Comparing Editions: Metasploit Community vs. Metasploit Express

Document created by ckirsch on May 9, 2013Last modified by ckirsch on Mar 26, 2014
Version 4Show Document
  • View in full screen mode

Are you using Metasploit Community and wondering what Metasploit Express could do for you? This document outlines the most important differences between Metasploit Express and Metasploit Community. In general terms, Metasploit Express is an affordable solution for conducting baseline penetration tests in medium-sized businesses. By contrast, Metasploit Community is the free, entry-level edition for small company and students.


Prefer a table-formatted comparison? Go here.


The following features are exclusive to Metasploit Express and not included in Metasploit Community:


Smart exploitation


A penetration tester’s worst nightmare is to crash a production system by selecting the wrong exploit. Metasploit Express’ smart exploitation feature adds a layer of safeguards that greatly reduces the risk of impacting production systems by reducing room for human error.


Smart exploitation automatically selects exploits that are suitable for the discovered target and is a key component to safely conduct penetration tests on production systems. If a host is matched with several exploits, the exploit that is the most specific to the fingerprinted system is used first, increasing the success rate and speed of compromise.


Compared to manual exploit selection, smart exploitation will only select exploits that are safely matched to a particular system version, therefore greatly reducing the risk of a system crash that can occur when exploits are used on systems they were not intended to be run on.


Unlike a risky “Hail Mary” mass exploitation, Metasploit Express’ smart exploitation feature carefully selects the order in which exploits are run and ensures that the same service is not attacked simultaneously by two processes, both of which can destabilize the target system.


Metasploit exploits undergo a rigid 3-step quality assurance process and grades exploit reliability on a five-star scale. By default, smart exploitation will only use exploits that have been classified to have Great or Excellent reliability ratings and are therefore safe to use in production environments.


Bruteforcing Credentials


password-auditing.pngExploitation may be the sexiest way to break into a network, but bruteforcing and recycling credentials is often more practical. However, using a collection of tools can be time consuming because no single tool covers both online bruteforcing and offline cracking features across all required services.


With Metasploit Express’ bruteforce feature, you test more than a dozen network services using SMB, database, web, secure shell, telnet, FTP, and remote management protocols – all with one button. To reduce room for human error, each service is clearly marked with the potential lockout risk.


Metasploit Express tracks all results in its internal database, keeping it at your fingertips to either iterate and use found credentials iteratively on other targets or to create a report, either with plaintext or masked passwords.


Metasploit Express comes preloaded with a word list, but you can import custom wordlists that are specific to your target’s industry or that contain known credentials from a test system to see if they slipped into the production environment. You can also mutate passwords according to preset rules, e.g. “l33t-sp34k”.

Metasploit Express automatically cracks harvested password to re-use plaintext passwords. You can also use a pass-the-hash attack to gain access to additional systems without cracking.



metasploit-bruteforce-report.jpgCompehensive Reporting


Writing reports is a time-consuming cut-and-paste chore at the end of every engagement, outlining which machines were compromised, showing the evidence, and how the results map to compliance requirements.


With Metasploit Express, you can automate much of this process. You can generate reports for various audiences, such as executives, auditors, compliance managers, or IT. If the standard report is what you need, then you’re already done. If you’d like to add your own comments to the report, you can generate it as a Word document and go from here. While you’re conducting the penetration test, you can also tag hosts you’d like to highlight or add notes to be included in reports.

risk-validation.jpgVulnerability Verification


The relationship between security and IT teams can be, shall we say, complicated. Vulnerability reports may list a potential vulnerability that is not exploitable in your environment. The IT operations team needs to know that you’re giving them meaningful, accurate information – every time.


While Metasploit Community can manually validate individual vulnerabilities, Metasploit Express gives you the ability to validate results from your vulnerability scanner by trying to exploit all found vulnerabilities in one single action, saving you a lot of time in your vulnerability management program.


Pushing exploitable vulnerabilities back into Nexpose for consolidated reporting requires a Metasploit Pro license.


Validate Remediation Efforts


After you have patched a system or implemented a compensating control, how do you know that a system is now secure? Metasploit Express enables you to re-run the action that previously compromised a machine so you can validate that the remediation was successful. You'll be sure that you don't have a false sense of security.


Collect evidence


Click one button to collect valuable evidence of compromise, including passwords, screenshots, and system info.




Peer support is great but it has it's limits. When you have a deadline, you need a quick and sure fix. Metasploit Express includes 24/7 phone, email, and portal support access so you can interface with a real live human as much or as little as you would like. Metasploit Express support covers the product to help with workarounds, bugs, and GUI questions. We consider our support crew to be an extension of our customers’ teams and we hope you will too. Day or night, no matter the time zone, Metasploit Express support has your back.