Metasploit 3.6 Aims for Compliance
New release of vulnerability testing framework gets closer to enterprise requirements for compliance testing while still providing improvements to open source users.
The Metasploit vulnerability testing framework is out with a major update this week, providing new capabilities to help enterprises ensure security compliance.
Metasploit is available in three versions, Express, Pro and Open Source edition, and all three benefit from new features and capabilities. Metasploit Pro users gain a new PCI compliance capability that is intended to help organizations validate their readiness for the new PCI-DSS (Payment Card Industry Data Security Standard) 2.0 requirements.
"The Metasploit Pro PCI-DSS 2.0 report is designed to be used an appendix to a comprehensive report," HD Moore, Rapid7 Chief Security Officer and Metasploit chief architect told InternetNews.com. "Instead of providing a full list of pass/fail items, it is focused on known fail conditions based on the results of the penetration test."
Moore noted that the added PCI report in Metasploit Pro makes it easy for businesses to identify common problems. The Metasploit Pro solution can then be used alongside Rapid7's NeXpose vulnerability management solution. Moore added that Metasploit provides visibility on compliance from a slightly different angle than what is provided by vulnerability management products, but in the end, they are complimentary.
"Our consulting customers can use the PCI report to quickly identify findings for their official reports, but the report coming from Metasploit Pro is not designed to be a standalone PCI compliance deliverable," Moore said.
Metasploit 3.6 also provides project activity reports to help groups track and report on the vulnerability testing process.
"The Project Activity Report is a quick way to produce a complete archive of what actions were taken by what user, against what targets, in a given penetration test," Moore said. "The Activity Report is an offline export of the event view already included in the user interface."
Moore explained that a user can easily see what other people on the system have done, including the full output of any tasks. Going a step further, if a user wants to replicate a previously exploited vulnerability, the user can click on the exploit module name from the Closed Sessions list and re-launch the exploit with the exact same parameters.
"This makes it trivial to verify mitigation and remediation efforts," Moore said.
The Metasploit Pro 3.6 improvements also help to benefit the open source version of Metasploit as well. Moore noted that the development of Metasploit Pro specific features in 3.6 has resulted in a number of improvements to the open source framework.
"The work behind the Pro Console actually resulted in major usability improvements to the standard Metasploit Framework console," Moore said. "All 64 of the new modules (including 15 exploits) are available in the open source version as well as the commercial products."
Among the new modules are Post-Exploitation modules including the loot system which had previously only been available in the commercial products.
"This makes it simple for users to manage the data they acquire via Post-Exploitation modules," Moore said. "We focus on the commercial products for new features and roll these back into the open source codebase when it makes sense."
Moving forward, Metasploit developers are starting the process or ramping up for a 3.7 release which will expand the vulnerability testing capabilities of the framework.
"The next release (3.7) involves rewiring much of the backend session support in the open source core and adding a number of incremental features," Moore said. "This release will also include major improves to the SMB protocol stack and usability in general."
Keep up with security news; Follow eSecurityPlanet on Twitter: @eSecurityP.