Metasploit Express Review

Metasploit Express with Ubuntu
End of life for Metasploit Express Jun 4th 2019 - Read Notice here

The purchase of Metasploit by Rapid7 last year and the recent release of Metasploit Express has been big news in the security community.

I have finally gotten around to giving it a spin. So what is Metasploit Express? It is a web based front end for Metasploit that provides not only easy access to the underlying tool it also adds reporting and organisation to your penetration testing. Allowing projects to be saved, results stored and tested.

Sure does beat running metasploit and using a flat text file for your project database. 😉

I grabbed a copy of the Trial Version from the Metasploit website.

#chmod +x metasploit-3.4.0-linux-x64-installer.bin
# ./metasploit-3.4.0-linux-x64-installer.bin

Install was gui based and simple enough. Following the installation I was directed to web based console.


Create a user account.

Enter Product Key and Activate with A friendly reminder that we are in the world of commercial software.

Created Test1 and ran the initial scan

Resource usage is very low during scanning phase. Memory usage considerably less than firefox and barely touched the sides of CPU on my old Core2duo.

Against my 3 hosts I ran the brute force module. All settings are defaults.

Note the windows host has login Administrator with password test and admin with password. The Linux host has password of test on the root account.

I was surprised that these were not discovered during the brute scans.

I redid the brute force module after changing the root password to "toor". Success! It seems the dictionary may not have been large enough for root / test.

Update: as noted by HD Moore selecting the deep option rather than default on the brute force would have hit on "test".

Using the session from the brute forced credentials I was able to gather data from the system with prebuilt scripts and get full access via a shell.

Onto the exploitation module.

Session found on the windows XP host as expected ms08_067 was successfully exploited.

Switching to the session tab (nice that while scans are running you can move about the console) reveals prebuilt modules that can be performed with the session - collect system data, virtual desktop, access file system, and command shell. These are straight out of meterpreter.

I grabbed some system data and found the display of the collected data is clear and easy to get to.

Accessing the virtual desktop I was able to connect using a java applet, the other choice to manually use a vnc viewer was also available.

Browsing the file system is all web based, fast and responsive, allowing browsing of the system drives looking for data to snarf.

Lastly direct access to the meterpreter shell is right there, giving you full access to the session through the web console.

Reports linked here

During my testing I did not have a working NexPose Vulnerability Scanner install, however note that this is also an option for enumeration of the vulnerabilities and would be interesting to see in action.

Overall this is a quality product, utilising the underlying framework the web based front end is solid enhancement that is definitely worth the price, whether you are running metasploit on a daily basis and need access to the reporting and backend database or if you run it occasionally within your environment this puts the power of the tool only a few clicks away.