Comparing Editions: Metasploit Framework vs. Metasploit Pro

Document created by ckirsch on May 8, 2013Last modified by ckirsch on Mar 26, 2014
Version 5Show Document
  • View in full screen mode

Are you using Metasploit Framework and wondering what Metasploit Pro could do for you? This document outlines the most important differences between Metasploit Pro and Metasploit Framework.

  • Metasploit Framework is the free, open source version that provides basic functionality through a command-line. First released in 2003, this longest-standing Metasploit edition is used mostly by Metasploit veterans, security researchers, and exploit developers.
  • Metasploit Pro is a fully-featured security solution for security programs and advanced penetration tests in mid-sized and enterprise security teams and consulting firms. Advanced penetration testers will find the most use in some of the productivity and advanced attack features. In addition, Metasploit Pro can be used to boost your enterprise security program in many other ways.


Prefer a table-formatted comparison? Go here.


The following features are exclusive to Metasploit Pro and not included in Metasploit Framework:


Higher Productivity, Better Usability


Good security professionals are hard to find. Metasploit Pro helps your experts be more productive through increased usability and better data management, reducing the time to conduct large penetration tests by up to 50%.


Manage Data in Large Engagements


Managing your target assets, collected evidence, and organizing your work is time consuming and maintaining a spreadsheet of more than a handful of IP addresses isn’t the most efficient or secure tactic. Metasploit Pro keeps track of all hosts, services, vulnerabilities, and evidence for you without your having to lift a finger.


  • Import and consolidate data: Import results from more than a dozen other tools, including port scanners, vulnerability scanners, and web application scanners. Metasploit Pro gives you a consolidated view of all of your findings.
  • Search for hosts, services, vulnerabilities, tags & notes: Search the entire database for specific information, no matter whether it’s a specific service pack, a note you filed, or a credential you captured.
  • Identify outliers: The Grouped View gives you an overview of the most and least common service on the network. This makes it very quick to identify outliers in services or version numbers, indicating that a host is non-standard on the network. Outliers provide a great first step into the network because they are often either a badly maintained or a legacy system.
  • Tag hosts: Both one of the most powerful and overlooked features in Metasploit Pro is tagging, which enables you to tag hosts to assign hosts to a person, mark the scope of a project, or flag high-value targets. Hosts can also be tagged by source (from Nexpose, internal scan, list from IT). Tags also serve as references for later actions; for example, if you've marked certain hosts with the "pci" tag, you can then start a smart exploitation action on these machines simply by entering #pci into the hosts field.
  • Store evidence: All automatically collected evidence is stored in the database. Credentials are automatically leveraged in your next bruteforce attack. Screenshots, files, and other evidence is included in reports. No more cutting and pasting!
  • Track your steps: Metasploit Pro creates and audit trail of all of your actions, listing Metasploit Pro’s every action.


metasploit-wizards.pngAccelerate Baseline Audits, Then Go Deeper


No matter if you're a veteran penetration tester or new to the game, you'll likely have more projects than you have time on your schedule. Metasploit Pro's Security Auditing Wizards walk the user through the steps of a typical engagement. Seasoned penetration testers will find that the wizards shortcut the first steps of an engagements, making them more productive. For new Metasploit Pro users, the new wizards provide a great way to easily conduct baseline assessments to find low-hanging fruit.



Simplify and Operationalize Security Testing


Even when offensive security techniques have been publicly discussed at conferences and proof of concept code or open source tools are available, using them in your projects can be very time consuming and may even require custom development. Simplify and operationalize security testing with Metasploit Pro's MetaModules, which automate common yet complicated security tests that provide under-resourced security departments a more efficient way to get the job done. MetaModules cover tasks for penetration testing, such as passive network discovery, and security controls testing, such as firewall egress testing.



Choose between Web UI and Enhanced Command-Line Console


If you are a Metasploit veteran, you’ll likely prefer the command line over a graphical user interface. Metasploit Pro gives you the choice between the two – and enables you to switch between them. All information is tracked in the Metasploit Pro database, so you can conduct your penetration test on the command line and revert to the graphical user interface for searching, tagging, and reporting of hosts and evidence.


