Pen testers weigh in on whether the deal was a success or a sellout

When Rapid7 bought the Metasploit Project exactly one year ago this week, there were rumblings of concern that the open-source penetration testing tool would lose its identity and go all commercial. Metasploit indeed has gone commercial -- there are new commercial versions of the tool available now from Rapid7 in addition to the open-source framework -- but most penetration testers say the tool has maintained its open-source roots and is evolving much more rapidly with the added development resources.

Rapid7 rocked the penetration testing marketplace with its announcement it had purchased the Metasploit Project and hired its creator, HD Moore, as chief security officer of the company. Moore and Rapid7 executives were adamant about avoiding a failed open source-commercial marriage such as that of the Nessus scanning tool, which went from an open-source to a proprietary, closed-source license under Tenable Network Security. Their goal was to instead both improve and preserve the open-source framework, while making a commercial version of Metasploit as well.

Rapid7 marked the one-year anniversary of the union this week with the availability of Metasploit Pro, an enterprise version of the popular hacking tool that allows unrestricted, remote access to networks and comes with features such as collaboration, custom Web application testing, antivirus evasion, and social engineering.

Meanwhile, there have been 1 million downloads and updates to the open-source Metasploit Framework since Rapid7 took it in-house, and release cycles have gone from nine to 12 months to once a week now with the additional resources for the project, according to Rapid7's Moore. There are 120,000 active members of the Metasploit community, and 164 new exploits have been added to the Metasploit Framework since the acquisition. "The biggest difference now is that it's more than a one-person project," Moore says. "The project has more flexibility now" and includes quality assessment, he says. "It has commercial quality surrounding it."

Moore says the biggest challenge with the Rapid7-Metasploit union is responding to feedback and patch submissions quickly enough. Keeping the community developers in the loop and in lockstep with the internal development work is also a challenge.

"Many of the outside developers have pet projects, but these can fall by the wayside if the supporting code is churning faster than they can keep up," he says. "Prior to Rapid7, we received contributions for almost all levels of the framework, from the modules, which are mostly stand-alone, to the core libraries, payloads, and user interfaces. After the acquisition and due to the pace of development happening on the back end, most of the new contributions focus on the areas that require less work to keep up with the API, namely the modules and plug-ins. We are still seeing more contributions than ever before on the modules side, but most of the core development work now happens in our team."

The union ultimately has pitted Metasploit against commercial penetration testing tools from Core Security and Immunity Inc. Some longtime Metasploit users say they've been pleasantly surprised with how the project has maintained its character and now update the tool more regularly. Joshua Perrymon, CEO for PacketFocus and a penetration tester, says Metasploit has morphed into "more of a commercial, get-it-done pen-test tool."

Perrymon likes the graphical user interface improvement, as well as the ability to "pivot," or compromise, a machine from the outside to use it to attack other machines inside. He says he's among the traditional security experts who prefer using the open-source tools, so he has no plans to purchase Metasploit Pro. "I'm still old-school about not relying on commercial tools or a single tool to do the job. Metasploit is like a tool in the kit: If I need to validate an exploit, this is the safest way to use it," says Perrymon, who also runs Nmap, Nessus, and phishing tools, for instance.

David Maynor, CTO of Errata Security, says he uses Metasploit every day in his pen-test work for clients. He has noticed the quicker turnaround on the development side, he says, and says Metasploit has remained open under the Rapid7 umbrella. He's looking at Metasploit Pro, mainly because some clients prefer he run a commercial tool rather than an open-source one because they argue it has more support behind it. "It generally takes more explaining the value proposition of Metasploit over Immunity or Core" to sell clients on his using the open-source Metasploit, he says.

But not all hackers are happy with Metasploit's new home. Moore says complaints have mostly been from those who don't want to contribute to a commercial firm's products, or in how Rapid7 handles feature development for commercial products.

"We really try to make the difference between free and commercial to be largely related to ease of use and automation, not technical capacity. However, a couple of folks are annoyed that we did not spend more time maintaining the open-source bits that could be considered competitive with the commercial parts," he says. "These features would include things like the old Web interface, the old GUI, and the automated exploit tools in the free code, [such as ] db_autopwn."

Moore says the Web interface and GUI were too buggy to maintain, so he offered them up to external developers to take over. A little more than a handful of contributors said they would work on the Web interface, but nothing has materialized thus far, he says.

But an outside contributor, who goes by the moniker "scriptjunkie," has taken over the GUI project. "[He] wrote a brand new interface in Java, and, best of all, it uses the same communication channel as our commercial products, keeping the development goals aligned," Moore says. And the Metasploit team is working on improving the automated exploit feature, he says.

And interestingly, Metasploit's commercial products, which also include Metasploit Express, a low-cost pen-testing tool with a full GUI and automated exploitation and reporting for enterprises, have been critiqued by some for not offering exploit packs or zero-day exploits, Moore says.

Meanwhile, Metasploit Pro is is priced at $15,000 per (named) user per year.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights