Does this bother anyone?

[RejectKnowledge]

The Metasploit Project seems to be a virtual playground for skiddies. I'm referring to the Framework part of the project. It's being developed in part by HD Moore (RPC DCOM Exploit, anyone?)

Comments? Some think the overall effects would be positive as in the skiddies might try and learn what exploits really are. Other just think it's a hit and run tool.

[Faqt]

That's a bit of reading for somebody that doesn't actually want to learn something....there's no clearly marked flashing buttons to start the download....

Looks interesting at first glance, I'll have more time later to read more of it.

[instronics]

[skiddie-mode]
OMG, yes yes YEEESSSSSSSS!!!!!
[/skidie-mode]

[serious-mode]
Oh FFS :| more work for admins. This tool is dangerous. The reading is not that bad either, so its going to be the new 'cracking' tool of the month. These sort of tools should not just be downloadable by anyone. I played around with it for a while, and its bad news for many users. Can anything be done about this? This is not your average Pen Testing tool. Its more like a skiddies 'dream-come-true' tool.
[/serious-mode]

Hmm, i really dont know what to think about this. Lets hope this tool does not become well known here in greece, since security lacks here way too much. We still have sooo many DCOM vurnerable users, its scary. Now, apart from the skiddies, imagine someone with more knowledge actually adds tons of other exploits to it... its like the perfect cracking tool. I feel sorry for many many admins now. Long nights reading logfiles, tons of hits on firewalls, IDS systems going nuts etc...

Its worth checking out, but alas, it can be missused way to simply.

Cheers.

[methsnax]

Basically all free, or demo/crackable automated penetration testing tools can be used by script kiddies; why start another post for this one? Look at Retina, NMAP, GFI LAN Guard, X-Script, etc... This is not special and there is no reason to post a new thread about it.

-Cheers-

[instronics]

Like i said above... i dont see it as a 'pen testing tool', i see it as an attack tool to crack, with the simplicity that anyone who has internet can succesfully crack boxes with it.

Cheers.

[methsnax]

Like i said above... i dont see it as a 'pen testing tool', i see it as an attack tool to crack, with the simplicity that anyone who has internet can succesfully crack boxes with it.

That being said, it can still be used as part of a pen test, even if it wasn't intended. I don't believe Jack the Ripper was originally made to test password security, but it can be used to do that.

-Cheers-

[instronics]

I dont think its like 'Jack', or 'john' for cracking. For john, you need access to the target file. Access is given after you have root access. This tool is far more serious. Im not saying the intend of this tool is malicous. Just like the Security Auditor made by Moser Informatik, which is a very powerfull collection of tools, and it cannot be abused to easily like Framework. But the said tool here is just like giving a gun to a 3 year old !!!

Cheers.

[thehorse13]

A tool is only as dangerous as the person using it. Case in point, NMAP is relatively weak in the hands of a skiddie. Hand it to someone who understands it's true capabilities and it suddenly becomes an unmerciful weapon.

an additional 2 cents

--TH13

[D0pp139an93r]

Exactly.... Although... I personally think NMap became dangerous when it was given a GUI....


Learning all them switches was sort of an initiation....


Let's be honest... Yes, this will probably be bad.... But it might spur some patches...

[mjk]

Like methsnax, I don't think this is any more dangerous than Nessus, NMap, etc. And I think TH13 makes a great point above. A tool is only as dangerous as the knowledge of the person using it. Skiddies generally don't know **** about security. See the point?