Exploits for all - final version of Metasploit 3.0 released
After a number of beta versions, the final version 3.0 of the Metasploit exploit framework has now been released. Administrators can use it to develop tools for testing security vulnerabilities, for example to check whether installation of an update on their internal servers and clients has been successful. Many security specialists also use Metasploit for analysing bugs and determining whether they can be exploited to inject code onto a system.
Metasploit, developed by H.D. Moore, provides tools, libraries and pre-fabricated modules that make creating an exploit almost as simple as assembling it from a series of building blocks. Version 3.0 includes 177 finished exploits, which can be combined with 104 types of payload (shells and the like). In addition, the framework includes various programs for automatically searching for bugs using fuzzing. The WLAN fuzzing tool Lorcon is also now an integral component of Metasploit. The new version has been completely reworked and is now based on the scripting language Ruby instead of Perl.
Metasploit is available to download as a 6 Mbyte package for Linux, BSD and Mac OS X or as a 10 Mbyte installer for Windows 2000, XP, 2003 and Vista. The background article "Exploits for All" on heise Security talks you through the first steps with Metasploit.
However, recent amendments to information security legislation, which include the criminalisation of the manufacture, provision, distribution or procurement of hacker tools, will make the use of tools such as Metasploit problematic. It could even become unlawful to perform internal tests to check the security of your system or to check whether vendor patches really fix vulnerabilities as promised.
- Taking an axe to bugs, background article on heise Security