H.D. Moore speaks about Metasploit Project deal, Release 3.3

Interview

Neil Roiter, Senior Technology Editor, Information Security magazine
What kind of reaction has the Metasploit community had to the Rapid7 deal? What are your fans saying?
For the most part, people who use the framework are happy about it. The key things are that the license doesn't change and that our development methodology doesn't change. We had a couple folks bring in some hard questions on the internal core development group, asking, 'Why would I work to enrich Rapid7's pockets?' The result of all the discussion was, well, it really wasn't that much of a community project either. Going back to 2006, Metasploit was being run as an LLC. We had commercial training; we paid for a lot of our costs that way. And there really were only a few core folks involved in the main development process.

You've just released Metasploit Framework 3.3, a full year after 3.2. What's new and improved?
Nearly everything. We've added something like 120 new exploits, 100 new auxiliary modules, and almost every payload has been rewritten. The executable generator can now actually inject itself into existing binaries, so nearly all the antivirus signatures that previously blocked things like Metasploit-generated binaries no longer work. We now support Windows 7, Vista 64-bit, and 64-bit in general as both a target platform and as an attacking platform. We fixed tons and tons of bugs to make things more stable. We added a lot of new ways to embed payloads into a lot of different things. You can now put a payload into a Word document, into a Visual Basic script to make it persistent. Basically, we're going after a lot of scenarios all at the same time.

Talk about the evolution of Metasploit since the project was founded in 2003. How has the threat environment changed and how has Metasploit changed with it?
If you look at the exploit coverage of Metasploit from 2003 moving forward, you'll see a shift towards client-side exploits and, even more recently, going from client-side exploits to third-party, lesser known software packages. So, as Windows becomes slightly more secure, as Linux distributions are making defaults more secure, disabling services, folks have really had to stretch to find other ways in. And that means going after things like antivirus products, third-party backup services, things that would be overlooked in a pen test.

The Rapid7 acquisition presents an opportunity to marry vulnerability assessment and pen testing. What's the value of integrating these technologies?
It depends on your audience. A lot of folks in enterprise IT want to do vulnerability assessment and that's it. They don't want to do exploits. A lot of folks on the pen-testing side don't want to run a vulnerability scanner because it's too noisy and they're trying to come in quiet, stealthy when they're doing a test. There is a middle ground. There are folks who want to do a full-blown vulnerability test, and then verify what's exploitable. These are the folks who want to figure out which one of the vulnerability reports they're looking at to work on first. So for vulnerability prioritization, I really see the combination of vulnerability assessment technology and pen-test tools as being the gold standard.

What can we expect to see as a result of the acquisition a year from now?
At some point we'll try to do more integration between the vulnerability assessment and pen-testing products. In terms of whether there will be a commercial version of Metasploit, we're still tossing that around. We're pretty sure there will be some sort of commercial support soon. In terms of commercial products, we haven't set anything in stone. The idea now is to keep everything we're working on now free, keep it under the BSD license, and that precludes a lot of commercial options. We're really focused on where we can add value, where we can improve everything we have today.