Risk
2/9/2009
08:02 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Metasploit To (Almost) Go SaaS

The Metasploit hacking tool is going the direction of many other IT security tools: it's going to be delivered, in part, as a service. But will corporate security managers upload critical data to a third party to test to see if it can be cracked?

The Metasploit hacking tool is going the direction of many other IT security tools: it's going to be delivered, in part, as a service. But will corporate security managers upload critical data to a third party to test to see if it can be cracked?We've covered, on a number of occasions, how security is increasingly being delivered as a service. Last year it was MessageLabs being acquired by Symantec, Symplified and its identity management as a service, and then there's Qualys, which launched its SaaS vulnerability management appliance at the turn of this decade.

This time, it's a step toward SaaS for the popular open source penetration-testing tool, Metasploit. As Kelly Jackson Higgins reports at DarkReading:

While this is not a pure software-as-a-services model, the new service-based features are a departure from Metasploit's software-based approach. The goal is to add back-end services, such as an "opcode" database client and a password-cracker to Metasploit, that seamlessly expand the tool's features and resources for its users, says HD Moore, creator of Metasploit. "We want our regular users to be able to take advantage of [such] services transparently," Moore says.

Sounds interesting, right? Other security vendors have been providing security through software-as-service for years. But one of the upcoming services HD Moore discussed with Kelly Jackson Higgins is in a back-end password cracking service, where a user would upload password hashes to Metasploit:

With the back-end password-cracking service, a Metasploit user could automatically submit password hashes to the Metasploit platform. "Once they are finished, [they would] get the clear-text passwords back and use those for another exploit," he says.

HD Moore says he's working to address one of the obvious problems with such services, such as criminals uploading password hashes that belong to an organization they're trying to crack into. This wouldn't be good, to say the least. One of the options he's considering as a way to stop this abuse is some type of user registration and confirmation.

But forget outright criminal abuse for a moment. Would many corporate security managers feel comfortable uploading actual password hashes to a third party? How would auditors react to learning about such practices?

I'm very curious to learn the answer to those questions.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
To Be Ready for the Security Future, Pay Attention to the Security Past
Liz Maida, Co-founder, CEO & CTO, Uplevel Security,  9/18/2017
1.9 Billion Data Records Exposed in First Half of 2017
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/20/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Jan, check this out! I found an unhackable PC.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.