Metasploit Framework

Walking The Thin Line Between A Tool And A Weapon

Woman working in an office
Tetra Images/Getty Images

The Metasploit Project is ostensibly a group formed to "provide useful information to people who perform penetration testing, IDS signature development, and exploit research."

Their latest release, the Metasploit Framework version 2.0, claims to be "an advanced open-source platform for developing, testing, and using exploit code."

While it is true that the tools and functionality built in to the Metasploit Framework might prove valuable for a security auditor or penetration tester to use in verifying the security of a system or network, it is probably as true or more so that script-kiddies and other wannabe hackers or developers of malicious code might put this tool to use as an express lane or fast track to help them create exploits and malware.

I don't really know enough about the Metasploit Project or the developers who have worked on this utility to say whether their motives were pure. It seems that often the line between providing network security and breaking network security is a thin one and it doesn't take much for some otherwise rational people to accuse security researchers or administrators of less than honorable intentions. Some presume that anyone in network security is also a hacker on the side and many question the true intent of tools which double as powerful weapons for script-kiddies.

Even if we assume that their goal truly is to provide useful information and tools to help further the cause of development and security research, it doesn't change the fact that the tool is available for all to download and there is no way to predict or control what the end user will do with it.

The Metasploit Project says that their Metasploit Framework can be compared with expensive commercial products such as Immunity's CANVASĀ or Core Security Technology's Core Impact. These tools also provide the same or similar functionality. One of the main reasons that they have not come under the scrutiny that the Metasploit Framework has is the pricetag. Since few can afford these packages they pose little risk, but if you take that same power and distribute it freely there is a greater concern that the wrong people will use it for the wrong reasons.

The Metasploit Framework seems to be a powerful tool. I downloaded a copy myself to play with- on my own network against my lab computers. I think that for security administrators it may prove valuable in the battle to ensure your computer and network security and make sure you are protected. But, I think we may also start to see new exploits and malware hitting the streets once the script-kiddies start playing with this tool and learning just how powerful it can be as a weapon.