Since mid-December, the Metasploit team has been working non-stop towards version 3.4.0 of the Metasploit Framework. The final release is still scheduled for mid-May, but I wanted to share some of the upcoming features, available today from the development tree. Version 3.4.0 includes major improvements to the Meterpreter payload, the expansion of the framework's brute force capabilities, and the complete overhaul of the backend database schema and event subsystem. In addition, more than 60 exploit modules and 40 auxiliary modules have been added since 3.3.3, with more to go before the final release. Our team of 6 dedicated staff, along with our external contributors and the supporting teams within Rapid7, have been cranking out updates and improving the quality of the framework by leaps and bounds. While previous blog posts have covered some of the new features, the draft release notes are up and cover the feature list in greater depth.
I am also pleased to announce that we will be introducing Metasploit Express, an easy to use security solution that is designed to bring penetration testing capabilities to security professionals everywhere. When I first became involved in security, well before the Metasploit Project even started, I had a vision for a security product that would simplify and automate many of the common penetration testing tasks I did on a daily basis. As the Metasploit Project has grown, most of the components required to build this product have ended up in the Metasploit Framework.
Today, tens of thousands of security professionals use the Metasploit Framework and the modules within it for a variety of security tasks. The challenge with using Metasploit during a penetration test is knowing which modules to run, with what payloads, in what order, and with what parameters. Knowing how to use the console and combine modules effectively is one of the most complex skills that a security professional can learn. The framework today contains almost 550 exploits, 200 payloads, and 260 auxiliary modules that can be mixed and matched to do just about anything. This doesn't count the extensive Meterpreter payload or the library of scripts provided in the base installation.
For a security professional trying to get a job done, mastering the basics doesn't take long, but leveraging the full power of the framework can take some time and often requires custom scripting.
This is where Metasploit Express comes into play.
Metasploit Express is essentially three pieces -- the Metasploit Framework that everyone uses today with no special modifications of any kind; the Workflow Manager, which handles the heavy lifting, automation, and analysis; and the User Interface, which provides a simple way to conduct common tasks, view results, interact with compromised targets, and generate reports.
To be absolutely clear, Metasploit Express is a commercial product, complete with a price tag and a support infrastructure. The availability of Metasploit Express does not change the licensing or the development model for the Metasploit Framework, nor do we intend to start charging for the framework at any point in the future. The Metasploit Framework is now and will always be an open-source project in the truest sense, available under one of the most liberal licenses available (New BSD). The open source framework provides the tools that Metasploit Express uses to streamline common penetration testing tasks. This dependency will ensure that new exploits, bug fixes, and payload features will always end up in the open source development tree before being incorporated within the Metasploit Express product. Just like with NeXpose Community Edition, there will be no time delay of modules or commercial restrictions on the use of the open source framework.
For Metasploit to be successful in the long run, it must be much easier to use by a wider range of security professionals. Metasploit Express gets us closer to this goal by making penetration testing accessible to the entire security community. Sales of Metasploit Express provide a path to even faster development of the open source framework and a long-term solution to sustaining the project.
You can find more details about Metasploit Express here, with much more to come as we approach the official release date.
I hope you are as excited about the product as I am :)