The penetration testing world saw a couple of exciting announcements yesterday. The first one I want to mention because it's one of my favorite tools -- Burp Suite Professional. It's a great tool for Web application penetration testing, and a new update was just released. But of course the big news that has everyone talking are the Metasploit releases.

John H. Sawyer, Contributing Writer, Dark Reading

May 19, 2010

3 Min Read

The penetration testing world saw a couple of exciting announcements yesterday. The first one I want to mention because it's one of my favorite tools -- Burp Suite Professional. It's a great tool for Web application penetration testing, and a new update was just released. But of course the big news that has everyone talking are the Metasploit releases.Version 3.4.0 of the open source Metasploit Framework was released yesterday along with the new commercial Metasploit Express (screenshots) offering from Rapid7. It's a bit amusing to look back the initial reactions about the future of the Metasploit Framework when the project was first acquired by Rapid7. Some said it was doomed, while others cheered on the decision. Taking a look at the increase in development and the responsiveness of the development team shows, it's pretty obvious that it's been a big win for the Metasploit user community.

The updates for 3.40 are incredible as can be seen here in the Release Notes. There are now over 550 exploit modules. Bruteforce capabilities are greatly enhanced, and work well in some testing I was doing last night. Plus, the meterpreter payload saw some major updates. If you want to know more about what's gone into the update, take a look at the video of HD Moore's talk at Source Boston 2010 where he talks about the enhancements and the people working hard behind the scenes.

I've been a longtime user of the Metasploit Framework and jumped on the chance to test the Metasploit Express beta when it was announced. Having tested it for a couple of weeks, I've found it to be quite usable with a simple workflow to follow from identifying hosts to exploiting them and gathering "evidence." It definitely makes the power of Metasploit more accessible to those penetration testers just getting started or who have been intimidated by the myriad of exploits, payloads, and auxiliary modules.

While the workflow definitely adds something that was missing, I feel a little constrained within the graphical interface. It's lacking in the raw power and customization that a penetration tester is exploit to when working with msfconsole in Metasploit Framework. This is something that's been echoed on the express-users mailing list and some online reviews.

On the other hand, it works. I used Express to bruteforce the password on one of my routers, exploit several vulnerable virtual Windows and Linux systems, collect system information, and "clean up" the traces of the exploitation. If I don't like the nmap scanning options, I can just import the results of my own scan or even the results from a Nessus vulnerability scan. But if I could just drop down to a msfconsole interface within Express...

If you're in the market for a penetration testing tool or would like to experience the power of Metasploit with a easy-to-use graphical (Web) interface, then Metasploit Express is pretty slick, works well, and has an awesome development team behind it.

And for testing purposes, if you don't have any vulnerable systems lying around, then HD and crew just released Metasploitable, a vulnerable virtual machine running Ubuntu 8.04 server. Just don't expose it to the Internet once you've got it up and running.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

About the Author(s)

John H. Sawyer

Contributing Writer, Dark Reading

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights