Tuesday, 18 October 2011

Pentesting for the masses

Want to run a penetration test but don't have the budget to call in a specialist group, nor the time to get to grips with the Metasploit console? Rapid7 has today launched Metasploit Community Edition, which combines the features of the free Metasploit Framework with a cut-down version of its commercial interface.

Metasploit Pro provides a relatively simple interface to the powerful but complex vulnerability testing system that is Metasploit Framework. But it costs money. If you have to ask how much, you probably can't afford it. Just to give you an idea, Metasploit Express (a cut-down version of Pro) costs $3,000. In contrast, Metasploit Community Edition is free.

Metasploit Community Edition's features include:

  • A simple graphical user interface
  • Network discovery
  • Integration with vulnerability scanners (e.g. Nmap)
  • Basic exploitation
  • Module browser (providing access to lots of exploits)

You can see a comparison chart on Rapid7's site. What sticks out to me is that if you want to run a deep pen test (potentially for/against a third party) you really should be looking at Metasploit Pro or Framework. Express and Community don't provide features such as "Mimic... APTs", "advanced evasion techniques" and "social-engineering campaigns."

HD Moore says:
"Metasploit Framework users fall into two camps: first, there are security researchers and developers who want a powerful platform to build custom tools and processes. The command-line interface works very well for them today, and we continue to invest in this interface.
Second, Metasploit Framework is used by security and IT professionals to verify vulnerabilities and to conduct security assessments. For this group of users, the command-line console may not be the best fit. Metasploit Community Edition provides a much more accessible solution for this group – for free."