Open-Source Tool Roots Out More Exploits

Metasploit Framework 2.3 contains a host of updated capabilities and an expanded library of custom-made exploits and payloads, usable against vulnerabilities in Windows, Linux and some Unix variants.

A group of security volunteers on Tuesday released a new version of an advanced open-source framework for developing, testing and using exploits.

The Metasploit Framework 2.3 is the latest evolution of a project that began as a lark and has turned into a serious tool for penetration testing and exploit development.

The framework, which is written in Perl and runs on most Unix systems and Windows, is a less polished, open-source counterpart to commercial pen-testing tools such as Core Security Technologies Inc.'s Core Impact or Immunity Inc.'s Canvas, but it is designed to be every bit as powerful and easy to use.


The framework is fronted by a clean user interface and it takes just a few clicks to get to the point where users can enter an IP address and port number and run an exploit against a target system.

The Web interface lists the framework's modules sorted either by exploit or by payload. Clicking on a specific exploit brings up a description of the vulnerability, including a link to the original advisory if there is one, and a list of vulnerable versions, which the framework treats as that exploit's targets.

Users then click on a target version, such as Windows XP, and see the payloads that can be delivered through that exploit on that platform. The exploit is the code that triggers the flaw; the payload is the code that runs on the host once it has.

After choosing a payload, the user is presented with a page asking for the address of the remote host and perhaps one or two other options, depending on the exploit and payload chosen. One more click and the exploit is launched at the target host.
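The click-through described above (pick an exploit, pick a target, see only the payloads that fit, supply the host, fire) hides the matching the framework does between those steps. The Python below is an added illustration written for this page; it is not Metasploit code and does not follow its module format. The per-exploit attributes it uses (target platform, available payload space, bad characters) are ones Metasploit exploit modules really declare, but every module name, address and byte string here is constructed, and the single-byte XOR encoder is shown without the architecture-specific decoder stub a real encoder would prepend to the encoded bytes.

```python
"""Illustrative model of how an exploit framework pairs exploits with payloads.

Added example for this article, not Metasploit code. All modules, addresses
and shellcode bytes below are constructed for the demonstration.
"""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    name: str
    platform: str   # "win32", "linux", ...
    ret: int        # return address to overwrite with (hypothetical here)


@dataclass(frozen=True)
class Exploit:
    name: str
    targets: tuple  # Target instances the module knows how to hit
    space: int      # bytes of payload the overflow can carry
    badchars: bytes # bytes the vulnerable parser would mangle or truncate on
    offset: int     # bytes of padding before the saved return address


@dataclass(frozen=True)
class Payload:
    name: str
    platform: str
    raw: bytes      # the code that runs after the exploit lands


def compatible_payloads(exploit, target, payloads):
    """The 'pick a target, see the matching payloads' step: keep only payloads
    that run on the target's platform and fit in the exploit's payload space."""
    return [p for p in payloads
            if p.platform == target.platform and len(p.raw) <= exploit.space]


def xor_encode(raw, badchars):
    """Single-byte XOR encoder: find a key such that neither the key itself nor
    any encoded byte is a bad character. Returns (key, encoded) or raises."""
    for key in range(1, 256):
        if key in badchars:
            continue
        enc = bytes(b ^ key for b in raw)
        if not any(b in badchars for b in enc):
            return key, enc
    raise ValueError("no single-byte key avoids the bad characters")


def build_buffer(exploit, target, payload):
    """Assemble padding | return address | key | encoded payload, refusing the
    combinations a framework would refuse: wrong platform, too large, or a
    return address that itself contains a bad character."""
    if payload not in compatible_payloads(exploit, target, [payload]):
        raise ValueError("payload not compatible with this exploit/target")
    key, enc = xor_encode(payload.raw, exploit.badchars)
    if len(enc) + 1 > exploit.space:   # one byte reserved for the key
        raise ValueError("encoded payload does not fit in the payload space")
    ret = struct.pack("<I", target.ret)
    if any(b in exploit.badchars for b in ret):
        raise ValueError("return address contains a bad character")
    return b"A" * exploit.offset + ret + bytes([key]) + enc


# Constructed sample modules (hypothetical names, addresses and bytes).
SAMPLE_EXPLOIT = Exploit(
    name="demo_service_overflow",
    targets=(Target("Windows XP SP1", "win32", 0x77E8DEF4),
             Target("Linux 2.4", "linux", 0xBFFFF610)),
    space=64,
    badchars=b"\x00\x0a\x0d",
    offset=32,
)

SAMPLE_PAYLOADS = [
    Payload("win32_bind", "win32", b"\x0a\x0d\x90\x41\x42\x00\x43"),
    Payload("linux_reverse", "linux", b"\x31\xc0\x0a\x00\x0d"),
    Payload("win32_too_big", "win32", b"\x90" * 100),
]


def demo():
    """Run the UI flow end to end against the sample modules."""
    target = SAMPLE_EXPLOIT.targets[0]
    choices = compatible_payloads(SAMPLE_EXPLOIT, target, SAMPLE_PAYLOADS)
    buf = build_buffer(SAMPLE_EXPLOIT, target, choices[0])
    return [p.name for p in choices], buf


if __name__ == "__main__":
    names, buf = demo()
    print("payloads offered for", SAMPLE_EXPLOIT.targets[0].name, "->", names)
    print("buffer:", buf.hex())
```

The interesting part is what is filtered out: the oversized payload never appears in the list for the Windows target, and a payload whose raw bytes contain the exploit's bad characters is still usable because the encoder picks a key that removes them from both the key and the output, which is the same reason a real framework can offer a far larger payload menu than the raw shellcode would suggest.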


In the past couple of years, user-friendly exploitation tools have become quite common, and any aspiring cracker need only visit one of hundreds of security or underground sites to find not just the tools, but detailed instructions on how to find vulnerable targets and what to do once they've gained access to a machine. The Metasploit Framework certainly could be used for those purposes as well, but it was designed for administrators and security researchers interested in running exploits against their own systems.

It still requires a bit of knowledge and skill to find vulnerable target hosts and to know which exploit and payload are the right ones for a particular vulnerability. The project's main developer, HD Moore, who is well-known within the security community as a researcher, author and frequent speaker at security conferences, acknowledged that some people in the industry are nervous about the release of tools as powerful as the framework, but he said that the capabilities it provides to users are necessary.

"The framework is quickly becoming a standard tool for both penetration testing and security product validation. I believe that giving end users the power to test their own security measures restores a much-needed balance to the information security industry. The best-selling security products are all defensive in nature; the only way you can gauge their effectiveness is to actively test them," Moore said.

"There is a common argument that the framework allows less-skilled attackers to break into systems that they would not be able to access otherwise. Most of the exploit modules included with the framework are actually based on publicly available exploit code. Only rarely does the framework provide an attack vector that is not already available to the script kiddies at large.

"There have been a handful of cases where we released the first public exploit module for a vulnerability, only to discover that the underground cracking groups have had an exploit of their own for quite some time. The Framework gives the network administrator the same capabilities as the people who are attacking their networks."

The Metasploit Framework also comes with a unique license that allows commercial vendors to integrate it into their own products and then resell it. Researchers also can write their own modules for the framework and sell them as commercial products.
