[Infowarrior] - Metasploit Framework version 3.0 Released
Richard Forno
rforno at infowarrior.org
Wed Mar 28 12:42:29 UTC 2007
March 27th, 2007 -- Metasploit is pleased to announce the immediate,
free availability of the Metasploit Framework version 3.0 from
http://framework.metasploit.com/.
The Metasploit Framework ("Metasploit") is a development platform for
creating security tools and exploits. Version 3.0 contains 177
exploits, 104 payloads, 17 encoders, and 3 nop modules. Additionally,
30 auxiliary modules are included that perform a wide range of tasks,
including host discovery, protocol fuzzing, and denial of service testing.
Metasploit is used by network security professionals to perform
penetration tests, system administrators to verify patch
installations, product vendors to perform regression testing, and
security researchers world-wide. The framework is written in the Ruby
programming language and includes components written in C and
assembler.
Metasploit runs on all modern operating systems, including Linux,
Windows, Mac OS X, and most flavors of BSD. Metasploit has been used
on a wide range of hardware platforms, from massive Unix mainframes to
the tiny Nokia n800 handheld. Users can access Metasploit using the
tab-completing console interface, the command line scripting
interface, or the AJAX-enabled web interface. The Windows version of
Metasploit includes all software dependencies and a selection of useful
networking tools.
The latest version of the Metasploit Framework, as well as screen
shots, video demonstrations, documentation and installation
instructions for many platforms, can be found online at
http://framework.metasploit.com/
Metasploit 3 is a from-scratch rewrite of Metasploit 2 using the Ruby
scripting language. The development process took nearly two years to
complete and resulted in over 100,000 lines of Ruby code. As such,
there are some notable differences between version 2.7 and 3.0:
* The Fs, Sys, Net, and Process extensions in the Metasploit 2.7
Meterpreter have been combined into a single extension that is
automatically loaded in Metasploit 3. The "stdapi" extension can be
used to manipulate files, list and manage processes, migrate the
payload into a new process, edit a file on the server, forward a
port, execute a command, and many other tasks. The "priv" extension
(accessible by the "use priv" command) provides the hashdump command
for dumping password hashes and the timestomp command for erasing
file system timestamps.
* The Meterpreter shell provides an "irb" command that allows
interactive scripting of a compromised system. One of the features of
the Metasploit client API is the ability to read and write the
memory of any accessible process on the exploited system, all from
inside a Ruby shell. When combined with a Meterpreter script (started
with the "run" command from inside Meterpreter), this feature can be
used to backdoor running applications or steal in-memory credentials.
* The Metasploit console provides an "irb" command (on Unix systems
only) that allows direct access to the Ruby internals at runtime.
This can be used to modify the behavior of the framework, interact
with existing connections, and as a development environment for
plugins.
* The Metasploit console interface has a new "route" command that
allows all network connections to a given subnet to be routed through
an existing session. This can be used in conjunction with the
Meterpreter payload to relay attacks through exploited systems.
* Database support is provided via a set of plugins and a standard
command interface. The database can be used to track host information
during a penetration test and launch automated attacks against a
network (db_autopwn). The current release can import both Nessus NBE
files and Nmap XML output files. Data provided by these tools can be
used to cross-reference open ports and vulnerabilities with
Metasploit modules.
* User options have been separated into three types: standard,
advanced, and evasion. Evasion options allow the user to bypass IDS
and IPS systems by specifying how exploit data is generated and
delivered. Evasion options are available for most exploits, with
particular attention paid to the SMB, DCERPC, and HTTP protocols.
* A plugin system allows developers to add their own commands to the
console interface, hook framework events, and extend the framework at
runtime without having to modify the base code. Example plugins have
been included in the "plugins" subdirectory of the framework. Example
plugins include an "auto-tagger", a socket filter, a telnet service,
and a number of database and debugging plugins.
* An event subscription system allows modules and plugins to wait for
specific events and automatically perform different actions. This
feature can be used to hook socket operations, filter data flows,
and automate post-exploitation tasks.
* Metasploit modules can import methods and behaviors from a huge
library of Ruby Mixins. This release includes support for protocols
such as SMB, DCERPC, FTP, IMAP, NDMP, SMTP, and SUNRPC. Mixins are
also provided for developing brute force exploits, creating
egghunters, injecting user-land payloads from the Windows kernel,
exploiting SEH overwrites, sniffing network traffic, and injecting
raw WiFi frames.
* Metasploit modules are now organized in a directory structure
instead of a single flat directory. A caching system provides faster
loading times. The result is a scalable system that can manage
hundreds of different modules at a time (over 300 alone in this
release).
* The web interface (msfweb) is a Ruby on Rails application that uses
the Prototype JavaScript Framework to provide in-browser windowing
support. Asynchronous JavaScript is used to provide as-you-type
search results for any module type and provide tab completion for the
web console interface.
* Thanks to Ruby's in-process threading support, it is possible to
share a single Metasploit instance with other users, exploit multiple
hosts at the same time, and run persistent background services, while
only consuming the system resources of a single process. The msfd
plugin adds a telnet interface to an existing Metasploit instance.
* The new Auxiliary module type allows the development of almost any
form of security or attack tool. Auxiliary modules have complete
access to the Metasploit attack and protocol libraries and can be
used to quickly develop research tools and proof-of-concepts.
* Subversion is now used for online updates and version control. This
allows users to easily switch between the development and stable
version of the framework and obtain online updates using any
transport supported by Subversion.
* This release includes three exploit modules that exploit WiFi
driver vulnerabilities in the Windows kernel. Combined with the kernel
user-land payload stager, this allows any Metasploit payload to be
used with ring-0 exploits on the Windows platform. A handful of
auxiliary modules are included that trigger denial of service
conditions in WiFi drivers across a variety of platforms.
* Metasploit is now released under the Metasploit Framework License.
This license allows anyone to use the framework for almost anything,
but prevents commercial abuse and outright code theft. The Metasploit
Framework License helps keep the platform stable and still allows
module developers to choose their own licensing terms for their code
(commercial or open source). For more information, please see the
license document included in the distribution.
* The Rex library, which provides most of the utility methods and
protocol support for the framework, has been released under the
3-clause BSD license. Ruby developers can use this code to build open
source or commercial applications that are not subject to the
restrictions of the Metasploit Framework License.
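The database bullet above describes importing Nessus NBE and Nmap XML output and cross-referencing open ports with modules, which is the port-based matching db_autopwn performs. The Ruby below is an added example written for this page, not code from the announcement or from the framework: it parses constructed Nmap XML and NBE samples (not real scan output) into host/port records with the standard-library REXML parser and matches them against a hypothetical module-to-port table. The module names and port assignments in that table are assumptions for illustration, not read from Metasploit's module registry.

```ruby
require 'rexml/document'

# One record per open service, the kind of host information the Metasploit 3
# database plugins track during a test.
Service = Struct.new(:host, :port, :proto, :name, :state)

# Constructed sample Nmap XML output (not real scan data), trimmed to the
# elements the importer reads.
NMAP_XML = <<~XML
  <nmaprun scanner="nmap" version="4.20">
    <host>
      <status state="up"/>
      <address addr="192.0.2.10" addrtype="ipv4"/>
      <ports>
        <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
        <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
        <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
      </ports>
    </host>
    <host>
      <status state="up"/>
      <address addr="192.0.2.20" addrtype="ipv4"/>
      <ports>
        <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
        <port protocol="tcp" portid="25"><state state="open"/><service name="smtp"/></port>
      </ports>
    </host>
  </nmaprun>
XML

# Constructed sample Nessus NBE output (not real scan data). "results" lines are
# pipe-delimited: results|<subnet>|<host>|<service (port/proto)>|<plugin id>|<severity>|<data>
NESSUS_NBE = <<~NBE
  timestamps||192.0.2.30|host_start|Tue Mar 27 10:00:00 2007|
  results|192.0.2|192.0.2.30|epmap (135/tcp)|10736|Security Note|DCE/RPC endpoint mapper is listening on this port.
  results|192.0.2|192.0.2.30|general/tcp|10180|Security Note|Host is up.
  results|192.0.2|192.0.2.10|microsoft-ds (445/tcp)|11011|Security Note|An SMB server is running on this port.
  timestamps||192.0.2.30|host_end|Tue Mar 27 10:05:00 2007|
NBE

# Hypothetical module-to-port table standing in for the default RPORT each
# module declares. Names and ports here are assumptions for illustration.
MODULE_PORTS = {
  'exploit/windows/smb/ms06_040_netapi'     => [139, 445],
  'exploit/windows/dcerpc/ms03_026_dcom'    => [135],
  'exploit/unix/ftp/example_ftpd_overflow'  => [21],
  'exploit/unix/smtp/example_mta_overflow'  => [25],
}.freeze

# Parse Nmap XML into Service records; keeps only hosts that are up and
# ports whose state is "open".
def import_nmap_xml(xml)
  doc = REXML::Document.new(xml)
  services = []
  doc.elements.each('nmaprun/host') do |host|
    next unless host.elements['status']&.attributes['state'] == 'up'
    addr = host.elements["address[@addrtype='ipv4']"]&.attributes['addr']
    next if addr.nil?
    host.elements.each('ports/port') do |port|
      next unless port.elements['state']&.attributes['state'] == 'open'
      services << Service.new(addr, port.attributes['portid'].to_i,
                              port.attributes['protocol'],
                              port.elements['service']&.attributes['name'], 'open')
    end
  end
  services
end

# Parse Nessus NBE; only "results" lines whose service field carries a
# "<port>/<proto>" are turned into records (e.g. "general/tcp" has no port).
def import_nessus_nbe(nbe)
  services = []
  nbe.each_line do |line|
    fields = line.chomp.split('|')
    next unless fields[0] == 'results' && fields.length >= 4
    host, svc = fields[2], fields[3]
    m = svc.match(%r{(\d+)/(tcp|udp)}) or next
    name = svc.include?('(') ? svc.split(' ').first : nil
    services << Service.new(host, m[1].to_i, m[2], name, 'open')
  end
  services.uniq
end

# Match every open TCP service against modules whose target port it is, the
# port-based selection db_autopwn -p makes. Returns { "host:port" => [modules] }
# with a module listed once per target even if the service was imported twice.
def crossref_by_port(services, table = MODULE_PORTS)
  matches = Hash.new { |h, k| h[k] = [] }
  services.each do |svc|
    next unless svc.proto == 'tcp'
    table.each do |mod, ports|
      key = "#{svc.host}:#{svc.port}"
      matches[key] << mod if ports.include?(svc.port) && !matches[key].include?(mod)
    end
  end
  matches.sort.to_h
end

if __FILE__ == $0
  services = import_nmap_xml(NMAP_XML) + import_nessus_nbe(NESSUS_NBE)
  crossref_by_port(services).each { |target, mods| puts "#{target}: #{mods.join(', ')}" }
end
```

Port matching is only a first filter: a module whose RPORT is 445 says nothing about whether the host runs the vulnerable version, which is why the announcement pairs the Nessus import with it, so that vulnerability plugin output can narrow the candidate list before anything is launched.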
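The evasion-options bullet above says evasion options control how exploit data is generated and delivered, with particular attention to HTTP. The Ruby below is an added example for this page, not the framework's own evasion code: it builds an HTTP request for a constructed target path under a few assumed evasion knobs (percent-encoding of the request path, "/./" self-reference segments, request-line padding, junk headers and header folding; the option names are illustrative, not Metasploit's), then shows that a naive raw-bytes signature misses the evaded request while the same signature applied after canonicalising the request-target still fires.

```ruby
# Assumed evasion knobs for this example (names illustrative, not the framework's):
#   :uri_encode         - :none, :hex_normal (encode only non-unreserved bytes), :hex_all (encode every byte)
#   :dir_self_reference - join path segments with "/./" instead of "/"
#   :pad_method_uri     - extra spaces between the method and the request-target
#   :junk_headers       - number of random X- headers placed before the real ones
#   :header_folding     - put each header value on an obs-fold continuation line

# Percent-encode one path segment according to the requested mode.
def encode_segment(seg, mode)
  case mode
  when :none       then seg
  when :hex_normal then seg.gsub(/[^A-Za-z0-9\-._~]/) { |c| format('%%%02X', c.ord) }
  when :hex_all    then seg.each_byte.map { |b| format('%%%02X', b) }.join
  else raise ArgumentError, "unknown uri_encode mode #{mode.inspect}"
  end
end

# Apply the path-level evasions to an absolute path (no query string).
def evade_path(path, mode: :none, self_ref: false)
  segs = path.split('/', -1).map { |s| encode_segment(s, mode) }
  self_ref ? segs.join('/./') : segs.join('/')
end

# Build a GET request with the chosen evasions. The seeded RNG keeps the junk
# headers reproducible for the reader; a real tool would randomise them.
def build_request(host, path, opts = {}, rng = Random.new(1))
  o = { uri_encode: :none, dir_self_reference: false, pad_method_uri: 0,
        junk_headers: 0, header_folding: false }.merge(opts)
  uri = evade_path(path, mode: o[:uri_encode], self_ref: o[:dir_self_reference])
  headers = []
  o[:junk_headers].times do
    headers << ["X-#{rng.rand(36**6).to_s(36)}", rng.rand(36**8).to_s(36)]
  end
  headers << ['Host', host] << ['User-Agent', 'Mozilla/4.0'] << ['Connection', 'close']
  lines = headers.map do |name, value|
    o[:header_folding] ? "#{name}:\r\n\t#{value}" : "#{name}: #{value}"
  end
  "GET #{' ' * o[:pad_method_uri]}#{uri} HTTP/1.1\r\n" + lines.join("\r\n") + "\r\n\r\n"
end

# Pull the request-target out of the request line, tolerating padding spaces.
def request_uri(request)
  request.lines.first.split(/ +/)[1]
end

# Canonicalise a request-target the way the target server will before routing:
# percent-decode, then drop "." self-reference segments.
def normalize_path(raw)
  decoded = raw.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
  decoded.split('/', -1).reject { |s| s == '.' }.join('/')
end

# Signature check as a naive string-matching sensor applies it to raw bytes.
def raw_signature_hit?(request, sig)
  request.include?(sig)
end

# The same signature applied after canonicalising the request-target.
def normalized_signature_hit?(request, sig)
  normalize_path(request_uri(request)).include?(sig)
end

if __FILE__ == $0
  sig    = '/cgi-bin/exploit.cgi'   # constructed path standing in for an exploit's target URI
  plain  = build_request('target.example', sig)
  evaded = build_request('target.example', sig, uri_encode: :hex_all, dir_self_reference: true,
                         pad_method_uri: 3, junk_headers: 2, header_folding: true)
  puts evaded
  puts "raw match:        plain=#{raw_signature_hit?(plain, sig)} evaded=#{raw_signature_hit?(evaded, sig)}"
  puts "normalized match: evaded=#{normalized_signature_hit?(evaded, sig)}"
end
```

The practitioner's point is the second half: evasion of this kind defeats pattern matching on raw bytes, and the fix on the detection side is to decode and normalise the request-target before matching, as the target server will. The normaliser here handles only the two path transformations the example applies (percent-decoding and "/./" removal); a sensor also has to unfold headers and decode transfer encodings before it sees what the server sees.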
Enjoy!
- The Metasploit Staff