Last updated at Wed, 03 Jan 2024 21:35:06 GMT

In honor of the 10-year anniversary of Rapid7’s acquisition of Metasploit, our latest episode of Security Nation features an interview with its founder, HD Moore. You can listen to the podcast episode below, or read on for a Q&A based on our discussion about his latest project.

Q: So, it’s been 10 years since Rapid7 somehow acquired this crazy open source project, Metasploit. Are you pleased with how things have gone?

A: Sure, yeah. So early on, if you go back to 2003 when we started the Metasploit Project, it wasn’t that popular. There were a lot of folks using it, but it wasn’t considered a tool that people wanted to use, it wasn’t considered safe to use, and it wasn’t considered something you should legally be able to use in a lot of cases.

We definitely got value out of the controversy, but if you look at the time that Rapid7 acquired the project, we only had about 33,000 users based on our Subversion stats at that point. Fast-forward about a year or two, post-Rapid7, and I think we were up to 200,000 or 300,000 monthly users who were downloading the project. So even though it was being managed by a corporation and being run a little more professionally, it actually increased the user base by at least 10x over those first two years.

So I’ve been very happy. I’m happy that one, the project is still alive. It’s amazing that so many people have been involved with it, that people are still contributing to it, and that it’s still serving as this living archive of research techniques that have been discovered for the last 20-something years that are being turned into code that’s actually maintained. You know, managing a Ruby project is probably not the most fun thing in the world given how often dependencies change, but at the same time, you guys were doing a great job of keeping the project up and running and making sure it’s still viable and relevant today.

If you look at the types of things that have gone into Metasploit over the years, it started off being very focused on stack smashing, buffer overflows, and heap overflows, all that fun stuff. Those became a little less relevant after all the mitigations went into place on the varying operating systems, but things like logic bugs, protocol information leaks, and web application vulnerabilities don’t really go away, and if anything, have gotten worse. So it’s been really cool seeing Metasploit take on things like ICS, everything from like car protocols via the adapter and things like that. It’s just a huge gamut of stuff that Metasploit does now that we never thought was even relevant to the project back in 2003.

Q: That’s wonderful to hear. What are you working on now?

A: So, I’ve always been really excited about exploring networks and finding out what’s out there and seeing just the weird menagerie of equipment that’s connected to phones, networks, wireless, and RF, all kinds of fun stuff. The work on Metasploit was great in that we got to touch lots of different protocols and devices and look into tons of research. While I was still working on Metasploit, I started doing a lot of internet-wide scanning research, which meant looking at pretty much the whole internet and trying to figure out what protocols they’re running and what services were exposed, and using some of that to do vulnerability research and find vulnerabilities. And I never really got tired of it. I still enjoy that process of exploring and finding out what’s out there, and doing everything from fingerprinting to protocol recognition, and that’s what led to my current project.

About a year and a half ago, I started a project called Rumble Network Discovery, and what we’re trying to do is make a very easy and effective way to identify what’s on your network. So, it’s basically a glorified ping scanner, but incredibly faster, more accurate, and more useful than anything else out there today.

What we noticed is that as corporate networks become more and more hardened and as people go toward BeyondCorp, they’ve got fancy SDN stuff in place now and hybrid cloud deployments. They’re treating the internal networks like a lot of folks used to treat their external networks, so most desktops have firewalls enabled. They’re scattered with all kinds of random IoT and consumer hardware devices now as companies installed everything from smart TVs to internet connections to coffee machines and whatnot.

So we’re seeing a lot of really interesting equipment show up on corporate networks. We’re also seeing corporate networks becoming more hardened than ever before. And as a result, standard discovery tools don’t work anymore. If you’re using something like a standard port scanner or even your standard IT discovery tools or technology tools, they often can’t provide you with good information anymore. So, how do you actually do accurate discovery when all the security mitigation is already in place? That’s what we’re trying to do with Rumble. We’re trying to take the same approach that a company like Rapid7 would take for vulnerability management, where instead of trying to find different ways to leak information about a device to tell you whether or not it’s been patched, we’re doing the same level of effort just to identify what a device is.

Q: Is this a paid solution or is this free?

A: It’s a commercial project. So we had a beta that ran for about six months or so that was open. We still have things like free trials, so you can still sign up and play with it, but the core public output from this thing is contributing back to open source fingerprint repositories. So even though the core of the product is commercial and we’re doing everything we can to build a sustainable business out of it, hire people, all of that fun stuff, we’re also contributing all the new fingerprints that we developed directly back to the Recog project, which is also managed by Rapid7.

For folks who don’t know the background of Recog, a few years ago, we took the Nexpose fingerprint database within the commercial Nexpose product, made it open source, then modified Metasploit and Metasploit Pro to also use the same database. Going forward, Rapid7 maintains this thing, but lots of other companies contribute fingerprints back into it. So it’s becoming kind of a cross-company open source fingerprint database that is being used by multiple products, including Rumble. So as we build out new Rumble fingerprints for things like TLS fingerprints, TLS subject and issuer regexes, all the mDNS work we put in recently is all going right back into the open source Recog project, which then in turn powers things like Nexpose, Metasploit, Metasploit Pro, and other projects that are based on it.

Q: So how does Rumble relate to Nmap? It seems like there is some confusion when comparing the two, so could you help clarify that?

A: Oh, sure thing. I mean, Nmap’s great. I’ve been using it for I think 20 years now. It’s kind of a gold standard for port scanning. The things that you want to do with Nmap are typically port scan the network and identify services, and what Nmap is really good at is not only telling you what a very particular service is running, but also what exact OS a device is running.

What it’s not so great at telling you is what the device physically is. So, Nmap can be a great tool for telling you exactly what Linux kernel version is running on which device or which web server is running on which port. But if you’re trying to figure out whether something is a Roku, smart TV, or printer, that’s not what Nmap is about. It’s a different level of discovery.

What we’re trying to focus on at Rumble is, how do we very quickly identify what a device is, what its purpose is, and other information about it, such as its MAC address and its extra IP address, with the least amount of traffic we can send. But we don’t necessarily care about all the security stuff. We’re not looking for vulnerabilities. We’re not looking for the exact kernel version. So it’s a little different use case in the sense that Nmap is kind of a general-purpose tool that’s used by a ton of people and products, and we’re very much focused on device identification and discovery.

Q: So it sounds like they’re very complementary, then.

A: Definitely. We expect that most people who have an interest in tools like Rumble probably have already used Nmap and vice versa. There’s a lot of overlap there. It’s more a question of whether you’re trying to do a quick identification of everything on your network vs. wanting to know what the thing actually is. That’s where our focus on the Rumble side might pay off better than using Nmap or another open source tool and the command line. That’s not to say you can’t get similar results, but it often takes a lot more work.

Q: Can Rumble tell me if I have a device that has several IP addresses on the same network?

A: Absolutely. That’s one of the things we spend the most time on. Remote MAC address discovery goes a long way toward uniquely identifying a device and identifying multi-homed devices. Because if you can find 15 devices on the same network with the same MAC address, you can almost guarantee they are the same physical device. So using things like the MAC address, you can uniquely identify hardware.

The nice thing about having a SaaS product is we can figure out those things pretty quickly and blacklist them. So we have a pretty good idea of which MAC addresses are bunk, and which ones are not unique in those cases. The same thing goes for the IP side. We’ll find ways we can leak the list of interfaces of a device remotely without credentials.

So we’ll use things like NetBIOS to get the list of remote IP addresses on a Windows device unauthenticated across the network, across multiple hops. We’ll then use the fact that we can see all those multiple IPv4 addresses on it. We can then link those devices together in the display and say that these are actually the same physical device. And the last piece where this really comes together is now we have a way to uniquely correlate devices across multiple hops away. You can then track them as your IP addresses move. So we spent a whole lot of time doing things like accurate IP tracking, and I think asset inventory is something that most people in the security space are using security products to accomplish today. But these security products weren’t really designed to do inventory. So Rumble is an attempt to build an inventory-first project and really focus on just doing discovery.
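As an added illustration of the correlation described in this answer (this is not Rumble’s code and not part of the interview), the following Python routine groups per-IP scan observations into inferred physical devices by two rules: IPs that share a MAC address are one device unless that MAC is on a non-unique list, and an IP that appears in the interface list a host leaked (for example over NetBIOS) belongs to that host. The observations, the non-unique MAC list and the `suspect_macs` threshold are all constructed assumptions.

```python
"""Group discovery results into physical devices (added example, constructed data).

The MAC-sharing and leaked-interface linking follow the approach described in
the interview; nothing here is Rumble's implementation.
"""
from collections import defaultdict

# Constructed: MACs known not to identify a unique device. The all-zeros address
# is a common placeholder; the second is a hypothetical virtual-adapter address
# that many hosts report. In practice this list is learned from scan data.
NON_UNIQUE_MACS = {"00:00:00:00:00:00", "00:50:56:c0:00:08"}

# Constructed observations: one record per responding IP. `mac` is the address
# ARP or a remote MAC-leaking protocol returned (None when unknown); `interfaces`
# is the address list the host itself reported, e.g. via unauthenticated NetBIOS.
OBSERVATIONS = [
    {"ip": "10.0.0.5",  "mac": "aa:bb:cc:00:00:01", "interfaces": ["10.0.0.5", "10.0.1.5"]},
    {"ip": "10.0.1.5",  "mac": None,                "interfaces": []},
    {"ip": "10.0.0.9",  "mac": "aa:bb:cc:00:00:02", "interfaces": []},
    {"ip": "10.0.0.10", "mac": "aa:bb:cc:00:00:02", "interfaces": []},
    {"ip": "10.0.0.20", "mac": "00:00:00:00:00:00", "interfaces": []},
    {"ip": "10.0.0.21", "mac": "00:00:00:00:00:00", "interfaces": []},
]


class UnionFind:
    """Minimal disjoint-set structure keyed by IP address string."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def correlate_devices(observations, non_unique_macs=NON_UNIQUE_MACS):
    """Return one sorted IP list per inferred physical device, sorted for stable output.

    IPs are merged when they share a MAC not on the non-unique list, or when one
    host's leaked interface list names the other IP. Interface addresses that were
    never directly observed still join the device they were reported by.
    """
    uf = UnionFind()
    by_mac = defaultdict(list)
    for obs in observations:
        uf.find(obs["ip"])  # register every observed IP, even one that links to nothing
        mac = (obs.get("mac") or "").lower()
        if mac and mac not in non_unique_macs:
            by_mac[mac].append(obs["ip"])
        for iface in obs.get("interfaces", []):
            uf.union(obs["ip"], iface)
    for ips in by_mac.values():
        for other in ips[1:]:
            uf.union(ips[0], other)
    groups = defaultdict(list)
    for ip in list(uf.parent):
        groups[uf.find(ip)].append(ip)
    return sorted(sorted(g) for g in groups.values())


def suspect_macs(observations, threshold=8):
    """MACs seen on more than `threshold` distinct IPs are candidates for the
    non-unique list: a real NIC rarely fronts that many addresses at once.
    The default threshold is an assumption, not a measured value."""
    ips_by_mac = defaultdict(set)
    for obs in observations:
        if obs.get("mac"):
            ips_by_mac[obs["mac"].lower()].add(obs["ip"])
    return sorted(m for m, ips in ips_by_mac.items() if len(ips) > threshold)


if __name__ == "__main__":
    for device in correlate_devices(OBSERVATIONS):
        print("device:", ", ".join(device))
    print("suspect MACs:", suspect_macs(OBSERVATIONS, threshold=1))
```

On the constructed data this yields four devices: the host that leaked two interfaces, the pair sharing a real MAC, and the two all-zeros hosts kept separate because their MAC is on the non-unique list. Running `suspect_macs` over real scan results is one way to grow that list over time, which is the advantage of seeing many networks that the answer describes.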

Q: This all sounds great. Where are you headed next with this thing?

A: So right now, it’s just me working on this. We’ve had about 3,000 users in the beta tracking about 3 million assets. After we’d gone through the first month and two-thirds of sales, we were up to 75 paid customers. We’ve got a pretty good roadmap ahead and are hoping to start hiring people starting next year.

Our customers have been amazing. The product wouldn’t be what it is today without all the feedback we got from beta users and all of them calling us out for our boneheaded mistakes in UX, things like that. It’s still definitely not the product we want to build and it’s definitely not done yet, but we’ve gotten a lot closer because of the great feedback from the beta community.