Top Metasploit Modules

Thursday, May 31, 2012 @ 02:05 PM gHale

Metasploit is a powerful and popular tool for penetration testers and security experts, but it is also a treasure trove for hackers.

A look at the most popular Metasploit modules shows which vulnerabilities earned the most attention last month, according to research by vulnerability management, compliance and penetration testing provider Rapid7.


The list came together by examining the webserver statistics for the Metasploit Auxiliary and Exploit Database.

1. MS12-020 — Earlier this year, experts suspected (though it was never proven) that MS12-020 would allow an attacker to hijack RDP and execute code. The second vulnerability addressed in MS12-020 centered on a flaw in RDP that could create a Denial-of-Service condition on RDP-enabled systems. “This is likely the most popular module we have due to both recency bias and because there was an unusual level of spontaneous organization of the Metasploit developer community to search for the correct path to remote code execution,” said Rapid7’s Tod Beardsley.

2. MS08-067 — Beardsley explains this one as a “four year old vulnerability that tends to give the most reliable shells on Windows 2003 Server and Windows XP. This exploit is also not ancient, so it’s reasonable to expect to find some unpatched systems in a medium to large enterprise vulnerable to it.” Most security administrators, however, will recognize this vulnerability as the one used by Conficker and its many variants to spread. The patch was released out-of-cycle on October 23, 2008, to address a flaw in the Server service, which is enabled by default on Windows 2000, Windows XP (all versions), and Windows Server 2003. Microsoft pushed the fix earlier than usual out of concern that the flaw could help create a new worm. Months after the patch was released, the vulnerability was being used by the first version of Conficker. The worm remains active to this day.

3. MS06-040 — This is the go-to method for gaining remote root on Windows NT. “A six year old vulnerability that’s notable in that there’s no official patch from Microsoft for this on Windows NT 4.0. This was discovered after NT went end-of-life, so if you need remote root on an NT machine (and there are still plenty out there), this is going to be your first choice,” Beardsley said.

Oliver Rochford, a SecurityWeek columnist, said studies of the methods utilized in the wild reflect that attackers have a preference for the same tools that penetration testers and other security professionals use or sell to others, and Metasploit is no different.
