Review of the Metasploit Project
It's not quite as simple as that, of course, so let's begin at the beginning. Back in ye olden days of yore, pentesting involved a lot of repetitive labor that Metasploit now automates. Information gathering? Gaining access? Maintaining persistence? Evading detection? Metasploit is a hacker's Swiss army chainsaw (sorry, Perl!), and if you work in information security, you're probably already using it. Better still, the core Metasploit Framework is both free and libre software and comes pre-installed in Kali Linux. (It's BSD-licensed, in case you're curious). The framework offers only a command-line interface, but those wanting GUI-based click-and-drag hacking — plus some other cool features — can drop a bundle for per-seat licenses to Metasploit Pro.
Is there such a thing as a security tool that’s too effective? It sounds silly. You’d never hear a firewall called too effective or an encryption algorithm called too hard to crack. Over the years, however, some have accused the Metasploit penetration testing framework of exactly that: being too fast at publishing exploits and too good at taking advantage of vulnerabilities in the networks it’s used against. One recent example of why Metasploit raises concern involved a Java zero-day vulnerability that surfaced in August and affected millions of users of common Web browsers (Internet Explorer, Mozilla Firefox, and Safari) on Windows, Linux, and Mac OS X systems. Attacks on the flaw made it possible to compromise at-risk systems, and before Oracle released a patch, publicly available exploit code was added to the Metasploit framework. Such tools help security professionals and system owners test and strengthen their defenses, but they can also be used by criminals to break into vulnerable systems. This “dual-use” capability has made Metasploit controversial at times, and such tools have even been outlawed in some nations. One of the most frequently cited concerns is that once an exploit is released, attackers can put it to use faster than organizations can patch their dozens, or even tens of thousands, of systems.

“Metasploit, like other dual-use security tools, is great at raising awareness and providing defenders with a way to measure their risk,” Moore says. “The availability of clean exploits to the public at large has helped level the playing field against criminals.” Moore also points out that nearly every recent client-side exploit (those for Internet Explorer, Adobe Flash, Java, etc.) added to Metasploit was discovered first in the wild and then ported from that live sample into a clean version for the toolset.
Not everyone agrees with Moore’s assertion that Metasploit “helps to level the playing field.” “While it’s correct to say that individual organizations can reduce their own risk with tools like Metasploit, in the aggregate everyone’s risk is increased significantly,” argued Pete Lindstrom, research director at security research firm Spire Security. “The attackers can hit long before most organizations have time to patch.”
In conclusion, as with many security tools, there is the possibility of misuse, and it is up to the individual end user to decide how it will be used. The bad guys already possess tools capable of doing what Metasploit now makes possible; security practitioners need to know how those same bad guys might attack and what is possible. Layered security is not just ACLs, firewalls, network segregation, IDS, and so on. The most important layer in the security process is the human layer. What that human layer brings to the table is every bit as important as the rule base on the firewall, and being armed with the Metasploit Framework only adds to that human value.