Metasploit
Metasploit took the security world by storm when it was released in 2004. It is an advanced open-source platform for developing, testing, and using exploit code. The extensible model through which payloads, encoders, no-op generators, and exploits can be integrated has made it possible to use the Metasploit Framework as an outlet for cutting-edge exploitation research. It ships with hundreds of exploits, as you can see in their list of modules. This makes writing your own exploits easier, and it certainly beats scouring the darkest corners of the Internet for illicit shellcode of dubious quality. Metasploit was completely free, but the project was acquired by Rapid7 in 2009 and it soon sprouted commercial variants. The Framework itself is still free and open source, but they now also offer a free-but-limited Community edition, a more advanced Express edition ($3,000 per year per user), and a full-featured Pro edition ($15,000 per user per year). Other paid exploitation tools to consider are Core Impact (more expensive) and Canvas (less).
The Metasploit Framework now includes an official Java-based GUI and also Raphael Mudge's excellent Armitage. The Community, Express, and Pro editions have web-based GUIs.
A collaboration between the open source community and Rapid7, Metasploit software helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments, providing true security risk intelligence. Capabilities include smart exploitation, password auditing, web application scanning, and social engineering. Teams can collaborate in Metasploit and present their findings in consolidated reports.
Metasploit editions range from a free edition to professional enterprise editions, all based on the Metasploit Framework, an open source software development kit with the world's largest, public collection of quality-assured exploits.
History of the Metasploit Project
Background
HD Moore created the Metasploit Project in 2003 to provide the security community with a public resource for exploit development. This project resulted in the Metasploit Framework, an open source platform for writing security tools and exploits.
The first version of the Metasploit Framework was written by HD Moore and provided a curses-based frontend written in the Perl scripting language. Spoonm, the second developer, joined the project in late 2003 and helped design the overall workflow that is still in use today. Shortly after, Matt Miller (aka skape) started contributing, eventually becoming the third member of that core development team.
The first two versions of the Metasploit Framework were written in the Perl scripting language, ending with the 2.7 release in 2006. Perl had a number of disadvantages, which led to a ground-up rewrite in the Ruby language, started in 2005 and completed in 2007. By the end of 2007, both Spoonm and Matt Miller had left the project, and in an effort to bring on a new team, the source code was relicensed under the three-clause BSD license, starting with version 3.2 in 2008. The license change, combined with a stronger community-focused development team, led to a huge boost to the vitality of the project.
On October 21, 2009, Rapid7, a vulnerability management solution company, acquired the Metasploit Project. Prior to the acquisition, all development of the framework occurred in the developer's spare time, eating up most weekends and nights. Rapid7 agreed to fund a full-time development team and still keep the source code under the three-clause BSD license that is still in use today.
The Metasploit Project Today
In addition to devoting our time to updating and enhancing the Metasploit Framework, we have been busy developing commercial solutions for professional penetration testers and IT security staff who want a more efficient solution for their everyday jobs.
In May 2010, we introduced our first commercial collaboration: Metasploit Express. The affordable security solution provides penetration testing capabilities to security professionals of all skill levels. It makes testing easier by streamlining many of the common penetration testing tasks most security professionals perform on a day-to-day basis – we call it the penetration testing workflow.
Only a short five months later, we added Metasploit Pro to our growing suite of commercial solutions. Metasploit Pro built on the existing interface and feature set of Metasploit Express and added even more advanced attack capabilities, including Web application scanning and exploitation, social engineering campaigns, and VPN pivoting. We built Metasploit Pro with penetration test teams in mind: it includes multi-user support and enables teams to manage project access as well as to orchestrate and synchronize multi-layer attacks. It's a true expert system for red teams and individual penetration testers.
Metasploit Framework users told us that they found the tool hard to use but couldn't always afford to upgrade to the full commercial editions. In October 2011, we decided to make a basic version of our robust commercial user interface available to the community free of charge to make penetration testing more accessible, especially to new users. Metasploit Community Edition simplifies network discovery and vulnerability verification for specific exploits, increasing the effectiveness of vulnerability scanners such as Nexpose – for free. Download your free copy now.
With over 1 million downloads over the last 12 months, we have been keeping busy.
The Metasploit Project Tomorrow
Our goals are and always will be to support open source software, promote community involvement, and provide the most innovative resources and tools for penetration testers all over the world. In addition to exploring commercial solutions, we are committed to keeping the Metasploit Framework free and open source. However, it's a lot of work and we can't do it without you. That's why we need you more than ever.