By guest blogger and Rapid7 customer David Henning, Director Network Security, Hughes Network Systems
A few weeks ago, Rapid7 asked me to participate in the Metasploit Tech Preview for 2013. I’ve participated in a couple of other product previews in the past. I like the interaction with the Rapid7 development teams. This tech preview was smooth and it was easy to participate. Previous testing sessions required interactions over e-mail and there was some associated lag. This preview was managed via the Rapid7 community site which helped it run much more smoothly.
So now I’ve been asked to give my impressions of the latest Metasploit 4.8. My team and I have been kicking it around for a little over a week now. What’s new? Well, there are five main improvements to the tool: user interface, reporting, passive network discovery, vulnerability validation, and the validation wizard. Of these, we were asked to test two: the user interface of the single-host screen and the Vulnerability Validation Wizard.
My take on the latest Metasploit Pro? The UI is nice. It has a clean modern look you would expect in this age of sleek phones and tablets. The quick start wizards allowed me to get going quickly, but I still had the ability to walk through a new project step-by-step, if I chose. The new tabs in the single host view include summary numbers. For example, a host with three services will have the number 3 circled on the Services tab just like the mail app on my phone tells me how many messages I’ve got.
The big feature, though, is the Vulnerability Validation Wizard. In just a few clicks, you can use the wizard to connect from Metasploit into the Nexpose scanner product, download the recent scan data, and automatically launch tests to validate whether the vulnerability can be exploited by Metasploit. This gives one the ability to prioritize vulnerabilities that need to be fixed now because they are easily exploited vs. vulnerabilities that are not easy or are even complete false positives. Once the vulnerabilities are validated or proven unexploitable by Metasploit, the new wizard continues the workflow and the findings are pushed back into the Nexpose console.
Collectively, I’m pleased with the new improvements to Metasploit Pro. The vulnerability validation and two-way communication with the related Nexpose scan tool is something I know I’ve asked for and suspect many other customers had as well. It saves me and my team considerable time compared to manually entering false positives or sending reports on valid vulnerabilities to our systems groups for remediation. Definitely looking forward to upgrading our production system when this is released.