Since 2003 the open source Metasploit framework has been actively developed and used as a penetration testing tool for IT security. While ease-of-use was not top of mind in the early days of Metasploit, that is changing with the latest Metasploit 4.6 Pro release.
"In the industry, there is a shortage of security folks and that puts a lot of pressure on the people that are working in security today," said Christian Kirsch, product manager for Metasploit at Rapid7. "With the Metasploit Pro 4.6 release, there is the concept of wizards to make things easier."
Metasploit Pro 4.6 includes a Quick Penetration Test Wizard, Web Application Testing Wizard and a Phishing Wizard. The wizards enable a user to simply type in an IP address range and hit start, and then a baseline test will be executed. Kirsch noted that the wizards will be helpful not only for busy professionals but also for people new to the security industry and Metasploit.
The new wizards are only part of the professional version of Metasploit and are not included in the open source Metasploit 4.6 Framework release. The Pro version of Metasploit was first introduced in 2010 as an overlay of enterprise grade features that build on the feature set present in the core open source version. Rapid 7 took over leadership of the Metasploit Project in 2009 and brought on Metasploit founder H D Moore to continue its evolution.
In addition to enabling enterprise users to simply execute complicated penetration testing, Metasploit 4.6 Pro also provides a remediation report with advice to help mitigate risks.
Though the wizards are new in Metasploit 4.6 Pro, Metasploit has had some automated capabilities for years. One of its most lethal ones is Browser Autopwn, a client side auto attack system that will fire up exploits automatically against a user's browser with the goal of providing a shell into the browser. Browser Autopwn debuted in the Metasploit 3.2 release in 2008.
Showing Importance of Security
In the core Metasploit 4.6 open source framework, 138 new penetration testing modules have been included, enabling at least 80 new exploits. One of the exploits that Metasploit 4.6 includes is a webcam activation module. The basic idea behind the module is that it could enable a security researcher to gain access to webcams and microphones at a vulnerable location.
Kirsch noted that the webcam activation module is a good way to demonstrate to a CEO that security is something to take very seriously.
"For example, if a pen tester says that they are able to access the SSH keys at an enterprise server, that may mean a lot to technical folks but it doesn't mean much to the CEO," Kirsch said. "But if you can say, 'I just hacked into your computer and I can hear everything that is being said in your room,' that has more impact to convince people that are not technical about the importance of protecting the network."
Optimizing the Interface
While the open source Metasploit 4.6 release includes new features, it is removing a few as well. The Armitage attack management system and the msfgui user interface were both removed from the open source release. However, the two projects remain available from their respective developers.
The removal of the projects was part of an optimization and clean-up exercise, Kirsch noted.
"There has been confusion on what Rapid7 supports, and we had gotten a lot of support questions in our forums for Armitage that we couldn't address," Kirsch said. "We thought it would be better that if it's something coming from a Rapid7 installer, that it be something we can support."
Rapid7 provides a commercial interface with its paid Pro and Express versions of Metasploit as well as its free Community edition.
A key goal of Metasploit now and moving forward is making penetration testing easier to do.
"Pen testing is something that has always been a little bit mysterious," Kirsch said. "Especially with Metasploit Pro, we're simplifying pen testing, helping people to be more productive."