Last updated at Tue, 05 Dec 2023 19:46:26 GMT

On this first anniversary of Rapid7's acquisition of The Metasploit Project, we are proud to announce the release of the newest version of the Metasploit Framework, 3.5.0, with over 600 exploits and tons of bug fixes.

A lot has happened in the last year.  Twelve months ago, lots of folks were asking whether the acquisition was going to mean the end of Metasploit.  To address some of those questions a year ago, I promised several things.  First, I promised Quality Assurance and fewer bugs; Jonathan Cran is our dedicated quality assurance tester and has produced an excellent testing procedure as well as numerous methods for automating the framework.  Because of the team's emphasis on quality, many show-stopping bugs were found and fixed long before they caused a problem for anyone.  I promised faster development and a glance at our subversion history will show you just how much faster: we have had more commits in the last year than the previous three combined.  I promised more exploits.  A year ago, Metasploit contained 445 exploits.  Today there are 613, due in large part to Josh Drake whose tireless efforts have brought us exploit modules for many of the bugs being exploited in the wild.  I also promised greater stability and new features.  In the last year, we've vastly improved the framework itself and launched two successful commercial products around it.  Before the acquisition, meterpreter was only for 32-bit Windows.  Now it supports PHP, 64-bit Windows (thanks to Stephen Fewer), and Java (thanks to Michael Schierl) and Philip Sanderson has made considerable progress on support for POSIX.  When possible, it also now encrypts its communications and compresses files when downloading.  Additionally, several important bug fixes have increased meterpreter's reliability and scalability.

But most importantly, I and others at Rapid7 promised that the Metasploit Framework would continue to be Free.  We have not wavered on that promise, nor will we -- the Framework is still available under the same BSD license.

Today's 3.5.0 release adds even more functionality including scriptjunkie's Java GUI as a replacement for the old msfgui which relied on buggy and unmaintained GTK libraries. Thanks to a plugin by Zate Berg, you can now control Nessus directly through msfconsole.  Another new plugin, from Jonathan Cran, gives you the ability to control VMWare virtual machines as well.  Database imports have been expanded to include Retina, Netsparker, and our own Metasploit XML which you can create with the new db_export command.  An improvement to the meterpreter script API design makes it much easier to avoid duplicating code.  For advanced users with specific networking requirements, the bind address for reverse payloads can now be controlled independently from LHOST with the ReverseListenerBindAddress option.  This release also fixes a long-standing issue on Windows-native ruby that prevented background threads from working.  As a result, the new installer no longer requires Cygwin and Windows users should notice a considerable performance increase.  The msfcli interface has been revamped and now has the ability to run background exploits and catch more than one shell.  For a more detailed list of changes see the release notes.

Many of these improvements in the free Metasploit Framework were made possible or accelerated by the funds provided by the commercial Metasploit products, including the new Metasploit Pro, which Rapid7 announced yesterday.  One year ago, an enterprise-class penetration testing tool would set you back the cost of new car. Today, commercial Metasploit editions are available at between half and a tenth of that price, benefiting both the commercial sector and the open source community.

In the last twelve months, the community that some said would abandon us has flourished -- our active user base has grown five-fold.  We have had more patches, more bug reporters, more contributors, and generally more involvement.  Over one million unique IPs downloaded and updated the framework in the last year.  I think we can safely say Metasploit is here to stay.

I'm glad I was able to keep my promises but I'm equally glad that this prediction came true: "From my perspective, it's going to be awesome."