Today we announced that Core Impact Pro will be integrated with Metasploit in our next scheduled product release. As such, I just thought that I’d take the opportunity to let you know why we decided to do this.
Actually, the answer is quite simple, and it’s the same reason we do most of what we do in our products: we integrated with Metasploit because our customers wanted us to do it. This type of integration is actually something we’ve heard a good deal of feedback about, and so we’ve been examining the idea internally for a couple of years.
Many of our customers run Metasploit alongside Core Impact Pro for the same reason that many people used two scanners when Nessus was free for commercial use… that is, because they can.
Even though Core Impact Pro has far broader, deeper security content, including most of what’s in Metasploit, the truth is that it only takes that one vulnerability that you’ve missed for the bad guys to get in. If in a particular instance Metasploit has something we don’t, or something implemented differently so that it applies to a particular environment in another way, it’s worth it for testers to have that opportunity to double check and cross-reference their work.
In addition, many people run Metasploit for a while just to get started with penetration testing or because of budget reasons before they move on to using IMPACT Pro. Often they’ve learned certain things from using Metasploit, or may have customizations that they built in the framework that they haven’t yet moved over to IMPACT Pro. We want to support that evolution.
And finally, there’s the double-edged sword of being able to use an attack tool that’s fully available to anyone, as Metasploit is. It’s always possible that someday it will be used against you, so, it’s a good idea to try it out on yourself in addition to leveraging the comprehensive testing provided by IMPACT Pro.
Based on the feedback we received across our customer base, from our most technical consulting and red team clients to those who primarily use IMPACT Pro’s automation to point and shoot, we are providing two levels of Metasploit integration for each type of user.
For the expert, who is using Metasploit by hand to test systems, we’ll provide a way for a system with Meterpreter loaded on it through a Metasploit compromise to then have an IMPACT Pro agent loaded on it. This way, the user can use IMPACT Pro’s follow-on tools, including pivoting, local privilege escalation, assessment of multiple attack vectors and reporting, with that system in our product’s environment.
For the point and shoot user, we are integrating our automation with Metasploit’s db_autopwn feature so that they can take advantage of Metasploit’s basic capabilities via IMPACT Pro without first having to learn how to use them.
Many people may ask why we would integrate with the “competition,” especially since the Metasploit project is now owned by a commercial entity and likely to spawn new commercial products. Our view is that the Metasploit Project is not purely competition (see my blog post on the topic when the project was acquired) and that open source projects in every market help educate users and bring together creative ideas to push the involved technology’s value even further.
Every new user of Metasploit is a new potential user of IMPACT Pro in the future. The framework allows more people to see and understand what the penetration testing process can do for them, and then they can look to us for the most advanced, commercial automated penetration testing technology that has been professionally built and matured for almost a decade.
We know that to be successful, we have to provide the most value in IMPACT Pro that we can, and that this value is best defined by our customers; as long as we keep listening to them, we will continue to stay ahead of any competition.
A market leader always benefits most from continuing development in its space as long as they stay open to their current and future customers, and can move quickly to address demand. As I said above, the real reason we’re announcing Metasploit integration today is the same reason we do almost everything we do at Core Security today – because our users wanted it.
-Fred Pinkett, Vice President of Product Management