April has been a busy month in Metasploit-land.

The Metasploit Community Book is on a roll, with tons of new content straight from the community. We are still looking for volunteers to help with this project by developing new content and editing the existing text. This is a strictly non-profit effort and we have no intention of partnering with a publisher for this project. Hard-copies will eventually be provided by print-on-demand publishing. If you would like to help, please drop us an email at msfdev[at]metasploit.com.

The auxiliary module Scanner mixin now supports threaded execution for the run_host() and run_batch() methods. This speeds up common tasks like SMB version scanning and defacement via PUT requests. The end goal is to support a vulnerability assessment engine built on the Metasploit Framework, using the auxiliary module backend and the database plugins.

I spoke at CanSecWest about the new shiny in Metasploit 3 and gave a quick lightning talk on our response to the recent ANI vulnerability. CanSecWest was awesome this year (as usual) and it was great to hang out with the regulars and meet some new faces.

Matt Miller (skape) and I will be teaching a class at Black Hat USA 2007, so sign up if you want to become a Metasploit 3 ninja :-)

Need to pwn some Microsoft DNS servers? Metasploit 3 has the answer. Our two exploit modules (SMB, TCP) work across all affected versions of Windows (2000 SP0-SP4, 2003 SP0-SP2) and include targets for a variety of versions and languages. These exploits will work even when hardware DEP (NX) is enabled, by exploiting a technique published by skape and skywing in the Uninformed Journal. A big thanks to the two anonymous contributors that tag-teamed 2003 SP0-SP2 ( DEP) support More information about the underlying vulnerability can be on the CVE page. Yes, this bug is still unpatched...

Mike Whitehead submitted a set of patches that add theme support to the Metasploit 3 Web Interface. The new themes kick ass and will merged into the stable tree in the coming weeks. If you want to view out the existing themes or build your own, check out the latest code from the Metasploit 3 trunk, start msfweb, and use the Options screen to change the current theme. Theme files can be found in the data/msfweb/public/stylesheets/skins/ subdirectory of the framework.

The Metasploit Fund is in full swing, so if you would like to help the project, please contribute today. Your donation may be tax-deductible if you are a US resident. The Fund will be used to sponsor bug bounties, feature development, and development hardware purchases. The Metasploit Fund is a Hacker Foundation project.

-HD