EH-Net
  Show Posts
1  EH-Net / Special Events / Re: [Article]-Webcast Exclusive: HD Moore Personally Offers Sneak Preview of New Metasploit Version on: July 28, 2011, 04:05:21 PM
Quick reply to idr0p as it relates to msfd. The "msfd" daemon (telnet interface to msfconsole) will not change, but you can use the new RPC interface to access a remote Metasploit console over SSL + authentication.
2  Resources / Tools / Re: Rapid7 Introduces Metasploit Pro on: November 02, 2010, 03:10:06 PM
Just chiming in real quick; The Metasploit team within Rapid7 consists of six full-time developers, the core community team is another 10, and we leverage the wider community contributions in our products as well. This collaborative approach for the shared core framework is why the commercial versions are more than competitive with other products on the market and why we continue to invest in the community.

The Metasploit commercial products are selling well not because they contain exclusive exploits, but because they make penetration testing relatively simple and handle the annoying parts of security work (automation, auditing, reporting, team collaboration). Most of what you can do in the commercial products can be done with the free framework, this is intentional, and our differentiators are really around how you use the capabilities within the framework, not the capabilities themselves.

The great thing about using the same Metasploit core as the free product is that you can leverage modules written by third-party developers. The exploithub.com project is one approach to getting access to additional exploits, but any exploits developed internally for the free version of Metasploit Framework can be used seamlessly with the commercial products.

-HD
3  Resources / Tools / Re: Canvas versus Metasploit on: August 26, 2010, 10:47:27 AM
Nice new video! This comparison highlights one thing that Metasploit Express does really well - it will not run an exploit in the Great category unless it can precisely fingerprint the target. In the latest video, the target is running Windows 2003 and is missing the MS08-067 patch. In the default configuration, you can't fingerprint the language pack or presence of NX on this OS version.

The reason why Metasploit Express skipped this system is that it could not reliably fingerprint it and choose the correct target. It appears that CANVAS just launched the exploit anyways, which is why you got a shell :) Running the same CANVAS attack against a non-English version of that 2003 installation would likely just crash the svchost process. If the SP1/SP2 version of 2003 is used, you also have to contend with ROP/NX targets. CANVAS may work even better here, but without accurate OS and language pack fingerprinting (i.e. the user specifies the target based on their knowledge), this will also crash non-English systems.

At the end of the day, CANVAS still got a shell on this system, where Metasploit Express did not, but the stability of the target network is often just as important as whether you get in during most engagements.

If you have time to do another comparison, try running against a larger number of systems and include some that are not the English language pack.

4  Resources / Tools / Re: Canvas versus Metasploit on: August 17, 2010, 10:07:10 AM
Awesome! Looking forward to seeing the next video, hopefully we can get db_autopwn rewritten/replaced in the next couple months. Covertness is the least of its problems right now, it's simply not reliable.

5  Resources / Tools / Re: Canvas versus Metasploit on: August 16, 2010, 10:37:17 PM
Great video! Canvas has come a long way in terms of usability.

There are two things I would like to point out about this demo; first, the SQLite adapter is no longer supported for automation as of 3.4.0, as it hits all sorts of fun bugs when you run more than a few threads. Second, the db_autopwn command is complete trash, the only exception is when you choose a specific set of modules with -m or through port exclusions. We have debated just getting rid of it, but too many people still use it for us to just remove the command. It's definitely due for a rewrite.

If you are looking for an even comparison, I recommend trying Metasploit Express (our commercial product). The exploit engine in Metasploit Express is not based on db_autopwn in any sense; instead, it buckets exploits by reliability, sorts by disclosure date, and orders the attacks to make sure the best exploit is always used first for a particular target. This engine will also leverage OS fingerprints and make sure that only a single attack is launched against a particular service of a particular host at the same time. This results in quick network-wide exploitation, all through a web browser, and with the full power of the Metasploit payloads.

You can get a free 7-day eval of Metasploit Express at the URL below. All proceeds from Metasploit Express directly contribute to the development of the open source Metasploit Framework.

http://www.metasploit.com/express

If you want to see how Metasploit Express stacks up against other commercial tools, take a look at the recent Hack Miami shootout results:

http://www.n00bz.net/metasploit-express/

-HD

