How zero-day exploits can improve security
Metasploit has become a go-to platform for penetration testing and signature development, so much so that disclosure of new software vulnerabilities often are accompanied by a Metasploit exploit module.
The Metasploit Project is a computer security project that developed and maintains the Metasploit Framework for creating and executing exploit code. Available as a free open-source tool and in more sophisticated commercial products from Rapid7, it contains libraries of vulnerabilities and modules to exploit them. The framework lets developers and researchers build exploits to test for holes in IT systems, and its modularity allows the combination of different exploits and payloads.
Ostensibly a tool for penetration testing by good guys, Metasploit can be used for either good or evil. But its purpose is to democratize IT security, said HD Moore, who created Metasploit in 2003.
“It started out as more of a political thing than anything else,” Moore said. At a time when only black hats had access to exploits and attack tools, white hat developers, researchers and security professionals were operating at a disadvantage. “The main goal was to put them all on the same footing.”
Originally written in Perl script and first released in late 2003, Metasploit since has been rewritten in Ruby. It now is in version 4.0 and contains about 900 exploit modules for Windows, Unix, Linux and Mac OS operating systems, Moore said.
It also contains several hundred modules for fuzzing, which can discover previously unknown or unsuspected vulnerabilities in a target. A user selects a target machine, selects exploit modules to test for a vulnerability or vulnerabilities, selects the payloads for the exploits and launches it at the target. If the vulnerability is there, the exploit should get through to deliver its payload.
Public-sector agencies are among those that have availed themselves of Metasploit’s penetration testing tools, and it has also been used by agencies in red team/blue team exercises.
The framework allows creation of new exploit modules with a minimum of work, so Metasploit can keep up with the growing number of vulnerabilities. When zero-day exploits of a Java flaw were discovered in August, potentially affecting billions of devices, Metasploit developed an exploit for it and, after Oracle issued a patch, tested it against the exploit to confirm that the patch was effective.
The Metasploit Project was acquired by the security company Rapid7 in 2009. Commercializing Metasploit was something “that had been in the back of my mind forever,” said Moore, who now is chief security officer at Rapid7. So Metasploit and Rapid7 hammered out a plan to allow commercial development while maintaining Metasploit’s open-source availability.
The Metasploit Community Edition remains a free open-source tool with all the functionality, available for free download. Metasploit Express and Pro are commercial products built on the open-source core with additional bells and whistles to make them more user-friendly and scalable. All modules are available first in the open-source version.
What does the security community think of a tool that makes it easy for anybody, regardless of the color of his or her hat, to launch an attack?
“We did get a lot of pushback early on in the project,” Moore said. But he points out that the bad guys already had tools for launching attacks. “The bad guys don’t use Metasploit.” Today almost all of the exploits in Metasploit modules have appeared in the wild first, so that availability of the tool is not a big advantage to attackers. “We’re not the ones who are first-to-market with an exploit,” Moore said.