Fresh Web Libs


As we head into the holiday season here in the U.S., Metasploit core developers Tasos @Zap0tek Laskos and James @Egyp7 Lee finished up a refresh of the Metasploit fork of the Anemone libraries, which is what we use for basic web spidering. You can read up on it here. The Metasploit fork isn't too far off of Chris Kite's mainline distribution, but does account for Metasploit's Rex sockets, adds in a few more defaults for directory busting, and decorates up some of the classes to make them easier to get at from Metasploit modules.


This update also sees a slew of brand new web scanning libraries which Zapotek has been banging on for a while now. You may already be familiar with Tasos from Arachni fame -- another Ruby project that's specifically geared toward webapp security scanning and exploitation. These new libraries in Metasploit should make exploit development for web apps considerably easier, so expect to see more documentation and examples using these libraries in the coming weeks.


Attack of the SAP Modules


Meanwhile, we've been pawing over a sizable pile of auxiliary modules geared toward the discovery, use, and abuse of SAP NetWeaver services, all submitted initially by community contributor @nmonkee. SAP, apparently has a footprint of 100,000 companies world wide, so it shouldn't be too uncommon to run into a SAP installation on a client site. You can read about these new modules in some depth in a blog post over at MWR Labs.


If, like @nmonkee, you are sitting on a dozen or so modules focusing on a particular technology, we are of course happy to help you get those all cleaned up and committed to the mainline Metasploit distribution. If you'd like some assistance with reasonable disclosure of vulnerabilities, we're similarly here and ready to serve.


New Modules


It's not just SAP and webscanning this week -- we've got a new ZDI exploit for Oracle and an exploit for Invision IP.Board, and another SCADA module (this one's a fuzzer for MODBUS, so that's fun). For more, check out Metasploit's Exploit Database.





If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.


For additional details on what's changed and what's current, please see the most excellent release notes.