Metasploit evolved in 2003, Rapid7 acquired it from the original developers in 2009, and fourth-generation software debuted in 2011. Metasploit Pro is currently in version 4.2 and costs several thousand dollars for a license; Metasploit Framework currently in version 4.12.33 is open source, officials explained.
SEE: Penetration Testing and Scanning Policy (Tech Pro Research)
Leo Varela, director of engineering, said his team is developing capabilities such as a single-pane interface, ways to convert Android vulnerabilities into corporate network access, a new focus on automated testing of network security controls, and a code base that’s slimmer and faster.
Metasploit is traditionally Windows-centric. However, for Apple iOS testing, Boston-based Rapid7 is in the same boat as everyone else in the security and forensics fields—it’s very difficult to do. Varela said he’s open to adding iOS modules if the community of open-source Metasploit Framework users can help. Apple’s mobile operating system is a custom version based on a derivative of Unix, and in recent and upcoming changes, “We are adding the capabilities to be able to interact with Linux and with Unix,” Varela noted.
“It’s up to the open-source developers to add content to it. We believe these [other] investments are much more valuable to the penetration testing community at large while we allow the open-source community to come up with iOS modules,” Varela added.
Joshua Marpet, of security and forensic consulting firm GuardedRisk, said Rapid7’s ease-of-use plans sound helpful for lower-level employees, but security professionals are happy using the command line and would rather see Rapid7 put its resources into new modules.
Marpet gave an example of the recent distributed denial-of-service against prominent security blogger Brian Krebs. By going through network-connected street cameras, the attackers made whole new approaches, he said. That differs from the antivirus world where new viruses are typically just different payloads wrapped in existing techniques, he observed. Rapid7 needs to keep up with this, he urged.
Marpet, in Wilmington, Del., said another tool he likes is Strategic Cyber’s Cobalt Strike because of its automation features. Washington D.C.-based developer Raphael Mudge made Cobalt Strike atop Metasploit Framework but later changed its foundation to a different system. Mudge, asked about his product’s roadmap, said he has new releases every few months but declined to comment because of frequently changing priorities.