Metasploit Introduction

About

Released in 2004, it's an open-source platform for developing, testing, and using exploit code. It has the world's largest public collection of quality-assured exploits. Payloads, encoders, no-op generators, and exploits are integrated into the framework, which allows it to be used for exploitation research. It comes with hundreds of exploits, which makes writing custom exploits easier because there is a reference point, and also lets you start with a group of reputable exploits as opposed to whatever can be found around the Internet.

Metasploit was free, but the project was acquired by Rapid7 in 2009 which brought commercial variants. The Framework itself is still free and open source, but they now also offer a free-but-limited Community edition, a more advanced Express edition ($3,000 per year per user), and a full-featured Pro edition ($15,000 per user per year). Other paid exploitation tools to consider are Core Impact (more expensive) and Canvas (less).

Metasploit is currently a collaboration between the open source community and Rapid7, with the primary focus of being software that helps security and IT professionals identify security issues, verify vulnerabilities, and manage security assessments. Capabilities include but are not limited to: smart exploitation, password auditing, web application scanning, and social engineering (A, 2012).

History

HD Moore created the Metasploit Project in 2003 to provide the security community with a public resource for exploit development. This project resulted in the Metasploit Framework, an open source platform for writing security tools and exploits.

The first version provided a curses-based frontend written in the Perl scripting language. Spoonm, the second developer, joined the project in late 2003 and helped design the overall workflow that is still in use today. Shortly after, Matt Miller (aka skape) started contributing, eventually becoming the third member of that core development team (A, 2012).

The first two versions of the Metasploit Framework were written in the Perl scripting language, ending with the 2.7 release in 2006. Perl had a number of disadvantages, which led to a ground-up rewrite in the Ruby language that started in 2005 and was completed in 2007. By the end of 2007, both Spoonm and Matt Miller had left the project, and in an effort to bring on a new team the source code was relicensed under the three-clause BSD license, starting with version 3.2 in 2008. The license change, combined with a stronger community-focused development team, led to a huge boost in the vitality of the project.

On October 21, 2009, Rapid7, a vulnerability management solution company, acquired the Metasploit Project. Prior to the acquisition, all development of the framework occurred in the developers' spare time, eating up most weekends and nights. Rapid7 agreed to fund a full-time development team and to keep the source code under the three-clause BSD license that is still in use today.

Impact

Metasploit has become a prominent piece of penetration testing software and is widely used by the security industry. Information security and ethical hacking websites like offensive-security.com (who design Metasploit) and null-byte.wonderhowto.com include comprehensive guides ("Metasploit Unleashed – Free Online Ethical Hacking Course," n.d.; Web, 2014). It's regarded by many in the community as an industry-standard tool, and it has been surveyed as the most popular penetration testing framework (Gupta, 2016). It is also included by default in one of the most popular penetration testing operating systems, Kali Linux (Shakeel, 2017).

Uses

Metasploit is a framework and not a specific application. This means that although it comes with many different built-in tools already, new tools can be created to test any number of security vulnerabilities. System exploitation is one of the methods for performing security tests. Generally this means scanning the network for security holes (backdoors) in computers connected to that network. After a vulnerability is found, a payload can be used. The payload is the code that runs on the compromised system and gives a measure of control over that system, ideally complete control. The payloads that come with Metasploit are effective enough to test with, though you can customize them or use them as a reference for your own payload design. Metasploit can also listen as a method of finding backdoors into systems: as opposed to active scanning, it can intercept network information and analyze that data for use in gaining access to various systems. Metasploit has both a command line and a graphical interface (Armitage), depending on the user's preferred configuration, as well as functionality to record all incoming and outgoing information for later analysis by the user ("Metasploit for beginners – a concise introduction – Concise Courses," 2017).

Case Study

Lawrence from Automation Direct has used Metasploit Professional to show system administrators the vulnerabilities in their systems and this has changed company policy and procedures.

Lawrence says the Metasploit reports have changed the mindset of the server administrators he works with. "As soon as I drop a piece of paper on them that shows how I've gotten into a machine, and that from there I was able to get on other machines, it totally changes their posture on what needs to be done," he says. Now server administrators ask for risk assessments and remediation recommendations before putting new servers online.

"It's hard to put a value on security," says Lawrence. "One compromise will cost you way more than this product. If you can secure one target from being compromised, it's going to pay for itself once. The value of what you get for the money is exponential."

Lawrence was able to better secure his company, which included saving it a lot of money in the long run ("Rapid7 Metasploit changes the security mindset at AutomationDirect," 2011).

Conclusion

Metasploit is an essential tool for any penetration tester. It allows a beginner to experiment with the basics for free and a seasoned professional to save time and energy without compromising the effectiveness of the tools they use.

References

A. (2012, August 9). Metasploit – blogger technology. Retrieved from https://blgtechn.blogspot.com/2012/08/metasploit.html

Metasploit Unleashed – Free Online Ethical Hacking Course. (n.d.). Retrieved from https://www.offensive-security.com/metasploit-unleashed/

Web, O. T. (2014, July 10). Hack Like a Pro: Metasploit for the Aspiring Hacker, Part 1 (Primer & Overview) « Null Byte :: WonderHowTo. Retrieved from https://null-byte.wonderhowto.com/how-to/hack-like-pro-metasploit-for-aspiring-hacker-part-1-primer-overview-0155986/

Gupta, A. (2016, January 18). Five most popular penetration testing tools. Retrieved from https://www.ravellosystems.com/blog/five-most-popular-penetration-testing-tools/

Shakeel, I. (2017, February 21). Top 10 Linux Distro for Ethical Hacking and Penetration Testing. Retrieved from http://resources.infosecinstitute.com/top-10-linux-distro-ethical-hacking-penetration-testing/

Metasploit for beginners – a concise introduction – Concise Courses. (2017). Retrieved from https://www.concise-courses.com/security/metasploit-for-beginners/

Rapid7 Metasploit changes the security mindset at AutomationDirect. (2011). Retrieved from https://www.rapid7.com/globalassets/_pdfs/customer-stories/customercasestudy-automationdirect-03-2011.pdf