They are part of an escalating arms race in cyberspace, where millions of attacks and intrusions occur every day. By prepackaging the myriad computer commands that penetrate and exploit target networks, hackers have dramatically eased the process.
Security researchers and consultants, including Linn, use such hacking tools to identify vulnerabilities and help organizations patch them. Bad-guy hackers, known as black hats, and cyberwarriors use similar illicit kits to spy on, steal from and wreak havoc in corporate and government computers.
Metasploit and many other hacker tool kits are available free to anyone who has an Internet connection.
Linn acknowledges the irony. But he likened Metasploit and other tool kits to a “Swiss army knife” and said the positive features “far outweigh the negatives.”
“Metasploit is a tool designed for researchers and security professionals, but just like many tools there are uses for it that are illegal,” said Linn, a security consultant at Trustwave’s SpiderLabs. “We don’t outlaw screwdrivers and hammers because someone might use them for murder, though. We prosecute those people who use them illegally.”
A researcher named H.D. Moore began working on Metasploit in 2002. Moore, now 31, is the chief security officer with Rapid7, a security firm that sells a commercial version of Metasploit and helps offset the cost of maintaining the free system. A computer researcher and hacker based in Austin, Moore wanted to simplify the development of computer hacks known as exploits. To keep pace with growing numbers of criminal cyberattacks, he wanted to make security hacking, or “penetration testing,” more systematic.
Metasploit works by creating ready-made packages of computer code, known as “modules,” that can be downloaded from metasploit.com. Once they are launched, the tools can find network vulnerabilities and take control of the systems.
Metasploit also serves as something of a global clearinghouse of hacker knowledge, tools and practices. Because it is an “open source” system, it relies on contributions from experienced hackers. Its popularity has soared during the past several years. Starting with 11 exploits in 2003, Metasploit now has close to 1,000.