3:40 PM -- The Metasploit Project has released version 3.1 of its popular attack and exploit development framework. The new version of Metasploit includes over 450 modules -- 265 of which are remote exploits, some targeted at the iPhone and wireless drivers -- as well as a full GUI for users of Windows. There are too many features and too much advanced functionality under the hood to cover each in detail, but I think the new Windows GUI is especially significant because it will likely cause a jump in usage of the tool. (See Metasploit Adds iPhone Hacking Tools.)
Why is the GUI so important? The same reason that malware authors target Windows and not Linux and Macs: market share. There are more desktops and laptops running Windows than any other OS, and from what I've seen amongst the techies and security professionals I've met, the majority of them are also running Windows.
The Metasploit Framework blog says that network security professionals use it for penetration testing, and that system administrators can verify patches with Metasploit. But another important use for Metasploit that it doesn't mention is demonstrating attacks to IT professionals and management.
It's always fun to give a presentation on the stages of an attack accompanied by a demonstration of how easy it is to compromise an unpatched system using free tools like the Metasploit Framework. That demonstrates not only the importance of staying fully patched, but also how easily the tool can be used for evil.
The most common response I get (in addition to looks of awe) is: "And that's free?!" It amazes people that powerful tools such as the Metasploit Framework are freely downloadable. The new Windows package includes everything needed to be up and running in minutes.
If you or members of your staff have never tested the Metasploit Framework, download it and take it for a spin. It can be an invaluable tool for your job. And if you're an IT security professional looking for support from management, you might just find that a demonstration of its ease of use could open some eyes about security risks -- and even some wallets.
John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other.
Special to Dark Reading