Hackers break into systems, and some of them get caught. The funny thing is that when some of them were caught some years back, when there was little penalty for computer crimes, a few of them saw the error of their ways. They realized that there was money to be made by writing tools to help people secure the very same networks they themselves were so adept at breaking into. After all, why risk further trouble with law enforcement, and the slowly increasing penalties, when you can play for the good guys? Not only are they now legitimate security consultants, but they are also making a bucket of money while they are at it. For many people money is a prime motivator, and computer hackers are no different. The money, combined with the ego boost of being a wanted commodity, is a combination that has lured many hackers into a career in network security. That being said, the truly good ones embody the true meaning of the word hacker. They simply enjoy computers at their most basic yet most complicated level: source code. To put it plainly, a hacker is in reality a programmer, someone who can actually write code and, by extension, create programs.
The stage is now set for many talented hackers to devote their coding abilities to writing tools. Those tools can just as easily help secure a network as be used to crack it. With the ever increasing size of the Internet there is a seemingly never-ending market for the services these hackers can provide. Writing a tool to help secure a network and then selling it is far better than the ephemeral ego boost of rooting a machine, or the underground credibility that writing and releasing such a tool may bring. There is also the burgeoning open source movement. These programmers believe that tools and operating systems should be open source, i.e. not commercial, and they donate their coding expertise to do just that.
How does this impact you though?
Having security tool development available to hackers as a legitimate career has helped the computer security software market flourish. There is now a veritable cornucopia of well written and easy to use tools, both commercial and open source, to help one ascertain the security posture of a network. They range from the simple port-scanning tool to the far more complex, intrusive types of scans, which may actually send exploit code.
The availability of these very well written, and in this case open source, tools has had a curious side effect. There is beginning to be a bit of a backlash at the recent spate of releases of some of these tools. By backlash I mean the harsh words some of my fellow network security peers have leveled at some of the latest tools to be released. One such tool would be Metasploit, which was coded by two of the best win32 coders out there today: HD Moore and spoonm. Some of my colleagues feel that the availability of such high quality open source tools, which cost nothing, only adds to their woes. By their logic a commercial tool which costs a good deal of money may not be used as much by the segment of online users who continually scan for vulnerable computers. Having such potent attack tools as the Metasploit Framework freely available only complicates their task of keeping their respective networks secure.
Personally, I do not share their opinion. It is always good to see, and be able to use, tools that help you do your job, whether they be open source or commercial. I for one strongly feel that to help secure your network you need to be able to try to break into it. In essence, to successfully defend your network you need to know how to attack it. This is not an opinion shared by all, but I believe it to be a valid one. Being able to personally recreate a certain hack makes it that much easier to spot when, and if, it materializes at your network.
Tools for everyone!
The irony of course is that these very same tools are the ones used by the less than talented "script kiddie". One of the largest threats facing our collective networks today is the bottom feeders of the computer world: the aforementioned script kiddie. What they may lack in talent they more than make up for in sheer numbers. While I am for total disclosure, and that also means the posting of exploit code, it has helped simplify the task of this segment of the online world. The question is, though, how do these online vandals also get hold of other very expensive computer security software? Herein lies an even greater irony, in that these high-end tools end up on the peer-to-peer lists quite quickly. Why pay thousands of dollars when you can simply steal it anonymously is the motto of many. The more savvy computer user would simply get an open source alternative, which is both free and, in most cases, just as good.
This brings me back full circle, so to speak. With the initial release of, and subsequent improvements to, Metasploit, many of my peers have complained about the lethality of such a tool. While this tool may not be as up to date as some of the other high-end tools like CANVAS and Impact, Metasploit will still help you check your network security posture. That being said, Metasploit is also free and relatively easy to use. The Metasploit developers may not be adding every latest exploit to their tool, but they have added some nice little twists to it, such as NOP sled randomization, or "egg obfuscation". Not only that, but they also added a ready-made signature for the IDS vendors to key on: the word metasploit in the actual packets sent when this tool is used.
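The two detection hooks just mentioned, as an added example that is not from the article or from the Metasploit project: a small Python check that runs over constructed sample payloads and flags the literal metasploit marker the developers put in packets, and separately a plain run of 0x90 NOP bytes; the run threshold and the sample packets are assumptions. The "scattered" sample shows why the naive sled check alone goes quiet once the sled is randomized, which is exactly what the marker is there to compensate for.

```python
# Added example, not from the article or Metasploit: a minimal payload check
# for two indicators the article names: the literal "metasploit" marker the
# developers put in packets for IDS vendors, and a plain 0x90 NOP sled,
# which sled randomization ("egg obfuscation") is designed to remove.
from dataclasses import dataclass

MARKER = b"metasploit"  # the signature string named in the article
NOP = 0x90              # classic x86 single-byte NOP
SLED_THRESHOLD = 32     # assumed: shortest 0x90 run worth flagging

@dataclass
class Verdict:
    marker_seen: bool
    longest_nop_run: int

    @property
    def suspicious(self) -> bool:
        return self.marker_seen or self.longest_nop_run >= SLED_THRESHOLD

def longest_nop_run(payload: bytes) -> int:
    """Length of the longest contiguous run of 0x90 bytes."""
    best = run = 0
    for b in payload:
        run = run + 1 if b == NOP else 0
        best = max(best, run)
    return best

def inspect(payload: bytes) -> Verdict:
    """Case-insensitive marker search plus the plain NOP sled check."""
    return Verdict(MARKER in payload.lower(), longest_nop_run(payload))

# Constructed sample payloads (not real captures).
SAMPLES = {
    "marker": b"GET / HTTP/1.0\r\nUser-Agent: MetaSploit\r\n\r\n",
    "plain_sled": b"A" * 8 + bytes([NOP]) * 64 + b"B" * 8,
    # same number of 0x90 bytes as a short sled, but never contiguous,
    # so the naive run check stays quiet: the randomization problem
    "scattered": b"A" * 8 + bytes([0x41, 0x42, NOP, 0x43]) * 16 + b"B" * 8,
    "benign": b"GET / HTTP/1.0\r\n\r\n",
}

def scan_samples() -> dict:
    """Inspect every sample, keyed by name."""
    return {name: inspect(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, v in scan_samples().items():
        print(name, v.marker_seen, v.longest_nop_run, v.suspicious)
```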
In a computer world of increasingly sophisticated exploit code, and of tools with which to parry it, one comes to a crossroads. At what point is a tool a legitimate security tool, or simply a hacking tool? The above noted Metasploit tool is a perfect example of this paradigm. I emailed HD Moore, one of the program's developers, about this very thought. He sees Metasploit as more of a development tool, in addition to the obvious pen-testing applications that it has. The one key difference between Metasploit and other such tools is that it will allow you to add to it. Like anything else in life, these tools can be used for either good or bad. It all comes down to the individual.
It occurred to me that it may simply be the fact that Metasploit is open source, and therefore freely available, that has irked so many. What my peers should be is thankful that developers as talented as HDM and spoonm have freely given of their time and skills to create such a tool. To be in the network security world is to be continually learning and evolving your skillset. Not everyone has the ability to be a software developer; that is a given. What we must all do as security professionals, though, is keep up to date on the tools that are out there. In the case of the Metasploit Framework you don't have to worry about the possibility of "added value" features in the exploit code. All exploits there can be trusted not to open up any backdoors on your system, only those on the victim computer in your lab.