Security Experts:

Rapid7 Helps Users Create Their Own Phishing Attacks in Metasploit Pro 4.5

Rapid7 on Friday released Metasploit Pro 4.5, the latest version of its flagship penetration testing and security risk assessment tool. The new release brings capabilities that let organizations simulate social engineering attacks and help understand just how vulnerable they may be to phishing attacks.

New Rapid7 LogoUsing the new features, users can set up fake websites to emulate real phishing attacks by entering the URL of a site they want to clone and Metasploit automatically modifies forms to capture any data submitted by users. Taking things one step further, the tool can even add client-side exploits.

Additionally, Metasploit Pro 4.5 can generate custom malware that can be put on a USB flash drive and purposely "dropped" in various spots such as the company parking lot or restrooms to find employees whose curiosity may pose a security risk to the organization.

“Metasploit Pro’s social engineering reports go above and beyond alternative penetration testing solutions by providing conversion rates, such as how many people clicked through a phishing email, how many entered username and password on a fake website, and how many systems were compromised,” the company explained in a statement.

Metasploit’s new social engineering functionality can also be useful for penetration testing engagements to compromise one or more systems as a starting point for a more comprehensive security assessment, the company said.

“Many organizations already conduct end-user trainings and implement technical security controls to protect their data, but it’s hard to know how effective these measures are, or even if you’re focusing on the right things,” said HD Moore, chief architect of Metasploit and chief security officer for Rapid7. “Metasploit assesses the effectiveness of these measures, and provides metrics and management for each step in the chain of compromise to help you reduce your risk.”

In addition, to releasing Metasploit 4.5, Boston-based Rapid7 also updated its vulnerability management solution, Nexpose, to version 5.5. New additions to that product include integrated configuration assessment to check if IT assets are appropriately configured, as well as enhanced reporting capabilities. The Nexpose update will also include the ability to deploy the product as a virtual appliance.

The new features are exclusive to the new Metasploit Pro edition, which is available immediately.