Metasploit For The Masses

Two years after Rapid7 acquired the Metasploit Project, the company has rolled out a free and more user-friendly version of the open-source tool that is aimed at less technical users.

The new Metasploit Community Edition is a combination of the popular open-source Metasploit Framework and a basic version of the user interface of Rapid7's Metasploit Pro commercial product.

HD Moore, Rapid7's CSO and chief architect for Metasploit, says the free pen-testing tool features a new user interface and automation of tasks to make penetration testing more approachable for organizations and users not necessarily versed in penetration testing. There's a growing number of organizations that want to get started with pen testing, either for compliance reasons or just to test it out, he says.

"There's a huge number who want to dip their toe into security and don't want a complex learning curve. They just want to test it, and some are scared to test it," says Moore, who is also the creator of Metasploit. "[Now] they can get familiar with Metasploit ... and make sure they can prioritize vulnerabilities" and other security issues, he says.

It was two years ago today that Rapid7 announced it had purchased Moore's open-source Metasploit pen-testing tool project, and that Moore had joined the company and was remaining in charge of the project.

For Rapid7, the goal was to leverage Metasploit's exploit technology to help identify which vulnerabilities found by its NeXpose vulnerability-management tool were actually exploitable. But the deal also gave Metasploit full-time resources, something Moore says has helped propel the project and technology much further than he and its contributors could have done during after-hours. It also gave Metasploit a real commercial presence: Rapid7 rolled out an enterprise version of Metasploit -- Metasploit Pro -- last year, and later, Metasploit Express, Rapid7's commercial tool with a full GUI and automated exploitation and reporting for enterprises.

Moore says Metasploit contributors from the open-source community continue to add creative features and functions to the tool at a rapid clip. And since Rapid7 purchased Metasploit, the code base has grown 156 percent.

Meanwhile, Metasploit Community comes with network-discovery features and is integrated with vulnerability scanners including Rapid7's NeXpose, as well as Nmap and other tools. It also identifies which bugs are actually exploitable, and includes an exploit module browser.

Moore says more organizations are conducting pen tests, and pen-testing engagements are getting larger and more frequent. "Waiting until the fourth quarter for the next pen test doesn't cut it [anymore]," for example, he says.

"It goes to show that Metasploit continues to lead the way in keeping their community involved, whereas other projects have went closed source and cut community ties," says David Maynor, CTO for Errata Security, of the Metasploit Community release.

Maynor, who conducts pen-testing engagements for his firm's clients, says cost-cutting is a reality today for many organizations. "Saving money is good business. The more you can automate something like a pen test, the better," Maynor says. "The danger comes in not being able to evaluate the results correctly."

Metasploit Community is available for download here.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.