The open source Metasploit framework is a popular way for security researchers to conduct penetration testing for security analysis. It's also a project undergoing a number of transitions.

For one thing, there's a new Metasploit version on the way that sports new features, including improved social engineering testing tools. But there's also the transition from a purely open source project to an effort that must balance the needs of its open source community with the commercial requirements of its new Metasploit Express proprietary product.

At the center of these transitions is HD Moore, the researcher who founded the Metasploit project.

Since Metasploit's acquisition by security vendor Rapid7 in 2009, Moore has served as chief security officer at his new employer while continuing to work on the framework. During that time, he's overseen Metasploit's expansion, which most recently has included embracing new commercial aspirations with Metasploit Express. For Moore, the move to Rapid7 has been a boon for both himself and the Metasploit project as it presses ahead with new features.

"The only slight distraction is that some of my time is split between other responsibilities at Rapid7 and not so much on the code itself," Moore told InternetNews.com. "I'm spending 50 percent of my time on developer-only time, but I do have to work in other areas including working with sales -- but it's still so much more time than I've ever been able to spend with Metasploit that I can't complain."

The most recent Metasploit version was its 3.4 release, which debuted in May. Alongside the open source release, Rapid7 also released Metasploit Express 3.4, a commercial program that provides a new user interface and ease-of-use enhancements to the framework.

"The biggest goal that we have for Metasploit in the next few months is to nail down our client-side exploitation capabilities," Moore said. "We want to make it easier to configure and provide more social engineering-type attacks."

Metasploit's Next Version - and a Future in the Cloud?

For social engineering attacks today, Moore noted that Metasploit already has modules that can help enable those types of attacks. With the upcoming Metasploit 3.5 release, currently scheduled for October, the goal is to make Metasploit's social engineering penetration testing tools easier to actually use and execute.

"What we're trying to do for social engineering testing in Metasploit 3.5 is consolidate all of our individual tools for client-side and web application testing and building wrappers around them to make them easier to use," Moore said.

Both the core open source Metasploit 3.5 release and the commercial Metasploit Express 3.5 release will benefit from the client-side exploitation consolidation, he added. Moore explained that open source users will get a single module that lets them control the other client-side exploit modules, while Metasploit Express users will get a graphical user interface and additional reporting capabilities.

Moore noted that the core Metasploit Framework is very scalable today. Still, he added that there is room for improvement in managing large volumes of sessions from a reporting console.

And while a number of security vendors are looking to morph their offerings into cloud computing services, it's unclear whether Metasploit will follow suit. Moore said that he thought such a solution would work well for external penetration testers, but internal testing remains the project's focus.

"For a lot of our customers, what they're doing are internal assessments on enterprise networks," Moore said. "For that type of environment, on-demand in the cloud doesn't work well, as you need to have something local on the network."

Linux vs. Windows

While Metasploit is available for both Windows and Linux, Moore noted that 75 percent of Metasploit Express users are using Linux.

That hasn't made things especially simple. For one thing, Moore said Metasploit has long been fighting with open source distributions over packaging dependencies -- namely, ensuring that the distros ship the right dependencies.

Now, he said, he's given up on working with the distributions directly on the issue. As a result, Metasploit is now bundling its own build of required tools like the Ruby language, a project with which Metasploit has close ties.

"We've taken on the responsibility to maintain all the dependencies that are involved in the Metasploit Framework," Moore said. "We were dragged, kicking and screaming, into maintaining our own version of Ruby and other dependencies. But we had to do it because the various Linux distributions did such a poor job of keeping them stable."

"Metasploit is the biggest test case for Ruby today and we have more code than any other project," he added. "During the development of Metasploit Express, we spent a lot of time pushing bugs upstream to the Ruby development team."

In addition to the dependency woes, Moore described having to cope with all kinds of strange issues the project has encountered across the different Linux distributions.

Windows, in contrast, has far fewer versions, which Moore said reduces the build problems Metasploit encounters.

Balancing Open and Commercial Security Testing

While build issues may prove vexing, for Moore the biggest hurdle to overcome in continuing to grow Metasploit is simply keeping the project sustainable.

"The challenge is about how to help the folks that put time and money into the project get money back out of the project without going against the things that made the project popular to begin with," Moore said.

He noted that it's a balancing act of how much code is put into the open source tree versus how much ends up in the commercial product. While the proprietary offering is critical for turning the technology into a revenue stream, Moore stressed that the open source edition has been critical to the success of Metasploit -- and that it will remain that way in the future.

"The second Metasploit stops committing fresh new exploits and code to the open source tree is the day the project dies," Moore said. "On the other hand, if we abandon the commercial side and no one buys our product, then we can't afford our development team. So it's a balance we're trying to strike."

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.