There are a lot of different points of entry and attack in a modern enterprise IT network environment.
In an effort to help test and identify security weaknesses, security vendor Rapid7 this week released Metasploit 4.0, advancing both the commercial and open source versions of its penetration testing framework. Metasploit 4.0 marks a significant shift over the Metasploit 3.x branch that first debuted back in March of 2007.
HD Moore, Rapid7’s chief security officer and Metasploit chief architect, explained to InternetNews.com that the use case for Metasploit has moved from a thin launcher around the exploit repository to an all-in-one penetration testing toolkit.
“The 4.0 release brings the framework to a database-centric model where all security information is stored within projects and the framework is focused on organizing system information as well as exploiting vulnerabilities,” Moore said. “This release adds support for importing data from a multitude of other security products, exporting data in a documented XML format, and integrating with other applications through a brand new remote API.”
Moore explained that Metasploit 3 exposed an XML-RPC API, but this API was limited, buggy, slow, and completely undocumented. He added that the new remote API in Metasploit 4 is fully documented and exposes almost every individual feature of Metasploit through the API.
Additionally, Moore commented that Metasploit is no longer just about exploitation. He noted that the combination of database focus, import/export support, and automation capabilities has shifted the focus to a wider set of activities around security testing and penetration test management.
“This release also serves as a wrap-up for the last 5 years of feature additions, incorporating over 13,000 commits and adding somewhere near a million lines of code to the project as a whole,” Moore said.
With Metasploit 4, the project is also moving to the cloud with Amazon. Metasploit can now be provisioned as a VMware image as well. Moore noted that the cloud version leverages the new remote API in Metasploit 4. Rapid7 is also relying on Linux as the base operating system on which Metasploit runs in the cloud.
“We provide a standard Ubuntu image that comes with Metasploit Pro pre-installed,” Moore said. “A new instance can be brought online, activated, and used to launch attacks within seconds, all from the command-line.”
There are multiple versions of Metasploit, including the open source community Framework, Express and Pro versions. Moore explained that Metasploit Framework and Metasploit Express both support importing and exporting data. That said, he noted that Metasploit Pro is the only edition that exposes complete SIEM integration due to the type of data and API calls it can provide.
“Metasploit Pro is our flagship product and is the only edition with much of the automation and large-scale penetration testing functionality, however most of the individual components are implemented in the open source framework and available at some level in Metasploit Express,” Moore said.
On the community front, Metasploit 4 consolidates two major projects. Moore explained that the first project was spearheaded by a contributor who goes by TheLightCosine. That contributor took it upon himself to expand Metasploit’s post-exploitation support for extracting encrypted passwords from a huge set of applications.
“This release includes modules for pulling passwords from Outlook, Firefox, Pidgin, and dozens of other applications,” Moore said. “The second project was the Metasploit Exploit Bounty – this was a community effort to add exploits for a list of 30 vulnerabilities. At the end of the bounty program, we significantly expanded our exploit coverage for browsers, enterprise applications, and SCADA systems.”
Though Metasploit 4 is a new version number, older modules from previous versions of Metasploit will still work.
“The Metasploit Framework is backwards compatible and the latest release supports both a new container for version 4 modules as well as the existing version 3 module repository,” Moore said.