The so-called Pro Console also includes advanced commands not included in the Metasploit Framework command set, enabling you to conduct command-line based audits even faster.


Speed Up Exploitation and Reduce the Room For Human Error


exploit-reliability.pngA penetration tester’s worst nightmare is to crash a production system by selecting the wrong exploit. In Metasploit Framework, penetration testers select each host and exploit manually before launching it. This is great for spot checks but becomes very hard to handle when auditing thousands of machines. Metasploit Pro’s smart exploitation feature adds a layer of safeguards that greatly reduces the risk of impacting production systems by reducing room for human error.


Metasploit Pro’s smart exploitation automatically selects exploits that are suitable for all discovered targets and is a key component to safely conduct penetration tests on production systems. If a host is matched with several exploits, the exploit that is the most specific to the fingerprinted system is used first, increasing the success rate and speed of compromise. To give you full control over the exploits that are run, you can choose a “dry run” option that shows you which exploits would run in a given scenario before you launch them.


Compared to manual exploit selection in Metasploit Framework, smart exploitation will only select exploits that are safely matched to a particular system version, therefore greatly reducing the risk of a system crash that can occur when exploits are used on systems they were not intended to be run on.


Unlike a risky “Hail Mary” mass exploitation, Metasploit Pro’s smart exploitation feature carefully selects the order in which exploits are run and ensures that the same service is not attacked simultaneously by two processes, both of which can destabilize the target system.


Metasploit exploits undergo a rigid 3-step quality assurance process and grades exploit reliability on a five-star scale. By default, smart exploitation will only use exploits that have been classified to have Great or Excellent reliability ratings and are therefore safe to use in production environments.


If you prefer to launch single exploits or modules, you can do this from the Modules tab or the command line.


password-auditing.pngFaster and More Comprehensive Bruteforcing


Exploitation may be the sexiest way to break into a network, but bruteforcing (i.e. guessing passwords) and recycling collected credentials is often more practical. However, using a collection of tools can be time consuming because no single tool covers both online bruteforcing and offline cracking features across all required services.


With Metasploit Pro’s bruteforce feature, you test more than a dozen network services using SMB, database, web, secure shell, telnet, FTP, and remote management protocols – all with one button. To reduce room for human error, each service is clearly marked with the potential lockout risk.


Metasploit Pro tracks all results in its internal database, keeping it at your fingertips to either iterate and use found credentials iteratively on other targets or to create a report, either with plaintext or masked passwords.

Metasploit Pro comes preloaded with a word list, but you can import custom wordlists that are specific to your target’s industry or that contain known credentials from a test system to see if they slipped into the production environment. You can also mutate passwords according to preset rules, e.g. “l33t-sp34k”.


Metasploit Pro automatically cracks harvested password to re-use plaintext passwords. You can also use a pass-the-hash attack to gain access to additional systems without cracking.


Collect evidence, Launch Post-Exploits and Create Persistent Sessions


Your social engineering campaign or server exploit was successful – but you've gone out for lunch? Metasploit Pro post-exploitation macros save you time and increase your productivity by automatically launching post-exploitation measure when Metasploit compromises a host. Actions include collecting passwords, taking screenshots, and installing keyloggers.


You'll also want to protect yourself from losing a hard-earned session. With Metasploit Pro, persistent sessions ensure that the target connects back after the network connection is lost - even after a reboot. To ensure that your engagement does not leave behind an artifact that could later be exploited, you can specify a timeout for the persistent agent to self-destruct.


Automate and Integrate with Other Systems


Many drive-by attacks have become automated, so security professionals are at a disadvantage if they don't follow suit. With Metasploit Pro you can become more productive using the following ways to automate and integrate:


  • Metasploit Pro API: Build your own automation from from scratch, integrate with GRC and SIEM solutions, as well as custom vulnerability management tools while getting all that Metasploit Pro has to offer.  Our integrations and feature set are improving every day, but don’t let us hold you back!
  • Task chains: Set up custom workflows without having to write a single line of code. Task chains can be scheduled to run manually, one, or at scheduled intervals. Complete simple tasks or entire penetration tests, and have the reports sent to you by email after the workflow has completed.


