April 12th, 2004 11:37 PM
They did - it is stated right in the documentation. In fact, there are 3 ways to run it...
they could have made it a web based utility
1. console (./msfconsole)
2. commandl line
3. web gui (./msfweb)
On to the point of the thread...
Question: Why is it that the security community, taking their lead from popular/mainstream media, continue to attach emotional concepts to items which are inherently neutral?
Answer: For the same reasons that people continue to step on spiders: fear and lack of understanding.
Now, lest anyone think that these tools (see below) are going to contribute to a rise in the skiddie population and attacks...you're deluded beyond repair. This simply isn't true and I don't see any facts being offered up to prove such statements. Until then, concentrate on mitigating your vulnerabilities and building up your defense-in-depth strategy. Otherwise, you're simply not moving the argument forward in a productive manner.
Metasploit is a good tool, but as others mentioned not the first of its kind. We already have Core Impact and Immunity Canvas. The big difference, also as others have pointed out, is price. Metasploit (so far) is open-source. The other two products cost. Cost a lot. Personally, the minute I saw the release notification hit the mailing-lists, I jumped on it. And I like it
Furthermore, there are so many canned/scripted exploits out there minus the console interface, why are we singling out Metasploit?
Instead of worrying about these tools, which still take a modicum of common sense to operate btw, start worrying about what risk exists in your networks. Start doing something to actually mitigate that risk. In fact, start taking responsibility for these things instead of blaming inanimate tools for your lack of understanding and fear(s) and you'll be amazed at how much less you'll need to worry.
Ego is the great Logic killer