SearchSecurity.com:
What kind of reaction has the Metasploit community had to the Rapid7 deal? What are your fans
saying?
For the most part people who use the framework are happy about it. The key things are that the
license doesn't change and that our development methodology doesn't change. We had a couple of
folks bring in some hard questions on the internal core development group, saying, 'Why would I
work to enrich Rapid7's pockets?' The result of all the discussion was, well it really wasn't that
much of a community project either. Going back to 2006, Metasploit was being run as an LLC. We had
commercial training; we paid for a lot of our costs that way. And there really were only a few
core folks involved in the main development process.
The Metasploit Project:
- Metasploit was created by security researcher H D Moore in 2003 as a portable network game using the Perl scripting language. It was later rewritten in Ruby.
- The Metasploit Framework development platform is used to perform penetration testing, IDS signature development, and exploit research.
- The Metasploit Framework is described as a module launcher, allowing the user to configure an exploit module and launch it at a target system.
- In 2008 Moore and the Metasploit development team changed the Metasploit Framework from a proprietary to a true open-source BSD compatible license.
You've just released Metasploit Framework 3.3, a full year after 3.2. What's new and
improved?
Nearly everything. We've added something like 120 new exploits, 100 new auxiliary modules, almost
every payload has been rewritten. The executable generator can now actually inject itself into
existing binaries, so nearly all the antivirus signatures that previously blocked things like
Metasploit-generated binaries no longer work. We now support Windows 7, Vista 64-bit, 64-bit in
general as both a target platform and as an attacking platform. We fixed tons and tons of bugs to
make things more stable. We added a lot of new ways to embed payloads into a lot of different
things. You can now put a payload into a Word document, into a Visual Basic script to make it
persistent. Basically, we're going after a lot of scenarios all at the same time.
Talk about the evolution of Metasploit since the project was founded in 2003. How has the threat
environment changed and how has Metasploit changed with it?
If you look at the exploit coverage of Metasploit from 2003 moving forward, you'll see a shift
towards client-side exploits and, even more recently, going from client-side exploits to
third-party, lesser known software packages. So, as Windows becomes slightly more secure, as Linux
distributions are making defaults more secure, disabling services, folks have really had to stretch
to find other ways in. And that means going after things like antivirus products, going after
third-party backup services, things that would be overlooked in a pen
The Rapid7 acquisition presents an opportunity to marry vulnerability assessment and pen testing.
What's the value of integrating these technologies?
It depends on your audience. A lot of folks in enterprise IT want to do vulnerability assessment
and that's it. They don't want to do exploits. A lot of folks on the pen-testing side don't want to
run a vulnerability scanner because it's too noisy and they're trying to come in quiet, stealthy
when they're doing a test. There is a middle ground. There are folks who want to do a full-blown
vulnerability test, and then verify what's exploitable. These are the folks who want to figure out
which one of the vulnerability reports they're looking at to work on first. So for vulnerability
prioritization, I really see the combination of vulnerability assessment technology and pen test
tools as being the gold standard.
What can we expect to see as a result of the acquisition if we're talking a year from now?
At some point we'll try to do more integration between the vulnerability assessment and pen-testing
products. In terms of whether there will be a commercial version of Metasploit, we're still tossing
that around. We're pretty sure there will be some sort of commercial support soon. In terms of
commercial products, we haven't set anything in stone. The idea now is to keep everything we're
working on now free, keep under the BSD license, and that precludes a lot of commercial options.
We're really focused on where can we add value, where can we improve everything we have today.