Review: Metasploit Framework
Metasploit Framework 2.2
Free
metasploit.com
You know, of course, that there's a steady stream of patches to Windows
(and other software) that you need to install. But perhaps you're a bit
hazy on the reasons why you need to install these patches. System
vulnerabilities follow a well-defined lifecycle these days. First,
someone finds a way to sneak some code onto a system - perhaps a buffer
overflow, perhaps some other problem. Then, someone creates an
"exploit": a way to tune this snuck-in code to do something nefarious,
like take over the entire system. Metasploit is a framework that makes
it easy to go from the overflow stage to the exploit stage, and to check
whether particular systems are vulnerable to particular exploits. It's
frighteningly effective.
The system is written in Perl; if you're running on Windows, it installs
a stripped-down Cygwin version to run things. There's also a *nix
version that works the same way. In either case, you get a console-based
workbench and a selection of exploits and payloads. Exploits are the
fully-tuned ways to get code onto a target system. For example, there's
an exploit for the MS04-011 LSASS overflow, one for a recent Apache
problem, one for SQL Server, and so on. Payloads are the things that you
can shove down a system's throat with an exploit. These range from
simple command shells to complete VNC servers that let you see, and take
over, the target system's desktop. You can control all of this from the
command-line interface, or (if that's too complicated) from a built-in
web server.
The whole thing is pluggable, so that third parties can define exploits and
payloads. The Metasploit team, too, will be able to update the tool as
new vulnerabilities come down the pike.
Does it work? Yes. Do the install, read the quick start manual, type in
a few commands and BOOM, you can own an unpatched system. I was testing
in virtual machines behind my firewall, and it's an eye-opener how easy
it is to get this stuff going. Coupled with the recent news that an
average unpatched box on the Internet has a lifetime of under half an
hour, the Metasploit Framework is a powerful argument for having a
security policy in place and followed. There are clearly good uses for
this tool - for example, to make sure you have properly patched your
perimeter systems - but remember, the bad guys have copies too.