Hacking with Metasploit

I’m no hacker but not so long ago I was invited to participate in a “capture the flag” contest. This is where groups of bespectacled, potato-chip munching, pizza eating individuals attempt to be the first to exploit vulnerabilities on a target computer system. I was fortunate enough to be paired up with an old-hand at such contests who was able to demonstrate the ease with which it was possible to hack into a seemingly secure system using readily available, free, easy to use tools including one called Metasploit. Quite frankly, from a security management perspective I found this tool frightening in it’s capability. It allows you to design your own payload to fit the exploit and then simply hit a button to launch your attack. There’s a new version now released that you can read about here: http://www.securityfocus.com/columnists/439. There’s also a Metasploit blog here: http://blog.metasploit.com/.

While I’m obviously very aware of the need to ensure that systems are patched and networks protected, this day brought home to me the message of how easy it can be for an experienced and determined attacker to drill into a network given the slightest hint of an exploitable vulnerability. In fact, scratch that bit about the need to be experienced because even I, with a couple of useful tools on my laptop and a surfeit of strong coffee, was able to find my way into a command window on a target PC.