
Mac® Security Bible by Joe Kissell

21.3. Using Metasploit

Whereas Nessus and SAINT can scan for potential vulnerabilities but cannot test whether they're actual vulnerabilities, a free, open-source tool called the Metasploit Framework (http://metasploit.com/), or Metasploit for short, offers (as does SAINTexploit) the remaining piece of the puzzle: it can exploit known vulnerabilities, enabling you to know for sure whether your computers are at risk.

Metasploit itself doesn't know how to exploit vulnerabilities; rather, it's a development and delivery mechanism. Researchers who discover security holes can use the Metasploit Framework to create instructions for carrying out exploits, which can then be shared with other users and tested on a variety of systems.

So, in Metasploit's usage, an exploit is a procedure, described in a module (a specially designed Ruby file), that attacks a known weakness in a particular program or service on one or more platforms. It's the code that Metasploit uses to break in. The Metasploit Framework ships with hundreds of exploits, and more are being developed all the time.

But once you're in, then what? Picking a lock may open the door, but the reason for doing so is to get at what's on the other side. So, the other key component of Metasploit is the payload, which is the set of instructions for taking some action on the target computer once the exploit has been successfully executed. Typical payloads include procedures to give the user shell access to the remote computer, execute ...
