Metasploit Hits 1000 Exploits

Last updated at Thu, 08 Feb 2024 21:18:26 GMT

Along with today's 4.5 release, Metasploit hit a thousand exploits.

So, what does that mean? Well, let's take a look, historically.

When Metasploit 1.0 was released on October 6, 2003, it boasted all of 11 exploits, according to this mailing list post. Now, this is 9 years ago, so an announcement on a mailing list of more than one exploit was pretty novel, and "a ton of new ones" were "on the way."

About six months later, Metasploit 2.0 was released. This April 7, 2004 edition of Metasploit had 18 exploits, a 63% jump. Not bad for 2004 -- that was practically one new exploit a month from one project! These guys were clearly Serious Business.

Over the next three years, Metasploit attracts the attention of basically everyone in the security research community, HD begins and ends the Month of Browser Bugs, and incidentally the Framework gets completely rewritten in Ruby (up until now, the Metasploit Framework had been written in Perl). Upon Metasploit 3.0's release on March 27, 2007, the project commands 177 exploits. That's 159 new exploits over about 36 months, right around 4.4 exploits per month, so let's just round it out and figure this period saw about one new exploit per week. Things are picking up steam.

On August 1, 2011, Metasploit 4.0 was released. In the interim, the Metasploit Framework got picked up by Rapid7 (thanks guys!), so people started getting paid, full-time, to write and help others write exploits. We have a couple products come up in this time -- Metasploit Community and Metasploit Pro, so we have a whole new slew of users. This release sees 716 exploits, at least according to commit 65a3c0. Since 3.0, 716 exploits means 557 new exploits. The lag from 3.0 is four years and four months -- 1588 days, to be precise, right about 227 weeks. (557 / 227) is right about 2.4 exploits per week over this scale, or twice as many as the jump from 2.0 to 3.0.

That brings us to today -- December 7, 2012. Using the 1000 exploits figure as of Metasploit 4.5, it took us 70.5 weeks to pick up those 284 new exploits. That's an average of four new exploits a week since 4.0's release. I guess we don't work on Fridays. Incidentally, we have 562 auxiliary modules and 164 post modules as of this moment, too, and those are no small feat, either, and there's lots of interesting and important work being done there, too.

The growth of Metasploit Framework and the Metasploit products over the years have been amazing and humbling. Anyone can see that we don't write all or even half of these exploits -- they come from researchers, hobbyists, and hackers from around the world, and all of you had the thought to share your knowledge, skill, and expertise with us. Thank you for that. Thanks also to Rapid7 for recognizing the power and positivity of the open source security movement. I'm honored to be a part of this project, and can't wait to clock another thousand exploits.