Skip navigation
All Places > Metasploit > Blog > 2010 > October
2010

Originally Posted by Chris Kirsch

 

 

Exactly one year ago, Rapid7 acquired the Metasploit Project. Many community members feared that this would be the end of Metasploit's open source era. After all, many open source projects had been turned into commercial offerings at the cost of the community. Most prominently our space, a widely used vulnerability scanner is no longer open source.

anniversary2.jpg

 

To the surprise of many skeptics, Metasploit is arguably the most successful collaboration between an open source project and a commercial vendor in the market. The Metasploit Framework user base grew more than five-fold this year, we've seen more code commits in the past 12 months than in the previous three years combined, and more than 200 organizations have adopted the commercial editions of the product after only five months of availability.

 

I joined Rapid7 only three months ago to take on the role of product marketing manager for the Metasploit product line, so I can't take credit for this success, but I would like to share my observations and thoughts with you.

 

One reason I am excited about the challenge at Rapid7 was that I am very intrigued by the Metasploit “brand”, which has seen an incredible following. I want to be a part of leveraging it to its full potential at the benefit of both the community and the customers. We have to serve both sides because we need both grass-roots support and the commercial viability for the open source funding to be successful.

 

Most open source projects are challenged by developers who lack bandwidth and are hard to plan with because they moonlight for the project. At the time of the acquisition, Rapid7 said that it would be investing in open source projects by funding full-time developers that can focus on increasing code quality, turning around bug fixes more quickly, and implementing new features - and many scoffed. But over the past year, Rapid7 has demonstrated not only its desire to help the community but we have also followed through on the commitments made one year ago. In addition to the development team, the Metasploit Project is benefiting from the entire Rapid7 back office, including quality assurance, IT operations, and marketing to keep the community informed.

 

During that time, we’ve also built a solid, supportable base for commercial products, such as Metasploit Pro, a new software product for advanced penetration testing that Rapid7 announced yesterday. The open source community benefits from a more solid code base, the commercial customers from a mature product at a competitive price because it can leverage the contributions from the community. But the involvement of the community means much more to us: It raises the industry bar because it keeps us on our toes, including the latest developments and exploits we hear about from our community. 

The successful Metasploit collaboration also opened the door for other open source projects to get funded. In the first week I joined, we also announced the sponsorship of another open source project:
w3af. We have started to fund dedicated resources for that project and have opened a center of excellence for Web application security in our new office in Buenos Aires, led by Andres Riancho, the founder of w3af. I'm excited to see what we will be able to report in 9 months, on their one-year anniversary.

Originally Posted by egypt

 

 

On this first anniversary of Rapid7's acquisition of The Metasploit Project, we are proud to announce the release of the newest version of the Metasploit Framework, 3.5.0, with over 600 exploits and tons of bug fixes.

 

A lot has happened in the last year.  Twelve months ago, lots of folks were asking whether the acquisition was going to mean the end of Metasploit.  To address some of those questions a year ago, I promised several things.  First, I promised Quality Assurance and fewer bugs; Jonathan Cran is our dedicated quality assurance tester and has produced an excellent testing procedure as well as numerous methods for automating the framework.  Because of the team's emphasis on quality, many show-stopping bugs were found and fixed long before they caused a problem for anyone.  I promised faster development and a glance at our subversion history will show you just how much faster: we have had more commits in the last year than the previous three combined.  I promised more exploits.  A year ago, Metasploit contained 445 exploits.  Today there are 613, due in large part to Josh Drake whose tireless efforts have brought us exploit modules for many of the bugs being exploited in the wild.  I also promised greater stability and new features.  In the last year, we've vastly improved the framework itself and launched two successful commercial products around it.  Before the acquisition, meterpreter was only for 32-bit Windows.  Now it supports PHP, 64-bit Windows (thanks to Stephen Fewer), and Java (thanks to Michael Schierl) and Philip Sanderson has made considerable progress on support for POSIX.  When possible, it also now encrypts its communications and compresses files when downloading.  Additionally, several important bug fixes have increased meterpreter's reliability and scalability.

