Metasploit Framework

Title: Metasploit Framework
Person: Raviv Raz
Length: 60
Language: Hebrew
Abstract:
The reasoning for setting up this project was to organize the task of
writing exploits quickly. Nowa days, almost everyday a new
vulnerability in some code is published, and the need to test whether
systems are vulnerable becomes critical in Penetration Testing. This
task, which is bread and butter for security consultants involves
testing and demonstrating to the customer the possibility of hacking
into their network and gaining sensitive information through flaws in
configuration and code.
Gnereally, three languages are used for coding new exploits: Perl, Python and C.
Rarely, assembly is used for making up platform-specific tasks.
The process genreally consists of these steps:

  -   Testing to see what systems / software is vulnerable (Scanning)
  -   Identifying the specific bug
  -   Creating the exploit code
  -   Hacking into the system
  -   Loading some remote control software
  -   Gaining administrative access and obtaining whatever was requested

In order to automate this process, two commercial programs have been created:
Immunitysec's "CANVAS" and CoreSecurity's "Core Impact"
The different routines used for the process of penetration were
bundled into these programs to create standard platforms for rapid
development.
As usual, an open-source solution has been offered in the form of Metasploit.
Although it doesn't contain too many ready-made modules for Point &
Click penetration, what it does is simplify the process of writing new
code for new vulnerabilities without having to rewrite common
routines.
The programming is done mainly in Perl (which I am not very 
experienced with, yet...)
There's also a need for this platform to gain popularity in order to
contribute new modules just like Snort (Intrusion Detection software)
and Nessus (Vulnerability Scanning software).

The highlights of what will be presented include:

- The Metasploit project vs. commercial products.
- Getting familiar with the framework, its parts and its logic.
- Using the framework in vulnerability R&D.
- Live demo of hacking using Metasploit.
- The future of Metasploit in context of Pen-Testing.


 

 

 

 

 

Please send comments, questions etc. to yapc-organizers@perl.org.il