October 28, 2016

Rapid7 Introduces Metasploit Community Edition

(LiveHacking.Com) – To coincide with the second anniversary of Rapid7’s acquisition of the Metasploit project, it has announced that as of version 4.1 of Metaploit, there will now be a Metasploit Community Edition, a free commercial product that is available for both personal and professional use. Metasploit Community Edition includes the same network discovery, data import, and Nexpose integration as its Metasploit Pro counterpart.

Rapid7 are releasing the Metasploit Community Edition to address the growing gap between two types of users: The security researchers and developers who want a powerful platform to build custom tools and exploits using the console interface and the security and IT professionals that use the Metasploit Framework to conduct security assessments and verify vulnerabilities.

The free Community Edition provides a simple path for identifying targets, selecting an exploit, and launching it. Sessions can be managed through the user interface and have full access to the extensive post-exploit modules built into the Metasploit Framework.

“The best way to tackle the increasing information security challenge is to share knowledge between practitioners, open source projects and commercial vendors,” said HD Moore, Rapid7 CSO and Metasploit chief architect. “With that in mind, we’ve combined the Metasploit Framework with Rapid7’s commercial development to bring together the best of both worlds – the collaboration of security researchers around the world with quality-tested and stable commercial features. The new Metasploit Community Edition will greatly help security professionals seeking to understand risk and improve their security programs without needing to increase budgets.”

Metasploit Community Edition is available today as part of the Metasploit 4.1 release.

Metasploit 4.0 Released With 20 New Exploits

(LiveHacking.Com) – The first iteration of the 3.x series of Metasploit was released five years ago. Now after uncountable hours of coding and testing, the Metasploit Framework 4.0 has been released. This new release ships with 716 exploit modules, 361 auxiliary modules, and 68 post modules. As well as 20 new exploits, 3 new auxiliary modules, and 14 new post modules since V3.7.2.

Metasploit Framework 4.0 comes with an abundance of new features and bug fixes. There are 14 new post modules including new password-stealing post modules. Adding to Metasploit’s extensive payload support, Windows and Java Meterpreter now both support staging over http and Windows can use https.

Six of the twenty new exploits came via the recent Exploit Bounty where contributors were paid $500 or $1000 (in the form of American Express gift cards) for creating any exploit module for an item from Metasploit’s top 5 or top 25 exploit lists.

Also new in V4.0 is a consolidated pcap interface. The pcaprub extension ships with the Linux installers as of this release and support for Windows will come soon. Modules that used Racket for generating raw packets have been converted to Packetfu, which provides a smoother API for modules to capture and inject packets.

Metasploit 4 is available to download from the project’s site where you can also find update instructions. Full details of this release can be found in the Release Notes.

Metasploit Framework 3.7.0 Released

Two months after the release of the Metasploit Framework 3.6, the Metasploit team has announced the availability of Metasploit Framework 3.7.0. Since V3.6 the developers have focussed on one of the least-visible, but most important pieces of the Metasploit Framework; the session backend. This overhaul increases performance in the presence of many sessions and allows for a larger number of concurrent incoming sessions in a more reliable manner.

Metasploit now ships with 685 exploit modules of which 35 are new, 355 auxiliary modules (15 new), and 39 post modules (17 new).

V3.7 also includes some new features:

  • Support for SMB signing, enabling pass-the-hash and stolen password attacks against Windows 2008 Server environments.
  • The Microsoft SQL Server mixin (and all modules) now supports NTLM authentication.
  • Data import backend has undergone a rewrite, speeding up most import tasks by a factor of four.
  • OS information is now normalized to make fingerprinting more accurate and easier to deal with.

Highlights from the new modules include:

  • Apple iOS Backup File Extraction: Extract sensitive data from iTunes backup files (location, call history, SMS content, pictures, etc).
  • Exploits for two different Adobe Flash vulnerabilities exploited in the wild.
  • Code execution modules for MySQL and PostgreSQL when a valid login is available.
  • Exploit for the Accellion File Transfer Appliance Default Encryption Key flaw found by Rapid7.
  • Over ten new exploits for HP Network Node Manager (plus an HP OpenView exploit).
  • Post-exploitation module for privilege escalation through the .NET Optimizer Service.
  • Post-exploitation modules for stealing stored WinSCP and VNC passwords.

Metasploit Upgraded to V3.6 – Pro Version Has Better PCI DSS Compliance Reporting

Rapid7 has released V3.6 of its penetration testing suite Metasploit. The tools comes in three flavors: Pro, Express and open source. The most significant improvements have been made to the Pro version but Metasploit Express and the open source version have also had several improvements.

Metasploit Pro now generates reports for PCI DSS compliance with pass/fail information for applicable PCI DSS requirements. Also new to the Pro version is a feature that allows users to freely assign tags to assets based on multiple criteria such as compliance, operation workflow and team collaboration on different operational units.

Post-Exploitation modules is a new feature found in all editions. It includes more than a dozen modules that can be run on exploited systems to perform actions such as gathering additional information, pivoting to other networks and elevating system privileges.

This release also adds 15 new exploits making a total of 64 new modules since version 3.5.1 and brings the grand total to 648 exploit modules, 342 auxiliary modules, and 23 post modules.

Metasploit Framework 3.6.0, the open source edition of Metasploit, can be downloaded from here.