The updates for 3.40 are incredible as can be seen here in the Release Notes. There are now over 550 exploit modules. Bruteforce capabilities are greatly enhanced, and work well in some testing I was doing last night. Plus, the meterpreter payload saw some major updates. If you want to know more about what's gone into the update, take a look at the video of HD Moore's talk at Source Boston 2010 where he talks about the enhancements and the people working hard behind the scenes.
I've been a longtime user of the Metasploit Framework and jumped on the chance to test the Metasploit Express beta when it was announced. Having tested it for a couple of weeks, I've found it to be quite usable with a simple workflow to follow from identifying hosts to exploiting them and gathering "evidence." It definitely makes the power of Metasploit more accessible to those penetration testers just getting started or who have been intimidated by the myriad of exploits, payloads, and auxiliary modules.
While the workflow definitely adds something that was missing, I feel a little constrained within the graphical interface. It's lacking in the raw power and customization that a penetration tester is exploit to when working with msfconsole in Metasploit Framework. This is something that's been echoed on the express-users mailing list and some online reviews.
On the other hand, it works. I used Express to bruteforce the password on one of my routers, exploit several vulnerable virtual Windows and Linux systems, collect system information, and "clean up" the traces of the exploitation. If I don't like the nmap scanning options, I can just import the results of my own scan or even the results from a Nessus vulnerability scan. But if I could just drop down to a msfconsole interface within Express...
If you're in the market for a penetration testing tool or would like to experience the power of Metasploit with a easy-to-use graphical (Web) interface, then Metasploit Express is pretty slick, works well, and has an awesome development team behind it.
And for testing purposes, if you don't have any vulnerable systems lying around, then HD and crew just released Metasploitable, a vulnerable virtual machine running Ubuntu 8.04 server. Just don't expose it to the Internet once you've got it up and running.
John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.