would i like to keep it black art...yes.

do i remember wishing people would teach me stuff...yes (still do)

is clicking 5 times and 0wning a box too easy?  is:

gcc sploit.c -o sploit
./sploit

too easy too?  yes...

do i think MSF is too easy to use...maybe a bit BUT...

if you hire some dude for an audit and all he runs is nessus and MSF and you think that's a good job, then you deserve to get your money taken.

anyway, the power behind MSF is in the ability of its API to solve problems or build your own scripts and tools and exploits.

plik,

   I think as you work with MSF more you will see that your fears are even more founded in reality.  The types of things you can easily do with just a little more knowledge is incredible.  For instance, did you realize that with just a little configuration and installing a database on your system you can import your Nessus NBE files and MSF will take this information, provide you with a list of possible exploits, automatically run them all for you, and provide you with a list of owned boxes?  Very nice and efficient. 

   What the MSF people have done is provide the public with a tool that malicious individuals may have already achieved in some form or other.  The point here is that it is better WE have access to this type of thing as well as malicious individuals so that we can sufficiently test our environments before deployment and during utilization.

   Yes, script kiddies love this tool.  Heck, I still consider myself a script kiddie because I do not understand how to write my own exploits and modify MSF to do additional tasks beyond gaining access to a system.  My only saving grace is my knowledge of security architecture, project planning, and report writing.  These are the benefits that I provide to a penetration team.  I have gotten this same feeling from the majority of persons who patrol these forums.  There are varied levels of experience and each person has their own strengths and weaknesses.

Which is why I always say, "Go forth and do good things" on just about every post.  But, of course, I am sure people are starting to get a little sick of my catch phrase

Go forth and do good MSF,
Cutaway

Do I think that writing exploits should be a "black art"? No. The full disclosure that HD Moore and the Metasploit team bring to the industry has done a tremendous amount of good by forcing vendors to improve their products, patch when bugs are discovered (and published) and develop secure testing methodologies. These are just some of the improvements to the industry.

A current example is the recent .ANI vulnerability. This exploit came out of work done by Alexander Sotirov. It bypassed all the current protections available such as GS, DEP, ASLR, and IE7's Protected Mode.

This exploit targeted a bug that had already been "fixed and "patched" by Microsoft. Without the efforts of the security researchers out there this exploit would have been used by the usual cadre of spammers, phishers and bot herders and we would have been none the wiser. By releasing this exploit it forced Microsoft to release an out of cycle patch to fix the bug.

So is there a danger that script kiddies will use these tools to "go forth and do bad things"? Sure, but as with anything, you have to assess the risk posed by this and figure what the impact would be to not have access to these tools.

From an interview with HD Moore:

"Some pen-testers prefers doing things "by hands" and don't believe in automatic tools... do you think Metasploit is giving more power to script kiddies, or pros need it as well?

H D Moore: The Metasploit Framework is definitely a "hands-on" tool. Every aspect of exploitation can be controlled, configured, and monitored by the user. Many of the convenience features, such as automatically attaching to a spawned command shell, can be disabled at run time. The automation features in version 3.0 are crude and would likely cause havoc if used on an enterprise network. The Framework is a great way to enhance existing tools and skill sets, but will never replace the role of the penetration tester or skilled analyst. On the flip side, you really need to understand security testing to effectively use the Metasploit Framework. The user must select an exploit, understand which target would be most effective, and choose a payload appropriate for the task. Compared to commercial solutions like Core Impact, Metasploit has a high learning curve and a serious "geek factor". We like it that way. "

If you think Metasploit is easy, you should try Core Impact. It's drag and drop exploiting at it's finest.

If I am doing a pentest does using a 0-day to gain access to a client site have validity? Sure, but once again it's all about risk and impact. Honestly, the client is more concerned about the public exploits. Also, there are far, far more vectors than just exploits to gain access to a site.

Just my $0.02.

-dean-

The full interview: http://www.securityfocus.com/columnists/439

I've no problem with hacking tools being easy. Security professionals cannot be experts in every field and to have straightforward tools at our disposal aids the speed and performance of assessments for our clients.

There's always been an element of ease to hacking at a certain level, after all script kiddie is not a new term. Vulnerability assessment frameworks like metasploit provide a powerful platform to the good guys and I feel the benefits greatly outweigh the cost.

Kev's got a good point, action without understanding limits an attacker. I hope infosec does not remain a black art. One day (maybe) security might not be an afterthought but a core part of development. The world of computing has quickly outpaced the attitude to security with the move from a domain of high cost, limited access and limited scope to one of low cost, virtually unlimited access and global scope. The world needs to catch up with itself.

Jimbob