14

I'm new to metasploit, and want to install it on the work computer I use every day; but I'm not sure whether it is safe.

Are there any best practices when using metasploit?

schroeder
  • 123,438
  • 55
  • 284
  • 319
elsadek
  • 1,782
  • 2
  • 17
  • 53

3 Answers3

10

While installing metasploit on your machine will not directly cause any issues you should be aware of the following:

  • metasploit, like all other software, can introduce vulnerabilities as a result of the underlying components that make it work, the database listener and Ruby service are installed as well as a web framework depending on the version installed. If your computer is not adequately protected or new exploits are found for this software, it may be possible to compromise your machine. This is an inherent risk of installing any software.

  • metasploit allows for the creation and generation of 'malicious' payloads. If configured incorrectly or run accidentally on your machine could introduce vulnerabilities as well.

  • many antivirus solutions will detect metasploit modules and exploits and prevent them from running by placing them quarantine. If you have AV installed you'll need to provide exceptions for it which is, overall, reducing your effective security.

In summary, it depends on what you define as safe. If the above risks are acceptable, go ahead. The metasploit framework is well renowned and as far as anyone knows, isn't backdoored in any way. Assuming you download it directly from rapid7 I would imagine there would be no issues.

schroeder
  • 123,438
  • 55
  • 284
  • 319
NULLZ
  • 11,426
  • 17
  • 77
  • 111
  • I'll go for a VM, it makes situation more confortable – elsadek Feb 24 '13 at 06:28
  • Not only for Metasploit but for every tool, you should use a machine independent for this kind of actions. That's why exist Backtrack, Backbox, etc – The Illusive Man Feb 24 '13 at 15:16
  • 1
    Just be warned that unless its part of your job, installing Metasploit (especially if it triggers an AV alert) will likely draw the attention of your system administrators which may be against your company IT policy. Cheers! – NULLZ Feb 24 '13 at 22:19
  • @yzT that's fine if you have the processing power available to run VM's. However, often I do not, especially when running from a laptop. – NULLZ Feb 24 '13 at 22:22
  • Unless you're running on a laptop from ancient times, you shouldn't have any trouble running one of the smaller *nix distros. You don't need to feed a dedicated Metasploit VM with RAM and processing power like you would a general-purpose Windows VM. – Rushyo Feb 28 '13 at 10:28
9

I'd recommend that you don't install Metasploit on your work computer. To make Metasploit run without issues, it's recommended that you switch off your firewall and anti-virus, which may not be a good idea for your production system. My recommendation: Install Metasploit on a virtual machine (e.g. VirtualBox) in Bridged Mode (so the payloads can connect back). Ubuntu seems to work great and doesn't require a license.

Disclosure: I (used to) work for Rapid7

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • 1
    thnsk for the advice, it's been a while I've setup two VMs on virtualbox, the first is ubuntu which run metasploit and the second is just BackTrack VM. – elsadek Mar 04 '13 at 08:51
5

As long as you install it from a known source, then there should not be any risk to you or your computer.

However, your employer's network administrators may have a few questions for you if you use it and they detect the activity.

schroeder
  • 123,438
  • 55
  • 284
  • 319
Akber Choudhry
  • 809
  • 7
  • 12
  • 3
    They may have questions even if you don't use it - many corporate AVs have signatures to detect tools like this as "Potentially Unwanted Programs" (PUPs) or "Hacking Tools". – Iszi Feb 24 '13 at 02:12