March 28, 2007
This article was contributed by Jake Edge.
The
Metasploit Framework,
a popular open source framework for penetration testing and security tool
development, has just
released its 3.0 version that
provides many new features. The framework has been completely rewritten
from version 2, moving from Perl to Ruby in the process.
In many ways, Metasploit 3 seeks to be the Swiss Army knife of network
vulnerability research and testing, providing a wealth of tools for
security researchers.
At its core, Metasploit provides a means to launch an exploit at a particular
host, execute a payload there and provide a shell that communicates with that
payload. The exploits shipped with the framework target known vulnerabilities
in various operating systems, and the payloads are different ways of getting
a shell on the exploited machine. Because the two are decoupled, users can
probe hosts for susceptibility to known attacks and combine any exploit with
any compatible way of getting a shell, for instance to pick one that gets
past firewall and intrusion detection rules. In addition, Metasploit
makes it easy to add new payloads and exploits so that a researcher
can develop or work with entirely new vulnerabilities using the
familiar framework interface.
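The exploit/payload split described above, as an added Ruby example that is not Metasploit's own code: an exploit declares the constraints the bug imposes on delivered bytes (how much space there is and which bytes the vulnerable code would mangle), a payload is an interchangeable stage that produces bytes, and a small amount of framework glue checks compatibility, encodes the payload when only bad characters are the problem, and delivers it. The classes, the sample payload bytes and the constraint values are all constructed for illustration; the single-byte XOR encoder shows the idea behind real encoders but omits the decoder stub a real one would prepend.

```ruby
# Added example, not code from the Metasploit Framework. Toy model of the
# exploit/payload split: an exploit carries delivery constraints, a payload
# carries bytes, and the framework pairs them. All names are hypothetical.

require 'stringio'

class Payload
  attr_reader :name, :bytes
  def initialize(name, bytes)
    @name  = name
    @bytes = bytes.b # keep payloads as binary strings
  end
end

class Exploit
  attr_reader :name, :space, :badchars
  # space:    maximum number of payload bytes the bug lets us place
  # badchars: bytes the vulnerable code would truncate or alter (NUL, CR, LF ...)
  def initialize(name, space:, badchars:)
    @name, @space, @badchars = name, space, badchars.b
  end

  # Returns nil when the payload can be used with this exploit, otherwise a
  # string explaining why the pair cannot work.
  def incompatibility(payload)
    size = payload.bytes.bytesize
    return "#{payload.name}: #{size} bytes exceeds #{space}-byte space" if size > space
    bad = badchars.bytes
    found = payload.bytes.bytes.select { |b| bad.include?(b) }.uniq
    unless found.empty?
      return "#{payload.name}: contains bad chars #{found.map { |b| format('0x%02x', b) }.join(' ')}"
    end
    nil
  end

  # Deliver the payload over a caller-supplied IO so the example runs offline;
  # a real module would connect to the target instead. Returns bytes written.
  def run(payload, io)
    reason = incompatibility(payload)
    raise ArgumentError, reason if reason
    io.write(payload.bytes)
    payload.bytes.bytesize
  end
end

# Single-byte XOR encoder: find a key that maps every payload byte away from
# the bad-char set. The key itself must also survive delivery because a real
# decoder stub would embed it. Returns nil when no key works.
def xor_encode(payload, badchars)
  bad = badchars.b.bytes
  (1..255).each do |key|
    next if bad.include?(key)
    enc = payload.bytes.bytes.map { |b| b ^ key }
    next if enc.any? { |b| bad.include?(b) }
    return Payload.new("#{payload.name}/xor#{key}", enc.pack('C*'))
  end
  nil
end

# Framework glue: use the payload unchanged when it fits, encode it when that
# makes it fit, give up (nil) otherwise, e.g. when it is simply too large.
def select_payload(exploit, payload)
  return payload unless exploit.incompatibility(payload)
  encoded = xor_encode(payload, exploit.badchars)
  encoded if encoded && exploit.incompatibility(encoded).nil?
end

if __FILE__ == $0
  ex    = Exploit.new('toy_overflow', space: 64, badchars: "\x00\x0a\x0d")
  shell = Payload.new('bind_shell', "\x31\xc0\x00\x0a\x41\x42".b) # constructed bytes
  puts ex.incompatibility(shell)            # raw payload contains NUL and LF
  chosen = select_payload(ex, shell)
  wire = StringIO.new(''.b)
  puts "sending #{ex.run(chosen, wire)} bytes as #{chosen.name}"
  p wire.string.bytes
end
```

The usual workflow is visible in `select_payload`: a payload is rejected only after the framework has tried the encoders it knows about, which is why the same shell payload can be reused against bugs with very different bad-character sets.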
Once Metasploit has connected to an exploited system, an irb
(interactive ruby) shell from within the framework can be used to script
access to any accessible process on the remote system. Because it
provides a means to read and write the memory of those processes,
credentials like passwords could be grabbed or processes could be backdoored
in various ways. Another interesting feature allows an attacker to route all
Metasploit traffic through a compromised host, potentially bypassing
firewalls and routers. This is just a small sample of the tools that are
provided; this is a very potent toolkit.
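The routing feature mentioned above, as an added Ruby example that is not Metasploit's own implementation: a pivot table maps subnets to the compromised host (session) through which they are reachable, a lookup picks the most specific matching route and falls back to direct delivery, and a planner groups a target list by the pivot each target needs. The class name, the session identifiers and the subnets are constructed for illustration.

```ruby
# Added example, not Metasploit's own route table. Each route says "this
# subnet is reachable through this session"; lookups use the longest matching
# prefix, and hosts with no matching route are reached directly. Session
# identifiers here are plain integers standing in for compromised hosts.

require 'ipaddr'

class PivotTable
  Route = Struct.new(:subnet, :session)

  def initialize
    @routes = []
  end

  # subnet in CIDR form ("10.1.1.0/24"); session identifies the pivot host.
  def add_route(subnet, session)
    @routes << Route.new(IPAddr.new(subnet), session)
    self
  end

  # Remove exactly the given subnet/session pair (IPAddr#== ignores the mask,
  # so the prefix length is compared separately).
  def remove_route(subnet, session)
    net = IPAddr.new(subnet)
    @routes.reject! do |r|
      r.subnet == net && r.subnet.prefix == net.prefix && r.session == session
    end
    self
  end

  # Returns the session to relay through, or nil for direct delivery. When
  # several routes cover the host, the most specific (longest prefix) wins.
  def session_for(host)
    ip = IPAddr.new(host)
    best = @routes.select { |r| r.subnet.family == ip.family && r.subnet.include?(ip) }
                  .max_by { |r| r.subnet.prefix }
    best && best.session
  end

  # Group targets by the session each one needs, so the framework can set up
  # one relay per pivot rather than one per target.
  def plan(hosts)
    hosts.group_by { |h| session_for(h) }
  end
end

if __FILE__ == $0
  table = PivotTable.new
  table.add_route('10.1.0.0/16', 1)   # whole internal site via session 1
  table.add_route('10.1.50.0/24', 2)  # one subnet only reachable via session 2
  %w[10.1.50.7 10.1.3.9 192.0.2.10].each do |h|
    s = table.session_for(h)
    puts "#{h} -> #{s ? "via session #{s}" : 'direct'}"
  end
end
```

Traffic relayed this way originates from the pivot host, so a firewall or router between the tester and the target subnet only ever sees connections from a machine it already trusts, which is what makes the feature useful and why a defender should watch for unexpected outbound connections from internal hosts.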
There are two main interfaces to Metasploit, a console interface as well
as an AJAX-enabled web interface that is driven with
Ruby on Rails. Both provide
tab-completion of commands and arguments and are very convenient to use.
The web interface, however, feels rather sluggish, even running on the local
machine; it is mostly provided to allow demonstrations of using the tool.
There is also a command-line interface that can be used from scripts and the
like, but the console is the main interface workhorse.
The release comes with both a user and a developer guide and both are quite
readable and useful. The developer guide lays out the rationale behind
the switch to Ruby which makes for an interesting read. It notes
that Windows compatibility was one of the major reasons for the
switch, which makes it rather surprising that deficiencies in either Ruby
for Windows or Windows itself make some features (the entire console
interface for instance) usable only on Linux or other UNIX systems.
Metasploit was already an incredibly useful tool and it would appear that
version 3 takes a big step forward. As with all security tools, it can
be used for good or ill, but it is most certainly an essential arrow in
the quiver of anyone tasked with or interested in computer security.