If you’ve done any serious pen testing on your network, there’s a good chance you’ve used Metasploit. The open source project’s founder took some time to talk about where it’s going, what it’s like to mix open source ideals with commercial goals, and the difficulties of maintaining both Windows and Linux versions of his software.
The open source Metasploit framework is a popular way for security researchers to conduct penetration testing for security analysis. It’s also a project undergoing a number of transitions.
For one thing, there’s a new Metasploit version on the way that sports new features, including improved social engineering testing tools. But there’s also the transition from a purely open source project to an effort that must balance the needs of its open source community with the commercial requirements of its new Metasploit Express proprietary product.
At the center of these transitions is HD Moore, the researcher who founded the Metasploit project.
Since Metasploit’s acquisition by security vendor Rapid7 in 2009, Moore has served as chief security officer at his new employer while continuing to work on the framework. During that time, he’s overseen Metasploit’s expansion, which most recently has included embracing new commercial aspirations with Metasploit Express. For Moore, the move to Rapid7 has been a boon for both himself and the Metasploit project as it presses ahead with new features.
“The only slight distraction is that some of my time is split between other responsibilities at Rapid7 and not so much on the code itself,” Moore told InternetNews.com. “I’m spending 50 percent of my time on developer-only time, but I do have to work in other areas including working with sales — but it’s still so much more time than I’ve ever been able to spend with Metasploit that I can’t complain.”
The most recent Metasploit version was its 3.4 release, which debuted in May. Alongside the open source release, Rapid7 also released Metasploit Express 3.4, a commercial program that provides a new user interface and ease-of-use enhancements to the framework.
“The biggest goal that we have for Metasploit in the next few months is to nail down our client-side exploitation capabilities,” Moore said. “We want to make it easier to configure and provide more social engineering-type attacks.”
Metasploit’s Next Version – and a Future in the Cloud?
For social engineering attacks today, Moore noted that Metasploit already has modules that can help to enable those types of attacks. With the upcoming Metasploit 3.5 release, currently scheduled for release in October, the goal is to make it easier to actually use and execute Metasploit’s social engineering penetration testing tools.
“What we’re trying to do for social engineering testing in Metasploit 3.5 is consolidate all of our individual tools for client-side and web application testing and building wrappers around them to make them easier to use,” Moore said.
Both the core open source Metasploit 3.5 release as well as the commercial Metasploit Express 3.5 release will benefit from the client-side exploitation consolidation, he added. Moore explained that open source users will get a single module that will enable them to control the other client-side exploit modules, while Metasploit Express users will get a graphical user interface and additional reporting capabilities.
Moore noted that the core Metasploit Framework is very scalable today. Still, he added that there is room for improvement in managing large volumes of sessions from a reporting console.
And while a number of security vendors are looking to morph their offerings into cloud computing services, it’s unclear whether Metasploit will follow suit. Moore said that he thought such a solution would work well for external penetration testers, but internal testing remains the project’s focus.
“For a lot of our customers, what they’re doing are internal assessments on enterprise networks,” Moore said. “For that type of environment, on-demand in the cloud doesn’t work well, as you need to have something local on the network.”