I got a chance to see the Metasploit Express beta in action last week at NoVa Hackers. I was planning on writing about my impressions, but there is plenty out there from people who have spent a good deal more time in front of the beta than I have. Instead, I’m going to delve into pertinent questions a company should ask itself to see if Metasploit Express fits into the security program.

I am a fan of Core Impact, and not only because they let me into their party at Blackhat Las Vegas last year. They make a good product. However, a common scenario I have seen in my experience as a security consultant is companies purchasing flashy products without thinking about how those products will integrate into the security program. The Core Impact sales team comes in with their vulnerable machines and does the point-and-click to root. Then the general consensus is “We’ve got to get that. It’s shiny!” The problem is that when Core Impact shows up on the corporate network, it doesn’t get any shells. Why? Because the customer is using Core Impact specifically for patch management, which they already have under control. If a strong patch management system is already in place on the network, the default network scan from Core Impact will yield very little.

Metasploit Express builds off a very powerful open source tool with a wide variety of capabilities. It is quite possible that the product will be able to fill a gap in your security program. However, without researching your company’s needs, risks, and what Metasploit Express can do to meet them, you won’t get the most out of Metasploit Express. Sleek interfaces and support from Rapid7 cannot make up for a lack of understanding of your particular security needs.

On the whole, I’m glad to see Metasploit potentially reach a wider corporate audience with Metasploit Express. In many cases Metasploit in its current form is considered a hack tool and passed over for products such as Core Impact that have a company backing them and a hefty price tag. So long as I can still use community-supported Metasploit for my everyday vulnerability research, I’m happy to see Metasploit get the piece of the corporate pie it has long since earned.