April 13th, 2004, 12:37 AM
"they could have made it a web based utility"
They did - it is stated right in the documentation. In fact, there are 3 ways to run it...
1. console (./msfconsole)
2. command line
3. web gui (./msfweb)
On to the point of the thread...
Question: Why is it that the security community, taking their lead from popular/mainstream media, continue to attach emotional concepts to items which are inherently neutral?
Answer: For the same reasons that people continue to step on spiders: fear and lack of understanding.
Now, lest anyone think that these tools (see below) are going to contribute to a rise in the skiddie population and attacks...you're deluded beyond repair. This simply isn't true and I don't see any facts being offered up to prove such statements. Until then, concentrate on mitigating your vulnerabilities and building up your defense-in-depth strategy. Otherwise, you're simply not moving the argument forward in a productive manner.
Metasploit is a good tool, but as others mentioned not the first of its kind. We already have Core Impact and Immunity Canvas. The big difference, also as others have pointed out, is price. Metasploit (so far) is open-source. The other two products cost. Cost a lot. Personally, the minute I saw the release notification hit the mailing-lists, I jumped on it. And I like it.
Furthermore, there are so many canned/scripted exploits out there minus the console interface, why are we singling out Metasploit?
Instead of worrying about these tools, which still take a modicum of common sense to operate btw, start worrying about what risk exists in your networks. Start doing something to actually mitigate that risk. In fact, start taking responsibility for these things instead of blaming inanimate tools for your lack of understanding and fear(s) and you'll be amazed at how much less you'll need to worry.
Ego is the great Logic killer
April 13th, 2004, 02:39 AM
IMHO, the one problem with the whole "if you want defense, build walls, wear bulletproof vests, etc" is the fact that there will ALWAYS be someone who will attempt to tear the wall down, climb over it, fly/catapult/dig under/over/around it. Curiosity is one thing but there are always those that feel it their right/goal/assignment/task/etc to bypass/exploit/destroy/alter/remove someone else's hard work.
SATAN, nmap, nessus, snort, crack, john (of the ripper variety hehe), all of these are valuable tools in the right hands and an annoyance and sometimes downright nightmare in the wrong hands. And the corporations, who know NOTHING about these tools except what they READ AND SEE, make it illegal to have or use by their employees. Pain in my ass...
We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.