Top Features Overview: Free vs. Commercial Metasploit Editions


| Feature | Details | Metasploit Framework | Metasploit Community | Metasploit Express | Metasploit Pro |
|---|---|---|---|---|---|
| License | Use one of several editions. Commercial licenses are annual named-user licenses with unlimited installs per user. | Free | Free | $5,000 | Call |
| Quick Start Wizards | Conduct baseline penetration tests to find low-hanging fruit, web app tests, or phishing campaigns. Shortcut the first steps of an engagement and go deeper after the Wizard completes. | | | | Y |
| Smart Exploitation | Have Metasploit auto-select all exploits that match fingerprinted devices and services. Select a minimum reliability ranking for safe testing. Supports dry-run to see which exploits would be run before launching them. | | | Y | Y |
| Credentials Bruteforcing | Try out the most common or previously captured passwords on more than a dozen service types with one command. Password hashes can be automatically cracked if based on weak passwords or used in pass-the-hash attacks. | | | Y | Y |
| MetaModules | MetaModules simplify and operationalize security testing for IT security professionals. Many security testing techniques are either based on cumbersome tools or require custom development, making them expensive to use. To expedite this testing, MetaModules automate common yet complicated security tests that provide under-resourced security departments with a more efficient way to get the job done. | | | | Y |
| Closed-loop Risk Validation | Verify vulnerabilities and misconfigurations to prioritize risks and return the results to Nexpose. | | | | Y |
| Web App Testing | Scan, audit and exploit web applications for vulnerabilities, including the OWASP Top 10 2013. | | | | Y |
| Social Engineering | For penetration testers: Send out phishing emails containing attachments or links to websites hosting exploits or fake login forms. Create USB flash drives with malicious files to compromise a machine. For security programs: Send out simulated phishing emails to measure user awareness, including how many people clicked on a link in an email or entered credentials on a fake login page, and deliver training to users who've shown risky behavior. | | | | Y |
| Pro Console | Advanced command-line functionality of Metasploit Pro to get access to new, high-level commands, better manage your data and generate a single report for all activities, increasing your overall productivity. | | | | Y |
| Reporting | Create basic penetration testing reports without cutting and pasting information, including audit reports and compromised hosts reports. Pro Edition only: Create reports for web application testing and social engineering campaigns as well as compliance reports that map findings to PCI DSS or FISMA requirements. | | | (Y) | Y |
| Advanced Anti-virus Evasion | Use advanced anti-virus evasion techniques, such as custom executable templates, to ensure that your payload does not get stopped by anti-virus solutions on the target host. | | | | Y |
| VPN Pivoting | Get full layer-2 network access through a compromised host, enabling you to use any network-based tool through a compromised host, e.g. a vulnerability scanner, to get more visibility and use advanced techniques. | | | | Y |



