The open-source Metasploit Framework has long been used by hackers and security professionals alike to break into systems. Now, with Metasploit Framework 5.0, this popular penetration testing platform, which enables you to find, exploit, and validate security holes, has been given a long-delayed refresh.
Rapid7, Metasploit's parent company, announced this first major release since 2011. It brings many new features and a fresh release cadence to the program. While the Framework has remained the same for years, the program was kept up to date and useful with weekly module updates.
These modules contain the latest exploit code for applications, operating systems, and platforms. With these, you can both test your own network and hardware's security… or attack others. Hackers and security pros alike can also leverage Metasploit Framework's power to create additional custom security tools or write their own exploit code for new security holes.
With this release, Metasploit has new database and automation application programming interfaces (APIs), evasion modules, and libraries. It also includes expanded language support, improved performance, and ease of use. This, Rapid7 claims, lays "the groundwork for better teamwork capabilities, tool integration, and exploitation at scale." That said, if you want an easy-to-use web interface, you need to look to the commercial Metasploit Pro.
Specifically, while Metasploit still uses a PostgreSQL database backend, you can now run the database as a RESTful service. That enables you to run multiple Metasploit consoles and penetration tools simultaneously.
Metasploit has also opened its APIs to more users. In the past, Metasploit had its own unique APIs and network protocol, and it still does. But to reach more users, it now also has a much more accessible JSON-RPC API.
The Framework also now supports three different module languages: Go, Python, and Ruby. You can use all these to create new evasion modules. Evasion modules can be used to evade antivirus programs.
All modules can also now be run against multiple targets. Before this, you couldn't execute an exploit module against multiple hosts at a time. You can now attempt mass attacks without writing a script or manual interaction. You can target multiple hosts by setting RHOSTS to a range of IPs or referencing a hosts file with the file:// option.
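Because one RHOSTS value can now cover whole ranges and host files, it is worth checking it against the authorised scope of an engagement before it is used. The following is an added example, not Metasploit or Rapid7 code; the accepted syntax (space-separated IPs, CIDRs, `a-b` ranges and `file:` references), the function names and the scope list are assumptions made for illustration.

```ruby
require 'ipaddr'
require 'tempfile'

# Added example, not Metasploit code. Assumed RHOSTS syntax: space-separated
# IPs, CIDRs, "a-b" ranges and file: references (one target per line).
AUTHORIZED_SCOPE = %w[10.20.0.0/24 192.0.2.0/28].map { |c| IPAddr.new(c) } # constructed

# Return the [first, last] addresses covered by one target entry.
def bounds(entry)
  if entry.include?('-')
    lo, hi = entry.split('-', 2).map { |a| IPAddr.new(a.strip) }
    raise ArgumentError, "reversed range: #{entry}" if lo.to_i > hi.to_i
    [lo, hi]
  else
    range = IPAddr.new(entry).to_range # a single IP yields a one-address range
    [range.begin, range.end]
  end
end

# Expand file: references into the entries they list; skip blanks and # comments.
def entries(rhosts)
  rhosts.split.flat_map do |tok|
    next [tok] unless tok.start_with?('file:')
    path = tok.sub(%r{\Afile:(//)?}, '')
    File.readlines(path, chomp: true).map(&:strip)
        .reject { |line| line.empty? || line.start_with?('#') }
  end
end

# Split entries into [in_scope, out_of_scope]. An entry is in scope only if both
# ends of its range fall inside one authorised network. Hostnames and malformed
# entries are not resolved here, so they land in out_of_scope for manual review.
def check_scope(rhosts, scope = AUTHORIZED_SCOPE)
  entries(rhosts).partition do |entry|
    lo, hi = bounds(entry)
    scope.any? { |net| net.include?(lo) && net.include?(hi) }
  rescue ArgumentError # includes IPAddr's own parse errors
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  Tempfile.create('hosts') do |f| # constructed hosts file
    f.write("# lab hosts\n10.20.0.7\n203.0.113.9\n")
    f.flush
    ok, bad = check_scope("10.20.0.10-10.20.0.20 10.20.1.0/24 file://#{f.path}")
    puts "in scope:     #{ok.join(', ')}"
    puts "out of scope: #{bad.join(', ')}"
  end
end
```

Only pass the in-scope list on to a module, and treat a non-empty out-of-scope list as a reason to stop and re-check the rules of engagement.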
The new Metasploit also improved its module search mechanism. The net result is that searching for modules is much faster. Modules have also been given new metadata. So, for example, if you want to know if a module leaves artifacts on disk, you can search for it.
In addition, Metasploit's new metashell feature enables users to run sessions in the background, upload/download files, or run resource scripts. You could do this earlier, but you needed to upgrade to a Meterpreter session first. Meterpreter combines shell functionality and a Ruby client API. It's overkill for many users, now that metashell supports more basic functions.
Looking ahead, Metasploit development now has two branches. There's the 4.x stable branch that underpins Metasploit Pro and open-source projects, such as Kali Linux, ParrotSec Linux, and Metasploit Framework itself, and an unstable branch where core development is done.
Previously, a feature might sit in a pull request for months and still cause bugs when it was released in Kali Linux or Metasploit. Now, with an unstable branch, developers can iterate on features more quickly and thoroughly. The net result is Metasploit will be updated far more quickly going forward.
So, if you want to make sure your systems are locked down tight and as secure as possible, use Metasploit. After all, I can assure you, hackers will be using Metasploit to crack into your company for entirely different reasons.