Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

5/19/2010
02:45 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

Big New Features In New Metasploit Framework

The penetration testing world saw a couple of exciting announcements yesterday. The first one I want to mention because it's one of my favorite tools -- Burp Suite Professional. It's a great tool for Web application penetration testing, and a new update was just released. But of course the big news that has everyone talking are the Metasploit releases.

The penetration testing world saw a couple of exciting announcements yesterday. The first one I want to mention because it's one of my favorite tools -- Burp Suite Professional. It's a great tool for Web application penetration testing, and a new update was just released. But of course the big news that has everyone talking are the Metasploit releases.Version 3.4.0 of the open source Metasploit Framework was released yesterday along with the new commercial Metasploit Express (screenshots) offering from Rapid7. It's a bit amusing to look back the initial reactions about the future of the Metasploit Framework when the project was first acquired by Rapid7. Some said it was doomed, while others cheered on the decision. Taking a look at the increase in development and the responsiveness of the development team shows, it's pretty obvious that it's been a big win for the Metasploit user community.

The updates for 3.40 are incredible as can be seen here in the Release Notes. There are now over 550 exploit modules. Bruteforce capabilities are greatly enhanced, and work well in some testing I was doing last night. Plus, the meterpreter payload saw some major updates. If you want to know more about what's gone into the update, take a look at the video of HD Moore's talk at Source Boston 2010 where he talks about the enhancements and the people working hard behind the scenes.

I've been a longtime user of the Metasploit Framework and jumped on the chance to test the Metasploit Express beta when it was announced. Having tested it for a couple of weeks, I've found it to be quite usable with a simple workflow to follow from identifying hosts to exploiting them and gathering "evidence." It definitely makes the power of Metasploit more accessible to those penetration testers just getting started or who have been intimidated by the myriad of exploits, payloads, and auxiliary modules.

While the workflow definitely adds something that was missing, I feel a little constrained within the graphical interface. It's lacking in the raw power and customization that a penetration tester is exploit to when working with msfconsole in Metasploit Framework. This is something that's been echoed on the express-users mailing list and some online reviews.

On the other hand, it works. I used Express to bruteforce the password on one of my routers, exploit several vulnerable virtual Windows and Linux systems, collect system information, and "clean up" the traces of the exploitation. If I don't like the nmap scanning options, I can just import the results of my own scan or even the results from a Nessus vulnerability scan. But if I could just drop down to a msfconsole interface within Express...

If you're in the market for a penetration testing tool or would like to experience the power of Metasploit with a easy-to-use graphical (Web) interface, then Metasploit Express is pretty slick, works well, and has an awesome development team behind it.

And for testing purposes, if you don't have any vulnerable systems lying around, then HD and crew just released Metasploitable, a vulnerable virtual machine running Ubuntu 8.04 server. Just don't expose it to the Internet once you've got it up and running.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/22/2020
How an Industry Consortium Can Reinvent Security Solution Testing
Henry Harrison, Co-founder & Chief Technology Officer, Garrison,  5/21/2020
Is Zero Trust the Best Answer to the COVID-19 Lockdown?
Dan Blum, Cybersecurity & Risk Management Strategist,  5/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13485
PUBLISHED: 2020-05-25
The Knock Knock plugin before 1.2.8 for Craft CMS allows IP Whitelist bypass via an X-Forwarded-For HTTP header.
CVE-2020-13486
PUBLISHED: 2020-05-25
The Knock Knock plugin before 1.2.8 for Craft CMS allows malicious redirection.
CVE-2020-13482
PUBLISHED: 2020-05-25
EM-HTTP-Request 1.1.5 uses the library eventmachine in an insecure way that allows an attacker to perform a man-in-the-middle attack against users of the library. The hostname in a TLS server certificate is not verified.
CVE-2020-13458
PUBLISHED: 2020-05-25
An issue was discovered in the Image Resizer plugin before 2.0.9 for Craft CMS. There are CSRF issues with the log-clear controller action.
CVE-2020-13459
PUBLISHED: 2020-05-25
An issue was discovered in the Image Resizer plugin before 2.0.9 for Craft CMS. There is stored XSS in the Bulk Resize action.