For the past couple of years I've been a big fan of Metasploit. I believe it's one of the best
security testing tools around and an essential tool for any serious Windows security tester. And it just got better. H.D. Moore and the Metasploit team recently released the 3.0 version of this product. They re-wrote 100,000-plus lines of code in the Ruby scripting language and the result is a feature-rich tool that is a lot more powerful, yet easier to use, than its predecessor.
In addition to faster loads and better module organization that everyone can benefit from, security testing-related enhancements to Metasploit version 3.0 include:
- Interactive scripting capabilities via the Meterpreter and a client API that allows for direct memory reads/writes from/to exploited systems
- Routing capabilities that allow the relaying of attacks through compromised systems
- Ability to import Nessus and Nmap output files for cross-referencing host vulnerabilities supported on target systems. This is a major time saver, especially on larger networks! If you want to use a vulnerability scanner other than Nessus, the Metasploit Framework Web site and Web Console have good search capabilities and a list of current exploits.
- Large list of Windows-centric exploits including Wi-Fi driver exploitation capabilities
Enhanced extensions that support exploitation tricks such as file and process manipulation, port forwarding, command execution, Windows password hash dumps and covering your tracks
- IDS/IPS evasion options that alter the way exploits are carried out
- Multiple concurrent host exploitation via Ruby's built-in process threading
Metasploit currently has 176 exploits, 104 payloads and even some handy auxiliary modules for DoS testing, host discovery and more. It's also worth noting that this security testing tool now comes pre-packaged with the netcat, Putty and VNC tools for easy access if you need them during your security testing. The application installs quickly and easily in Windows using its Web interface by default as shown in Figure 1.
Figure 1: Metasploit's Web Console provides easy access to what you need for security testing.
There's also a GUI application (msfgui) in development that takes Metasploit to the next level.
The best way to upgrade your skill set and increase your security testing knowledge is to learn from others and get your hands dirty with experience. Learning about Metasploit is no different. It doesn't have a one-hour learning curve, but thankfully there are a growing number of resources you can turn to in order to enhance your Windows security testing.
For starters, check out the Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research (Syngress). I had the privilege and pleasure of contributing to this book as a technical editor and can vouch for its solid content. Also, be sure to refer to my two previous tips on Metasploit as a penetration testing tool and using Metasploit for real-world security testing. The version may have changed but most of my outline about Metasploit's usage still applies. Finally, if you want to stay abreast of daily happenings within the Metasploit community, I recommend you subscribe to the Metasploit mailing list.
Metasploit 3.0 is a whole new beast. Although the new version is much more comprehensive and complex, it's still relatively easy to use. The price is right too -- it's a free download. If you perform security testing and, like me, long to obtain remote control of the systems you're testing, get the latest version of Metasploit and give it a whirl. It won't be able to exploit every vulnerability you find -- no tool or reasonable amount of manual testing will. But it does a lot. A couple of commercial alternatives may allow you to dig in deeper if you can justify the cost. I tend to recommend commercial security tools over their freeware and open source counterparts, but this version of Metasploit debunks the adage "you get what you pay for." Beyond the shadow of a doubt, it will raise your Windows security testing capabilities and results a few notches.
About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has nearly two decades of experience in IT and specializes in performing information security assessments regarding compliance and risk management. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels information security audio programs providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com.