Detailed Metasploit Editions Comparison Table


| Feature | Details | Metasploit Framework | Metasploit Community | Metasploit Express | Metasploit Pro |
|---|---|---|---|---|---|
| **Pricing** | | | | | |
| License | Use one of several editions. Commercial licenses are annual named-user licenses with unlimited installs per user. | Free | Free | $5,000 | Call |
| **User Interface** | | | | | |
| Web-based User Interface | User-friendly web-based user interface that increases productivity and reduces training needs. | | Y | Y | Y |
| Command-Line Interface | Basic command-line interface, most prominently used in Metasploit Framework. | Y | | | Y |
| Pro Console | Advanced command-line functionality of Metasploit Pro to get access to new, high-level commands, better manage your data and generate a single report for all activities, increasing your overall productivity. | | | | Y |
| **Penetration Testing** | | | | | |
| Comprehensive Exploit Coverage | Metasploit includes the world's largest public collection of quality-assured exploits. | Y | Y | Y | Y |
| Manual Exploitation | Select a single exploit to launch against a single host. | Y | Y | Y | Y |
| Basic Exploitation | Select a single exploit to launch against any number of hosts in your environment. | | Y | Y | Y |
| Smart Exploitation | Have Metasploit auto-select all exploits that match fingerprinted devices and services. Select a minimum reliability ranking for safe testing. Supports dry-run to see which exploits would be run before launching them. | | | Y | Y |
| Exploitation Chaining | Automatically combine several exploits and auxiliary modules, e.g. to compromise Cisco routers. | | | | Y |
| Evidence Collection | Collect evidence of compromise with one button, including screenshots, passwords and hashes, and system info. | | | Y | Y |
| Post-exploitation Macros | Automatically launch a customized set of post-exploitation modules after successfully compromising a machine, e.g. to automatically collect evidence from hosts. | | | | Y |
| Persistent Sessions | Re-establish a session after a connection gets interrupted, e.g. because of a phished user who closes his laptop. | | | | Y |
| Bruteforcing Credentials | Try out the most common or previously captured passwords on more than a dozen service types with one command. Password hashes can be automatically cracked if based on weak passwords or used in pass-the-hash attacks. | | | Y | Y |
| Social Engineering | Send out phishing emails containing attachments or links to websites hosting exploits or fake login forms. Create USB flash drives with malicious files to compromise a machine. | | | | Y |
| Web App Testing | Scan, audit and exploit web applications for vulnerabilities, including the OWASP Top 10 2013. | | | | Y |
| IDS/IPS Evasion | Get to the target without being detected through IDS/IPS evasion. | | | | Y |
| Advanced Anti-virus Evasion | Use advanced anti-virus evasion techniques, such as custom executable templates, to ensure that your payload does not get stopped by anti-virus solutions on the target host. | | | | Y |
| Proxy Pivoting | Use a compromised machine to launch an exploit against another target. | Y | Y | Y | Y |
| VPN Pivoting | Get full layer-2 network access through a compromised host, enabling you to use any network-based tool through a compromised host, e.g. a vulnerability scanner, to get more visibility and use advanced techniques. | | | | Y |
| **Reporting** | | | | | |
| Basic Reporting | Create basic penetration testing reports without cutting and pasting information, including audit reports and compromised hosts reports. | | | Y | Y |
| Replay Scripts | Generate scripts that replay an attack so that your customers can test if remediation worked. | | | Y | Y |
| Advanced Reporting | Create reports for web application testing and social engineering campaigns as well as compliance reports that map findings to PCI DSS or FISMA requirements. | | | | Y |
| **Productivity Enhancements** | | | | | |
| Quick Start Wizards | Conduct baseline penetration tests to find low-hanging fruit, web app tests, or phishing campaigns. Shortcut the first steps of an engagement and go deeper after the Wizard completes. | | | | Y |
| MetaModules | MetaModules simplify and operationalize security testing for IT security professionals. Many security testing techniques are either based on cumbersome tools or require custom development, making them expensive to use. To expedite this testing, MetaModules automate common yet complicated security tests that provide under-resourced security departments with a more efficient way to get the job done. | | | | Y |
| Discovery Scans | Leverage the integrated nmap scanner in combination with advanced fingerprinting techniques to map out the network and identify devices. | | Y | Y | Y |
| Data Management | Track all discovered and found data in a searchable database. Find outliers through the Grouped View. | | Y | Y | Y |
| Tagging | Tag hosts to mark an import source, assign them to a person, mark the scope of a project, or flag high-value targets. Use tags to refer back to hosts in later actions. | | | | Y |
| Task Chains | Create custom workflows to start manually, schedule once or on an ongoing basis. | | | | Y |
| Pro API | Use an advanced, fully documented API to integrate Metasploit Pro into SIEM and GRC solutions or create custom automations and integrations. | | | | Y |
| Integrations | Integrate out-of-the-box with GRC and SIEM solutions. | | | | Y |
| Team Collaboration | Work on the same project with several team members, splitting the workload and leveraging different levels of expertise and specialization. Share all information and create a unified report. | | | | Y |
| **Security Programs** | | | | | |
| Closed-loop Risk Validation | Verify vulnerabilities and misconfigurations to prioritize risks and return the results to Nexpose. | | | | Y |
| Managing Phishing Exposure | Send out simulated phishing emails to measure user awareness, including how many people clicked on a link in an email or entered credentials on a fake login page, and deliver training to users who've shown risky behavior. | | | | Y |
| **Vulnerability Verification** | | | | | |
| Vulnerability import | Import output files from Nexpose and third-party vulnerability scanners. | Y | Y | Y | Y |
| Web vulnerability import | Import output files from various third-party web application scanners. | | | Y | Y |
| Nexpose scans | Start a Nexpose scan from within the interface. Results are automatically imported to Metasploit. | | Y | Y | Y |
| Direct Import | Directly import existing Nexpose scans by site. | | | | Y |
| Vulnerability exceptions | Push vulnerability exceptions back into Nexpose after verification, including comments and an expiration date for how long the vulnerability should be suppressed from Nexpose reports. | | | Y | Y |
| Closed-loop Integration | Tag and push exploitable vulnerabilities back to Nexpose for follow-up. | | | | Y |
| Re-run Session | Re-run an exploit to validate that a remediation effort, e.g. patch or compensating control, is successful. | | | Y | Y |
| **Support** | | | | | |
| Community Support | Get peer support through Rapid7 Security Street. | Y | Y | Y | Y |
| Rapid7 Support | Get Rapid7 24/7 email and phone support. | | | Y | Y |