Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:40 AM
Connect Directly

Metasploit Hacking Tool Now Open for Licensing

New Metasploit 3.2 adds new features including DNS, WiFi hacking

The wildly popular Metasploit hacking tool for the first time is now officially open source, open-license technology that can be incorporated into commercial tools.

The free research and penetration testing tool historically has had restricted, non-commercial licensing so that it could only be used by researchers or in-house penetration testers -- not repackaged, redistributed, or sold. But in the new version 3.2 -- due later this month in its final version -- Metasploit project lead HD Moore and his team have transformed Metasploit into an official open source project, complete with a BSD 3-Clause license arrangement that allows others to sell, rename, or “fork” the code in another direction.

"Changing the license to be as open as possible -- BSD 3-clause is nearly public domain -- would not only be fair to the new developers, but allow us to expand beyond the original goal as an exploit platform and become the basis for wide variety of new projects," says Moore. "It's entirely likely that we will see new projects targeted at individual sectors and applications, which we hope will filter some improvements back to the core project. By opening the license to the entire Metasploit codebase, we have let the proverbial cats out of the bag -- it's now just a matter of counting kittens."

Rich Mogull, founder of Securosis, says this will provide more options in the penetration testing market. “Choice increases, and potentially the pace of development. But it also means people need to be careful... The Metasploit team has done a heck of a good job on quality, which isn't guaranteed as people take it in new directions,” Mogull says. “Also, we'll likely see commercial products that are just wrappers of a system that already has a good UI [user interface]. Some will advance the product, but many won't. Me, I'll stick with whatever HD is running for now, but we might see some interesting offshoots over time.”

Commercial penetration testing vendor Core Security Technologies may eventually incorporate Metasploit technology into its products, says Fred Pinkett, vice president of product management for Core. “Interestingly, we had always talked to HD [Moore] about interactions and connections between the technologies... where there were modules they don’t have, or considerations of how we might integrate with Metasploit in an open way,” Pinkett says. “Our commitment to our customers is commercial-grade exploits.”

Metasploit 3.2, which will be available in two weeks, adds 300 new exploits and has a simplified module structure so exploits are easier to load. Among the new features are DNS Spoofing, based on a tool built by Moore in the wake of Dan Kaminsky’s DNS flaw discovery; JavaScript obfuscation; JavaScript detection of the browser, operating system, and service packs; Browser Autopwn, for firing off browser exploits; man-in-the middle attacks; reflective DLL injection; full IPv6 support; and Karmetasploit, a rogue wireless access point for hacking WiFi in cafes, airplanes, and hotels.

An early version of Metasploit 3.2 is available here.

The original versions of Metasploit -- 1.0 and 2.X -- were initially available under GPL and Perl Artistic License to help ensure that they were interoperable with other security tools. But Moore and his co-developers found that some people were abusing that arrangement commercially, so they shifted gears to a more restrictive licensing arrangement with 3.0.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Core Security Technologies

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Navigating Security in the Cloud
    Diya Jolly, Chief Product Officer, Okta,  12/4/2019
    SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
    Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Write a Caption, Win a Starbucks Card! Click Here
    Latest Comment: Our Endpoint Protection system is a little outdated... 
    Current Issue
    Navigating the Deluge of Security Data
    In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
    Flash Poll
    Rethinking Enterprise Data Defense
    Rethinking Enterprise Data Defense
    Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2019-12-10
    JBoss KeyCloak: XSS in login-status-iframe.html
    PUBLISHED: 2019-12-10
    oVirt Node: Lock screen accepts F2 to drop to shell causing privilege escalation
    PUBLISHED: 2019-12-10
    openstack-utils openstack-db has insecure password creation
    PUBLISHED: 2019-12-10
    rubygem-openshift-origin-controller: API can be used to create applications via cartridge_cache.rb URI.prase() to perform command injection
    PUBLISHED: 2019-12-10
    marc-q libwav through 2017-04-20 has a NULL pointer dereference in wav_content_read() at libwav.c.