Slashdot Mirror


Metasploit Hacking Tool To Get Services-Based Model

ancientribe writes "Metasploit hacking tool creator HD Moore told Dark Reading that the open-source hacking tool soon will come with back-end services-based features aimed at offloading resource-intensive penetration testing tasks. This is a departure for the software-oriented Metasploit, and Moore and company just may be on to something: it turns out commercial penetration testing tool vendors are looking at adding services-based versions of their software. Immunity Inc. will do so this year, and Core Security Technologies is considering doing so as well."


  1. Legal minefield by Anonymous Coward · · Score: 4, Interesting

    Do they really expect professional penetration testers to use a third party to attack production networks? Most companies hardly have the guts to even hire a penetration tester. I doubt they'll be thrilled that the list of their vulnerabilities is shared with another company.

    1. Re:Legal minefield by Who+Is+The+Drizzle · · Score: 2, Funny

      Do they really expect professional penetration testers to use a third party to attack production networks?

      That's what she said!

  2. "offloading resource-intensive penetration tests" by timeOday · · Score: 5, Funny

    In my day we just called them botnets.

  3. Resource intensive? by Bert64 · · Score: 4, Interesting

    Maybe if they hadn't decided to rewrite Metasploit in Ruby it wouldn't be so resource intensive...
    The speed difference between 2.x and 3.x is absolutely insane. Calling the msfcli interface results in 10+ seconds of initialization before it even starts trying to exploit the target; when you have a script calling msfcli multiple times it soon gets tiring... And this is on a fairly modern dual core box. I used to run Metasploit 2.x on a much slower single core box and it performed quite well.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  4. Re:Production by Tekfactory · · Score: 2, Insightful

    It's about belief; some folks won't trust the model to simulate the production environment. Even if you make the VM or Ghost image right off of the real hardware, and put it onto another machine of the same model with the same specs, someone in the chain of command or legal will want to know if you tested the real thing.

    And if it goes far enough, say after a data breach, leave it to a lawyer in court to ask you, on the stand, if you tested the live system or some rigged demo designed to fool the auditors.