Open-Source Metasploit Framework 5.0 Improves Security Testing

The first major milestone update to the open-source Metasploit Framework since 2011 is now available, making it easier for security researchers to test cyber-security defenses against exploits.

Metasploit 5

Among the most widely used tools by security researchers is the open-source Metasploit Framework, which has now been updated with the new 5.0 release.

Metasploit Framework is penetration testing technology, providing security researchers with a variety of tools and capabilities to validate the security of a given application or infrastructure deployment. With Metasploit, researchers can also test exploits against targets to see if they are at risk, in an attempt to penetrate the defensive measures that are in place. The 5.0 release of Metasploit introduces multiple new and enhanced capabilities, including automation APIs, evasion modules and usability improvements.

"As the first major Metasploit release since 2011, Metasploit 5.0 brings many new features, as well as a fresh release cadence," Brent Cook, senior manager at Rapid7, wrote in a blog post. 

The Metasploit project celebrated its 15th anniversary in 2018 and iterates on major version numbers infrequently. The Metasploit 5.0 update is the first major version change since Metasploit 4 was released in 2011. While major version numbers have not iterated frequently, a steady stream of exploit modules and incremental improvements are continuously added to Metasploit.

The Metasploit project itself was created by HD Moore, with commercial efforts moving to Rapid7 in 2009 after the effort was acquired. Rapid7 provides the commercially supported Metasploit Pro version of the Metasploit Framework.

Metasploit 5.0 Features

Among the core new features in Metasploit 5.0 is the extensibility of the framework's database back end, which can now be run as a REST web service. By extending the database as a web service, multiple external tools can pull from the same base and interact with each other.

"This release adds a common web service framework to expose both the database and the automation APIs," the release notes for Metasploit 5.0 states. "This framework supports advanced authentication and concurrent operations." 


Metasploit has had different types of evasion capabilities since at least the 3.0 release in 2006. Evasion refers to the ability to get around, bypass or "evade" a target's existing defenses, which could include antivirus, firewall, intrusion prevention system (IPS), or other technologies and security configurations. With the evasion modules capability in Metasploit 5.0, researchers can now more easily create and test their own evasion module payloads.

"The purpose of the evasion module type is to allow developers to build executables specifically to evade antivirus, and hopefully this creates a better pentesting experience for the users," Wei Chen, lead security engineer at Rapid7, wrote in the GitHub code commit for the evasion module.


Metasploit 5.0 now also brings improved usability for security researchers to test multiple targets at scale.

"While Metasploit has supported the concept of scanners that can target a subnet or network range, using an exploit module was limited to only one host at a time," Cook wrote. "With Metasploit 5.0, any module can now target multiple hosts in the same way by setting RHOSTS to a range of IPs or referencing a host’s file with the file:// option."

Usability also gets a boost with improved performance, including faster startup and searching capabilities than in previous versions of Metasploit. Additionally, with Metasploit 5.0, researchers are now able to write and use modules in any of three programming languages: Go, Python and Ruby. Overall, development for Metasploit 5.0 benefited from an updated process that included a stable branch that is used by Rapid7 and other distributions for everyday use and an unstable branch where new development can be rapidly added before it’s ready for broader consumption. 

"The takeaway is that Metasploit now has a more mature development process that we hope to continue leveraging in the future to enable even bigger improvements to the code base," Cook wrote.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.