[techpeace]

That's exactly what it's intended for, actually. It was built by pentesters to perform their work. I'd rather my security tools be open sourced and available for all the world to see and contribute to. Doing so also compels lazy vendors to patch awful vulnerabilities.

[jrochkind1]

Wikipedia says:

> The Metasploit Project is also well known for anti-forensic and evasion tools, some of which are built into the Metasploit Framework.

If so, how are such functions valuable for a pentest/audit?

[greedo]

Say you're doing a pentest, and your target has an IDS/IPS to both prevent infiltration and exfiltration of data. And while you discover a system that is vulnerable, the payload that you want to deploy to this vulnerable system would normally trigger an alert by an IDS. With some of the tools in MSF and BackTrack, you can use an encoding process to obfuscate the payload enough to get past the IDS/IPS.

Now a blackhat would be able to do this without BT or Metasploit. The tools are out there, and well known. So the fact that these tools are in BT and Metasploit doesn't change that. But it does make it easier for a pentester to prove a system is vulnerable, and to help a company address their vulnerabilities through remediation.