Re: Commercial Exploit Tools

[HD Moore <hdm () digitaloffense net>]

On 9/29/2011 2:42 PM, Kent Blackwell wrote:
> Greetings all,
>
> I work for a DoD organization as a penetration tester. We currently
> use a combination of open source tools and eEye Retina for our tests,
> however some excess cash in the budget has given us the opportunity to
> grab ourselves a commercial exploitation tool. Given that our
> distribution of choice is Backtrack 5 the most obvious choice was
> Metasploit Pro. I checked out the most recent list of exploit tools on
> seclists, but as the survey is hitting the five year mark I'd expect
> things have changed. A quick Google at some alternatives gave me a
> list of sponsored ads that I have zero trust in so I figured I'd probe
> the community here.
>
> My question is what commercial exploitation tools do you use and
> what's your opinion on them. I don't need a huge, detailed explanation
> of the tool, just an opinion and the name of the tool. Thanks in
> advance!

Feel free to put Metasploit Pro to the test. We provide a competitive
level of exploit coverage (with all exploits available under the open
source framework) and strive to go beyond just "pop a shell" and solve
real needs in the penetration testing and vulnerability management
space. This includes a strong focus on multi-user collaboration, import
of dozens of tool exports (NeXpose, Retina, etc), customizable
reporting, extensive password testing (brute force, replay, and spot
testing), and a wide range of features that we find useful when
conducting our own engagements. We dogfood our products religiously and
a large portion of the development team consists of former penetration
tests, including some with DoD experience.

We provide a free trial if you want to conduct your own evaluation:

http://www.rapid7.com/downloads/metasploit-pro.jsp

The Metasploit Pro development team is the same group of folks that work
on the Metasploit Framework and are highly active within the security
community. We have a policy of transparency that no commercial
competitors can offer. Metasploit Pro sales directly fund the continued
development of the open source Metasploit Framework too :)

-HD

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------