By Joe Barr on May 04, 2007 (8:00:00 AM)
Metasploit LLC released version 3.0 of the Metasploit Framework (MSF), the popular penetration testing project, late last month. Version 3.0 is a complete rewrite of the previous tools using primarily the Ruby programming language; versions 1 and 2 were written primarily in Perl. Also new are an experimental GUI and, perhaps the crowning jewel of the release, the db_autopwn module, which automates exploit discovery and execution.
MSF is designed for automated penetration testing. To that end, it keeps a stable of exploits known to work against specific targets: various releases of Windows, Linux, BSD, generic Unix, and Mac OS. It also runs on many of those same platforms, and has even been seen on a Nokia N800 handheld.
MSF was originally developed by H. D. Moore. Matt Miller and a small number of other developers joined Moore in developing the 2.0 release. The developers formed Metasploit LLC last year for the purpose of “preventing commercial abuse and ensuring the longevity of the project.” Metasploit LLC owns all rights to the Metasploit software, domains, and trademarks. MSF is licensed under the Metasploit Framework License, which has neither been approved by the OSI nor ruled a free software license by the FSF.
The current development version of MSF — revision 4701 from svn — comes with 190 exploits and more than 100 payloads. Think of an exploit as the weapon that gets you in the door, and a payload as ammunition; payloads contain the instructions on what to do once you get inside. For a walkthrough of a specific exploit and payload usage from msfconsole, see our review of the 2.6 release.