RealTime IT News

Metasploit 3.1 Takes Aim at Windows

Windows security researchers now don't necessarily need to move to Linux to take full advantage of Metasploit 3.1.

Metasploit, a framework for developing, testing, and using exploit code, received its first major update since version 3 debuted in March 2007. (Allegedly, Metasploit has also been used in the past to help expedite Windows zero-day vulnerabilities.)

The new version promises numerous improvements, including hundreds of remote exploits for various platforms and technologies -- including the iPhone. Metasploit 3.1 also provides full support for Windows with a complete graphical user interface.

"It may seem silly, but getting the Windows version of Metasploit to be usable was my biggest challenge," Metasploit project founder H D Moore told InternetNews.com. "I come from a Unix background and have used Linux as a desktop almost exclusively since 1997."

That's not to say that Metasploit didn't work in some form on Windows. Metasploit 3 offered Windows downloads, though it relied on a browser-based graphical user interface (GUI), as opposed to a full desktop client.

"The browser interface is nice, but it lacks the responsiveness and flexibility of a real GUI," Moore said. "The new GUI not only provides a point-and-click interface for exploitation, it also exposes a console interface that is on par with the one most Unix users are familiar with. There are a number of features that are console-only -- exploit automation, plug-ins, etc. -- and this release finally brings users of the Windows platform the full capabilities of the framework."

Already, the new version is seeing considerable traction among the security researcher community. Moore said that in the first four days of release, more than 10,000 unique IP addresses have downloaded version 3.1 of the Metasploit Framework.

Of these, about 6,500 downloaded the Windows installer, and about 3,000 downloaded the Unix version. The remainder downloaded both.

In addition to fuller Windows support, Metasploit 3.1 also benefits from a wide community involvement in the effort to develop new exploit modules. The shift in version 3 to the Ruby development language proved a reason for growing contributions.

"In the 2.x versions of the framework, the core development team was responsible for nearly 80 percent of all exploit modules," Moore said. "Since 3.0 has been released, this number is down to 50 percent. The number of regular contributors has jumped and many folks find the new API to be much more accessible -- at least, once they get used to Ruby."

Metasploit 3.1 marks the second version of Metasploit to be released under the Metasploit Framework License, which is not yet an officially sanctioned open source license listed or certified by the Open Source Initiative (OSI). Versions prior to Metasploit 3 had been made available under the GPL.

The fact that Metasploit is not totally available under a bona fide open source license isn't a barrier to adoption, according to Moore.

"At the end of the day, what people care about is whether it works and how much it costs," Moore said. "We have licensed large portions of the framework under true open source licenses and allow third-party developers to distribute their add-ons for the framework."

The great thing about our current license is that it doesn't prevent us from changing the license in the future," he added. "We still have the option to release the entire framework under an open source software license if, and when, it makes sense. "