After a year and a half of development, the latest version of the popular hacking tool Metasploit went live today. Among the hot new features: a friendly Web interface, WiFi exploits, and the ability to launch multiple exploits simultaneously on a network.
The new Metasploit 3.0 Framework was gathering steam early this morning, with Metasploit's download server pushing 32 Mbit/s of traffic within hours of its release. A beta of the updated version of the tool was first demonstrated at Black Hat USA in July, but Metasploit's developers have since added a few more goodies to the tool. (See Metasploit Issues New Beta and Metasploit 3.0 Makes Splash at Black Hat.)
HD Moore, founder of Metaspolit and one of the two lead developers of 3.0, says the multi-exploit feature -- where you can launch a denial-of-service attack, a remote-code execution attack, plus any other attack all at once -- is huge. "It opened the door for automation, network services, and mass exploitation," he says. "The value comes when you can launch every single exploit against the entire network at the same time and see what falls out."
Among the new features for Metasploit 3.0 that weren't originally shown in the beta are three exploit modules that target WiFi driver vulnerabilities in the Windows kernel. The framework comes with APIs, 177 exploits, as well as modules that handle host discovery, protocol fuzzing, and denial-of-service testing. It's aimed at researchers, network security pros for penetration testing, system administrators for verifying patch installations, and at vendors testing the security of their products. Metasploit runs across all the main operating systems and works with Unix mainframes and Nokia n800 handheld devices as well.
One feature in the new version lets you manipulate the memory of process that's running in an exploited system, and another lets you relay attacks through the compromised machine, notes Moore. "From a penetration testing perspective, the most useful features are the combination of the new Meterpreter payload and the ability to relay connections through compromised systems."
David Maynor, CTO of Errata Security, who uses Metasploit and has done high-profile research in the WiFi space, says the new 3.0 features include WiFi-based attacks that none of the commercial penetration tools have. The new Web interface, which replaces the old command-line one, makes pen testing much easier, too, he says. "It means you can use a Web browser and have all the same functionality of sitting at a Linux machine," he says. "For someone who does remote pen-tests, that type of functionality is a godsend."
Metasploit's Moore says he hopes the Web interface will help Metasploit appeal to users with less security experience. "It's not so much dumbing it down as making it less intimidating. The user still needs to know what targets, payloads, and options to use for any exploit," he says. "But they can avoid the scary black command shell until the very end."
Commercial pen testing tools like Core Security's Impact and Immunity's Canvas and Silica, meanwhile, have been catching on while Metasploit underwent its facelift. But Moore says the improved Metasploit is still aimed at a different market. "[Metasploit 3.0] is somewhere between Impact and Canvas in terms of the features, but it really isn't really designed to compete with those products." It's more a development environment and research tool than a product you can download and run, he says, like the commercial tools are.
Errata Security's Maynor says the other differentiator is, of course, support: "Support is the only area Metasploit is lacking in. There is no one you can call and make something work or figure out what happened to something," he says. "You are all by yourself."
Another big change for Metasploit is its licensing arrangement, which prevents anyone from selling the freebie Metasploit framework or using the code in their own products and taking credit for it, which occurred with the previous Metasploit version, according to Moore. But the license does allow you to sell modules and plugins for Metasploit. "But they can't distribute their changes inside of our code," he says. "The idea is that we control the platform and they can sell extensions to it."
Kelly Jackson Higgins, Senior Editor, Dark Reading