The Metasploit open source vulnerability testing framework is out this week with a new release boosting its exploit count and adding new Java, brute force and exploit automation technologies.
Alongside the new Metasploit 3.4 release, Rapid7, the lead commercial vendor behind the project, is releasing a commercial version dubbed Metasploit Express 3.4, offering a new user interface and enhancements aimed at improving ease of use. Metasploit Express was first announced at the end of April and hits general availability this week with the 3.4 release.
A key area of improvement in the Metasploit 3.4 release is in the Meterpreter system.
"The Meterpreter is a critical component of Metasploit in that it provides the ability to perform advanced post-exploit automation on a target system," HD Moore, Rapid7 CSO and Metasploit chief architect, told InternetNews.com. "The changes that we made for 3.4.0 are part of a long-term overhaul to make Meterpreter faster, more effective and easier to develop custom scripts with."
Moore added that the improvements made to Meterpreter in the new release build on the threading changes made in the Metasploit 3.3.3 update. Metasploit 3.0, released in November 2009, included the ability to embed Metasploit payloads into arbitrary executables.
Metasploit 3.4 also makes improvements in its brute forcing capabilities. In a brute force attack, a researcher repeatedly tests a target with automated user credential information in an effort to get into the system.
"Weak passwords are absolutely old-school, but still extraordinarily effective against most production networks," Moore said. "This release adds a number of new protocols to the brute force suite, standardizes the options required to use them, includes a number of new default password lists, and extends the framework [with] additional modules that allow code execution when a valid password is guessed."
Moore explained that in the earlier Metasploit 3.3 release, there was limited protocol support for brute forcing. In Metasploit 3.4, the framework has brute force capabilities for SSH , Telnet , Apache Tomcat, MySQL, Postgres, HTTP and DB2."Since the brute force and code execution modules use the standard Metasploit socket API, it is possible to relay these attacks through an existing Meterpreter session and take advantage of features like proxy chaining, TCP segmentation evasion and SSL," Moore said. "The Metasploit Express release leverages much of the new brute force backend to provide a simple way to mass-test for common passwords and recycle cracked credentials."
Security researchers will now also be able to test Java application server security with Metasploit. Version 3.4 of the framework includes the ability to generate malicious Java Server Page (JSP) and Web Application Archive (WAR) files."The addition of JSP and WAR support in Metasploit 3.4.0 opens the door for sophisticated attacks against Java application servers, such as Tomcat, Bea and JBoss," Moore said. "As more enterprise applications build on these Java stacks, and as more vendors forget to secure them, these are becoming a common weakness in enterprise environments."
Moving forward, the plan for the next set of releases is to continue to expand Metasploit's exploit coverage and to add new capabilities. Moore said he expects to see major improvements to Metasploit's client-side exploitation functionality added over the next few months.
"The strategy for 3.5 is to continue expanding into areas of the penetration testing process," Moore said. "This will include additional investments in password testing, credential management, databases, Web applications and client-side social engineering attacks."