Open source hacker tool, Metasploit, gains new features

Rapid7 has introduced a commercial version of the security testing tool and is promising new features for the free version, too.

The open-source penetration testing tool Metasploit will soon have a commercial version, Metasploit Express, built on the popular Metasploit Framework. The commercial version has been the source of much speculation, since Rapid7 bought Metasploit last year.

Commercial open source
The Metasploit Framework is best known as a tool for developing and executing exploit code against a remote target machine. Using the framework's  built-in tools, security professionals can conduct penetration tests, verify patch installations and even perform regression testing. Written using Ruby, the tool has about 500 modules, including hundreds of remote exploits that can be targeted against various releases of Windows, Linux, BSD, Unix, and the Mac OS. All this also makes it a favorite tool of hackers wanting to conduct attacks.

The commercial version will include three parts, says HD Moore, creator of Metasploit and CSO for Rapid7, on the Metasploit blog.

"For a security professional trying to get a job done, mastering the basics doesn't take long, but leveraging the full power of the framework can take some time and often requires custom scripting.  This is where Metasploit Express comes into play.  Metasploit Express is essentially three pieces -- the Metasploit Framework that everyone uses today with no special modifications of any kind; the Workflow Manager, which handles the heavy lifting, automation, and analysis; and the User Interface, which provides a simple way to conduct common tasks, view results, interact with compromised targets, and generate reports. "

Metasploit Express also integrates with all editions of Rapid7's vulnerability management tool NeXpose, including the FOSS Community Edition.

Although Rapid7 will soon be selling Metasploit Express 3.4 at a price of $3,000/user/year, Rapid7 execs want to assure the open source community that it isn't selling out.

The open source version, Metasploit Framework 3.4, will soon get a bunch fresh features, too. Moore says the company has made improvements to the Famework's Meterpreter payload, expanded its brute force capabilities, and done a "complete overhaul of the backend database schema and event subsystem."

The company promises to release both the commercial and the new open source versions in May.

The white hat security community and the open source community were equally aghast when Rapid7 purchased Metasploit. At the time, Moore promised the project's participants (a large community of volunteers): "Rapid7 has committed to keeping the project open source, with no plans to change the license or the community development model ... What will be changing is how fast we add new exploits, integrate new features, and release new versions." 

Security professionals were concerned at that time that a commercial focus for Metasploit would hurt it. Richmond, Va.-based IT security practitioner Rick Lawhorn, quipped in an e-mail: "The road to hell is paved with good intentions. Unfortunately, the ones who will be happy are the bad guys; with a potentially-reduced focus on making things secure and greater focus on profitability."

Time will tell if this will become a positive case study in how a tool moves from FOSS project to commercial product, or a "what not to do."

Please visit the Open Source Subnet home page for more news, blogs and podcasts.

Subscribe to all Open Source Subnet bloggers

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2010 IDG Communications, Inc.

IT Salary Survey: The results are in