Last updated at Thu, 18 Jan 2024 21:45:03 GMT

The two-year anniversary of the Metasploit acquisition is coming up this week. Over the last two years we added a ridiculous amount of new code to the open source project, shipped dozens of new releases, and launched two commercial products. We could not have done this without the full support of the security community. In return, we wanted to share some of our commercial work with the security community at large.

As of version 4.1, we now include the Metasploit Community Edition in our combined installers for the open source Metasploit Framework and our commercial Metasploit Pro product. Just like Nexpose Community Edition, this is a free commercial product that is available for both personal and professional use. Metasploit Community Edition includes the same network discovery, data import, and Nexpose integration as its Metasploit Pro counterpart.

The user interface is based on the Metasploit Pro workflow, and the introduction of the Analysis tab in 4.1 makes slicing and dicing large networks even easier. Just like Metasploit Pro, the free Community Edition provides a simple path for identifying targets, selecting an exploit, and launching it. Sessions can be managed through the user interface and have full access to the extensive post-exploit modules built into the Metasploit Framework. Although Metasploit Community Edition isn't a replacement for Metasploit Pro by any means, it's easy to use and leverages the quality-assured code base managed by the Rapid7 team.

One of the biggest drivers for releasing Metasploit Community Edition is to address a growing gap between two types of users. Metasploit Framework users really fall into two camps: First, there are security researchers and developers who want a powerful platform to build custom tools and exploits. The console interface works great for them today and will continue to do so for years to come.

There's another group of users, though: security and IT professionals who use the Metasploit Framework to conduct security assessments and verify vulnerabilities. Even though the console is not intuitive for this group, we are seeing more people using Metasploit Framework for this purpose because it fulfills a real need to verify and remediate vulnerabilities.

Organizations of all sizes are fighting fires to combat the rising security threats. Not all companies can afford scalable, commercial software like Metasploit Pro: that is why many use the Metasploit Framework. We want to make life easier for this second group of security and IT professionals, regardless of the size of their organization or budget.

With Metasploit Pro, we already have a great, proven platform that has seen tremendous success and adoption in large enterprises. We decided to leverage this development and provide a simplified version available as the Metasploit Community Edition.

With Metasploit Community Edition, you can easily discover your network and verify vulnerabilities using specific exploits. This increases the effectiveness of vulnerability scanners such as Nexpose, which is also available in both commercial editions and a free community edition. By enhancing your vulnerability management program with Metasploit, you can prioritize remediation and eliminate false positives. In other words: you'll spend less time fixing vulnerabilities that don't pose a real security risk. A lot of security folks also use Metasploit to get buy-in for remediation. Sometimes political barriers can be more easily overcome if you can demonstrate that a system is vulnerable by exploiting it.

We've simplified the way you install Metasploit so now all editions share the same installer. With this new setup, the Metasploit Framework is available in two versions, which are installed side-by-side. First, there is the stable trunk, which is quality-tested and the basis of Metasploit Community Edition, Metasploit Express and Metasploit Pro; you should use the stable trunk if robustness is important to you. Then, there's also the development trunk, which includes exploits and functionality added since the last stable snapshot, which is updated every week. You can use this trunk if being up to date is more important to you than using a stable platform. Using the stable trunk has other advantages: it shares the same database between all editions, including Metasploit Community and Metasploit Framework, so hosts in one edition are immediately visible in the other. This makes managing the data of your security assessment much easier. Metasploit Community Edition is immediately available today as part of the Metasploit 4.1 release.

Download your free copy, and let us know what you think!

-HD