I disliked the tool completely. First and foremost, there is no way to 'automate' a penetration test. The exploit collection is sufficiently limited that you're about likely to use it maybe once in 50 assignments. Admitted they had exploits for new vulnerabilities fairly early, but not early enough to justify the cost of the tool.
I also found it rather unstable, it crashed often, and (as usual) most of the time, exploits did not pull through.
Considering it is:
a) GNU GPL
b) It makes exploit creation very easy using PERL
c) Modifying exploits is trivial
d) New exploits are posted as Metasploit PERL modules (just the other day the Windows Message Queuing remote exploit was released as a metasploit module)
e) It's very easy to use
f) The exploits are *very* reliable
g) The exploits are not obscure
I agree there's no way a full pen test can be automated but was looking to core impact to provide a cheap alternative to getting third party pen testers in, I realise the testing is in no way as comprehensive but was hoping it'd give more of an insight than no testing.
Sahirh by unstable do you mean it crashed locally or the targets? I've had metasploit for a while but it seems more geared towards linux / unix etc whereas our PCs are 99.9% windows based (unfortunately).
The core impact sales people tell me it has the ability to install agents on remote PCs by sending crafted emails to users. Once they open the email, if they're vulnerable impact installs a level0 agent and contacts the main console which in my case will be outside the firewall... very handy indeed if it is actually that easy.
I'm in two minds as to what to do, I just wish they had a trial version!
If your not looking for a full penetration suite, but an excellent vulnerability scanner for windows check out GFI languard. I use it at my internship and it seems to keep well updated as well as easy to use(with the ability of remote vulnerability scanner agents as well). The good thing is that it comes with a trial! :-P You can check it out
. Hope this helps.