
About Metasploit licensing

Update on 2019 Jan 2.

The information below is outdated; it is kept here for the historical record.

The latest Metasploit licensing will remain either open source, i.e. Metasploit Framework, or the Metasploit Pro edition only. It is available on a license subscription (LS) basis only, and the previous perpetual license (PL) is dropped.

Commercial use of Metasploit will use either the Express or Pro edition.

For a quick summary of what each edition covers, please see the table compiled below:

Feature Details Metasploit Framework Metasploit Community Metasploit Express Metasploit Pro
License Use one of several editions. Commercial licenses are annual named-user licenses with unlimited installs per user. (Price / renewal rate from the 2nd year onward when renewed on time) Free Free $5,000 / $1,750.00 $20,000 / $7,000.00
Quick Start Wizards Conduct baseline penetration tests to find low-hanging fruit, web app tests, or phishing campaigns. Shortcut the first steps of an engagement and go deeper after the Wizard completes. Y
Smart Exploitation Have Metasploit auto-select all exploits that match fingerprinted devices and services. Select a minimum reliability ranking for safe testing. Supports dry-run to see which exploits would be run before launching them. Y Y
Credentials Bruteforcing Try out the most common or previously captured passwords on more than a dozen service types with one command. Password hashes can be automatically cracked if based on weak passwords or used in pass-the-hash attacks. Y Y
MetaModules MetaModules simplify and operationalize security testing for IT security professionals. Many security testing techniques are either based on cumbersome tools or require custom development, making them expensive to use. To expedite this testing, MetaModules automate common yet complicated security tests that provide under-resourced security departments a more efficient way to get the job done. MetaModules include operations for network segmentation and firewall testing, passive network discovery, and credentials testing and intrusion. Y
Closed-loop Risk Validation Verify vulnerabilities and misconfigurations to prioritize risks and return the results into Nexpose Y
Web App Testing Scan, audit and exploit web applications for vulnerabilities, including the OWASP Top 10 2013. Y
Social Engineering For Penetration testers: Send out phishing emails containing attachments or links to websites hosting exploits or fake login forms. Create USB flash drives with malicious files to compromise a machine.

For security programs: Send out simulated phishing emails to measure user awareness, including how many people clicked on a link in an email or entered credentials on a fake login page, and deliver training to users who’ve shown risky behavior.

Y
Pro Console Advanced command-line functionality of Metasploit Pro to get access to new, high-level commands, better manage your data and generate a single report for all activities, increasing your overall productivity. Y
Reporting Create basic penetration testing reports without cutting and pasting information, including audit reports and compromised hosts reports.

Pro Edition only: Create reports for web application testing and social engineering campaigns as well as compliance reports that map findings to PCI DSS or FISMA requirements.

(Y) Y
Anti-virus Evasion Use Dynamic Payloads to get past anti-virus solutions, wasting no time on writing your custom payloads, encoding existing Metasploit Framework payloads, and testing if they get past particular AV solutions. Y
VPN Pivoting Get full layer-2 network access through a compromised host, enabling you to use any network-based tool through a compromised host, e.g. a vulnerability scanner, to get more visibility and use advanced techniques. Y

