Metasploit is a powerful and popular tool for penetration testers and security experts. However, it's also a goldmine for the darker side of the hacking community. Recently, Rapid7 published a list of the most popular Metasploit modules, offering an interesting look at the vulnerabilities that earned the most attention last month.
The list was compiled by examining the web server statistics for the Metasploit Auxiliary and Exploit Database.
1. MS12-020 - At the top of the list is MS12-020. Microsoft's bulletin stated that the primary RDP flaw it fixes could allow an attacker to execute code on a system with RDP enabled, but no public exploit ever got further than crashing the target, and the Metasploit module released for it is an auxiliary denial-of-service module rather than a working exploit. The second vulnerability addressed in MS12-020 was a separate flaw in RDP that could be used to create a denial-of-service condition on systems where RDP was enabled. "This is likely the most popular module we have due to both recency bias and because there was an unusual level of spontaneous organization of the Metasploit developer community to search for the correct path to remote code execution," Rapid7's Tod Beardsley explained.
2. MS08-067 - Beardsley describes this one as a "four year old vulnerability that tends to give the most reliable shells on Windows 2003 Server and Windows XP... This exploit is also not ancient, so it's reasonable to expect to find some unpatched systems in a medium to large enterprise vulnerable to it." Most security admins and aficionados, however, will recognize this vulnerability as the one used by Conficker and its many variants to spread. The fix was released out-of-cycle on October 23, 2008 to address a flaw in the Server service, which is enabled by default on Windows 2000, Windows XP (all versions), and Windows Server 2003. Microsoft pushed the fix ahead of its normal schedule because the flaw was already being exploited in limited targeted attacks and because of concern that it could be used to build a new worm. That concern was borne out within weeks: the first version of Conficker, which spreads through this vulnerability, appeared in November 2008, and the worm remains active to this day.
3. MS06-040 - Like MS08-067, this is a buffer overflow in the Server service, and it is the go-to method for gaining remote root on Windows NT 4.0. "A six year old vulnerability that's notable in that there's no official patch from Microsoft for this on Windows NT 4.0. This was discovered after NT went end-of-life, so if you need remote root on an NT machine (and there are still plenty out there), this is going to be your first choice," Beardsley said.
As SecurityWeek columnist Oliver Rochford points out, studies of the methods used in the wild show that attackers prefer the same tools that penetration testers and other security professionals use or sell to others, and Metasploit is no different.
The entire list of popular Metasploit modules is worth checking out. It's also worth the time it takes to ensure that your systems are patched against the vulnerabilities these modules target.