Moore said the fact that criminals, spies and others with ill intent can access Metasploit is a necessary trade-off. To keep Metasploit up to date, hackers have to be able to contribute details about the newest vulnerabilities and attack methods.
An organization that keeps track of known vulnerabilities said it has documented more than 53,000, a number that rises every day.
“All we’re trying to do is put everyone on a level playing field,” Moore said.
‘A taste of things to come’
When Metasploit emerged, even veteran hackers marveled at its design and simplicity. A 2004 presentation about it at Black Hat Las Vegas, the annual hacker conference, was titled “Hacking Like in the Movies,” according to a 290-page online book called “Metasploit Toolkit” by David Maynor and several other security researchers.
“The hall was packed to the gills. People stood in the aisles, and the crowd was spilling over to the main corridor,” the authors wrote. “Applause flowed freely throughout the session, and the consensus was clear, ‘Metasploit had come of age.’ But we should have known better. That was only a taste of things to come.”
The extraordinary thing about Metasploit is the digital architecture that streamlined what had been a laborious process of exploit development. That process invariably involved several steps for anyone, good or bad: the discovery of a software vulnerability; the analysis of the code to see whether the vulnerability could be exploited; the writing of the exploit itself, including the commands that tell a target system to open up to an intruder; and testing to ensure the exploit worked.
With Metasploit, all those steps are already done and packaged together with still other features, including tailor-made “payloads” that take effect and hand over control of a system after a hacker gets in.
Other systems have been created to ride on top of Metasploit and make it even easier to use. One called Armitage was created by Raphael Mudge, who was recently hired under contract by the Defense Advanced Research Projects Agency to develop new cybertools.
“Armitage recommends exploits and will optionally run active checks to tell you which exploits will work,” Mudge said in an Armitage tutorial. “If these options fail, use the Hail Mary attack to unleash Armitage’s smart automatic exploitation against your targets.”