Looking back on the past year, it’s hard to believe everything that the Metasploit team and community have accomplished. In compiling this post, I was constantly saying to myself, ‘Wow, was that only a few months ago?’ There were certainly a lot of fond memories. I hope you also find something to love in these 12 Memorable Metasploit Moments.
We began the new year on the tail of the very first Metasploitable3 Capture the Flag contest. The first contest was so popular that we revamped it entirely for 2017 with all new challenges, new flags, a new OS, and a custom deployment system. Foreshadowed at BSides Austin in May, our crack team ran a successful game at Rapid7’s UNITED Conference and later a free-for-all community CTF with over 500 participants! Will there be a 2018 Metasploitable CTF? I’m definitely interested in seeing what the community and folks within Rapid7 come up with next.
Google Summer of Code
Almost as old as Metasploit itself, the Google Summer of Code offers college students the opportunity to work on an open source project for a summer, while earning a stipend and gaining experience. We had a great set of students in Metasploit's first year participating, which resulted in improved Linux stagers, a new Rex FTP library, and a ton of Metasploitable3 improvements.
To keep everyone up-to-date with the latest developments inside and outside of Rapid7, we have made it a point to regularly update the blog with what’s new and cool. In a unique twist at Rapid7, the Metasploit team also posts demos of interesting Metasploit features every 2 weeks on the YouTube channel. Look forward to even more in the coming year (and help us hit 10,000 subscribers!). There’s even a new Metasploit Slack channel, complete with IRC bridge, to make our world a little more connected.
Metasploit.com got a complete overhaul this year, which made it easier to update, nicer to use, and a lot sexier looking. It now has a lot more useful information about Metasploit Framework, related projects, and even tracks live development statistics. In the coming year, we are making it into a live documentation portal as well, which will make it easier to know how to use the latest features, write modules, and hack the planet.
Metasploit stretches all the time to gain new exploitation methods and techniques. This year Metasploit moved into the physical domain, with interfaces for software-defined radios, cars, industrial control systems, and more. The hardware bridge subsystem provides the glue that allows modules to interact with devices not just over IP networks, but over almost any physical interconnect. Not to be outdone, the famous Lorcon2 wireless exploitation modules have also been resubmitted for review, including support for WiFi drone spoofing! Look forward to more interesting hardware modules in the coming year.
Community and Rapid7 developers worked together to land over 225 new modules in 2017, which is over 75 more than last year. Some of my favorites included:
The first new encoder and nop generator modules in years! The nop generator came with support for ARM 64-bit payloads (common in new cell phones, servers, printers, and other gadgets), while the encoder added the ability to chain multiple encoders in a single payload.
@jennamagius and @zerosum0x0, sherpa’d by @wvu, brought to Metasploit one of the first working MS17-010 scanner and exploit modules, after working diligently through the Shadow Brokers "Lost In Translation" leak, even fully reverse-engineering and reimplementing the EternalBlue exploit.
Continuing the SMB exploit trend of 2017, the samba/is_known_pipename exploit, put together by @hdm and @bcoles and discovered by @steelo, added a near-universal method of exploiting many versions of Samba. Techniques used in that module are now being applied to the GoAhead LD_PRELOAD CGI module, which exploits a related bug.
auxiliary/admin/dns/dyn_dns_update is one of my favorite ‘sleeper’ modules of the year. Developed by @kingsabri and polished to a shine by @mubix, it sends unsigned DNS dynamic updates (RFC 2136) to a DNS server that is configured to accept them, letting a user on the network take over hostnames in the zone without any authentication. This is enabled in more places than you might think, which leads to some easy wins for a pen tester or red team.
@zerosteiner added support for the railgun extension to Python Meterpreter, which enabled it to be used both on macOS and on Linux. A fun new module, post/linux/gather/gnome_keyring_dump, uses this functionality to extract credentials from Linux desktops.
The Metasploit device lab at Rapid7 has grown a good amount this year. Our Polycom HDX 7000 has gotten a good workout as we have landed 2 different remote exploits for it: exploits/unix/polycom_hdx_auth_bypass and exploits/unix/misc/polycom_hdx_traceroute_exec. Whether the attacker starts with credentials or with none at all, these devices are easy targets, so definitely keep them isolated or patched.