 

But most importantly, I and others at Rapid7 promised that the Metasploit Framework would continue to be Free.  We have not wavered on that promise, nor will we -- the Framework is still available under the same BSD license.

 

Today's 3.5.0 release adds even more functionality including scriptjunkie's Java GUI as a replacement for the old msfgui which relied on buggy and unmaintained GTK libraries. Thanks to a plugin by Zate Berg, you can now control Nessus directly through msfconsole.  Another new plugin, from Jonathan Cran, gives you the ability to control VMWare virtual machines as well.  Database imports have been expanded to include Retina, Netsparker, and our own Metasploit XML which you can create with the new db_export command.  An improvement to the meterpreter script API design makes it much easier to avoid duplicating code.  For advanced users with specific networking requirements, the bind address for reverse payloads can now be controlled independently from LHOST with the ReverseListenerBindAddress option.  This release also fixes a long-standing issue on Windows-native ruby that prevented background threads from working.  As a result, the new installer no longer requires Cygwin and Windows users should notice a considerable performance increase.  The msfcli interface has been revamped and now has the ability to run background exploits and catch more than one shell.  For a more detailed list of changes see the release notes.

 

Many of these improvements in the free Metasploit Framework were made possible or accelerated by the funds provided by the commercial Metasploit products, including the new Metasploit Pro, which Rapid7 announced yesterday.  One year ago, an enterprise-class penetration testing tool would set you back the cost of new car. Today, commercial Metasploit editions are available at between half and a tenth of that price, benefiting both the commercial sector and the open source community.

 

In the last twelve months, the community that some said would abandon us has flourished -- our active user base has grown five-fold.  We have had more patches, more bug reporters, more contributors, and generally more involvement.  Over one million unique IPs downloaded and updated the framework in the last year.  I think we can safely say Metasploit is here to stay.

 

I'm glad I was able to keep my promises but I'm equally glad that this prediction came true: "From my perspective, it's going to be awesome."

Originally Posted by Chris Kirsch

 

 

We love it, our beta testers loved it, and we trust you will as well: today we’re introducing Metasploit Pro, our newest addition to the Metasploit family, made for penetration testers who need a bigger, and better, bag of tricks.

metasploit-pro.png
Metasploit Pro provides advanced penetration testing
capabilities, including web application exploitation and social
engineering.

 

 

The feedback from our beta testers has been fantastic, most people loved how easily they can conduct Web application scanning and exploitation with Metasploit Pro. Unlike conventional Web application scanners that scan one server at a time, Metasploit Pro finds all Web servers on an entire network, then audits and exploits all of them at the push of a button. 

Beta testers also loved its new social engineering campaigns, which enable you to simulate attacks on the network using email and USB thumb drives. My jaw dropped when I first saw HD Moore clone “a popular music distribution website” using Metasploit Pro in our first internal sneak peek. If you want to check it out, watch
HD’s presentation at SecTor next weekin Toronto. 

My personal favorites are team collaboration and VPN pivoting, simply because they haven’t been done before. When working in teams, many penetration testers find it difficult to share interim results and consolidate their findings at the end of an assignment. With Metasploit Pro, you can collaborate to divide and conquer the network, building on each other’s strengths and pooling findings so that they can be used by everyone. And, at the end, all findings are consolidated in a single report. 

My second pet feature is VPN pivoting. It is different from the proxy pivoting you may have used so far, which is limited to routing connections from within Metasploit, and only supports basic UDP and TCP sessions. By contrast, Metasploit Pro’s VPN pivoting provides a virtual Ethernet interface into the remote network through the compromised machine. This enables you to route any traffic, from any tool, through the compromised target. With VPN pivoting, you can run a vulnerability scanner such as NeXpose through a target as if you were plugged into the local network. No other tool offers this functionality. 

In a nutshell, Metasploit Pro enables you to take an earlier flight home after your penetration testing assignment. You’ll be more competitive
and see more of your family. If you’d like to give your new life a try, download a free, fully featured Metasploit Pro trial version.

Filter Blog

By date: By tag: