Metasploit 3.2 is now out – but don’t be afraid of it – be aware of it.
Metasploit is an open source ‘toolkit’ for attack code that lets researchers test out vulnerabilities. Back in October, Metasploit founder H D Moore was in Toronto talking about the release and describing some of the ‘evil deeds’ that the new release would bring. One of the key things is that Metasploit is now available (again) under a bona fide open source license, BSD.
On the attack side of Metasploit 3.2, the stuff that interests me the most is the new browser auto-pwn module.
“Metasploit contains dozens of exploit modules for web browsers and third-party plugins,” the release notes state. “The new browser_autopwn module ties many of these together with advanced fingerprinting techniques to deliver more shells than most pen-testers know what to do with.”
Metasploit has also been improved with new JavaScript obfuscation techniques that could lead to a greater degree of anti-virus bypass for client-side exploits.
There are many exploits and vulnerabilities reported in any given week, and to be honest it’s sometimes difficult to know what is serious and what isn’t. With Metasploit it gets easier to figure it all out. In my simplistic point of view, if a vulnerability can be ‘weaponized’ into something that Metasploit can exploit, then it’s something that we should take note of. In my opinion, Metasploit makes security better by helping to show where it is weak.
So if you’re a security person, this is a tool for you too, to help you to harden your own applications and infrastructure. The code is all open source too which makes the whole thing a tremendous learning resource.