Metasploit: Is It a Good Thing, or a Bad Thing?
Many years ago I ran the online ‘Security Clinic’ on ITsecurity.com. It offered free advice from a worldwide pool of security experts.
Late one evening I received a telephone call at home. It was the Chief Constable of Strathclyde Police. He was worried that the Clinic was pointing people to L0phtCrack to help recover their forgotten passwords – he thought the advice might benefit hackers. But after a brief discussion, he admitted that his own police force also used L0phtCrack.
This is the problem with dual-use products: in good hands they’re good, and in bad hands they’re bad. Of course we’ve come a long way since L0phtCrack, and dual-use products are in a different league these days. Perhaps top of the tree is the Metasploit Framework: beneficial in good hands and dangerous in bad hands. The question is, does one outweigh the other?
Metasploit is effectively a working collection of exploits, available to anyone. It was born, explains its founder HD Moore, now CSO at Rapid7, out of the security industry’s increasing pressure for what it describes as ‘responsible disclosure’.
“Starting around 1999, information security took a drastic turn towards commercialization,” says Moore. “The security community that had previously been generous with research and exploits started to recede while commercial tools gained traction. At the same time, major software vendors were applying pressure to security researchers to follow oppressive disclosure practices. Criminals that depended on exploits turned to hoarding and the black market for ‘zero-days’ became white hot.”
The result, he continues, had a ‘chilling effect’ on the research community. Zero-days were becoming known to the criminals, but were hidden behind ‘responsible disclosure’ from the defenders – and Metasploit, he said, was developed to help “level the playing field against criminals.”
Moore accepts that there is some danger of misuse. “There will always be a subset of our user base that can be categorized as ‘script kiddies’, but this downside is minor compared to the overall benefit that the Metasploit tools provide.” The argument is simple. If the good guys know about bad things, they can defend against them. If the bad things are unknown, there can be no defense.
But of course we can expect Moore to defend his own baby. Perhaps a better test would be to consider what other researchers working in security think. First, independent researcher and pentester Robin Wood (aka DigiNinja). “It’s a useful toolkit,” he says. “I recently wrote a tool to test MySQL databases. On its own it would have been a lot of code, but using Metasploit it was simple to implement in just a few lines. From a general pen-tester’s point of view it means a good selection of well-tested exploits.”
Some within the industry sit more on the fence. David Emm of Kaspersky Labs says, “On the one hand, it’s being widely used by malware and cybercriminals. However on the other, it can be an extremely useful vulnerability testing tool.”
Others are clearly favorable. “The value of Metasploit as a pentesting tool outweighs the potential for misuse,” suggests Paul Zimski, VP, Solution Marketing at Lumension. “Trying to bury the truth and obfuscate access to known exploits only helps the hackers.”
Andrew Mason of RandomStorm adds, “In my opinion Metasploit is a good thing for security. It provides a great way of testing and proving exploits against vulnerabilities. This gives real strength to arguments that would just be information-based without the ability to prove them. I am sure that this focus is good for the industry as once a Metasploit module is released, it must affect the speed at which a vendor releases a patch for that vulnerability.” This is the same argument as that used by full disclosure proponents: Metasploit/full disclosure ensures rapid fixes from the vendor.
Rik Ferguson, vice-president of security research at Trend Micro, has an unusual take. It is, he suggests, the positive to the criminals’ exploit kit negative. “There are many non-commercial alternatives to Metasploit that accomplish many of the same things – and they are often more targeted and easier to use, such as the Blackhole exploit kit. It may not be as fully featured and uses a subset of exploits but it is designed for use by criminals not by penetration testers; and it is effective and widespread.”
Which brings us full circle to HD Moore’s early comment: Metasploit levels the playing field between the good guys and the bad guys.
So, is Metasploit a good thing or a bad thing for security? Like the question of full disclosure, we’re never going to get full agreement. But does it matter? No, it doesn’t, because it’s here and, like so many other things in life, we had better just get used to it – and we might as well make the most of it.