Review of the Metasploit Project
Back in ye olden days of yore, pentesting involved a lot of repetitive labor that Metasploit now automates. Information gathering? Gaining access? Maintaining persistence? Evading detection? Metasploit is a hacker's Swiss army chainsaw (sorry, Perl!), and if you work in information security, you're probably already using it. Better still, the core Metasploit Framework is both free and libre software and comes pre-installed in Kali Linux. (It's BSD-licensed, in case you're curious.) The framework offers only a command-line interface, but those wanting GUI-based click-and-drag hacking — plus some other cool features — can drop a bundle for per-seat licenses to Metasploit Pro.
And, before Oracle released a patch for the flaw, publicly available exploit code was added to the Metasploit framework. Such tools can be used to both help security pros and system owners strengthen and test their security, but they can also be used by criminals to break into vulnerable systems. This “dual-use” capability of Metasploit has made it controversial at times, and such tools have even been outlawed in some nations. One of the biggest concerns often cited is that when exploits are released, attackers can put them to use quicker than organizations can patch their dozens, or even tens of thousands, of systems.
“Metasploit, like other dual-use security tools, is great at raising awareness and providing defenders with a way to measure their risk,” Moore says. “The availability of clean exploits to the public at large has helped level the playing field against criminals.” Additionally, Moore points out that nearly every recent client-side exploit (those found in Internet Explorer, Adobe Flash, Java, etc.) placed into Metasploit was discovered first in the wild, and then ported from that live sample into a clean version for the toolset.
Not everyone agrees with Moore’s assertion that Metasploit “helps to level the playing field.” “While it’s correct to say that individual organizations can reduce their own risk with tools like Metasploit, in the aggregate everyone’s risk is increased significantly,” argued Pete Lindstrom, research director at security research firm Spire Security. “The attackers can hit long before most organizations have time to patch.”
Security practitioners need to know how those same bad guys might attack and what is possible. Layered security is not just ACLs, firewalls, network segregation, IDS, etc. The most important layer in the security process is the human layer. What that human layer can bring to the table is every bit as important as the rule base on the firewall, and being armed with the Metasploit Framework will only add to that human value.