Hacking tool kits, available free online, fuel growing cyberspace arms race

About 300 people in at least 20 countries have donated exploits so far. The contributors also collaboratively review the offerings to be sure they work effectively. Moore estimated that about 1 million people downloaded the free version during the past year, with about 5 million since its inception. It appears that about 200,000 penetration testers, including the U.S. military’s cyberwarriors, use it regularly, he said.

No one knows how many bad guys employ Metasploit and similar tools. Fears about that potential have been raised in Germany and elsewhere. But Moore said black-hat hackers typically rely on other tool kits that are less focused on research and more focused on swift, illegal break-ins.

Moore said the fact that criminals, spies and others with ill intent can access Metasploit is a necessary trade-off. To keep Metasploit up to date, hackers have to be able to contribute details about the newest vulnerabilities and attack methods.

An organization that keeps track of known vulnerabilities said it has documented more than 53,000, a number that rises every day.

“All we’re trying to do is put everyone on a level playing field,” Moore said.

‘A taste of things to come’

When Metasploit emerged, even veteran hackers marveled at its design and simplicity. A 2004 presentation about it at Black Hat Las Vegas, the annual hacker conference, was titled “Hacking Like in the Movies,” according to a 290-page online book called “Meta­sploit Toolkit” by David Maynor and several other security researchers.

“The hall was packed to the gills. People stood in the aisles, and the crowd was spilling over to the main corridor,” the authors wrote. “Applause flowed freely throughout the session, and the consensus was clear, ‘Meta­sploit had come of age.’ But we should have known better. That was only a taste of things to come.”

The extraordinary thing about Metasploit is the digital architecture that streamlined what had been a laborious process of exploit development. That process invariably involved several steps for anyone, good or bad: the discovery of a software vulnerability; the analysis of the code to see whether the vulnerability could be exploited; the writing of the exploit itself, including the commands that tell a target system to open up to an intruder; and testing to ensure the exploit worked.

With Metasploit, all those steps are already done and packaged together with still other features, including tailor-made “payloads” that take effect and hand over control of a system after a hacker gets in.

Other systems have been created to ride on top of Metasploit and make it even easier to use. One called Armitage was created by Raphael Mudge, who was recently hired under contract by the Defense Advanced Research Pro­jects Agency to develop new cybertools.

“Armitage recommends exploits and will optionally run active checks to tell you which exploits will work,” Mudge said in an Armitage tutorial. “If these options fail, use the Hail Mary attack to unleash Armitage’s smart automatic exploitation against your targets.”