Son of SATAN? Weighing Security Software's Risks
ryanr writes "Rob Lemos put out an article on the new metasploit release. The article reminds me of the furor over the original SATAN being released. H.D. Moore, who wrote it, rightly points out that there are commercial tools that do it better, and it's known that the kiddies have copies of those. Why pick on the open-source tool? I think Rob is being a bit provocative." Despite the headline ("Security tool more harmful than helpful?"), the article is actually pretty balanced.
This could be a good tool if admins actually used it (or some tool to look for holes) and patched the holes and watched their security. But, I have only worked at one place that has done this and the others were under the impression they didn't have to do it very often.
Those hacking into systems will love this tool though. I'm gonna go home tonight and check my network out. Although, I don't have a thing someone would want to hack.
Evolution or ID?
H.D. Moore, who wrote it, rightly points out that there are commercial tools that do it better, and it's known that the kiddies have copies of those. Why pick on the open-source tool?
I don't care who has what exploit^H^H^H^H^H^H^Htesting tool, or what knowledge about hacking. It's a better "real-world" way to test your security anyway.
Keep your stuff patched, because you never know where, when, how or by whom the next attack is going to come from.
The problem with socialism is that they always run out of other people's money. - Margaret Thatcher
Let's just assume that most 'bad' hackers have more knowledge of security flaws and holes than most system administrators.
In this scenario, a set of 'hacking' tools made available to those administrators can help them find vulnerabilities, fix them, and then test if their solution is working properly.
If these tools were only available to people with the intention to abuse them, it would be much harder to secure a system.
Personally, I believe that currently the knowledge of security flaws is greater among the hackers, since they specialize in exploiting them. Most administrators have many tasks besides system security. With a set of proper tools to diagnose their systems, security could be maintained with less effort.
In the open source world people blame the author because the code may not come from a corporate entity but an individual.
I've known about and been exploiting the ms-its vulnerability for a full week and then some now. I had a Proof-of-Concept within the first 2 hours of the original post by a concerned IRC user on bugtraq.
While this tool doesn't test for IE vulnerabilities like the one I have been exploiting, it covers a lot of commonly used attacks that have already been done by script kiddies for (in some cases like the apache chunked vulnerability) upwards of two years!
It also tests a lot of "duh" kinds of exploits that any serious web, mail, and NT/2000/2003 administrator would want to test. Admins and security consultants have been using Nessus for the last three years or so and people don't question that anymore.
I think the issue here with Metasploit's Framework is that it's modular, so script-kiddies like me can sit back and develop and trade exploits. My response to that is: get over it.
I've been trading exploits for so long now with my *own* PERL code that the only thing this program does is maybe cut my time down in half. And why would I want to release a module for Metasploit when I can make my own EXE's using perlcc and Cygwin?
If anything, perlcc and Cygwin contribute more to proliferation. And I kind of doubt they are going the way of the dodo anytime soon.
Anytime anyone says you don't need security information/tools they're making money and you're getting the shaft. The argument "hackers could use this" translates to "our product is insecure and our admins are lazy". Security auditing is necessary in any network you'd like to be reasonably secure.
Religion is a gateway psychosis. -- Dave Foley
I haven't really used nessus or metasploit, but what is the difference between the two?
It's also worth saying that each sysadmin has to make sure that each of his boxes is fully patched, and all the software, infrastructure and daily maintenance of them is carried out.
A kiddie only has to find one flaw to penetrate a system - maybe even in a system the admin didn't know about, or which is looked after by somebody else.
I remember in high school back in 94. He was an SGI programmer then. I had a friend who had a SCO box (shudder) and hacked the perl script so it could run.
He released it to help Irix system admins secure their networks. SGI, having their heads up their butts, fired him, believing security through obscurity was the most effective measure. After all, he now made Irix insecure??
Irix remained the most insecure Unix for many years until management made a recent change.
Nmap is a hell of a lot more powerful now and there are many clones.
Satan is a relic of old and I just looked at some of the screenshots via a search on google. I thought it was really awesome in 94, but it's quite primitive today.
http://saveie6.com/