See our complete list of top penetration testing tools.
The Bottom Line
Rapid7's Metasploit scans and tests for vulnerabilities. Backed by a huge open-source database of known exploits, it provides IT security teams with an analysis of pen testing results so remediation steps can be done efficiently. However, it doesn't scale up to enterprise level and some users say it is difficult to use at first.
Type of tool: Penetration testinghttps://o1.qnsr.com/log/p.gif?;n=203;c=204660768;s=9477;x=7936;f=201812281316470;u=j;z=TIMESTAMP;a=20392955;e=i
Key features: Metasploit is a collection of penetration tools used to discover vulnerabilities, evaluate security and devise various approaches for defense. It can be used on servers, web applications and networks. It boasts an up-to-date database of known vulnerabilities and exploits. It supports Linux, Mac and Windows. A built-in network sniffer is included, and it provides a variety of ways to carry out attacks against exploits.
It includes automation, too, and offers pre-written scripts. Different modules cover scanning, exploiting, payload generation and analysis. Community and Pro editions are available. Both include features such as scanning of imported data, discovery scan, manual exploitation, data export, session/credential management, proxy pivot, and session clean up. Pro comes with a lot more bells and whistles such as brute force, evidence collection, complete reporting, AV/IDS/IPS evasion, data tagging, wizards for fast action, VPN pivoting, payload generators, and team collaboration.
Metasploit is backed by a community of over 200,000 users and contributors. Rapid7's work with the user community has amassed more than 2,300 exploits and more than 3,300 modules and payloads.
"Metasploit provides a fast way to collect all the low-hanging security problems when a new system is deployed," said a network manager in the healthcare industry.
Differentiator: Covers the entire range: scanning, finding, testing and exploiting vulnerabilities. Huge open-source database of exploits. Excellent analysis of pen testing results.
What it can't do: Does not scale as well as some other products, and is best as a tool to use against exploits acting against particular servers or applications rather than as a general scanning tool.
Cost: Community edition is free. Pro edition is $15,000 per year. There are also express versions costing between $2,000 and $5,000 per year.