Metasploit Editions Comparison Table

Document created by ckirsch on May 13, 2013. Last modified by Stan Taylor on Apr 24, 2014.
Version 12

Need to know exactly which feature is included in which Metasploit edition? We've put together various comparisons for you:

Top Features Overview: Free vs. Commercial Metasploit Editions

Feature | Details | Metasploit Framework | Metasploit Community | Metasploit Express | Metasploit Pro
License | Use one of several editions. Commercial licenses are annual named-user licenses with unlimited installs per user. | Free | Free | $5,000 | Call
Quick Start Wizards | Conduct baseline penetration tests to find low-hanging fruit, web app tests, or phishing campaigns. Shortcut the first steps of an engagement and go deeper after the Wizard completes. | Y
Smart Exploitation | Have Metasploit auto-select all exploits that match fingerprinted devices and services. Select a minimum reliability ranking for safe testing. Supports dry-run to see which exploits would be run before launching them. | YY
Credentials Bruteforcing | Try out the most common or previously captured passwords on more than a dozen service types with one command. Password hashes can be automatically cracked if based on weak passwords or used in pass-the-hash attacks. | YY
MetaModules | MetaModules simplify and operationalize security testing for IT security professionals. Many security testing techniques are either based on cumbersome tools or require custom development, making them expensive to use. To expedite this testing, MetaModules automate common yet complicated security tests that provide under-resourced security departments a more efficient way to get the job done. MetaModules include operations for network segmentation and firewall testing, passive network discovery, and credentials testing and intrusion. | Y
Closed-loop Risk Validation | Verify vulnerabilities and misconfigurations to prioritize risks and return the results to Nexpose. | Y
Web App Testing | Scan, audit and exploit web applications for vulnerabilities, including the OWASP Top 10 2013. | Y
Social Engineering | For penetration testers: Send out phishing emails containing attachments or links to websites hosting exploits or fake login forms. Create USB flash drives with malicious files to compromise a machine. For security programs: Send out simulated phishing emails to measure user awareness, including how many people clicked on a link in an email or entered credentials on a fake login page, and deliver training to users who've shown risky behavior. | Y
Pro Console | Advanced command-line functionality of Metasploit Pro to get access to new, high-level commands, better manage your data and generate a single report for all activities, increasing your overall productivity. | Y
Reporting | Create basic penetration testing reports without cutting and pasting information, including audit reports and compromised hosts reports. Pro Edition only: Create reports for web application testing and social engineering campaigns as well as compliance reports that map findings to PCI DSS or FISMA requirements. | (Y)Y
Anti-virus Evasion | Use Dynamic Payloads to get past anti-virus solutions, wasting no time on writing your custom payloads, encoding existing Metasploit Framework payloads, and testing if they get past particular AV solutions. | Y
VPN Pivoting | Get full layer-2 network access through a compromised host, enabling you to use any network-based tool through a compromised host, e.g. a vulnerability scanner, to get more visibility and use advanced techniques. | Y

Detailed Metasploit Editions Comparison Table

Feature | Details | Metasploit Framework | Metasploit Community | Metasploit Express | Metasploit Pro

Pricing
License | Use one of several editions. Commercial licenses are annual named-user licenses with unlimited installs per user. | Free | Free | $5,000 | Call

User Interface
Web-based User Interface | User-friendly web-based user interface that increases productivity and reduces training needs. | YYY
Command-Line Interface | Basic command-line interface, most prominently used in Metasploit Framework. | YY
Pro Console | Advanced command-line functionality of Metasploit Pro to get access to new, high-level commands, better manage your data and generate a single report for all activities, increasing your overall productivity. | Y

