Your business’ defenses should never be static. They need to adapt to a rapidly shifting attack surface, whilst continuing to cover the cybersecurity basics. As new applications are acquired, and you continue to patch and maintain your business’ efficient workspace, it can be difficult to judge how protected you truly are.

This is where penetration testing changes the game. Instead of hackers breaking and entering, penetration testers simply track and report the vulnerabilities evident in your systems. This way, your security can pull ahead of hackers. One tool in particular has earnt its crown as a pentesting essential: the open source and highly adaptable Metasploit. 

Metasploit is a penetration testing framework that simplifies and streamlines hacking. It’s a vital tool for anyone interested in gaining access to something they don’t have the credentials for. Point Metasploit at the target, pick an attack vector and a payload, and press Enter.

Whether ethically or illegally, The Metasploit Project has single-handedly empowered pro coders and script kiddies alike. What are the security risks – and should you be concerned about Metasploit? 

Metasploit History

Back at the turn of the century, cybersecurity was in its infancy. Cyberattacks were beginning to ramp up in popularity; state-sponsored espionage was already well documented, with CCP-backed cyberattack Titan Rain wreaking havoc across US federal systems.

While widespread adoption of computers was beginning to go mainstream, understanding of cyber vulnerabilities was basic. The idea of hacking was relatively infantile, too. Pentesting was a complex and under-utilized affair, with any form of unauthorized access looked upon with great suspicion. Metasploit first hit the cybersecurity scene in 2003, with originally only 11 exploits available. It gradually established a user base, however, and was acquired by cybersec company Rapid7 in 2009. They shifted the tool to fully open source, making it available for free to anyone. 

Nowadays, Metasploit has amassed an available arsenal of over 2,300 exploits and almost 4,000 payloads. It’s one of the world’s most popular tools for automating and orchestrating many aspects of penetration testing. From researchers publishing zero-day reports with a Metasploit proof-of-concept, to script kiddies terrorizing SMEs with ransomware, all are welcome.

The Anatomy of Metasploit Attacks

The first stage of any attack, legal or illegal, is information gathering. The goal is to track the organization’s digital footprints. This includes their IP address, DNS records, any subdomains they own. Attackers want a comprehensive as possible view of their target’s backend technologies and server information. From there, it’s possible to start searching for publicly or privately disclosed vulnerabilities across their software stack. Metasploit seamlessly integrates with information gathering apps such as Nmap, SNMP scanning and more. There’s also a quick plug-and-play capability to run Tenable’s vulnerability scanner, just to automate the whole process. 

Once the chink in the armor has been identified, it’s time to break open the exploit files. Metasploit currently includes 1,677 exploits across 25 platforms, including Java, Android, Python and more. Whether it’s an input validation attack, or account compromise via phishing, Metasploit is there to streamline it. 

Finally, once you’ve selected and verified the exploit channel, it’s time to pick one of the 500 payloads available. This can be as basic as a simple shellcode, to a complex branch of dynamic payloads, generating unique attacks that evade antivirus software.

Of course, a cyberattack doesn’t end as soon as one payload is deployed. With Metasploit’s comprehensive support, in the form of post-exploitation modules, attackers and pentesters can go further. That could entail moving laterally within a system, deepening their access through app and network enumerators. Metasploit also provides a suite for achieving persistent access.

Finally, Metasploit can exit cleanly, without detection. 

Empowering Script Kiddies

While Metasploit certainly adds a keen edge to the power of pentesting, there has also been a growing trend, in the form of clueless hackers causing masses amounts of damage. Take the 16-year-old ringleader of the hacking group LAPSU$. Responsible for hacking and stealing data from industry giants such as Nvidia and Ubisoft throughout 2021, the teenager was nonetheless baffled by enterprise security systems. 

Upon exfiltrating over a terabyte of confidential industry data from Nvidia, Nvidia’s firewall system kicked in and blocked the group from accessing a device with compromised data. LAPSU$ freaked out, and promptly claimed Nvidia had “hacked [them] back”. 

As the number and severity of data breaches continue to grow year after year, it’s worth examining the role of open source projects such as Metasploit. It’s never been easier to conduct attacks, particularly in a world of low or even no-code hacking. Copy-pasted code can be launched at anyone, at any time.

Can More Attacks Be a Good Thing?

So, it’s now relatively easy to pull off large scale cyber attacks. Thanks to this, certain cybersecurity solutions have shifted from gentle recommendations to absolute essentials. Two of the new essential defense components are Web Application Firewalls (WAFs), and Runtime Application Self Protection (RASP) solutions. These are not interchangeable, either. 

Firstly, a WAF is a static firewall that is customizable to your own liking. Lending a tight degree of control over the connections an app makes, it sits at the outer perimeter. In monitoring all web traffic, and comparing all connections to your white or black-list, WAFs block malicious actors from hijacking the apps you depend on. 

However, there are ways to circumvent a WAF. Especially if used out-of-the-box, WAFs can be sidestepped with a number of next-gen SQL injection attacks. This firewall needs to be reinforced with a RASP solution that monitors the interior behaviors of an application. 

RASP provides real-time attack detection by keeping a close eye on the inner mechanisms of an app. If anything untoward or potentially suspicious arises, you are the first to know. But it doesn’t stop at reporting. Whereas WAF is static, RASP are relatively new solutions that take a far more holistic approach to attack prevention. RASP can automatically shut down even entirely novel payloads, right from within the application runtime environment.