Now a while back I had a little go with Metasploit when it was 2.x, and to be frank it was a little scary and confusing. I could tell there was a lot of power under the hood, as it were, but I didn't have the time to get to grips with it.
Now I've just set up a 2k server target and installed Metasploit 3 on my attack machine. Without reading any documentation, I started Metasploit for the first time and five clicks and two IPs added later I had owned the target.
Five clicks and a little common sense.
Is anyone nervous that this might be taking the edge off the skills of your profession? I've been unfortunate enough to work with "paper" MCSEs and CCNAs** who have NO idea about what they're doing, and I don't like the way they dilute the skills pool. I can foresee a rash of idiots with meta and a copy of nessus labeling themselves as security consultants (not to mention IRC channels worldwide filled with skiddies who think themselves uber-leet because they took a live CD into school and now have domain admin).
Now I'm not trying to put the metasploit team down, far from it, I can now use the "power" that was just outside my grasp and I can tell I'm going to have a lot of fun with it and even after a few mins of use I can tell that some very very smart people have spent a long long time making this.
Nor am I trying to put pro-pentesters down, I know there's more to pentesting than just scanning and running exploits*** and the skilled professionals will survive much longer than the unskilled, but how easy is too easy? Wouldn't you like to keep it just a little bit black-art? or is it good that this tool makes it easier for poeple to aproach the topic and then progress to a higher understanding?
* this is no mean feat by any standards
** in the intrests of honesty you should know I have neither of these qualifications
*** please tell me I'm right on this one