Ethical Hacker Community Forums

As we get closer to a final release, Metasploit v3.0 Beta 3 has been released. Download it here:

http://www.metasploit.org/projects/Framework/msf3/#download

Share your thoughts on v3.0, Metasploit in general or anything else that comes to mind when it comes to exploit frameworks.

Here's one to get the ball rolling... By the strict definition of what we've come to know this term to be (those who blindly use tools, scripts and exploit code written by someone else without knowing how to do it themselves), does that make most who use Metasploit script kiddies, even us 'professionals' in IT and security?

Don

LOL! That’s a good topic to get some debate going.  I don’t think you will get 2 people to agree exactly what a script kiddie is because we all have our own idea.  Mine is simple. A script kiddie is someone that has no idea of how or why a tool is working but only knows how to blindly point and click and hopes  occasionally he hits a vulnerable target.   If using a tool that someone else wrote makes you a script kiddie, well then every hacker on this planet is a script kiddie, because who doesn’t use nmap for instance.  The trick is really understanding networking, operating systems, tcp/ip, and really know how to use the tools. Sometimes you have to understand that not everything a tool tells you is correct and you have to interpret the results. You might even have to “play” with the tool to do some custom and new things.  This comes from experience by doing a lot of hacking. 

I know of some very good pentesters that don’t code tools and only use the tools others have written. The difference is they have been doing it a long time and can really make the tools work well and know how to interpret the results.   On the other hand, to be an elite hacker in the “black hat” sense, you have to know coding and write your own trojans and if you are lucky enough to find a new exploit no one has found, then you will be able to penetrate places others will never crack.  Heck, maybe a script kiddie is just someone that uses a name like L33t HaX0r , Ha Ha!  :)

I'd like to add to what Kev said.  "Script Kiddie" is a term of derision for an individual who doesn't look for new exploits and doesn't do anything to improve the security posture of the computer using community, he or she simply downloads a tool and starts searching for a place to use it.

There is a big difference between that individual and a penetration tester, a respected professional that is hired to assess the security of an organization and improve the security posture of that organization.

Although it may be difficult to see a major difference, I think the motivation of the person using the tools is one of the ways to distinguish between a script kiddie and a penetration tester.  That is, of course, in addition to what Kev said about script kiddies not understanding how the tools work.

 you'd be surprised at the number of people i see that cant even work MSF on the command line... it even keeps some of the kids out.

the real power of MSF will be from some of the plugins, scripting, and the meterpreter. that will keep most of the kids away from the real power.

if you are upset that some lamers can point click and hack your box, you should have patched it to begin with.