We knew it was coming, so read on. If you want a live demo with HD Moore, join him for a live Metasploit Pro demo on November 2nd @ 2pm Eastern. Register here: http://bit.ly/dqhMZB


And let's not forget this...


For full press release:
http://www.rapid7.com/news-events/press-releases/2010/2010-introduces-metasploit-pro.jsp

For product info:
http://www.rapid7.com/products/metasploit-pro.jsp

Don

This is exciting news.  The price is rather hefty, but I believe it is still cheaper than Core IMPACT.  I can't wait until someone does a side by side comparison of the two.  I will have to play with the trial version in the mean time.

BTW - you were also asking about a comparison of Core vs Metasploit Pro. Pro is very new, so no public comparison is available yet but check out the HackMiami Pwn-Off between Core Impact Pro and Metasploit Express, which has a smaller feature set than Metasploit Pro.

You can read the review here: http://www.n00bz.net/

Hi BillV,

no, I'm not with HackMiami - yes, they're cool guys. I'm actually with Rapid7, the people behind Metasploit. On this forum to keep the community informed of recent developments and to answer questions about Metasploit.

Chris

Ahem Hate to be the bearer of realistic news here, but I think I'll wait until metasploit professional has matured a bit. The difference between Core and Metasploit would be Core's capability and experience at developing weaponized 0day from reversed Patch Tuesday's and advisories.

HDMoore is a helluva guy (hey HD, I know you pop in from time to time) however, Core has some seriously scary guys. HD is literally a one man team (very effective one not to take anything away whatsoever.) Metasploit was and is popular because of the granularity involved with being able to plop in anything your heart desires. From a "geek" slash "hacker" perspective its cool however, from the Whitehat/Crystalbox side of the show... No one is getting their hands dirty. After all, WTH would I be plopping down $30k for Core or to be more precise $3k for a contractor license Two ways to skin a cat here.

Anyhow, unless Rapid7's MSploit Pro is ready to deploy some highly effective unseen exploits immediately, I anticipate MSploit Pro to be a real slow seller. I mean this in a respectful, articulate and "matter of factly" tone so don't confuse it with negativity. Right now, if I can't "get it poppin" with Canvas + Metasploit community + some social engineering, then I move on to Core when financially practical. I can't think of a reason to replace or "assist" my existing tools so it would be a hard pitch to my CTO.

me: "I need MSploit Pro"
him: "why I just got you Canvas with exploit packs"
me: "Because I uh.... Well metasploit community is limited..."
him: "to what... What could it possibly do that you couldn't socially engineer your way in"
me: "reports!"

Make sense? Most of the times I have to fight tooth and nail for tools that I need and I have to make my budget money go the distance. I LOVE playing with tools, but until I see something "to the extreme", I would be hard pressed arguing the case to purchase it. I DL'd a copy, just haven't had time to play with it yet. I would love to put it to my OWN testing then make a vid to post As I've shown before, I managed to get more "exploited" with Canvas than I did metasploit: http://www.infiltrated.net/Metasploit-Express-Versus-Canvas/

HD, thanks for coming back again and clarifying things. First off, thanks for the many years of reading material and keeping metasploit cool. Second, congrats on doing things your way with metasploit even with the Rapid7 purchase/joint venture, I'm sure politricks can be a pain sometimes but hopefully Rapid is smart enough to let you continue running the metasploit show. Thirdly... Yes! I will get around to putting a video on Metasploit Express to counter Metasploit versus Canvas (just really busy) I know I said I would and I haven't forgot...

Anyway, its good to see the numbers (how many developers, etc.), albeit known that many companies don't like sharing this information (perhaps we could go kick chameleon @ eeye). It gives a lot of credibility for those who are unaware of 1) metasploit 2) Rapid7 and 3) the merger/buyout between the two.

Don't get my initial post wrong, I love metasploit, I use it intensely professionally and academically (learning) for a variety of things not limited to penetration testing. I'm aware of ExploitHub's POV and direction and would love to see that pan out. It would likely be a "sick" mashup for pentesters if a ZDI/iDefense approach was taken. "Mix and match your metasploit modules." THAT would be worth it by far.

I spoke with Ivan Arce via email about this one time (pay for play security research) and they (Core) decided it didn't fit their model. THAT is something to think about for a moment. Look @ what Dave @ Immunity has going on with like D2 Exploit pack, etc., or ZDI. Any indications/hints of you guys (Rapid+Metasploit) doing the same - Pay for Play/Security Research/Exploit Wednesdays_to_Metasploit_Modules?