Share Information with Your Team


When working in a red team, it can be hard to keep track of information and share it with the team, resulting in low productivity and missed opportunities to penetrate the target.


Metasploit Pro manages all of the data in a penetration test and makes it available instantly to all team members, such as discovered hosts, notes, and credentials. Credentials captured by one team member instantly become available for other members for iterative attacks, greatly increasing the speed of a large-scale penetration test. With team collaboration, you can mentor junior team members and oversee their work on a project, reducing the cost of the engagement and enabling training on the job.


At the end of the engagement, the results of all team members are included in the final reports – no collating necessary.


metasploit-bruteforce-report.jpgEasily Create Reports


Writing reports is a time-consuming cut-and-paste chore at the end of every engagement, outlining which machines were compromised, showing the evidence, and how the results map to compliance requirements.

With Metasploit Pro, you can automate much of this process. You can generate reports for various audiences, such as executives, auditors, compliance managers, or IT. Metasploit Pro also includes two valuable reports that map the findings to the requirements of both PCI DSS and FISMA. If the standard report is what you need, then you’re already done. If you’d like to add your own comments to the report, you can generate it as a Word document and go from here. While you’re conducting the penetration test, you can also tag hosts you’d like to highlight or add notes to be included in reports.


Get Technical Support When You Really Need It


Peer support is great but it has its limits. When you have a deadline, you need a quick and sure fix. Metasploit Pro includes 24/7 phone, email, and portal support access so you can interface with a real live human as much or as little as you would like. Metasploit Pro support covers the product to help with workarounds, bugs, and GUI questions, and even questions with the Metasploit Framework. We consider our support crew to be an extension of our customers’ teams and we hope you will too. Day or night, no matter the time zone, Metasploit Pro support has your back.


Advanced Attack Capabilities


Attackers are getting more and more sophisticated. Penetration tests must match their techniques to provide a real-world picture of current threats. Metasploit Pro includes several advanced attack vectors that will make your engagement more realistic and increase your chances to compromise the network.


Evade Detection from IDS/IPS



When conducting a penetration testing assignment, one objective may be to get into the network without tripping any of the alarms. Enterprises typically add this to the requirements to test if their defenses are good enough to detect an advanced attacker.


Metasploit has many different settings to evade an IDS/IPS (intrusion detection system/intrusion prevention system). Metasploit Framework enables you to set many of these manually, for example changing the transport type, encoding, fragmenting traffic. Finding the right setting to evade the IPS system can be a little tricky.


If you want to make your life easier, you can use Metasploit Pro's pre-defined levels of evasion: You can choose Transport Evasions, and Application Evasions, all of which have the options of None, Low, Medium, and High. In the back-end, the tuning is different for each type of exploit. For example, if you’re choosing low transport evasion, it will run the exploit a little slower and chunk it up into more segments. With higher options, we change exploit-specific settings, like the compression type, the name of the webserver, or use different Unicode encodings.


Evade leading Anti-virus solutions


Because Metasploit Framework's payloads as well as their encoding techniques are open source and well known to AV vendors, they get stopped by most AV solutions.


With Metapsloit Pro, you can create dynamic payloads to evade detection by anti-malware solutions. Metasploit Pro evades leading anti-virus solutions 90% of the time, with no solution detecting all options. Dynamic payloads are seamlessly integrated into exploitation, credentialed log-ins, and phishing and can be used stand-alone.


Get Full Layer-2 Access to Compromised Hosts


Metasploit Framework’s regular proxy pivoting is useful to exploit another host once you have gained a first session in an organization through social engineering or exploiting an Internet-facing server. However, its proxy-based interface makes it very challenging to run reconnaissance on the network.


By contrast, Metasploit Pro's VPN pivoting lets you run any network-based tools through a compromised host, such as vulnerability scanners or even your own custom tools. It creates an encrypted layer 2 tunnel into the compromised machine and routes any network traffic through that target machine. This grants you full network access as if you were on the local network – without a perimeter firewall to block your traffic.


