Just in case you thought technology wasn't moving fast enough on the wrong side of the law, a new version of the leading white-hat hacker tool was announced this week.
Metasploit Pro 4 is the commercial version of the Metasploit Framework, an open-source project application that provides automated vulnerability scanners and other tools in a single interface to make it simpler for security pros to test their own sites.
Software developer Rapid7 bought Metasploit in 2007 and converted it to the same kind of commercial/open set of product editions that Oracle and Sun each did with Java.
The commercial version gets the good stuff first, though much of the technology trickles through to the open source version.
The new angle for v 4 is integration -- more than a dozen application scanners, vulnerability testers and other tools are integrated into the package to let good guys do a wide range of testing and vulnerability scanning without having to switch tools.
The new version also adds a cetral database to store all the security information , which can be exported in XML and shared across a secret IRC channel. It also allows exploit attempts to be automated and run faster and more frequently than a simple human could manage.
It can also import security data – both exploits and code, and configuration and usability data. It also supports cloud computing and virtualization by being deployed as a VMware virtual machine and run as a VM on Amazon's EC2 infrastructure-as-a-service as an image in one of several versions of Linux.
Few other penetration testing tools are equipped to bring so much additional information on exploits and configs with them.
How much use that would be to a white hat working full time for the same company, while staying put all the time is questionable.
How useful it would be to a hacker for whom every night is another server and another set of problems to crack with as wide a variety of tools as it would take, preferably all in one place so they can jump up and move to the Shetland Isles or some other bucolic and relatively narc-free site on a moment's notice.
Rapid7's tools and association with the favorite toolkit of top hackers makes it a favorite of both legitimate and non-legitimate security professionals.
I don't know what groups like LulzSec, Anonymous and Web Ninjas would do without MS and its new features. They have such a hard time getting into other people's servers already..