Turns out, the week between Christmas and New Years was pretty slow, at least as far as Metasploit Framework development was concerned. This release has a few small spot fixes on Framework, and a handful of new modules.
The most significant addition to the framework was TheLightCosine's work on the appropriately scary-sounding ShadowCopy library. Based on the research published by Tim Tomes and Mark Baggett, the modules implementing this library enable an attacker to leverage a Windows target's Volume Shadow Copy service to make "backups" of otherwise locked file resources. This is handy for snagging, among other things, the Security Accounts Manager (SAM file), running databases, et cetera, without having to worry about locked files. Pretty neato.
Brandon Perry did some work on gathering information about a target organization -- not just a target computer or network -- via his newly committed Corpwatch modules. These use the Corpwatch_API to dump information gathered from SEC filings on publicly-traded companies. This kind of reconnaissance can be useful for an initial penetration engagement, since it can give clues to relationships between organizations and where entry points into the target network might lurk. We also have a new exploit from Metasploit community contributor Fady Mohamed Osman for CoCSoft's StreamDown streaming media server (BID-51190), so thanks to him for that.
Year in Review
This update represents the first update of 2012, though technically, most of the work was finished in 2011, so it's kind of the last update from last year. Community contributor Chris John Riley put together a quick list of all the new modules for Metasploit introduced in 2011. You can read that list on his blog, so I won't really rehash it here. However, I'd like to take a minute to throw some bullet points out there about the growth and change that's been going on in Metasploit over 2011 aside from the module shuffle.
- Introduced an "unstable" module tree, which is now the unstable branch for experimental and unstable modules
- Integrated Nmap's NSE script library via a module mixin.
- Msfvenom was released to aid in payload generation
- Meterpreter got native support for persistent HTTP and HTTPS transports
- Created the vSploit concept for virtual exploit scenario testing
- Integrated fast offline password cracking via a John the Ripper interface to Metasploit
- Promoted the Metasploit backend database to "core feature" status
- Released the free Metasploit Community Edition
- The string "Metasploit" appeared in the title of three new books
- Migrated from SVN to Git for our source control and community contributions
So, kind of a lot. We also had six major released for the Framework in there, too, incrementing along from 3.5.1 to the current 4.1.0. According to my counts, we added 143 exploit modules, 96 auxiliary modules, 123 post modules, and 23 payloads to Metasploit Framework along the way. That's a grand total of 362 new modules (385 counting payloads, which really, you should), averaging out to just about one new security-relevant feature a day.
For those of you who rely on the msfupdate command to track Framework development, you already have these sitting in your local checkout. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new Framework hotness today when you check for updates through the Software Updates menu under Administration.
For more details on what's changed and what's current, please see Jonathan Cran's most excellent release notes.