Our QNAP NAS has also been busy, with two remote modules of its own: exploits/linux/misc/qnap_transcode_server and auxiliary/gather/qnap_backtrace_admin_hash, which steals the admin credential hash.
Many other devices in our hardware lab were vulnerable to exploits/linux/samba/is_known_pipename, a more-or-less universal Samba exploit that works on many software versions and CPU targets.
auxiliary/client/mms/send_mms and its companion plugin, ‘session_notifier’, give Metasploit the ability to send text messages and call you whenever you get a shell. The rssfeed plugin lets you track session activity through your phone or computer’s RSS feed reader as well.
As Metasploit's Documentarian-in-Chief, and submitting perhaps the largest set of pull requests for the year, @h00die and a team of new contributors have pushed Metasploit to now have at least 475 documented modules, an effort started last year by @sinn3r, @tdoan, and many others.
Finally, Metasploit got the highly-anticipated ability to scan and dump the index for Gopher servers via the auxiliary/scanner/gopher/gopher_gophermap module! I love older protocols, you never know when they'll show up next!
There are many cool modules that landed this year, but unfortunately we don't have space to cover them all here. Luckily you don't have to take our word for it, since every one of them is available for free in Metasploit Framework!
Metasploit’s Meterpreter payload was originally designed to provide a post-exploitation agent for Windows machines. Java, Python, and PHP versions came along later, and made post-exploitation easier on non-Windows targets as well. Now Meterpreter has expanded to support over a dozen different Linux architectures, macOS, native Android, and iOS, with more on the way. Whether you’re targeting a mainframe or a lightbulb, there’s a Meterpreter for every occasion.
In addition to omnipresence, Meterpreter learned a few new tricks. Support for packet-level encryption allowed the Windows Meterpreter to become five times smaller, since it no longer needs to carry a full TLS stack to protect its traffic. The 'kiwi' extension became more modular and easier to synchronize with Mimikatz upstream, though see below for unintended consequences. Meterpreter now supports customized HTTP headers, which can be used to make its traffic look like requests for another domain. There's even DNS transport support in the works, thanks to the hard work of the community.
One of my favorite ‘bugs’ we fixed this year was really a lesson in being careful. For years, as alluded to in this tweet, the ‘kiwi’ extension in Meterpreter had a special feature that would put on a light show on servers whenever it was in use. We finally got the message and disabled it, but it does go to show that you can lead a horse to code, but you can’t make him read it :)
SMBv2 support has been anticipated in Metasploit for some time. WannaCry and the other SMBv1 exploits of 2017 have only made the need more urgent, since disabling SMBv1 has become standard hardening advice. We went full-force into implementing all of the required methods for SMBv2 filesystem access and basic DCERPC support. As a result, we are nearing completion of full client-side SMBv2 support for modules, with server and session support anticipated for 2018. The Ruby SMB project has been moving. Check out the latest Metasploit Demo video to see it in action: https://youtu.be/7JLfryEqmWA?t=601
There’s a Snake in My Module
Another semi-controversial but highly anticipated Metasploit feature is the ability to run modules written in other languages, with Python being given a heavy emphasis. Currently, Metasploit already has 2 modules that leverage this experimental feature (one exploit, and one DoS module), with several more on the way. Got an idea for a module, but can’t quite get the hang of Ruby? Chat with us on IRC or Slack and see how you can help out.
This year, we also hosted the very first Open Source Metasploit hackathon in Rapid7’s Austin office. Combine a rotating cast of contributors, way too much food, a couple of guitars, and some incredibly outsized laptops, and you end up with some great Metasploit hacking and fun. We're in the planning stages of our first International Metasploit Hackathon next year, which should be an even bigger success.
Moose Moving On
Finally, we should recognize the Metasploit members who moved on from the project this year: James ‘egypt’ Lee, Lance ‘darkbushido’ Sanchez, and David ‘thelightcosine’ Maloney. They contributed a lot to the project over the last 5+ years, and we’ll always remember them, whether poring over code commit logs, or just following them on Twitter (don’t worry, they’re still alive!). So long friends, and thanks for all the shells!