The sale of the Metasploit Project, and its highly respected pen-testing platform to vulnerability management vendor Rapid7 in October signals change for yet another major open-source project to a commercial company. In a wide-ranging interview, Metasploit founder H.D. Moore speaks about the evolution of the Metasploit Project, the threat environment it has grown in and what the acquisition means for the future of the project. Moore also talks about the latest Metasploit framework release (version 3.3), the project's open source exploit development and penetration-testing platform.
What kind of reaction has the Metasploit community had to the Rapid7 deal? What are your fans saying? H.D. Moore: For the most part, people who use the framework are happy about it. They key things are that the license doesn't change and that our development methodology doesn't change. We had a couple folks bring in some hard questions on the internal core development group, asking, 'Why would I work to enrich Rapid7's pockets?' The result of all the discussion was, well it really wasn't that much of a community project either. Going back to 2006, Metasploit was being run as an LLC. We had commercial training; we paid for a lot of our costs that way. And there really only were only a few core folks involved in the main development process.

You've just released Metasploit Framework 3.3, a full year after 3.2. What's new and improved? Moore: Nearly everything. We've added something like 120 new exploits, 100 new auxiliary modules, and almost every payload has been rewritten. The executable generator can now actually inject itself into existing binaries, so nearly all the antivirus signatures that previously blocked things like Metasploit-generated binaries no longer work. We now support Windows 7, Vista 64-bit, and 64-bit in general as both a target platform and as an attacking platform. We fixed tons and tons of bugs to make things more stable. We added a lot of new ways to embed payloads into a lot of different things. You can now put a payload into a Word document, into a Visual Basic script to make it persistent. Basically, we're going after a lot of scenarios all at the same time.

The link for this article located at SearchSecurity is no longer available.