Detailed Metasploit Editions Comparison Table

Feature Details Metasploit Framework Metasploit Community Metasploit Express Metasploit Pro
Pricing
License Use one of several editions. Commercial licenses are annual named-user licenses with unlimited installs per user. (Price / renewal rate from the 2nd year onward when renewed on time) Free Free $5,000 / $1,750.00 $20,000 / $7,000.00
User Interface
Web-based User Interface User-friendly web-based user interface that increases productivity and reduces training needs. Y Y Y
Command-Line Interface Basic command-line interface, most prominently used in Metasploit Framework. Y Y
Pro Console Advanced command-line functionality of Metasploit Pro to get access to new, high-level commands, better manage your data and generate a single report for all activities, increasing your overall productivity. Y
Penetration Testing
Comprehensive Exploit Coverage Metasploit includes the world’s largest public collection of quality-assured exploits. Y Y Y Y
Manual Exploitation Select a single exploit to launch against a single host. Y Y Y Y
Basic Exploitation Select a single exploit to launch against any number of hosts in your environment. Y Y Y
Smart Exploitation Have Metasploit auto-select all exploits that match fingerprinted devices and services. Select a minimum reliability ranking for safe testing. Supports dry-run to see which exploits would be run before launching them. Y Y
Exploitation Chaining Automatically combine several exploits and auxiliary modules, e.g. to compromise Cisco routers Y
Evidence Collection Collect evidence of compromise with one button, including screenshots, passwords and hashes, and system info Y Y
Post-exploitation Macros Automatically launch a customized set of post-exploitation modules after successfully compromising a machine, e.g. to automatically collect evidence from hosts. Y
Persistent Sessions Re-establish a session after a connection gets interrupted, e.g. because of a phished user who closes his laptop. Y
Bruteforcing Credentials Try out the most common or previously captured passwords on more than a dozen service types with one command. Password hashes can be automatically cracked if based on weak passwords or used in pass-the-hash attacks. Y Y
Social Engineering Send out phishing emails containing attachments or links to websites hosting exploits or fake login forms. Create USB flash drives with malicious files to compromise a machine. Y
Web App Testing Scan, audit and exploit web applications for vulnerabilities, including the OWASP Top 10 2013. Y
IDS/IPS Evasion Get to the target without being detected through IDS/IPS evasion Y
Anti-virus Evasion Use Dynamic Payloads to get past anti-virus solutions, wasting no time on writing your custom payloads, encoding existing Metasploit Framework payloads, and testing if they get past particular AV solutions. Y
Payload Generator Generate stand-alone Classic Payloads through an easy-to-use interface Y
Proxy Pivoting Use a compromised machine to launch an exploit against another target. Y Y Y Y
VPN Pivoting Get full layer-2 network access through a compromised host, enabling you to use any network-based tool through a compromised host, e.g. a vulnerability scanner, to get more visibility and use advanced techniques. Y
Reporting
Basic Reporting Create basic penetration testing reports without cutting and pasting information, including audit reports and compromised hosts reports. Y Y
Advanced Reporting Create reports for web application testing and social engineering campaigns as well as compliance reports that map findings to PCI DSS or FISMA requirements. Y
Productivity Enhancements
Quick Start Wizards Conduct baseline penetration tests to find low-hanging fruit, web app tests, or phishing campaigns. Shortcut the first steps of an engagement and go deeper after the Wizard completes. Y
MetaModules MetaModules simplify and operationalize security testing for IT security professionals. Many security testing techniques are either based on cumbersome tools or require custom development, making them expensive to use. To expedite this testing, MetaModules automate common yet complicated security tests that provide under-resourced security departments a more efficient way to get the job done. MetaModules include operations for network segmentation and firewall testing, passive network discovery, and credentials testing and intrusion. Y
Discovery Scans Leverage the integrated nmap scanner in combination with advanced fingerprinting techniques to map out the network and identify devices Y Y Y
Replay Scripts Generate scripts that replay an attack so that your customers can test if remediation worked. Y Y
Data Management Track all discovered and found data in a searchable database. Find outliers through the Grouped View. Y Y Y
Tagging Tag hosts to assign them to a person, mark an import source, mark the scope of a project, or flag high-value targets. Use tags to refer back to hosts in later actions. Y
Task Chains Create custom workflows to start manually, schedule once or on an ongoing basis. Y
Pro API Use an advanced, fully documented API to integrate Metasploit Pro into SIEM and GRC solutions or create custom automations and integrations. Y
Integrations Integrate out-of-the-box with GRC and SIEM solutions Y
Team Collaboration Work on the same project with several team members, splitting the workload and leveraging different levels of expertise and specialization. Share all information and create a unified report. Y
Security Programs
Closed-loop Risk Validation Verify vulnerabilities and misconfigurations to prioritize risks and return the results into Nexpose Y
Managing Phishing Exposure Send out simulated phishing emails to measure user awareness, including how many people clicked on a link in an email or entered credentials on a fake login page, and deliver training to users who’ve shown risky behavior. Y
Vulnerability Verification
Vulnerability import Import output files from Nexpose and third-party vulnerability scanners Y Y Y Y
Web vulnerability import Import output files from various third-party web application scanners Y Y
Nexpose scans Start a Nexpose scan from within the interface. Results are automatically imported to Metasploit. Y Y Y
Direct Import Directly import existing Nexpose scans by site. Y
Vulnerability exceptions Push vulnerability exceptions back into Nexpose after verification, including comments and expiration date of how long vulnerability should be suppressed from Nexpose reports. Y Y
Closed-loop Integration Tag and push exploitable vulnerabilities back to Nexpose for follow-up. Y
Re-run Session Re-run an exploit to validate that a remediation effort, e.g. patch or compensating control, is successful. Y Y
Support
Community Support Get peer support through Rapid7 Security Street Y Y Y Y
Rapid7 Support Get Rapid7 24/7 email and phone support Y Y