Metasploit has become a go-to platform for penetration testing and signature development, so much so that disclosure of new software vulnerabilities often are accompanied by a Metasploit exploit module.
The Metasploit Project is a computer security project that developed and maintains the Metasploit Framework for creating and executing exploit code. Available as a free open-source tool and in more sophisticated commercial products from Rapid7, it contains libraries of vulnerabilities and modules to exploit them. The framework lets developers and researchers build exploits to test for holes in IT systems, and its modularity allows the combination of different exploits and payloads.
Ostensibly a tool for penetration testing by good guys, Metasploit can be used for either good or evil. But its purpose is to democratize IT security, said HD Moore, who created Metasploit in 2003.
“It started out as more of a political thing than anything else,” Moore said. At a time when only black hats had access to exploits and attack tools, white hat developers, researchers and security professionals were operating at a disadvantage. “The main goal was to put them all on the same footing.”
Originally written in Perl script and first released in late 2003, Metasploit since has been rewritten in Ruby. It now is in version 4.0 and contains about 900 exploit modules for Windows, Unix, Linux and Mac OS operating systems, Moore said.
It also contains several hundred modules for fuzzing, which can discover previously unknown or unsuspected vulnerabilities in a target. A user selects a target machine, selects exploit modules to test for a vulnerability or vulnerabilities, selects the payloads for the exploits and launches it at the target. If the vulnerability is there, the exploit should get through to deliver its payload.
ShareNOV
2012