Son of SATAN? Weighing Security Software's Risks
ryanr writes "Rob Lemos put out an article on the new Metasploit release. The article reminds me of the furor over the original SATAN being released. H.D. Moore, who wrote it, rightly points out that there are commercial tools that do it better, and it's known that the kiddies have copies of those. Why pick on the open-source tool? I think Rob is being a bit provocative." Despite the headline ("Security tool more harmful than helpful?"), the article is actually pretty balanced.
This could be a good tool if admins actually used it (or some tool to look for holes) and patched the holes and watched their security. But, I have only worked at one place that has done this and the others were under the impression they didn't have to do it very often.
Those hacking into systems will love this tool though. I'm gonna go home tonight and check my network out. Although, I don't have a thing someone would want to hack.
Evolution or ID?
H.D. Moore, who wrote it, rightly points out that there are commercial tools that do it better, and it's known that the kiddies have copies of those. Why pick on the open-source tool?
I don't care who has what exploit^H^H^H^H^H^H^Htesting tool, or what knowledge about hacking. It's a better "real-world" way to test your security anyway.
Keep your stuff patched, because you never know where, when, how or by whom the next attack is going to come from.
The problem with socialism is that they always run out of other people's money. - Margaret Thatcher
Let's just assume that most 'bad' hackers have more knowledge of security flaws and holes than most system administrators.
In this scenario, a set of 'hacking' tools made available to those administrators can help them find vulnerabilities, fix them, and then test if their solution is working properly.
If these tools were only available to people with the intention to abuse them, it would be much harder to secure a system.
Personally, I believe that currently the knowledge of security flaws is greater among the hackers, since they specialize in exploiting them. Most administrators have many tasks besides system security. With a set of proper tools to diagnose their systems, security could be maintained with less effort.
I've known about and been exploiting the ms-its vulnerability for a full week and then some now. I had a Proof-of-Concept within the first 2 hours of the original post by a concerned IRC user on bugtraq.
While this tool doesn't test for IE vulnerabilities like the one I have been exploiting, it covers a lot of commonly used attacks that have already been done by script kiddies for (in some cases like the apache chunked vulnerability) upwards of two years!
It also tests a lot of "duh" kinds of exploits that any serious web, mail, and NT/2000/2003 administrator would want to test. Admins and security consultants have been using Nessus for the last three years or so and people don't question that anymore.
I think the issue here with Metasploit's Framework is that it's modular, so script-kiddies like me can sit back and develop and trade exploits. My response to that is: get over it.
I've been trading exploits for so long now with my *own* Perl code that the only thing this program does is maybe cut my time down in half. And why would I want to release a module for Metasploit when I can make my own EXEs using perlcc and Cygwin?
If anything, perlcc and Cygwin contribute more to proliferation. And I kind of doubt they are going the way of the dodo anytime soon.
Anytime anyone says you don't need security information/tools they're making money and you're getting the shaft. The argument "hackers could use this" translates to "our product is insecure and our admins are lazy". Security auditing is necessary in any network you'd like to be reasonably secure.
Religion is a gateway psychosis. -- Dave Foley
It's also worth saying that each sysadmin has to make sure that each of his boxes is fully patched, and all the software, infrastructure and daily maintenance of them is carried out.
A kiddie only has to find one flaw to penetrate a system - maybe even in a system the admin didn't know about, or which is looked after by somebody else.