Automating Metasploit Framework

Abstract:vulnerability assessment (va) and penetration test (pentest) are required by many
organizations to satisfy their security auditing and compliance. Va and pentest are conducted in
the different stage and they are done through the software tools. Implementing the system
that is able to convert the va scan result to be rendered in the pentest tool is a real challenge.
This paper proposes a design and development of a system called vape-bridge that provides the
automatic conversion of the scan result of open vulnerability assessment scanner (openvas) to
be the exploitable scripts that will be executed in the metasploit which is a widely-used
opensource pentest program. Specifically, the tool is designed to automatically extract the
vulnerabilities listed in open web application security project 10 (owasp 10) and exploit them to
be tested in the metasploit. Our vape-bridge encompasses three main components including (1)
scan result extraction responsible for extracting the va scan results related to owasp10 (2)
target list repository responsible for retaining lists of vulnerabilities to be used in the process of
metasploit, and (3) automated shell scripts exploitation responsible for generating the script to
render the exploit module to be executed in metasploit. For the implementation, the vape-
bridge protype system was tested with a number of test cases in converting the scan results
into shell code and rendering results to be tested in metasploit. The experimental results
showed that the system is functionally correct for all cases.
The Metasploit Project is a computer security project that provides information about security
vulnerabilities and aids in penetration testing and IDS signature development. It is owned by
Boston, Massachusetts-based security company Rapid7.

Its best-known sub-project is the open-source[2] Metasploit Framework, a tool for developing
and executing exploit code against a remote target machine. Other important sub-projects
include the Opcode Database, shellcode archive and related research.

The Metasploit Project includes anti-forensic and evasion tools, some of which are built into the
Metasploit Framework. Metasploit is pre-installed in the Kali Linux operating system.[3]