Metasploit was created by HD Moore in 2003 as a portable network tool using the Perl programming language. Later, the Metasploit Framework was completely rewritten in the Ruby programming language. On October 21, 2009, the Metasploit Project announced that it had been acquired by Rapid7, a security company that provides unified vulnerability management solutions.
Like comparable commercial products such as Immunity's Canvas or Core Security Technologies' Core Impact, Metasploit can be used to test the vulnerability of computer systems to protect them or to break into remote systems. Like many information security tools, Metasploit can be used for both legitimate and unauthorized activities. Since the acquisition of the Metasploit Framework, Rapid7 has added two open core proprietary editions called Metasploit Express and Metasploit Pro.
Metasploit's emerging position as the de facto exploit development framework has led in recent times to the release of software vulnerability advisories often accompanied by a third party Metasploit exploit module that highlights the exploitability, risk, and remediation of that particular bug. Metasploit 3.0 (Ruby language) is also beginning to include fuzzing tools, used to discover software vulnerabilities, rather than just exploits for currently public bugs. This new avenue has been seen with the integration of the lorcon wireless (802.11) toolset into Metasploit 3.0 in November 2006.
Metasploit 4.0 was released in August 2011.
Use Of Metasploit Framework :-
The basic steps for exploiting a system using the Framework include:
- Choosing and configuring an exploit (code that enters a target system by taking advantage of one of its bugs; about 900 different exploits for Windows, Unix/Linux and Mac OS X systems are included);
- Checking whether the intended target system is susceptible to the chosen exploit (optional);
- Choosing and configuring a payload (code that will be executed on the target system upon successful entry; for instance, a remote shell or a VNC server);
- Choosing the encoding technique to encode the payload so that the intrusion-prevention system (IPS) will not catch the encoded payload;
- Executing the exploit.
Metasploit runs on Unix (including Linux and Mac OS X) and on Windows. It includes two command-line interfaces, a web-based interface and a native GUI. The web interface is intended to be run from the attacker's computer. The Metasploit Framework can be extended to use external add-ons in multiple languages.
To choose an exploit and payload, some information about the target system is needed, such as operating system version and installed network services. This information can be gleaned with port scanning and OS fingerprinting tools such as nmap. Vulnerability scanners such as Nexpose or Nessus can detect the target system vulnerabilities. Metasploit can import vulnerability scan data and compare the identified vulnerabilities to existing exploit modules for accurate exploitation.
You can download the free version from the official Metasploit site- Chick Here To Download
The free version also comes as a preinstalled application in all versions of Backtrack.