“It forces the security vendors to take that vulnerability seriously,” Moore said. “And it forces the vendors responsible for that software to provide a patch or a work-around.”
Alan Paller, director of research at the SANS Institute, one of the world’s leading cybersecurity training organizations, said Metasploit contributors are playing a crucial role in highlighting the pervasive vulnerabilities in systems throughout cyberspace.
“They solve a critical problem for us,” Paller said. “They are necessary tools right now when much of the world is still in denial.”
No one knows how many illicit attack kits are sold to black-hat hackers. Offers appear every day across the Internet. Moore said exploit kits that employ “botnets” in criminal schemes often sell for up to $10,000.
A botnet is a network of computers that have been infected by malicious software and are controlled by bad guys. They often send spam, but they are also used to send malicious code, or malware, in coordinated attacks on networks.
Moore said that in several cases, the bad guys have used botnets to attack Metasploit as punishment for spurring fixes to widely attacked vulnerabilities.
“We do a good job killing bugs,” Moore said. “When the Metasploit adds a new attack, it instantly raises the visibility of that vulnerability.”
Robin Jackson sat in his Helena, Mont., office and prepared to launch his next hack. The target: a Chinese company’s Web site.
Jackson is a security researcher for a firm called WT Forensics. He said he also participates in informal networks of hacker-intelligence specialists who try to keep watch on the black hats and cyberwarriors across the globe.
He described his China effort as an exploratory “gray hat” hack to see if the target company’s Web page was vulnerable. He decided he would use a set of commands to make his attack seem as though it were coming from a computer in London. To penetrate the Web server, he would turn to the collection of tool kits he keeps on his computer.
In addition to Metasploit, Jackson relies on a number of other automated attack kits almost every day to do his job. There are many of them: Nmap scans the configuration of networks. John the Ripper and Hashcat crack passwords. The Social Engineering Toolkit combines automation with manipulation techniques to help hackers trick people into giving them access to networks.
A host of commercial systems, including a premium version of Metasploit, make it possible to attack multiple client machines at a time. A firm called Immunity, maker of a security tool kit called Canvas, recently released a related commercial system called Swarm. It enables security researchers to scan and attack up to a million servers an hour.
For this exploratory mission, Jackson decided to use a more focused free tool called Havij. With a few clicks on his keyboard, he directed Havij at the targeted Internet address in China. He typed “%Inject Here%” to launch the program.
Havij has been built to send thousands of permutations of commands to implement something known as an SQL Injection attack. Havij would keep hammering the targeted Web server until it sent a command that slipped by the server’s security.
A few years ago, Jackson would have had to type each attack command by hand. With Havij, he can launch the attack, sip his coffee and wait. “Unlike the manual process, Havij automatically does everything seamlessly and much more quickly,” he said.
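An added example, not part of the original article and not code from Havij or any tool named here: because an automated injection tool sends many permutations against the same parameter, a defender can look in the Web server's access log for one client submitting several distinct SQL-looking values for a single parameter. The log lines, addresses, paths and token list below are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Tokens that rarely appear in legitimate parameter values but are common in
# automated SQL injection probing. Constructed for illustration, not exhaustive.
SQLI_TOKENS = re.compile(
    r"('|--|/\*|\bunion\b.+\bselect\b|\bor\b\s+\d+\s*=\s*\d+|\bsleep\s*\()",
    re.IGNORECASE,
)
# Common/combined log format: client, timestamp, then "METHOD target PROTO".
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')


def flag_injection_sweeps(log_lines, min_distinct=3):
    """Return {(client, path, param): count} where one client sent at least
    min_distinct different suspicious values for the same parameter."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, target = m.groups()
        url = urlsplit(target)
        # parse_qsl percent-decodes values, so encoded payloads are matched too.
        for param, value in parse_qsl(url.query, keep_blank_values=True):
            if SQLI_TOKENS.search(value):
                seen[(client, url.path, param)].add(value)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_distinct}


# Constructed sample log lines (documentation addresses, hypothetical paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /item.php?id=5 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "GET /item.php?id=5%27 HTTP/1.1" 500 90',
    '203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "GET /item.php?id=5%20or%201=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /item.php?id=5+UNION+SELECT+null HTTP/1.1" 500 90',
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /item.php?id=5%27-- HTTP/1.1" 500 90',
    '198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /search.php?q=o%27brien HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for (client, path, param), n in flag_injection_sweeps(SAMPLE_LOG).items():
        print(f"{client} sent {n} distinct suspicious values for {path}?{param}")
```

Counting distinct values per parameter, rather than alerting on any single match, keeps a lone apostrophe in a legitimate search (the last sample line) from being flagged.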
For all their benefits, Jackson said, the kits are lowering the barriers to entry for inexperienced hackers. Criminal hackers and “hacktivists” can simply download the tool kit and then watch an instructional video on YouTube to get started.
Members of the hacktivist group Anonymous have used the system to target police and military networks. A group called Team GhostShell relied on it to compromise hundreds of Chinese Web sites.
“The Internet not only enables the distribution of hacking tools, but it also offers the hands-on instruction and training on how to use these,” Jackson said. “There are literally thousands upon thousands of videos . . . which show the neophyte how to install and use these tools.”