Metasploit is a tool for hackers. This doesn’t make metasploit inherently bad: in fact, it helps organizations defend against millions of attacks per year. What is metasploit? How can it be a force for both good and bad? This debate has been surging throughout the cybersecurity community since Metasploit’s release in 2003.
How Self-Testing Sucks
There are two types of organizations out there: those that have already been breached, and those that don’t yet know. This is where pentesting – otherwise called ethical hacking – can play a major role in security compliance and defense.
Many organizations make the mistake of brushing pentesting off as an unnecessary expense. However, the reality is that many organizations think of themselves as unbreached and protected – it can be especially hard to pentest your own company, thanks to the fact that you’ve a vested interest in keeping it all online.
Sometimes – when presented with uber-outdated legacy systems, or gross misconfigurations, pentesting pros can cause short-lived outages. Other ethical hacking processes can result in minor data loss, as SQL injection could modify or drop data in your database. Though these all sound like major red flags – perhaps even painting pentesting as destructive – it’s far better for these issues to occur at the hands of a trained professional than a profiteering cybercriminal.
This is one reason why regular pentesting is necessary for some compliance regulations. The Payment Card Industry Security Standards Council (PCI DSS) is a collaborative effort from Visa, Mastercard, American Express and others to prevent credit card fraud. Penetration testing is paramount for compliance with PCI DSS because it is the most reliable way at present to identify whether card-processing systems are properly secured or not.
Pentesting is also a legal requirement for all businesses covered by the European Union’s GDPR framework. This places the protection of citizens’ data in the responsibility of the companies handling it. Penetration testing is a crucial part of the GDPR compliance process because it helps organizations serving EU citizens verify and validate the security of their data processing systems. The standard also ensures that these organizations are compliant with the GDPR security guidelines.
Ultimately, you may not be the prospect of third-party ethical hackers fiddling with the backend – but ignorance is far worse (and costlier!) than biting the bullet and facing security issues head-on.
The Fine Line Between Ethical And Criminal
Pentesting is such a powerful tool, helping prevent vulnerabilities from snowballing into attacks. They lend organizations the education and power to take back their networks from malicious attackers. In 2009, the attitude toward pentesters was far different to today’s. Getting set up as a pentester had a huge barrier to entry, both technically and culturally. They had to code their own platforms. Organizations viewed them with mistrust; as individuals harmful to brand image.
It was in this climate that HD Moore developed a free-to-use, open source comprehensive toolbox for penetration testers: Metasploit. This covers three main fields of pentesting: network, web application and wireless network tests.
Network pentesting scans any external-facing networks, testing and prodding prime exploit targets as they go. APIs have already shown themselves as major exploit points, as misconfigured ones have historically created major issues for SQL injection. A pentester will attempt to exploit these vulnerabilities, running a script that asks their own server for a test payload.
Web applications usually turn up the most issues in pentesting: there’s a reason web apps are the initial targets in 86% of data breaches. From there, Metasploit users can begin escalating privileges and crafting backdoors.
Metasploit enables the full breadth of unauthorized access, containing libraries of malware and injection techniques; collating payloads, encoders and more. The final step of a successful penetration test is publishing the vulnerability and reporting it to the guilty organization.
This may sound like an incredibly useful piece of kit. However, Metasploit is an open source tool: anyone can download it, and start wielding its malware libraries for their own gain.
The Power of Ctrl+C, Ctrl+V
In August 2022, a Java zero-day exploit was found; this affected millions of web browser users, including Internet Explorer, Mozilla, Firefox, Safari on Windows, Linux, and Mac OS X systems. Notably – before Oracle released a patch for the flaw – the exploit code was found in the Metasploit framework.
Unsurprisingly, there’s no interview process for cybercriminals. There is no need to be good at coding when the malicious software supply chain mimics the legitimate one. Malware as a Service allows for one sufficiently skilled cybercriminal to assemble a malicious python script then distribute it (for a fee, of course). Metasploit dramatically streamlines this process, making it easier for unskilled attackers to exploit complex systems.
There is an argument that this actually helps the wider security landscape – by enforcing a sort of immune response to the most common, replicable attacks. However, this means you need to be prepared.
Patching vulnerabilities manually is no easy task. Two solutions are key to a strong enough defense from Metasploit attacks: Web Application Firewalls (WAFs) at the perimeter and Runtime Application Self-Protection (RASP) guarding the web apps themselves.
WAFs defend apps and their associated APIs by monitoring web traffic, filtering HTTPS requests through a list of rules. These policies are customizable, adaptable to the unique needs of your web application. WAFs can prevent injection attacks, cross site scripting and a myriad of the more basic, common copy-and-paste exploits.
RASPs are a development of web app security; they sit inside the app itself, monitoring its behaviors and permissions. They protect this runtime environment by automatically blocking malicious inputs – even if there’s no previously-established attack pattern. This makes RASPs a more thorough security solution than WAFs, as WAFs cannot function in the same contextual manner.
When a threat is detected, a RASP can prevent exploitation and is capable of taking further actions: including terminating a malicious session, shutting the application down, alerting security personnel and sending a warning to the attacker.
Both WAFs and RASPs – utilized together – gives your business the defense necessary to ward off the hordes of Metasploit script kiddies.