The Metasploit Express interface walks through the process of scanning, exploiting, and bruteforcing a target network. Evidence can be quickly collected from compromised machines and fed back into the exploit and bruteforce tasks to go even further, using techniques like Pass-the-Hash and SSH key reuse. After the penetration test is complete, high-quality reports can be generated and used to report the findings and provide an audit log of every action taken during the test.
On October 20th, we launched Metasploit Pro, which builds on Metasploit Express to provide multi-user team support, social engineering campaigns, web application exploitation, advanced evasion techniques, and my personal favorite, VPN Pivoting. Where Metasploit Express is a great product for accelerating the penetration testing process, Metasploit Pro goes even further by enabling security teams to coordinate penetration tests through a central interface and conduct security tests at every level against the target network, from the human aspect (social engineering) down to the nitty gritty server-side exploits.
The VPN Pivot functionality in Metasploit Pro turns any compromised machine into a remote ethernet interface into the target network. This enables users to compromise an internal machine (say, through a browser exploit), and then use the VPN Pivot to continue to scan and exploit other internal machines behind the firewall.
Unlike other pivoting technologies, VPN Pivot can be used with any network tool, as it creates a real interface on the Metasploit Pro system. This allows standard penetration testing and vulnerability assessment tools to be used over the interface created by Metasploit Pro. To cap things off, we added the ability to create custom reports, using the JasperSoft reporting engine and the iReport graphical report editor.
All three products share the same exploits, payloads, and libraries. The difference is the additional functionality, scalability, team support, and general scope of each tool. The Metasploit Framework is still a first class tool for exploit development and penetration testing, but the commercial products make it significantly easier to leverage these capabilities at a larger scale.
What are your plans for the near future? What features can Metasploit users look forward to?
With the Metasploit 3.5.0 release (all products share the same version number), we are going head-first into web application security. This required a huge overhaul of the backend database and we still have additional work to do in updating our web modules and filling in the gaps where coverage is missing.