A new version of the open source Metasploit Framework penetration testing tool is set to debut next month with the release of Metasploit Express -- ushering in new enhancements for ease-of-use and management that come courtesy of its new commercial underpinnings.
The Metasploit Framework is an open source vulnerability testing framework and is currently at version 3.3. Rapid7, the lead vendor supporting Metasploit, is now aiming to make Metasploit easier to use and manage -- and that's where Metasploit Express, set for release in May, fits in.
Unlike the Metasploit Framework, Metasploit Express is not open source, but rather delivers an open core approach whereby proprietary components are included alongside the core open source framework.
"Metasploit is great, and tens of thousands of security professionals use it and the modules within it for a variety of security tasks," HD Moore, Rapid7's chief security officer and Metasploit's chief architect, told InternetNews.com. "We want to make it easier and accessible for people by offering some additional capabilities on top of it, such as automation."
In particular, Moore explained that for users of the Metasploit Framework, it can sometimes be challenging to perform all the necessary steps in the correct order to execute a comprehensive penetration test. Additionally, he said there are many advanced features that can be difficult to use, take time to master, and potentially require some custom scripting.
"Metasploit Express makes it easier and gives it some functionality, like the user interface and workflow, that exposes the Metasploit Framework's capabilities to a broader audience," Moore said.
For users now running Metasploit Framework 3.3, Moore said that Metasploit Express provides additional functionality not available with the Metasploit Framework to make penetration testing easier and faster.
One of the key additions is the Metasploit Workflow Manager, which handles the heavy lifting of automation and analysis. Moore also said the release includes the new Metasploit Express User Interface, which provides a simple way to conduct common tasks, view results, interact with compromised targets and generate reports.
Up next: Metasploit 3.4
The new Metasploit Express is also aimed at complementing other security products from Rapid7, which acquired Metasploit in October 2009 and has since provided some points of integration with its commercial NeXpose vulnerability management software.
"The great thing about being part of Rapid7 is that we're able to release faster revs of Metasploit and work on quality assurance," Moore said. "In May, Metasploit 3.4 will be out and it will contain major improvements to the Meterpreter payload, the expansion of the framework's brute force capabilities, and the complete overhaul of the backend database schema and event subsystem."