Metasploit Version 4.11 Released

This week, we released Metasploit version 4.11 to the world -- feel free to download it here if you're the sort that prefers the binary install over the somewhat Byzantine procedure for setting up a development environment. Which you should be, because the binary installers (for Windows and Linux) have all the dependencies baked in and you don't have to monkey around with much to get going.

The two major features with this release center around reorganizing the bruteforce workflow to make things more sensible and usable for larger-scale password audits, and much better visualization on figuring out where the weak link is/was in the organization under test when stolen credentials were used to extend control.

Check out the screens of the much-streamlined Bruteforce configurator (click to embiggen):

and the "Credentials Domino" screen (also embiggenable):

That is one sexy relational graph, and the whole thing is kind of super fun to use. Makes me almost want to be a web developer. (:

Metasploit Resource Portal

In other news, it turns out I'm now a web developer! I give to you, the Metasploit Resource Portal, currently at It's pretty modest right now, and still in a public beta state, but today seems like as good a day as any to announce -- especially since community contributor Tom Sellers pretty much forced my hand yesterday in this quick DM conversation:

Tom has the honor of offering up the first PR to the project, so we'll see how this all plays out. Metasploit is an ever-changing beast, just like the rest of the security landscape. Hopefully, this crowd-sourced scheme to keep up on expert-reviewed content will be useful for both newbs and greybeards.

While this first small pass was collected up by Grandmaster Exploit Dev Wei @_sinn3r Chen and Metasploit Documentrix Thao @crazygoodcookie Doan, it turns out there's a ton of material on Metasploit ins and outs that wasn't written by anyone connected at Rapid7. Of course, that's no real surprise. However, while much of it is really good, only some of it is quite excellent -- so we're going to have to depend on you folks to help flag what's truly over-the-top amazing sauce.

If you have any suggestions or ideas for what can make this static site more useful for you, please don't hesitate to file an issue. This is literally the first on-the-Internet web project I've ever done, so I completely expect you to rake it over the coals. I settled on a Middleman-produced, Bootstrap-flavored, GitHub Pages-hosted static website. The whole thing was pretty fun -- especially since I got some early hand-holding and pep-talking from Matt @techpeace Buck, webdev extraordinaire.

I do have to say, though, I'm kind of horrified at the level of implicit trust that webdevs the world over are putting on cleartext http-delivered javascript includes. I'm pretty sure I chased all of those down so I'm at least not exposing you to XSS/CSRF across all the space. As it happens, Trevor @burlyscudd Rosen and I have worked up a developer-centric talk on this very topic, in fact. Mind those network calls!

New Modules

Since commit dcf2317, we've added three new exploits and six new auxiliary and post modules. The Kippo module is particularly interesting, at least to me. More often than not, I run a Kippo server on my laptop when I go to security conferences, just to see what I can see. It looks like that jig is now potentially up, at least until the Honeynet folks figure out if and how they want to avoid detection using these techniques.

Exploit modules

Auxiliary and post modules