todb

12 Days of HaXmas: Metasploit closes out 2013

Blog Post created by todb Employee on Dec 31, 2013

This post is the seventh in a series, 12 Days of HaXmas, where we take a look at some of more notable advancements in the Metasploit Framework over the course of 2013.

msfconsole.png


Today is the last day of the year, so there's no better time to get all weepy and sentimental about Metasploit development over a glass or four of champagne. I continue to be amazed, honored, and humbled by the amount of talent, skill, and brute force labor that goes in to keeping the Metasploit juggernaut rolling. With that, here's a quick stat check of what we've been up to.

Major Releases

We successfully published three major releases of Metasploit over the course of the year. April saw the release of Metasploit 4.6, which solidified full integration with the Kali Linux distribution as well as coverage for the OWASP 10 (2013 edition). In July, we released Metasploit 4.7, which introduced firewall egress testing and the automation oomph introduced by Metasploit Pro's MetaModules. In November, we published Metasploit 4.8 which boasts much better integration with Nexpose (Rapid7's delightful vulnerability scanner) for vulnerability validation capabilities.

 

New Content

Coincidentally, we ended the year in 2012 with exactly 2012 modules, across exploits, auxiliary and post modules, and payloads. We're ending 2013 with 2448 modules; that's just about 1.2 modules a day, every day. Major target categories that got attention were client-side browser and file format exploits (made easier now with the new BrowserExploitServer mixin), a bunch of new cross-platform web application server-side exploits, and of course the SAP modules that we've been yammering about since October. We also now have a huge trove of new SOHO router scanners and exploits, which are themselves a subset of our newly extended ARM and MIPS embedded device target support which Juan talked about yesterday.

 

More Meterpreters

OJ talked at length earlier this HaXmas about the Windows Meterpreter overhaul, but did you know that we've made significant advances with Java Meterpreter and landed the brand new and most excellent Python Meterpreter? Yep, and the Android Meterpreter is still coming along, too. It's been a great year all around for Metasploit payloads -- we have over 100 payloads new to 2013, so if you haven't peeked in on those lately, now's a fine time to catch up.

 

More Contributors

Finally, but most importantly, we've had some amazing support from the open source security community over 2013. We've had 204 committers over the year to Metasploit, more than any other year. The depth of talent, drive, and commitment among these committers really and truly does astound me every day. Y'all are the reason why Metasploit is where it is today.

 

The top 25 commiters (according to git logs) are:

 

Name/AliasCommit Count
jvazquez-r71403
wchen-r71096
todb-r7540
jlee-r7338
Meatballs1324
wvu-r7163
dmaloney-r7155
joev-r7122
m-1-k-3121
hmoore-r794
OJ89
bturner-r771
limhoff-r770
FireFart68
swtornio51
Spencer McIntyre47
jiuweigui45
tasos-r743
nmonkee41
kernelsmith39
r3dy38
mubix35
Andras Kabai34
darkoperator33
RageLtMan32

 

And here are all the names and aliases of people who are credited with at least one commit this year: Jeff Jarmoc, Joe Vennix, g0tmi1k, Karn Ganeshen, scriptjunkie, Peter Toth, Nathan Einwechter, Matt Andreko, Doug P, root, agix, Ramon de C Valle, Console, Bruno Morisson, Charlie Eriksen, bwall, bcoles, shuckins-r7, schierlm, modpr0be, Markus Wulftange, xistence, smilingraccoon, Dejan Lukan, lsanchez-r7, rsmudge, Joshua J. Drake, Mekanismen, ChrisJohnRiley, Rick Flores (nanotechz9l)  12, SphaZ, Roberto Soares Espreto, bmerinofe, MrXors, timwr, Kacper Nowak, Thomas Hibbert, zeknox, AverageSecurityGuy, shellster, darknight007, Brandon Perry, lmercer, Ruslaideemin, KarnGaneshen, Geyslan G. Bem, dummys, jvennix-r7, kaospunk, Brian Wallace, SeawolfRN, Joshua Abraham, J.Townsend, Josh, doug, Robin Wood, dcbz, h0ng10, corelanc0d3r, Matteo Cantoni, salcho, f8lerror, TecR0c, Borja Merino, Jonathan Claudius, Boris, Sven Vetsch / Disenchant, sgabe, jonvalt, heyder, Joshua Harper, xard4s, Rich Lundeen, Brandon McCann, Ricardo Almeida, dougsko, Thomas McCarthy, Cristiano Maruti, John Sherwood, DoI, joernchen of Phenoelit, jamcut, Jon Hart, Alexandre Maloteaux, William Vu, jgor, Tod Beardsley, Davy Douhine, Shelby Spencer, ddouhine, Jonathan, Enrique A. Sanchez Montellano, Stephen Haywood, Charles Smith, trustedsec, ZeroChaos, Dhiru Kholia, Sean Verity, Daniele Martini, Patrick Webster, Thomas Ring, booboule, Tabassassin, Brandon Knight, T0X1C-1, Wolfgang Ettlinger, Frederic Basse, Ryan Wincey, CG, Jose Selvi, Nicholas Davis, joe, Trevor Rosen, Norbert Szetei, rbsec, Fernando Arias, Tyler Krpata, nemski, Henrik Kentsson, Joe Barrett, pyoor, Jonathan Rudenberg, Booboule, Trenton Ivey, Winterspite, ethicalhack3r, Alexia Cole, Rick Flores, Gerry Eisenhaur, Joe Rozner, Paul, MosDefAssassin, Till Maas, Geyslan Gregorio Bem, tkrpata, Vlatko Kosturjak, violet, Juushya, Icewall, Joff Thyer, yehualiu, Sagi Shahar, allfro, rogueclown, danielemartini, Artien Bel, Doug Prostko, Joshua Harper PI GCFE GCFA, Darren Martyn, Newpid0, Thorsten Fischer, Russell Sim, matthiaskaiser, zyx2k, TrustedSec, Matthias Kaiser, Joel Parish, julianvilas, jwpari, cbgabriel, Garret Picchioni, steponequit, Melih SARICA, Julian Vilas, Antoine, LinuxGeek247, ringt, farias-r7, bannedit, Nick Rivera, Stephen Fewer, Bouke van der Bijl, Gregory Man, TabAssassin, Sam Gaudet, luh2, Gary Spillman, Tonimir Kisasondi

 

Oh, that's some sweet, sweet SEO right there. Thanks to every single one of you for your contribution of your time and expertise to the Framework!

 

New Modules

Oh, and hey, we released the final Metasploit update for the year just now, too -- 13 new modules this week, including the veristle intelligence-gathering DNS scraper module from zeknox and an exploit for Red Hat CloudForms from Ramon. Thanks guys!

 

Exploit modules

 

Auxiliary and post modules

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Outcomes