When it comes to IT security, is the best defense a good offense? That’s the thinking behind the open source Metasploit vulnerability testing framework, which is out with its new 3.3 release this week, sporting new features for researchers to deliver payloads and test wireless, database and browser security.
While Metasploit could potentially be used as a malicious tool, its intent is all about verifying security and keeping vendors honest, according to project leader H D Moore.
“Metasploit is a great way to enforce the ‘trust by verify’ method of IT security management,” Moore told InternetNews.com. “Often folks will install a patch, but forget to reboot the server or otherwise activate the fix. This can lead to machines showing as ‘patched’ in the sense that registry checks will return the correct information, but still being exploitable using a product like the Metasploit Framework.”
Metasploit is an open source testing framework first developed by Moore in 2003. One of its hallmarks since at least the 3.0 release is its ability to evade detection by antivirus and intrusion-prevention systems. Again the focus for Moore isn’t about being malicious, but about making sure that security systems actually work.
“In addition to patch verification, Metasploit does a great job of keeping security vendors honest,” Moore said. “If a vendor claims that their device can stop a new exploit, put it to the test with the framework and determine whether that claim is true.”
With Metasploit 3.3, the framework will push security vendors even further. Among the new capabilities is the ability for the Metasploit exploit payload encoding library to embed Metasploit payloads into arbitrary executables.
Typically, antivirus vendors employ heuristics technology to scan for malware behavior patterns in order to identify bad executables. Moore notes that Metasploit 3.3 has a way of getting around that too.
“We avoid the problem by allowing the user to specify their own executable as the base,” Moore said. “This functions by overwriting a block of existing code in the target executable and then creating a new entry point that jumps to the injected block. This allows penetration testers to use known-safe executables as the vector for delivering Metasploit payloads, since the icon, file size, and versioning information is preserved.”
Moore did note however that the Metasploit arbitrary payload solutions is not perfect and it could be possible for an antivirus security vendor to have a signature for defend against the payload. That said, he added that the new feature raises the bar significantly from prior versions.
Metasploit 3.3 follows the 3.2 release by nearly a year. One of the big features that Metasploit 3.2 introduces is what it calls browser auto-pwn, which provided an automated solution for testing Web browser security. In Metasploit 3.3, Moore noted that three major enhancements have been made.
“The first involves a rework of the entire module, allowing users to dynamically select exploits from the Metasploit module tree automatically,” Moore said. “The fingerprinting capabilities of the module were overhauled to allow accurate browser targeting even when the browser has JavaScript enabled and cloaks its user agent. Finally, a new payload feature has been activated allowing all exploits to share the same backend listener, cutting down on the number of open ports needed on the attacking host.”
Wireless security testing also gets a big boost in Metasploit 3.3 thanks to the inclusion of the Lorcon2 library. Lorcon2 (acronym for Loss Of Radio CONnectivity) into Metasploit. Lorcon is an open source network tool for Wi-Fi injection.
“The addition of the Lorcon2 library is a major change to how wireless attack tools will be developed in the future,” Moore said. “Previously, it was possible to inject Wi-Fi traffic, but we had no easy way to listen for replies and perform meaningful interaction with a wireless device. The Lorcon2 library abstracts the packet capture and injection routines, allowing existing tools, like airpwn and dnspwn, to be ported to Metasploit.”
Metasploit 3.3 also includes improvement to Oracle database vulnerability testing. Moore noted that many of the Oracle features were integrated after security researcher Chris Gates’ Black Hat 2009 presentation on Oracle hacking. He added that the plan is to continue to improve and extend Oracle support going forward.
The Metasploit project itself is also undergoing some changes as it transitions from being a hobby project started by Moore to being a commercially sponsored effort. At the end of October, Metasploit was acquired by security vendor Rapid7. It’s a move that Moore notes will bring benefit to the Metasploit Framework.
“Rapid7 has provided development time, hardware, and project management support for this release,” Moore said. “In terms of how development itself is handled, the only change is that I have help from a full-time development team and assistance from Rapid7 when we required additional resources. Going forward, the development process will be streamlined, and Rapid7’s QA resources will be used to help with the testing process.”