Browsing articles from "March, 2010"

Metasploit Express Thoughts

Mar 16, 2010   //   by SecAdmin   //   Assessment

Initial Metasploit Express Thoughts

On April 22, Rapid7, a leader in vulnerability management and the recent acquirer of Metasploit LLC, announced the release of a commercial Metasploit product labeled “Metasploit Express.” The commercial release of the once totally open source exploit framework signifies both advancement in the legitimacy of exploitation frameworks and the growing need within the marketplace for exploitation assistance solutions. Of course, neither of these positive signals will ease the queasy feeling that most Metasploit Framework evangelists will have with the release of a commercial offering. Nor is it likely that the release will do much good for the exploitation framework market or have a major impact on the vulnerability management market.

The Product

Not much is known about Metasploit Express from a product standpoint, as the Beta release (which SecAnalysis writers are signed up for) has not gone live yet. Supposedly Metasploit Express is essentially the same product as the well-known open source Metasploit Framework, with a few basic exceptions. Most notably, the commercial offering now has a “full graphical user interface” and is now supported by Rapid7's customer support staff. In addition, Metasploit Express also boasts automated exploits and exploitation of common insecure configurations (notably insecure username and password configurations).

Market Impact

From a market perspective there is not a lot of good that comes from the commercial release of Metasploit Express. The exploitation framework market is already relatively small, thus the commercial entrance of a major player like Metasploit makes it even more difficult for companies like the current leaders, CORE Security and Immunity, to generate business. Although the business models of the two reigning leaders are strong enough to be resilient against a more saturated market, it is not unlikely that both companies will be forced to reduce some investment into research and/or product improvements. This is particularly unfortunate, as both companies have made large strides at creating more effective and enterprise-ready products in recent years.

Many will no doubt argue that offering Metasploit commercially will shed some much needed light on the exploitation framework market. That message may be easy to push; however, it is difficult to justify. If anything, the entrance of Metasploit into the commercial realm confuses the market. Integrations such as the one boasted by CORE IMPACT (which now integrates Metasploit exploits into the IMPACT framework) become a touch more interesting. The licensing model leveraged by the open source Metasploit Framework is currently very flexible; however, what happens if no one is buying Metasploit Express because CORE offers essentially the same thing in their integrated IMPACT product (with several competitive differentiators)? Furthermore, what will happen if Rapid7 determines that they could increase revenue by cutting into CORE’s current market share? How will the Metasploit licensing change? How will CORE cope with the new market competition? These questions will most likely pan out with the natural progression of the market.

Of course, the exploitation market impact is less of a concern to Rapid7 when considering the vulnerability management market, where Rapid7 is focused. Unfortunately, however, the impact on the vulnerability management market is minimal at best. The vulnerability management market is still primarily predicated on compliance and not on security. Thus, the addition of an easy-to-use penetration testing capability does little to make Rapid7's current offerings any more attractive. Furthermore, Metasploit Express does little to differentiate Rapid7 from vulnerability management market competitors, especially when considering the fact that most of the market players already have integrations with penetration testing tools. In addition, there is little that a commercial Metasploit version adds in terms of marketability of the Rapid7 name. The acquisition of Metasploit may have granted Rapid7 some much needed publicity; however, the commercial release of a Metasploit version does little to that end. If anything, the commercial release raises questions about Rapid7's intent, which is not necessarily positive publicity.

There is one major positive for Rapid7, however, and it comes from the perspective of investors. Over the past few years Rapid7 has shown growth through innovation and business tactics. Adding a commercial capability for the Metasploit Framework will show investors the potential for further growth in revenue with minimal investment (as much of the necessary development has already been done by the community for Metasploit Express). Thus, it is not unlikely that Rapid7 will be able to capitalize on investor interest in their company to create further growth (if Rapid7 is interested, of course).

Thoughts

The new features boasted in Metasploit Express all seem relevant, although it is unclear what is not “full” about the current Graphical User Interface (GUI) leveraged by the open source Metasploit Framework. Also, automation largely already exists in the autopwn capabilities boasted by the open source Metasploit Framework. This raises the question, what is really the difference?

It would seem as though the development is more focused on ease of use than anything. However, shouldn’t this have been the focus of the open source version as well? It is the opinion of SecAnalysis that “ease of use” as a competitive differentiator between a commercial offering and an open source solution is rarely a good thing. In such a scenario the vendor benefits from the open source project being clunky, broken, and unusable. Many may argue that this will not be the case with the Metasploit Framework; however, this does raise the question, “If Metasploit Express advancements are making the Metasploit Framework capabilities easier to use, where is the incentive for the open source project to move in the same direction?”

HD Moore and team are well overdue for getting paid for the excellent work they have done on the open source Metasploit Framework. They represent one of the most influential and yet humble and easy to work with teams within the security industry. There is no question that any profit HD and team gain is well earned. Where there are questions is in the purpose of releasing a commercial Metasploit offering. Visionaries and pioneers within the security industry, especially in the realm of exploitation frameworks, people like HD Moore as well as David and Justine Aitel (of Immunity), have earned their place amongst the leaders in the security industry. Up until this point there has been a relative balance between all of the much needed market players in exploitation frameworks. This is largely due to the vision that HD Moore had for his Metasploit Framework. As the exploitation framework market continues to evolve, one can only hope that HD Moore has found the components to realize his vision and Rapid7 is not defining (if not destroying) that vision to push their business agenda…

The Battle for My Home Network

Mar 16, 2010   //   by SecAdmin   //   Defense, Research

In considering new topics for blog posts, I came to realize that it may be interesting to spend a few posts discussing aspects of my home network. While I do not by any means consider my home infrastructure the Fort Knox of home network security, I would venture to say it is a little bit above and beyond the average home network. To start the series, I would like to talk about something very near and dear to my heart, Vulnerability Management. Several years ago, after progressing in my entry-level position as a State Police Information Security Officer, I was given a lateral promotion into a Vulnerability Management Coordinator (VMC) position within a large state government.

Due in no small part to the fact that I was still a little “wet behind the ears,” I was extremely dependent on tools in the early phases of my transition into the role of VMC. Thus, I am very selective when it comes to choosing the right vulnerability scanner, even in my home. Over the next two days I will be selecting a primary vulnerability scanner for my home network by researching industry leading freeware/community/trial vulnerability management solutions. In particular, the following vulnerability scanners will be considered:

  • Tenable Nessus (Home Feed)
  • Rapid7 NeXpose (Community Edition)
  • SAINT
  • eEye Retina

My early prediction is that I will most likely decide on Rapid7's NeXpose CE. Rapid7 NeXpose is amazingly similar to their commercial product, which is rapidly making waves within the security market. Furthermore, NeXpose Community Edition really exceeds my needs despite coming at the low price of free. I think NeXpose will most likely be challenged by Nessus. Not too long ago I had written Nessus off as a rapidly declining vulnerability assessment platform. In fact, my disappointment with my once favorite vulnerability assessment platform was so upsetting to me that I even decided to produce a mock break-up letter with Nessus. Recent developments, however, are highly influential. Nessus now sports a beautiful user interface that is hosted server-side, thus breaking the client-server model that Nessus was previously dependent on. These contributing factors could eventually give Nessus a leg up on NeXpose, but that remains to be seen.