Audit and Exploit Web Applications



With web apps becoming more and more crucial to the enterprise (and more and more complex), Metasploit Pro provides the intelligence you need to stay ahead of the game.  Our automated web scanning module allows you to discover URL’s, crawl for vulnerabilities, and exploit – all at the touch of a button. Target your remediation efforts by testing which SQL injection or cross-site scripting attacks are successful. Prove where you are vulnerable with Metasploit Pro and lock the barn door before the horses get out.


Metasploit Pro covers Open Web Application Security Project (OWASP) Top 10 2013. The list identifies ten of the most critical risks relating to web applications. Due to the popularity of, and increasing reliance on, web applications, they are involved in the majority of breaches. Metasploit addresses this, enabling organizations to audit the security of their web-based applications, whether they be out of the box or custom, on-premise or in the cloud. This helps security professionals identify issues before a malicious attacker does. Learn more about what's new in our OWASP Top 10 2013 webcast.


SQL injections are among the top reasons of compromise for web applications, posing a huge risk to confidential data. Most SQL injection attacks give you access to the data in the database; Metasploit Pro's new SQL injection attacks go beyond this, giving penetration testers a session on the machine, which is equivalent to having administrative rights on the machine. This gives the penetration tester not only access to the database but also to other information on the machine, and opens the door to pivot to other machines.


Finding vulnerabilities is great, but the goal is to eliminate them. The remediation advice provided in Metasploit's reports should serve as a valuable basis for discussions with internal developers and external SaaS application providers.


Launch Social Engineering Campaigns to Compromise Machines


phishing-for-pentesting.pngPerimeter defenses have become hard to breach, which is why many malicious attackers have switched to attacking the user. Metasploit Pro includes a social engineering module that enables you to:


  • Send phishing emails to one or more individuals
  • Clone websites with forms to capture login credentials or inject browser exploits
  • Create malicious email attachments
  • Generate malicious files for USB flash drives for USB attacks


Once a machine has been compromised through a social engineering tactic, you can use VPN pivoting to scan the network through a full layer-2 connection and attack internal machines as if you were on the internal network.


Improving Your Security Program


Metasploit started out as an attack framework for security research and penetration testing. It has now matured into solution that goes beyond penetration testing, providing great value to enterprise security programs.


Verify Vulnerabilities and Report Back to Nexpose



The relationship between security and IT teams can be, shall we say, complicated. Vulnerability reports may list a potential vulnerability that is not exploitable in your environment. The IT operations team needs to know that you’re giving them meaningful, accurate information – every time.


While Metasploit Framework can manually validate individual vulnerabilities, Metasploit Pro gives you the ability to validate results from your vulnerability scanner by trying to exploit all found vulnerabilities in one single action, saving you a lot of time in your vulnerability management program. Exploitable vulnerabilities can be highlighted and are put on the top of the list. Non-exploitable vulnerabilities can be downgraded in importance or excluded if the compensating controls have proven to be effective.


Metasploit Pro's integration with Nexpose offers additional benefits. After the vulnerability verification, Metasploit Pro can report results back into the Nexpose vulnerability management solution, ensuring a closed-loop security program and smoother interaction with IT operations.


Validate Remediation Efforts


After you have patched a system or implemented a compensating control, how do you know that a system is now secure? Metasploit Pro enables you to re-run the action that previously compromised a machine so you can validate that the remediation was successful. You'll be sure that you don't have a false sense of security.


Measure and Manage User Risk with Simulated Phishing Campaigns



When it comes to phishing, you are only as secure as your most naïve user.  With enterprises spending big money on training and malware prevention, it is more important than ever to know who is leaving you vulnerable.

With Metasploit Pro, you can find out whether your security awareness, vulnerability and patch management programs are hitting the spot. Send out phishing emails to your users to measure how many users:


  • Opened the email
  • Clicked on the link
  • Submitted a web form
  • Used an exploitable browser


If your user awareness metrics are cause for concern, additional training may be in order. Send users directly to an on-demand course after they click on a phishing link, or sign them up later. Measure the effectiveness of your security awareness trainings by measuring the phishing email click-through rate before and after the training. Adjust your training content or delivery method if the trainings don't show the results you were hoping for.


To improve system security, review your vulnerability management and patching programs, or tweak browser security settings.


Try Metasploit Pro Today


Metasploit Pro is available as a free 7-day trial. Download it today!