Metasploit is a relatively simple (though occasionally frustrating) penetration-testing tool and a good "free" alternative to the commercial competition. But when Rapid7 acquired Metasploit, I was skeptical on how things would turn out. You know the drill: Acquisitions often end up running a good thing into the ground. However, things are looking pretty good a year later. Rapid7 now has a commercial version of Metasploit dubbed Metasploit Express that promises to accelerate and automate penetration testing.
During installation, you'll be notified how the application is not compatible with common antivirus and firewall applications. True. That alone can help save you hours of headache. However, given the security implications of forgetting that anti-malware and personal firewall software are disabled, you should run Metasploit on a dedicated -- ideally sandboxed -- test machine in the event something goes awry.
Once you have Metasploit Express running, you'll begin to see the value of the commercial security testing tools. Penetration testing is literally point and click. In typical ethical hacking fashion, the Metasploit Express workflow takes you through the following steps:
- Discovering hosts and services on your network (via the Discovery process, the NeXpose plug-in or by importing from other scanners such as Nessus and QualysGuard)
- Exploiting the vulnerabilities
- Collecting information from the exploited host(s)
This exploitation phase is where the true value of such a tool becomes evident. As shown in Figure 1, you can literally tell Metasploit Express which hosts or hosts it must test for vulnerabilities to exploit, and it automates the entire process.
Within the graphical user interface (GUI), you can also manually select a module, such as the all-too-common Microsoft MS08-067 vulnerability, and then tweak the settings to your liking and run the exploit the old way.
Once a vulnerability is exploited, you can access the system and "collect evidence" including passwords, Secure Shell keys, and other files. With the traditional version of Metasploit, you could take a screenshot of a remote command prompt, add a user account, etc., but that was the extent of your evidence-collection options. Now you can generate various reports to deliver directly to management or customers or complement your overall security assessment report.
Command-line junkies may not appreciate the value of how the Express version's GUI can take the pain out of security testing. However, ease of use can let additional people use such a tool to prove security vulnerabilities. Anything that helps get the attention of management and demonstrates exploitable flaws on critical production systems -- and thus weaknesses in IT processes such as patching, change management and system hardening -- will serve to improve overall information security in the long term.
There is a downside to such ease of use: Practically anyone, including nontechnical people, can use Metasploit Express. A staffer who isn't familiar with ethical hacking methodology and its potential outcomes could unintentionally crash production systems or create back doors that an attacker could subsequently exploit. This is really a management and network administration issue that can be prevented with the proper technical and operational controls, but it's something to think about nonetheless.
It'll be interesting to see how Rapid7's competition -- Core Security Technologies and Immunity -- respond to Metasploit Express in the coming months. Will there be a price war? Price and perceived value are certainly big factors in information security testing. Will the established tools tout even more features? I'm not convinced that you need a lot of bells and whistles to prove a vulnerability, but some people can benefit from additional innovation. Regardless, one thing's for sure: Another player in the penetration testing tool market is great news for all involved.
ABOUT THE AUTHOR:
Kevin Beaver is an information security consultant, expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic, LLC. In the industry for over two decades and having worked for himself the past eight years, Beaver specializes in performing independent security assessments in support of compliance and managing business risks. He has also authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Beaver can be reached at www.principlelogic.com.
This was first published in June 2010