Metasploit Goes Pro for Security Testing


A year ago, the open source Metasploit penetration testing project was acquired by security firm Rapid7 with the goal of putting more resources into development. This week, Rapid7 is showing off the fruits of its labor with the release of the Metasploit Pro Framework for commercial users and a new Metasploit 3.5 core release for the open source community.

With the Metasploit Pro release, Rapid7 is providing a new flagship platform for commercial Metasploit users to enumerate, test and exploit networks in an effort to improve enterprise security. With the Pro release, Metasploit is moving beyond its single-user roots.

"What we're trying to do with Metasploit Pro is to take Metasploit to the team level," HD Moore, Rapid7 Chief Security Officer and Metasploit chief architect, told "Metasploit Pro is a multi-user product so multiple users can all be working with the product on the same penetration test."

Additionally, Metasploit Pro includes a new dashboard and a customizable reporting engine that gives a bird's-eye view of penetration testing for enterprise IT managers. Moore said that the dashboard provides details on percentages of tested systems that have been compromised and what state they are in. "One of the big features in Metasploit Pro is the customizable reporting feature," Moore said. "We're now using the JasperSoft reporting back-end so you can do any kind of reporting you want."

As part of the product, Rapid7 will be including sample templates for report generation. At launch, there aren't any compliance reports, though Moore noted that over time additional templates will be made available with regular updates.

While multi-user deployment and usage are part of Metasploit Pro, the system doesn't yet have integration with enterprise directory systems. Moore noted that Metasploit Pro will have integration with enterprise directory systems including Active Directory in a future update.

From an exploitation perspective, among the key features in Metasploit Pro is the ability to attack a network through its firewall to find and exploit vulnerabilities. Moore explained that in prior versions of Metasploit, a proxy was often required in order to gain access to a target network. While that method works in some cases, it has some limitations.

"What it doesn't really help you out with is any kind of network layer attacks like sending raw IP packets and it limits how fast you can scan," Moore said. "In Metasploit Pro we developed a commercial module that allows you to do a Layer 2 pivot across the target."

A new social engineering campaign system is also part of the Metasploit Pro release, enabling security professionals to thoroughly test email, phishing and other social engineering attacks. "We've exposed an entire campaign system for doing social engineering attacks directly through the framework," Moore said. "This includes setting up a Web server that serves up exploits, so you can use an auto-pwn model where it will throw every exploit at the target based on what the fingerprints are."

Moore added that the system can also be used for email attacks by sending file attachments or links back to a Web server. There is also a mechanism that enables USB-based attacks, where a payload is put onto a USB key.

Metasploit 3.5

The Metasploit Pro tool is built on top of the Metasploit 3.5 open source framework, which is also set to be released this week. With Metasploit 3.5 there are now over 600 exploit modules available to penetration testers. For open source users, there is also a new Java GUI for Metasploit replacing an older interface that was considered by Metasploit developers to be buggy.

The Metasploit 3.5 release fixes over 130 bugs since the 3.4 release, which debuted in May of this year.

Sean Michael Kerner is a senior editor at, the news service of, the network for technology professionals.
