They are part of an escalating arms race in cyberspace, where millions of attacks and intrusions occur every day. By prepackaging the myriad computer commands that penetrate and exploit target networks, hackers have dramatically eased the process.
Security researchers and consultants, including Linn, use such hacking tools to identify vulnerabilities and help organizations patch them. Bad-guy hackers, known as black hats, and cyberwarriors use similar illicit kits to spy on, steal from and wreak havoc in corporate and government computers.
Metasploit and many other hacker tool kits are available free to anyone who has an Internet connection.
Linn acknowledges the irony. But he likened Metasploit and other tool kits to a “Swiss army knife” and said the positive features “far outweigh the negatives.”
“Metasploit is a tool designed for researchers and security professionals, but just like many tools there are uses for it that are illegal,” said Linn, a security consultant at Trustwave’s SpiderLabs. “We don’t outlaw screwdrivers and hammers because someone might use them for murder, though. We prosecute those people who use them illegally.”
A researcher named H.D. Moore began working on Metasploit in 2002. Moore, now 31, is the chief security officer with Rapid7, a security firm that sells a commercial version of Metasploit and helps offset the cost of maintaining the free system. A computer researcher and hacker based in Austin, Moore wanted to simplify the development of computer hacks known as exploits. To keep pace with growing numbers of criminal cyberattacks, he wanted to make security hacking, or “penetration testing,” more systematic.
Metasploit works by creating ready-made packages of computer code, known as “modules,” that can be downloaded from metasploit.com. Once they are launched, the tools can find network vulnerabilities and take control of the systems.
Metasploit also serves as something of a global clearinghouse of hacker knowledge, tools and practices. Because it is an “open source” system, it relies on contributions from experienced hackers. Its popularity has soared during the past several years. Starting with 11 exploits in 2003, Metasploit now has close to 1,000.
About 300 people in at least 20 countries have donated exploits so far. The contributors also collaboratively review the offerings to be sure they work effectively. Moore estimated that about 1 million people downloaded the free version during the past year, with about 5 million since its inception. It appears that about 200,000 penetration testers, including the U.S. military’s cyberwarriors, use it regularly, he said.
No one knows how many bad guys employ Metasploit and similar tools. Fears about that potential have been raised in Germany and elsewhere. But Moore said black-hat hackers typically rely on other tool kits that are less focused on research and more focused on swift, illegal break-ins.
Moore said the fact that criminals, spies and others with ill intent can access Metasploit is a necessary trade-off. To keep Metasploit up to date, hackers have to be able to contribute details about the newest vulnerabilities and attack methods.
An organization that keeps track of known vulnerabilities said it has documented more than 53,000, a number that rises every day.
“All we’re trying to do is put everyone on a level playing field,” Moore said.
‘A taste of things to come’
When Metasploit emerged, even veteran hackers marveled at its design and simplicity. A 2004 presentation about it at Black Hat Las Vegas, the annual hacker conference, was titled “Hacking Like in the Movies,” according to a 290-page online book called “Metasploit Toolkit” by David Maynor and several other security researchers.
“The hall was packed to the gills. People stood in the aisles, and the crowd was spilling over to the main corridor,” the authors wrote. “Applause flowed freely throughout the session, and the consensus was clear, ‘Metasploit had come of age.’ But we should have known better. That was only a taste of things to come.”
The extraordinary thing about Metasploit is the digital architecture that streamlined what had been a laborious process of exploit development. That process invariably involved several steps for anyone, good or bad: the discovery of a software vulnerability; the analysis of the code to see whether the vulnerability could be exploited; the writing of the exploit itself, including the commands that tell a target system to open up to an intruder; and testing to ensure the exploit worked.
With Metasploit, all those steps are already done and packaged together with still other features, including tailor-made “payloads” that take effect and hand over control of a system after a hacker gets in.
Other systems have been created to ride on top of Metasploit and make it even easier to use. One called Armitage was created by Raphael Mudge, who was recently hired under contract by the Defense Advanced Research Projects Agency to develop new cybertools.
“Armitage recommends exploits and will optionally run active checks to tell you which exploits will work,” Mudge said in an Armitage tutorial. “If these options fail, use the Hail Mary attack to unleash Armitage’s smart automatic exploitation against your targets.”
In some cases, Moore said, researchers use the Metasploit framework to apply pressure on software vendors to improve the security of their products. If the vendors neglect to fix a known bug, the researchers write an attack module to spur them to act.
That happened this year when a group of researchers created attack modules for six industrial control systems, the computers that operate the power grid, water plants and other critical infrastructure.
“It forces the security vendors to take that vulnerability seriously,” Moore said. “And it forces the vendors responsible for that software to provide a patch or a work-around.”
Alan Paller, director of research at the SANS Institute, one of the world’s leading cybersecurity training organizations, said Metasploit contributors are playing a crucial role in highlighting the pervasive vulnerabilities in systems throughout cyberspace.
“They solve a critical problem for us,” Paller said. “They are necessary tools right now when much of the world is still in denial.”
No one knows how many illicit attack kits are sold to black-hat hackers. Offers appear every day across the Internet. Moore said exploit kits that employ “botnets” in criminal schemes often sell for up to $10,000.
A botnet is a network of computers that have been infected by malicious software and are controlled by bad guys. They often send spam, but they are also used to send malicious code, or malware, in coordinated attacks on networks.
Moore said that in several cases, the bad guys have used botnets to attack Metasploit as punishment for spurring fixes to widely attacked vulnerabilities.
“We do a good job killing bugs,” Moore said. “When the Metasploit adds a new attack, it instantly raises the visibility of that vulnerability.”
Robin Jackson sat in his Helena, Mont., office and prepared to launch his next hack. The target: a Chinese company’s Web site.
Jackson is a security researcher for a firm called WT Forensics. He said he also participates in informal networks of hacker-intelligence specialists who try to keep watch on the black hats and cyberwarriors across the globe.
He described his China effort as an exploratory “gray hat” hack to see if the target company’s Web page was vulnerable. He decided he would use a set of commands to make his attack seem as though it were coming from a computer in London. To penetrate the Web server, he would turn to the collection of tool kits he keeps on his computer.
In addition to Metasploit, Jackson relies on a number of other automated attack kits almost every day to do his job. There are many of them: Nmap scans the configuration of networks. John the Ripper and Hashcat crack passwords. The Social Engineering Toolkit combines automation with manipulation techniques to help hackers trick people into giving them access to networks.
A host of commercial systems, including a premium version of Metasploit, make it possible to attack multiple client machines at a time. A firm called Immunity, maker of a security tool kit called Canvas, recently released a related commercial system called Swarm. It enables security researchers to scan and attack up to a million servers an hour.
For this exploratory mission, Jackson decided to use a more focused free tool called Havij. With a few clicks on his keyboard, he directed Havij at the targeted Internet address in China. He typed “%Inject Here%” to launch the program.
Havij has been built to send thousands of permutations of commands to implement something known as an SQL Injection attack. Havij would keep hammering the targeted Web server until it sent a command that slipped by the server’s security.
A few years ago, Jackson would have had to type each attack command by hand. With Havij, he can launch the attack, sip his coffee and wait. “Unlike the manual process, Havij automatically does everything seamlessly and much more quickly,” he said.
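What “slipped by the server’s security” means in practice is a query that lets attacker-supplied text change the SQL itself. The following example is added here and is not code from the article or from Havij: it uses a constructed in-memory SQLite table and assumed function names to show a login check written the vulnerable way next to the parameterized form that closes the hole.

```python
import sqlite3

# Constructed sample database: one users table with a single account.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn

def login_vulnerable(conn, name: str, password: str) -> bool:
    # User-controlled strings are pasted straight into the SQL text, so the
    # input can change the query's structure, not just the values compared.
    query = (f"SELECT COUNT(*) FROM users WHERE name = '{name}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()[0] > 0

def login_hardened(conn, name: str, password: str) -> bool:
    # Parameterized query: the driver passes the values separately from the
    # SQL text, so quotes and keywords inside the input remain plain data.
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0

# The textbook tautology input: it closes the string literal and appends an
# always-true condition, which is the kind of permutation an automated
# injection tool cycles through until one is accepted.
TAUTOLOGY = "' OR '1'='1"

def demo() -> dict:
    # Returns the outcome of each check so the difference is visible.
    conn = build_db()
    return {
        "vulnerable_wrong_password": login_vulnerable(conn, "alice", "wrong"),
        "vulnerable_injected": login_vulnerable(conn, "alice", TAUTOLOGY),
        "hardened_wrong_password": login_hardened(conn, "alice", "wrong"),
        "hardened_injected": login_hardened(conn, "alice", TAUTOLOGY),
        "hardened_real_password": login_hardened(conn, "alice", "correct horse"),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The vulnerable version accepts the injected input because the `OR` clause rewrites the `WHERE` condition; the hardened version rejects it because the same characters are compared as a literal password value.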
For all their benefits, Jackson said, the kits are lowering the barriers to entry for inexperienced hackers. Criminal hackers and “hacktivists” can simply download the tool kit and then watch an instructional video on YouTube to get started.
Members of the hacktivist group Anonymous have used the system to target police and military networks. A group called Team GhostShell relied on it to compromise hundreds of Chinese Web sites.
“The Internet not only enables the distribution of hacking tools, but it also offers the hands-on instruction and training on how to use these,” Jackson said. “There are literally thousands upon thousands of videos . . . which show the neophyte how to install and use these tools.”