has connected to an exploited system, an irb (interactive Ruby) shell within the framework can be used to script access to any process on the remote system that the exploited process can reach. Because it provides a means to read and write the memory of those processes, credentials such as passwords could be grabbed, or processes could be backdoored in various ways. Another interesting feature allows an attacker to route Metasploit traffic through a compromised host, reaching networks behind it and potentially bypassing firewalls and routers. This is just a small sample of the tools provided; it is a very potent toolkit.
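The routing-through-a-compromised-host idea in the paragraph above, as an added example in Ruby. This is not Metasploit's own routing code: the `PivotTable` class and its method names are constructed here, and a "session" is represented only by an integer id. It shows the decision the framework has to make for every new connection: given the target address, is there a registered route through an existing session, and if several routes match, which is the most specific?

```ruby
# Added example, not Metasploit code. A toy pivot table: subnets that are
# only reachable from a compromised host are registered against the session
# id that runs there, and new connections are either made directly or
# relayed through that session. Names are constructed for illustration.
require 'ipaddr'

class PivotTable
  Route = Struct.new(:subnet, :session_id)

  def initialize
    @routes = []
  end

  # Register that addresses within +cidr+ are reachable via +session_id+.
  # Overlapping routes are allowed; lookup picks the most specific one.
  def add_route(cidr, session_id)
    @routes << Route.new(IPAddr.new(cidr), session_id)
    self
  end

  # Remove a route by its exact subnet (address and prefix length).
  def remove_route(cidr)
    net = IPAddr.new(cidr)
    @routes.reject! { |r| r.subnet == net && r.subnet.prefix == net.prefix }
    self
  end

  # Longest-prefix match: among routes containing +ip+, the one with the
  # longest prefix wins. Returns the session id, or nil when the address
  # should be reached directly from the attacker's machine.
  def session_for(ip)
    addr = IPAddr.new(ip)
    best = @routes.select { |r| r.subnet.include?(addr) }
                  .max_by { |r| r.subnet.prefix }
    best && best.session_id
  end

  # Human-readable description of how a connection to +ip+ would be made.
  def describe(ip)
    sid = session_for(ip)
    sid ? "#{ip} via session #{sid}" : "#{ip} direct"
  end
end

if __FILE__ == $0
  # Constructed scenario: session 1 sits on a host with a foot in 10.0.0.0/8;
  # session 2 was obtained from a host deeper inside, in 10.10.0.0/16.
  table = PivotTable.new
  table.add_route("10.0.0.0/8", 1).add_route("10.10.0.0/16", 2)
  %w[10.10.5.5 10.20.5.5 192.168.1.1].each { |ip| puts table.describe(ip) }
end
```

Because lookups are longest-prefix, a route added later for a more specific subnet takes over traffic for that subnet without disturbing the broader route, and removing it falls back to the broader one; addresses with no matching route are still connected to directly, which is also the behaviour a practitioner should double-check before assuming a scan is going through the pivot.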

There are two main interfaces to Metasploit: a console interface and an AJAX-enabled web interface driven by Ruby on Rails. Both provide tab-completion of commands and arguments and are convenient to use. The web interface, however, feels rather sluggish even when running on the local machine; it is mostly provided for demonstrations of the tool. There is also a command-line interface that can be used from scripts and the like, but the console is the main workhorse.

The release comes with both a user guide and a developer guide, and both are quite readable and useful. The developer guide lays out the rationale behind the switch to Ruby, which makes for an interesting read. It notes that Windows compatibility was one of the major reasons for the switch, which makes it rather surprising that deficiencies in either Ruby for Windows or Windows itself leave some features (the entire console interface, for instance) usable only on Linux or other UNIX systems.

Metasploit was already an incredibly useful tool and it would appear that version 3 takes a big step forward. As with all security tools, it can be used for good or ill, but it is most certainly an essential arrow in the quiver of anyone tasked with or interested in computer security.



Metasploit 3.0

Posted Mar 29, 2007 2:58 UTC (Thu) by error27 (subscriber, #8346)

There was a license change in the new version. You can't include it in a for profit product anymore.

It doesn't affect me, but it seemed like something people might want to know.

Metasploit 3.0

Posted Mar 29, 2007 11:36 UTC (Thu) by gypsumfantastic (guest, #31134)

So it's no longer Free Software? It's become proprietary. For shame.

It seems odd that Our Editor missed this sad state of affairs.

Metasploit 3.0

Posted Mar 29, 2007 13:30 UTC (Thu) by jake (editor, #205)

> So it's no longer Free Software? It's become proprietary. For shame.

It's somewhere in between open source and proprietary, if I remember my definitions correctly. All of the source is available and can be modified and distributed (as patches). What you cannot do is sell it for more than the cost of distribution.

> It seems odd that Our Editor missed this sad state of affairs.

Well, in this case, our Editor is hardly to blame. This author *is*. FWIW, it was on my mental list to get into the story, but never made the actual list or (obviously) the actual story. Kudos to error27 for pointing it out.

jake

as patches

Posted Mar 29, 2007 15:37 UTC (Thu) by rfunk (subscriber, #4054)

Modified versions can only be distributed as patches? Ugh, that puts it in qmail and pine land, too far from free land for my taste.

as patches

Posted Mar 29, 2007 18:03 UTC (Thu) by kh (subscriber, #19413)

Agreed, but there is hope for pine. I have heard alpine may be distributed with Ubuntu soon.

Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds