This post is the tenth in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements in the Metasploit Framework over the course of 2013.


For the past couple of months, the Austin office of Rapid7 saw an increased number of unwilling donut offerings made by employees who failed to secure their computers while away from keyboard. These attacks only resulted in confusion and disappointments for the rest of the company, because only a few of the victims actually bought donuts. The agents of the People's Republic of Metasploit were summoned on Friday, and successfully identified the secret vigilante as "TheLightCosine".

"The donut attacks were extremely effective and sophisticated," says HD Moore, Chief Research Officer at Rapid7 and founder of the Metasploit Project. Forensic evidence suggests these hacking incidents began as early as November of 2013, most likely sooner. A machine compromised by the secret vigilante would send an e-mail like the following to the company's internal network using the machine owner's established session:

The agents of the People's Republic of Metasploit started an investigation last week, and attempted a counter-intelligence technique known as "webcam_stream" in order to catch TheLightCosine in the act. "webcam_stream" is now available for download, and current Metasploit users receive it with an msfupdate. It is a Meterpreter command that allows the user to turn on a remote webcam and stream it live.

To achieve this, the operation team set up a honeypot with an active webcam_stream session:

The command creates, and automatically opens, a local JavaScript-based player for the live stream. However, instead of only playing it locally, the agents also streamed it to their smartphones, which can be done by setting up a web server to host the live feed (in JPEG format). They left the honeypot workstation's desktop unlocked, and waited.

At 12:39 p.m., TheLightCosine emerged from the darkness and began his assault against the honeypot. The strategy paid off, and the agents managed to get a good look at the hacker live from the phone:

Armed with high-powered "N-Strike" nerf guns, "TheLightCosine" was finally arrested by the agents following a raid at his workstation in the office on Tuesday. "I'm in total shock right now," says fellow worker James Lee, Metasploit's core developer, "But I do like donuts."

Check out the alternate ending.

Special thanks to the crew who made the photo shoot happen: TheLightCosine, William Vu, James Lee, Jennifer Chen.