Metasploit exploits undergo a rigorous 3-step quality assurance process so you have the peace of mind that exploits will work correctly and not affect production systems on your next assignment.
Step 1: Rapid7 Code Review
Many of the Metasploit exploits are contributed by Metasploit’s community of over 175,000 users, making Metasploit the de-facto standard for exploit development. This is a unique ecosystem that benefits all members of the community because every Metasploit user is a “sensor” in the real world that reports the latest attack vectors to the Metasploit exploit development team.
Quite a few people not only report what they have seen but also submit Metasploit exploit modules to the project. The Rapid7 security research team then works with the contributors to ensure that the modules meet the expected coding and quality standards and conduct a quality assurance on the code to ensure that it works as expected, doesn’t affect the stability of the exploited system, and meets our versatility requirements.
At this point, the exploit is also ranked by reliability; when testing production systems, we recommend that you only use exploits with a 4 or 5 star reliability rating (4 = Great, 5 = Excellent).
Step 2: Community Review
Let’s be intellectually honest: If you’ve ever worked in software development, you’ll know that no matter how good your QA process is, you can miss things. No QA lab can replicate every funky systems configuration and constellation that’s out there in the wild. This is where our community comes in again:
If you are a developer, you can choose to pull the untested code-of-the-moment straight from the GitHub repository (previously SVN), and many security professionals do. This gives us instant feedback on the quality of the latest code from a huge community, which is a priceless advantage Metasploit has over closed-source solutions.
At this point, I’d like to say Thank You Very Much to all of our loyal users. We can’t thank you enough, which is why we continue to offer free solutions such as Metasploit Framework and the Metasploit Community Edition. All of you ensure that open source remains better quality than proprietary solutions, which their marketing departments euphemistically position as “commercial grade”. This is ironic, since I often hear from security professionals that Metasploit exploits turn out to be more stable in the field than their proprietary counterparts for the same vulnerability.
Step 3: Automated QA Testing
Once a week, the current snapshot of the code undergoes an additional, automated quality assurance process before it is packages and released; this is known as the “stable tree”. Metasploit Community, Metasploit Express, and Metasploit Pro, exclusively pull from this stable tree, and users can get updates - typically every Wednesday barring major releases or holidays.
If you’re using Metasploit Framework, you have the choice between the development and the stable tree. If you’re using the standard installer and don’t pull from GitHub directly, msfupdate pulls the stable tree.
If you see something, say something
It’s always possible that something slips through the cracks even after these three vigorous steps. If you find an issue with any exploits or other parts of the code, please open a new discussion right here on Security Street to let us know. This has not only been the most effective way for us to communicate, it also publicly documents the issue for others who may be searching for a solution or work around. Users with a paid license of one of our commercial Metasploit editions can also contact Rapid7 support at support [at] rapid7 [dot] com.