To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.
What kind of reaction has the Metasploit community had to the Rapid7 deal? What are your fans saying?
For the most part people who use the framework are happy about it. They key things are that the license doesn't change and that our development methodology doesn't change. We had a couple of folks bring in some hard questions on the internal core development group, saying, 'Why would I work to enrich Rapid7's pockets?' The result of all the discussion was, well it really wasn't that much of a community project either. Going back to 2006, Metasploit was being run as an LLC. We had commercial training; we paid for a lot of our costs that way. And there really only were only a few core folks involved in the main development process.
The Metasploit Project:
- Metasploit was created by security researcher H D Moore in 2003 as a portable network game using the Perl scripting language. It was later rewritten in Ruby.
- The Metasploit Framework development platform is used to perform penetration testing, IDS signature development, and exploit research.
- The Metasploit Framework is described as a module launcher, allowing the user to configure an exploit module and launch it at a target system.
- In 2008 Moore and the Metasploit development team changed the Metasploit Framework from a proprietary to a true open-source BSD compatible license.
You've just released Metasploit Framework 3.3, a full year after 3.2. What's new and improved?
Nearly everything. We've added something like 120 new exploits, 100 new auxiliary modules, almost every payload has been rewritten. The executable generator can now actually inject itself into existing binaries, so nearly all the antivirus signatures that previously blocked things like Metasploit-generated binaries no longer work. We now support Windows 7, Vista 64-bit, 64-bit in general as both a target platform and as an attacking platform. We fixed tons and tons of bugs to make things more stable. We added a lot of new ways to embed payloads into a lot of different things. You can now put a payload into a Word document, into a Visual Basic script to make it persistent. Basically, we're going after a lot of scenarios all at the same time. Talk about the evolution of Metasploit since the project was founded in 2003. How has the threat environment changed and how has Metasploit changed with it?
If you look at the exploit coverage of Metasploit from 2003 moving forward, you'll see a shift towards client-side exploits and, even more recently, going from client-side exploits to third-party, lesser known software packages. So, as Windows becomes slightly more secure, as Linux distributions are making defaults more secure, disabling services, folks have really had to stretch to find other ways in. And that means going after things like antivirus products, going after third-party backup services, things that would be overlooked in a pen The Rapid7 acquisition presents an opportunity to marry vulnerability assessment and pen testing. What's the value of integrating these technologies?
It depends on your audience. A lot of folks in enterprise IT want to do vulnerability assessment and that's it. They don't want to do exploits. A lot of folks on the pen-testing side don't want to run a vulnerability scanner because it's too noisy and they're trying to come in quiet, stealthy when they're doing a test. There is a middle ground. There are folks who want to do a full-blown vulnerability test, and then verify what's exploitable. These are the folks who want to figure out which one of the vulnerability reports they're looking at to work on first. So for vulnerability prioritization, I really see the combination of vulnerability assessment technology and pen test tools as being the gold standard.
What can we expect to see as a result of the acquisition if we're talking a year from now?
At some point we'll try to do more integration between the vulnerability assessment and pen-testing products. In terms of whether there will be a commercial version of Metasploit, we're still tossing that around. We're pretty sure there will be some sort of commercial support soon. In terms of commercial products, we haven't set anything in stone. The idea now is to keep everything we're working on now free, keep under the BSD license, and that precludes a lot of commercial options. We're really focused on where can we add value, where can we improve everthing we have today.