Penetration Testing
Comprehensive Exploit Coverage | Metasploit includes the world's largest public collection of quality-assured exploits. | YYYY
Manual Exploitation | Select a single exploit to launch against a single host. | YYYY
Basic Exploitation | Select a single exploit to launch against any number of hosts in your environment. | YYY
Smart Exploitation | Have Metasploit auto-select all exploits that match fingerprinted devices and services. Select a minimum reliability ranking for safe testing. Supports dry-run to see which exploits would be run before launching them. | YY
Exploitation Chaining | Automatically combine several exploits and auxiliary modules, e.g. to compromise Cisco routers. | Y
Evidence Collection | Collect evidence of compromise with one button, including screenshots, passwords and hashes, and system info. | YY
Post-exploitation Macros | Automatically launch a customized set of post-exploitation modules after successfully compromising a machine, e.g. to automatically collect evidence from hosts. | Y
Persistent Sessions | Re-establish a session after a connection gets interrupted, e.g. because of a phished user who closes his laptop. | Y
Bruteforcing Credentials | Try out the most common or previously captured passwords on more than a dozen service types with one command. Password hashes can be automatically cracked if based on weak passwords or used in pass-the-hash attacks. | YY
Social Engineering | Send out phishing emails containing attachments or links to websites hosting exploits or fake login forms. Create USB flash drives with malicious files to compromise a machine. | Y
Web App Testing | Scan, audit and exploit web applications for vulnerabilities, including the OWASP Top 10 2013. | Y
IDS/IPS Evasion | Get to the target without being detected through IDS/IPS evasion. | Y
Anti-virus Evasion | Use Dynamic Payloads to get past anti-virus solutions, wasting no time on writing your custom payloads, encoding existing Metasploit Framework payloads, and testing if they get past particular AV solutions. | Y
Payload Generator | Generate stand-alone Classic Payloads through an easy-to-use interface. | Y
Proxy Pivoting | Use a compromised machine to launch an exploit against another target. | YYYY
VPN Pivoting | Get full layer-2 network access through a compromised host, enabling you to use any network-based tool through a compromised host, e.g. a vulnerability scanner, to get more visibility and use advanced techniques. | Y

Reporting
Basic Reporting | Create basic penetration testing reports without cutting and pasting information, including audit reports and compromised hosts reports. | YY
Advanced Reporting | Create reports for web application testing and social engineering campaigns as well as compliance reports that map findings to PCI DSS or FISMA requirements. | Y

Productivity Enhancements
Quick Start Wizards | Conduct baseline penetration tests to find low-hanging fruit, web app tests, or phishing campaigns. Shortcut the first steps of an engagement and go deeper after the Wizard completes. | Y
MetaModules | MetaModules simplify and operationalize security testing for IT security professionals. Many security testing techniques are either based on cumbersome tools or require custom development, making them expensive to use. To expedite this testing, MetaModules automate common yet complicated security tests that provide under-resourced security departments a more efficient way to get the job done. MetaModules include operations for network segmentation and firewall testing, passive network discovery, and credentials testing and intrusion. | Y
Discovery Scans | Leverage the integrated nmap scanner in combination with advanced fingerprinting techniques to map out the network and identify devices. | YYY
Replay Scripts | Generate scripts that replay an attack so that your customers can test if remediation worked. | YY
Data Management | Track all discovered and found data in a searchable database. Find outliers through the Grouped View. | YYY
Tagging | Tag hosts to assign them to a person, mark an import source, mark the scope of a project, or flag high-value targets. Use tags to refer back to hosts in later actions. | Y
Task Chains | Create custom workflows to start manually, schedule once or on an ongoing basis. | Y
Pro API | Use an advanced, fully documented API to integrate Metasploit Pro into SIEM and GRC solutions or create custom automations and integrations. | Y
Integrations | Integrate out-of-the-box with GRC and SIEM solutions. | Y
Team Collaboration | Work on the same project with several team members, splitting the workload and leveraging different levels of expertise and specialization. Share all information and create a unified report. | Y

Security Programs
Closed-loop Risk Validation | Verify vulnerabilities and misconfigurations to prioritize risks and return the results to Nexpose. | Y
Managing Phishing Exposure | Send out simulated phishing emails to measure user awareness, including how many people clicked on a link in an email or entered credentials on a fake login page, and deliver training to users who've shown risky behavior. | Y

Vulnerability Verification
Vulnerability import | Import output files from Nexpose and third-party vulnerability scanners. | YYYY
Web vulnerability import | Import output files from various third-party web application scanners. | YY
Nexpose scans | Start a Nexpose scan from within the interface. Results are automatically imported to Metasploit. | YYY
Direct Import | Directly import existing Nexpose scans by site. | Y
Vulnerability exceptions | Push vulnerability exceptions back into Nexpose after verification, including comments and an expiration date for how long the vulnerability should be suppressed from Nexpose reports. | YY
Closed-loop Integration | Tag and push exploitable vulnerabilities back to Nexpose for follow-up. | Y
Re-run Session | Re-run an exploit to validate that a remediation effort, e.g. patch or compensating control, is successful. | YY

Support
Community Support | Get peer support through Rapid7 Security Street. | YYYY
Rapid7 Support | Get Rapid7 24/7 email and phone support. | YY

Verbose Edition-to-Edition Comparisons

Try Metasploit Pro Today

Metasploit Pro is available as a free 14-day trial. Download it today!
