Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

5/19/2010
02:45 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

Big New Features In New Metasploit Framework

The penetration testing world saw a couple of exciting announcements yesterday. The first one I want to mention because it's one of my favorite tools -- Burp Suite Professional. It's a great tool for Web application penetration testing, and a new update was just released. But of course the big news that has everyone talking are the Metasploit releases.

The penetration testing world saw a couple of exciting announcements yesterday. The first one I want to mention because it's one of my favorite tools -- Burp Suite Professional. It's a great tool for Web application penetration testing, and a new update was just released. But of course the big news that has everyone talking are the Metasploit releases.Version 3.4.0 of the open source Metasploit Framework was released yesterday along with the new commercial Metasploit Express (screenshots) offering from Rapid7. It's a bit amusing to look back the initial reactions about the future of the Metasploit Framework when the project was first acquired by Rapid7. Some said it was doomed, while others cheered on the decision. Taking a look at the increase in development and the responsiveness of the development team shows, it's pretty obvious that it's been a big win for the Metasploit user community.

The updates for 3.40 are incredible as can be seen here in the Release Notes. There are now over 550 exploit modules. Bruteforce capabilities are greatly enhanced, and work well in some testing I was doing last night. Plus, the meterpreter payload saw some major updates. If you want to know more about what's gone into the update, take a look at the video of HD Moore's talk at Source Boston 2010 where he talks about the enhancements and the people working hard behind the scenes.

I've been a longtime user of the Metasploit Framework and jumped on the chance to test the Metasploit Express beta when it was announced. Having tested it for a couple of weeks, I've found it to be quite usable with a simple workflow to follow from identifying hosts to exploiting them and gathering "evidence." It definitely makes the power of Metasploit more accessible to those penetration testers just getting started or who have been intimidated by the myriad of exploits, payloads, and auxiliary modules.

While the workflow definitely adds something that was missing, I feel a little constrained within the graphical interface. It's lacking in the raw power and customization that a penetration tester is exploit to when working with msfconsole in Metasploit Framework. This is something that's been echoed on the express-users mailing list and some online reviews.

On the other hand, it works. I used Express to bruteforce the password on one of my routers, exploit several vulnerable virtual Windows and Linux systems, collect system information, and "clean up" the traces of the exploitation. If I don't like the nmap scanning options, I can just import the results of my own scan or even the results from a Nessus vulnerability scan. But if I could just drop down to a msfconsole interface within Express...

If you're in the market for a penetration testing tool or would like to experience the power of Metasploit with a easy-to-use graphical (Web) interface, then Metasploit Express is pretty slick, works well, and has an awesome development team behind it.

And for testing purposes, if you don't have any vulnerable systems lying around, then HD and crew just released Metasploitable, a vulnerable virtual machine running Ubuntu 8.04 server. Just don't expose it to the Internet once you've got it up and running.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprise
Assessing Cybersecurity Risk in Today's Enterprise
Security leaders are struggling to understand their organizations risk exposure. While many are confident in their security strategies and processes, theyre also more concerned than ever about getting breached. Download this report today and get insights on how today's enterprises assess and perceive the risks they face in 2019!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18881
PUBLISHED: 2019-11-12
WSO2 IS as Key Manager 5.7.0 allows unauthenticated reflected XSS in the dashboard user profile.
CVE-2019-18882
PUBLISHED: 2019-11-12
WSO2 IS as Key Manager 5.7.0 allows stored XSS in download-userinfo.jag because Content-Type is mishandled.
CVE-2019-18873
PUBLISHED: 2019-11-12
FUDForum 3.0.9 is vulnerable to Stored XSS via the User-Agent HTTP header. This may result in remote code execution. An attacker can use a user account to fully compromise the system via a GET request. When the admin visits user information under "User Manager" in the control panel, the pa...
CVE-2019-18874
PUBLISHED: 2019-11-12
psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object.
CVE-2019-18862
PUBLISHED: 2019-11-11
maidag in GNU Mailutils before 3.8 is installed setuid and allows local privilege escalation in the url mode.