
Let's Make Meterpreter

Metasploit, as you know, is quite near and dear to my heart. But it's not mine -- it's yours. This week, we're taking a survey of what features and functionality you want to see, and it's directed specifically to the open source community of both users and developers. If you're purely a Metasploit Pro user, feel free to give your feedback as well, of course. I won't stop you, but we expect this one to skew heavily toward the open source crowd.


Also, I'm intensely lazy, and I hate writing technical roadmaps, much to the consternation of my management here at Rapid7. So, to that end, I'm asking for you to help me shirk my responsibilities as a Visionary Thought Leader, and take just three to six minutes to dream a little of where you'd like to take Meterpreter and the other post-exploit payloads. I believe we can do some really interesting, scary, fun things in there to advance the state of the art of penetration testing. We already have some good ideas of where to go in terms of stability and maintainability, thanks to Brent Cook's Maxing Meterpreter's Mettle initiative, so it's time to start thinking about pure functionality.


So, do me a solid, help me help you by punching the SurveyMonkey, and please don't tell my boss that you did this for me. It'll be just between us. Thanks. I owe you one.


WordPress Hacking

This week, we've seen a surge in WordPress modules landing for Metasploit, all shepherded in by Rob Carr with help from our resident WordPress savant, Christian FireFart Mehlmauer. Among these modules is a handy, generic WordPress Admin Console exploit module, for use after you happen to get a privilege escalation through some other means. With it, you can drop the PHP Meterpreter payload, or any of about a dozen other compatible payloads, including the usual connect-back shells, listening shells, or download/exec command injections.


We have quite a collection of WordPress-based modules these days -- about thirty all together. Does this mean that WordPress is just an inherently insecure web publishing platform? Absolutely not! The vulnerabilities exploited by the vast majority of these modules are introduced by certain WordPress plugins, of which there are tens of thousands. Not every one of them has undergone a thorough security audit. Of course, nearly all of them are free and open source, so where were you on that security audit, anyway? It's all our responsibility, after all.


In the end, we do only have 30-ish modules, which accounts for less than 0.1% of all the plugins available. Of course, the WP plugins the Metasploit community does care about tend to be pretty popular on their own -- the recent Photo Gallery exploit targets the plugin of the same name, which had about 600,000 downloads.


Generally, the use case for these exploits is to target that one internal WordPress server that HR or Finance or someone else set up on the company network, and that installation isn't maintained by the official IT organization, never gets updated, and basically ends up sitting there, unaccounted for, offering a more privileged path to the corporate network for the intrepid pen-tester. The lesson to be learned is that if you're going to take on some shadow-IT functions, you need to keep abreast of the latest patches and vulnerabilities, just like a real IT department. WordPress is fun and pretty easy to use, but you need to be careful with this stuff. This goes quintuple if your WordPress site is on the Internet.


New Modules

Since last week's blog post, we have 3 new exploits and 1 new auxiliary module. The only non-WordPress module this week comes from Juan Vazquez, who implemented an exploit for a ZDI-disclosed bug in HP's Client Automation software.


Exploit modules


Auxiliary and post modules


Check out what's included in this week's binary release over at Thao's most excellent release notes.

Last week, we had a live webcast to talk about how Metasploit Pro helps pentesters be more efficient and save time. There were so many attendees, which made it possible to have a great conversation. First of all, I want to thank those of you who took the time out of your busy schedules to watch us live. Our viewers asked many questions, and we were not able to answer all of them due to time limitations. In this post, you will find the answers to those questions.


First things first. If you would like to read a recap of the webcast, go here: Top 3 Takeaways from the "Escalate your Efficiency: How to Save Time on Penetration Testing" Webcast, and if you would like to watch the webcast go here: On Demand Webinar: Escalate Your Efficiency: How to Save Time on Penetration Testing.

Questions and Answers

In order to protect the identities of our attendees, we have taken out any identifiable information from the questions. Thus, some questions may have been reworded.

Is there a tutorial available for some of the finer points of using Metasploit Pro?

There is quite a bit of content available. We will continue to generate new content as we add new features in the future. Feel free to start here: Metasploit Online Help.

Is Metasploit Pro licensed specifically for a named user or can it be licensed to support a moderate scale remotely located pen test group arrangement?

As of right now, we only support licensing based on the number of users. However, we are investigating different licensing options, and we will take your suggestion into consideration.

Does Metasploit Pro license limit how many IP addresses that can be added to a project?

No, it does not. Our licensing model is based on the number of users. There are no license limitations around the number of IP addresses. Please keep in mind that if you plan to test a large network, we strongly suggest you run Metasploit Pro on a beefy machine to prevent any performance issues.

Is one of the UI improvements the ability to pause scanning to accommodate multiple small testing windows?

Yes. We have recently released the Pause & Resume feature to Metasploit Pro. Currently it is only available for the Credential Reuse task. However, we are planning to extend the feature to other tasks in the future.

Our organization is just about to train our ISSO to conduct internal penetration testing in house utilizing Metasploit Pro. What features should we begin testing to introduce us "newbies" to the world of pentesting?

Metasploit Pro comes with an easy to use web interface to simplify pentesting as much as possible. Personally, I would start with a phishing/social engineering campaign to quickly assess your employees, since this type of testing requires a lot less technical knowledge. Additionally, an easy win may be scanning your network for vulnerabilities with Nexpose and validating the found vulnerabilities with Metasploit to determine which vulnerabilities you should focus on fixing first. Here is a good read to get started: Introduction to Penetration Testing.

Can I develop an exploit in Metasploit Pro?

You actually do not need Metasploit Pro to develop an exploit. Metasploit Pro is not a tool for reverse engineering an application to look for zero day vulnerabilities and write exploits. It is an application for consuming available exploits in an efficient manner. If you would like to learn how to write exploits, feel free to start with the following pages:

Contributing to Metasploit

Metasploit Resource Portal

What are the learning curves between the editions? I have used Metasploit Framework several years ago so I am not totally new to pentesting.

Metasploit Pro consumes the same modules that Framework does, so as far as exploit content goes, there is not much difference. However, Metasploit Pro comes with some additional features, most of which we talked about during the webinar, that might require some reading and learning. We know that many of our users have used Framework in the past and are used to the command line, so we are going to bring some of those commands to the Metasploit Pro web interface in 2015 to make it even easier to use. Overall, the learning curve is not that steep.

Can I use my own word list when I customize a bruteforce attempt?

Yes, you can. Even though the bruteforce functionality does not take a wordlist as an input, a wordlist can be used to generate a list of credential pairs, which can then be imported and used for bruteforce.

Is there an option for passwords in different languages for bruteforce?

Currently there is not. You can, however, create your own custom list of credential pairs from wordlists in any language, and then import it for bruteforce.

How can I customize the password mutation feature for a bruteforce attempt?

The password mutation feature comes with several mutation options. Currently we do not support adding customized mutation rules; however, this is something we are looking to implement in the future.

What can I expect in a typical 100 PC network including servers and workstations to spend in hours when performing bruteforcing? Does speed change between Metasploit Editions, say Community vs. Pro?

We would very much like to give you an answer for this; however, it really depends on many factors such as network speed, mutation rules, password combinations, number of services, etc. The best way to learn is to actually try this on your own network with your custom configuration. This way you can create your baseline and go from there. The running speed of any task does not differ between editions.

Do you have any suggestion for a good place to get a good username and password list to use?

Here is a collection of mirrors:

If you are interested in building personalized wordlists for specific situations, here is a good starting point: Errata Security: Extracting the SuperFish certificate.

We started using task chains extensively and at some point realized that they don't function as setup when we update the machines. Are task chains dependent on the projects created?

Yes, task chains are project dependent and cannot be replicated across projects.


How often are you utilizing embedded outdated, insecure components of applications and systems for exploitation (similar to GHOST)?

When a high impact vulnerability becomes available, the turnaround is usually pretty fast. When Shellshock came out, there was an exploit released within 24 hours. The turnaround time really depends on how difficult (or easy) the issue is to exploit, on whether there's a reasonable network vector (rather than a merely local-only vulnerability), and on the likely impact of the vulnerability.

If the Metasploit framework is unable to break a hash, say an MD5 hash, what other resources would you use or how would you go about using Metasploit to figure out how to crack the hash?

We have recently added a tool to look up MD5 hashes on publicly available databases:

Additionally, you can combine John the Ripper and Metasploit to attack MD5 hashes with this module: modules/auxiliary/analyze/jtr_linux.

Could you add a service to find default login credentials for Tomcat?

There is a Metasploit module already for Tomcat to perform login attempts. It is called "Tomcat Application Manager Login Utility" and its path is "auxiliary/scanner/http/tomcat_mgr_login". Additionally, here is our module database. Feel free to search for other modules.

With the release of msfvenom, is there going to be any compatibility with users who have developed payloads and tools in msfencode and msfpayload?

We don't anticipate any gaps in functionality -- msfvenom has been in "public beta" for years now, and there should already be a 1:1 feature parity. That said, if you notice something not working for your use case between msfpayload + msfencode and msfvenom, please open a GitHub issue here.

When will GPU password cracking be available?

Currently, we do not have any plans on adding GPU password cracking as a feature. However, John the Ripper has some excellent toolchains for this, and Metasploit can import the results pretty easily.


Metasploit is a great tool however it is only a tool. PCI V3 requires that the pentest is "based on industry-accepted penetration testing approaches (for example, NIST SP800-115)". What is the penetration testing methodology used by your pentesters with Metasploit?

We believe that there is no single methodology for PCI compliance. Generally, companies use a vulnerability management solution to try to fix as many vulnerabilities as they can. Some also perform initial penetration testing, and this is where Metasploit Pro can help. Finally, consultants can come in to provide pentesting. We actually like this order because consultants should help you find the things you could not. I would not call this a methodology; however, if you approach a PCI engagement in this order, then you can get the most out of your compliance engagement, not just a PCI check in the box. Feel free to read more about this topic starting with this article: What You Should Take Away from the PCI DSS 3.0.

Is it simpler to run a WiFi penetration test using Pineapple with Metasploit Pro compared to Metasploit Framework? | Can you add WiFi pentest integration?

Once you have a connection to a WiFi network through Pineapple or any other tool, you can use Metasploit Pro or Metasploit Framework as intended, since the WiFi becomes just another network. In this case, all additional features of Pro will be available for you to use. However, as far as getting access to a WEP or WPA protected WiFi network goes, neither Metasploit Pro nor Framework has any functionality to do this, and we are not planning on adding this functionality at this time.


So some of your experts are stating that you shouldn't focus all your work on automated tools such as your own Metasploit, that you should spend the time to learn the tools individually/manually, however other experts are touting Metasploit as the be all end all tool to use. What are your thoughts on this?

Metasploit Pro can replace many tools for various tasks, thereby making the user more efficient. Additionally, we can make the argument that if you know Metasploit very well, you may not have to spend time on learning a bunch of other tools. The reality is, as long as pentesting stays a broad and complicated subject, there will always be many tools out there for different purposes, and a good pentester should always be familiar with different options.


Is there a set of questions or a methodology that can be used to interview a good pentester?

There are many approaches to interviewing a pentester. Here are two examples:

  • Hands On, Practical Interview | The interviewee is given access to a lab network with various systems along with a couple of pentesting tools, and various objectives which the interviewee is expected to complete. With this approach, the interviewer can observe the interviewee while they execute a small pentest using different tools and techniques.
  • Theoretical, Story Telling Interview | The interviewee is asked a list of questions to assess their overall knowledge (this step can be combined with the practical interview). The interviewee is also expected to share several examples of past work and discuss various situations that they had to overcome.

Interview questions will vary depending on the interviewee; however I find this article a good read.

This is it for this blog post. As always, feel free to reach out to us @metasploit if you have further questions. Thank you Metasploit Team for assisting me with these answers.

Eray Yilmaz - @erayymz

Sr. Product Manager, Metasploit

Penetration Testing is a complex process that requires attention to detail, multi-tasking, extensive knowledge of different attack vectors, available vulnerabilities and exploits, and patience. Recently erayymz, Senior Product Manager at Rapid7, spoke with pen testing professionals Leon Johnson, Senior Consultant at Rapid7, and Dustin Heywood, Manager of Security Assurance at ATB Financial. They discussed how to take advantage of automation with Metasploit Pro to simplify penetration testing processes in the webcast "Escalate your Efficiency: How to Save Time on Penetration Testing". Read on for the top 3 takeaways from their technical, in-depth conversation:

1) Metasploit is to a Pen Tester as a Scalpel is to a Surgeon

Not using automation for penetration testing is akin to a surgeon performing surgery without using tools. Historically, pen testing was a step by step approach with the ever increasing attack surface adding more steps all the time. It is immeasurably more difficult and time-consuming to keep your security strong when bogged down by the repetitive tasks required by penetration testing. Metasploit Pro makes it possible for security professionals to get extremely repetitive and labor-intensive tasks done with just a few clicks, enabling users to spend more time on customized solutions, targeted pen tests, or any other project on their plate that will ensure greater security for their organization.

2) Credential Security Flaws can be Confronted

Credentials continue to be the #1 attack vector when it comes to compromising networks. With this in mind, the Metasploit team has added a credentials management system to the Pro edition of Metasploit. Features like the Credentials Domino MetaModule and simplified bruteforcing provide huge time-savings and improved security visibility for penetration testers so that credentials are no longer an unmanageable blind spot. (These features are demo'd in the webcast - check it out now.)

3) Compliance is but a framework to build upon

Requirements in frameworks like PCI and HIPAA provide a minimum standard checklist for organizations. Truly strong security is dependent on the strength and ability of a penetration tester getting to go off script and check out possible weaknesses in networks and infrastructures beyond what regulatory guidelines cover. Tools like Metasploit Pro take away the busy legwork in the process, allowing penetration testers to get the job done more thoroughly and quickly.

The juiciest parts of the webcast were the Q&A with the live audience and getting to dive into the product to see how Metasploit Pro gets tasks like credential management, bruteforcing, AV evasion, VPN pivoting, and task chains done in a few simple clicks. To experience the full broadcast: view the on-demand webcast now.

Java Remoting: Sign Me Up!

This is a pretty exciting week for advancing the state of the art of penetration testing with Metasploit, thanks in large part to Juan Vazquez's work on the new protocol-level support for Java Remote Method Invocation (RMI). If you've never heard of it before, it's probably because, like me, you haven't done much (or any) Java programming since school. Java RMI is essentially a network-exposed API, usually listening on 1617/TCP, and, as it turns out, often enabled by accident due to some misconceptions around the native security offered. While Oracle's documentation (and other sources) suggest using an SSL or SSH tunneling mechanism to secure RMI, it looks like there are more than a few implementations where there was some... confusion... regarding the difference between a merely encoded protocol and an encrypted protocol.


Keeping up on this kind of application protocol research is pretty crucial in exposing new (to you) sources of weakness and avenues of attack in an enterprise network. After all, there are only so many CSRFs and XSSes you can report on before the client starts getting a little glassy-eyed and wondering if there's anything else to worry about in the network under test.


You can read up on Juan's working notes on the original pull request, PR4560, but if you're really serious about learning up on using this stuff on your next engagement, you should register at InfoSec Southwest, coming up in April here in Austin -- Juan will be discussing all this at length in his talk, Reviewing and Abusing Java Remote Interfaces (Server-side Attacks). It's a gripper, and you'll be better prepared to tackle it when it pops up on your next port scan.


New Modules

Since last week's blog post, we have 4 new exploits and 4 new auxiliary modules, including not only the Java RMI, but a pair of modules targeting Google's Chromecast and Amazon's Fire TV devices. That William Vu guy just seems pretty obsessed with forcing you to watch what he wants to watch if you're glued to a networked TV screen. At least he's not eavesdropping on your private conversations (yet). We also have some bruteforcing modules for Splunk, Zabbix, and Chef, three popular operations suites for managing loads of data, servers, and configurations, from the reclusive and possibly mythical Metasploit Jedi HD Moore.


Exploit modules


Auxiliary and post modules


Also be sure to check out what's included in this week's binary release of Metasploit Pro, Express, and Community over at Thao's most excellent release notes.

Metasploit 4.11.1 Released!

Hi all! I'm happy to announce that Metasploit 4.11.1, the latest dot version of Metasploit Community, Express, and Pro has been released. You can fetch the updates using the usual methods -- in the UI, with msfupdate, or with apt-get, depending on your binary distribution. Git source checkouts don't really notice these version bumps, of course, since the normal bundle install && git pull -r commands will take care of everything, and if you're that sort, you're tracking bleeding-edge HEAD anyway.


The release notes have been published here, thanks to Metasploit Documentrix Thao Doan, but the fundamental reason for this update is to get Metasploit up to Ruby 2.1.5. So, you should enjoy some fairly significant performance speedups once you get yourself updated -- it's like adding racing stripes to the side.


Adventures in UXSS

This has been a pretty big week with universal cross-site scripting (UXSS) bugs. Unlike your usual XSS, UXSS bugs live in your browser, not a particular web page, which spells trouble for your view of the World Wide Web. In order to demonstrate the disastrous effects of leaving UXSS unpatched, we disclosed R7-2015-02, a bug in the implementation of X-Frame-Options (XFO) on the web version of Google's Play Store. This XFO gap can be combined with previously disclosed UXSS bugs present in several Android browsers.


Unfortunately, it looks like Google is pretty adamant about not developing patches for pre-KitKat Android browsers, so expect to see the trend in Android malware masquerading as legitimate Play Store apps march steadily forward. More broadly, non-malicious, but merely unscrupulous, app developers have every incentive to continue preying on these (often brand new) lower-end devices, since installing and triggering their apps without user knowledge or assent is pretty drop-dead easy and I imagine a fine way to boost your installation numbers.


It's important to reiterate that the module by Joe Vennix depends on a gap in X-Frame-Options based protections around the Play store. It's possible that Google could mitigate this attack for pre-KitKat browsers on that front, but unfortunately, XFO protections are really difficult to implement correctly today. XFO is great for isolating certain valuable pages from getting iframed in some other web site for the purpose of clickjacking. However, relying on XFO as a defense against all Javascript injection seems to be a bit of a Quixotic quest. It's just too easy to miss one important vector, especially if you have a domain footprint as big as -- or come to think of it,


Speaking of Microsoft, this week, Metasploit exploit warrior-monk Wei _sinn3r Chen also banged out a UXSS exploit for a vulnerability disclosed in the most recent versions of Microsoft Internet Explorer. Patch Tuesday has come and gone, but alas, this Same-Origin Policy (SOP) busting bug has not been fixed yet. So, if your current penetration testing engagement includes a phishing component, and your client makes heavy use of Internet Explorer and some intranet-based Web services, now is a pretty excellent time to get some XSS action on those sweet, sweet trusted local intranet zones. Metasploit ships with a few sample UXSS snippets to get you thinking about how to best leverage a UXSS to demonstrate risk.


Note that while the currently committed module does not support automatic XFO-busting today (unlike the Play store module), that doesn't mean evading XFO is impossible. While such evasions tend to be fairly site-specific, the tactic of sending an overlong URL to trigger a 414 (rather than a 404) response code seems to be pretty reliable for many web server configurations. In other words, if you'd like to take a crack at updating the IE UXSS module to be more generally useful in the face of XFO, patches are accepted.


New Modules

Since last week, we have four new exploits, and two new auxiliary modules (the latter being the two above-discussed UXSS-based modules). At long last, we're now shipping a towelroot-workalike module for local rooting of Android devices, thanks primarily to Tim Wright, Brent Cook, and of course, noted iPhone hacker and gentleman-about-town, Geohot. Also in the realm of local privilege escalation is Jay Smith and Matt Bergin's implementation of MS14-070, a tricky elevation bug in some versions of tcpip.sys (details on Korelogic's blog). We don't often do a lot in the way of local exploits, given that Metasploit is much more remote-oriented, but it's nice to see two come in on the same week.


Exploit modules


Auxiliary and post modules


For additional details on what's changed and what's current in 4.11.1, please see Thao's most excellent release notes.

Vulnerability Summary

Due to a lack of complete coverage for X-Frame-Options (XFO) support on Google's Play Store web application domain, a malicious user can leverage either a Cross-Site Scripting (XSS) vulnerability in a particular area of the Google Play Store web application, or a Universal XSS (UXSS) targeting affected browsers, to remotely install and launch the main intent of an arbitrary Play Store provided Android package (APK).


Affected Platforms

Many versions of Android 4.3 (Jelly Bean) and earlier ship with browsers with UXSS exposures, as discussed in this Rapid7 blog post. Users of these platforms may also have installed vulnerable aftermarket browsers, as discussed in this TrendLabs blog post. Of the vulnerable population, it is expected that many users are habitually signed into Google services, such as Gmail or YouTube. These mobile platforms are the ones most at risk. Other browsers may also be affected.


Simplified Demonstration of the XFO Gap

The following Javascript is sufficient to elicit a response from the domain without an appropriate XFO header:


document.body.innerHTML="<iframe src='"+
  (new Array(2000)).join('aaaaaaa')+"'></iframe>"


The following Ruby script also illustrates the lack of XFO:


require 'net/http'
require 'uri'

# The target host was not preserved in this post; replace the placeholder
# below with the domain under test before running.
base_url = "https://<target-domain>/"
uri = URI.parse(base_url + ("a" * 10000))  # overlong path, as in the Javascript above
@r = Net::HTTP.get_response uri
@r.each_header { |name, value| puts "#{name}: #{value}" }
if @r["x-frame-options"]
  puts @r["x-frame-options"]
else
  puts "Missing x-frame-options!"
end
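As an added example (not code from the original advisory), this Ruby script generalizes the single-URL check above into a coverage check over an ordinary page, a 404 page and an overlong-URL (414) response, and also accepts a Content-Security-Policy frame-ancestors directive as equivalent protection. The probe paths and the sample header sets are constructed here, and base_url is an assumed parameter.

```ruby
require 'net/http'
require 'uri'

# Framing protection is present if X-Frame-Options carries a recognised value
# or a Content-Security-Policy frame-ancestors directive is set. Headers are
# a Hash of downcased name => value, as Net::HTTPResponse#each_header yields.
def framing_protected?(headers)
  xfo = headers['x-frame-options'].to_s.strip.upcase
  return true if xfo == 'DENY' || xfo == 'SAMEORIGIN' || xfo.start_with?('ALLOW-FROM ')
  csp = headers['content-security-policy'].to_s.downcase
  csp.include?('frame-ancestors')
end

# Given a Hash of probe name => response headers, list the probes whose
# responses can be framed. A domain is only covered if *every* probe,
# error pages included, comes back with a framing header.
def xfo_gaps(probes)
  probes.reject { |_, headers| framing_protected?(headers) }.keys
end

# Live check (not exercised by the offline sample below): fetch the front
# page, a path that should 404, and an overlong path that many servers
# answer with 414, then report which responses lack framing protection.
# base_url is an assumed parameter, e.g. "https://example.org/".
def probe_site(base_url)
  base = URI.parse(base_url)
  paths = {
    'front page'   => '/',
    '404 page'     => '/this-path-should-not-exist-' + rand(1 << 32).to_s,
    'overlong url' => '/' + ('a' * 10_000)
  }
  probes = {}
  paths.each do |name, path|
    res = Net::HTTP.get_response(URI.join(base, path))
    headers = {}
    res.each_header { |k, v| headers[k] = v }
    probes["#{name} (HTTP #{res.code})"] = headers
  end
  xfo_gaps(probes)
end

# Constructed sample responses mirroring the gap described in the advisory:
# the ordinary page is protected, the error pages are not, and a page that
# relies on CSP instead of XFO is still counted as protected.
SAMPLE_PROBES = {
  'front page (HTTP 200)'   => { 'content-type' => 'text/html', 'x-frame-options' => 'SAMEORIGIN' },
  '404 page (HTTP 404)'     => { 'content-type' => 'text/html' },
  'overlong url (HTTP 414)' => { 'content-type' => 'text/html', 'content-length' => '0' },
  'csp page (HTTP 200)'     => { 'content-security-policy' => "frame-ancestors 'none'" }
}

if $PROGRAM_NAME == __FILE__
  gaps = xfo_gaps(SAMPLE_PROBES)
  puts gaps.empty? ? 'XFO coverage complete' : "Framable responses: #{gaps.join(', ')}"
end
```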



Using a browser not susceptible to widely known UXSS vulnerabilities, such as Google Chrome, Mozilla Firefox, or the Dolphin Browser, can help mitigate the lack of universal XFO for the domain. Not being logged into a Google account while using any browser is also an effective mitigation.


Metasploit module description

The Metasploit module combines two vulnerabilities to achieve remote code execution on affected Android devices. First, the module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in versions of Android's open source stock browser (the AOSP Browser) as well as some other browsers, prior to 4.4 (KitKat). Second, the Google Play store's web interface fails to enforce an X-Frame-Options: DENY header on some error pages, and therefore can be targeted for script injection. As a result, this leads to remote code execution through Google Play's remote installation feature, as any application available on the Google Play store can be installed and launched on the user's device.



The Play Store XFO vector was reported by Joe Vennix of Rapid7, Inc., and leverages a UXSS vulnerability reported by Rafay Baloch.




Dec 12, 2014 (Sat): Initial disclosure to, assigned issue ID 4-2061000005664

Jan 07, 2015 (Wed): Disclosure to CERT/CC, assigned VU#715092

Feb 10, 2015 (Tue): Public Disclosure and Metasploit module landed

#1 Attack Vector: Credentials

According to the Verizon Data Breach Investigations Report, credentials are the #1 attack vector used to compromise networks. This comes as no surprise. Credentials have been and most likely will continue to be one of the top attack vectors for years to come.


With credentials-based attacks becoming exponentially more topical, it's become more critical than ever to focus on credentials management and reuse. Metasploit has always provided the ability to leverage credentials in attacks, but it was a cumbersome and inefficient process. There was not an easy way to manage and use credentials that were collected from compromised systems. So in 2014, we dedicated a great deal of time to developing new features that enable our users to manage and reuse credentials easily and efficiently.


Managing Credentials Made Easy

In August of 2014, we released a major feature, a one-stop shop, to handle all credentials in a single view in Metasploit Pro. Since then, we have received tons of feedback from our customers on how it has helped them streamline the process of managing and using credentials, especially on large projects. Additionally, we also introduced a new feature that simplifies using credentials on other targets. Reusing credentials is a very common practice, but it was a very manual process before. With this improvement, we expect to save our users a lot of time by enabling them to reuse credentials very quickly and efficiently.




These two features were only half of the story. Metasploit Pro's existing bruteforce feature was lacking certain capabilities and was cumbersome to use. We also needed to provide more tools to our users to help them save even more time on their penetration testing engagements. Fast forward to December of 2014: we released a new MetaModule that simplifies reusing credentials, and we made significant improvements to the bruteforce functionality.


Owning the Network with Credentials

The new bruteforce workflow not only looks significantly better, but it also includes new functionality that enables customers to test common factory defaults and previously collected credentials. Password mutations, which were removed in Metasploit 4.10.0, were re-added to the bruteforce workflow to enable users to append and prepend characters to passwords as well as perform leetspeak substitutions. The new "Time Between Attempts" configuration helps prevent account lockouts during bruteforce attempts. I was particularly excited about the Credentials Domino MetaModule. It completely automates the credentials reuse scenario, thereby enabling our users to focus on other parts of the testing process that may require more manual effort. It also comes with a network visualization view that analyzes the results of the reuse attempts, which makes it very easy to clearly identify weak hosts within a network.



As we wrapped up 2014, I felt really good about the improvements and new features we added to Metasploit. I strongly believe 2015 will be a great year for us. We will continue to add new features, and improve usability along the way.


As always, your feedback is really important to us, feel free to reach out to us here on the Community, via Rapid7 Customer Portal, or tweet us @rapid7 and @metasploit any time.


Eray Yilmaz - @erayymz

Sr. Product Manager, Metasploit



Hello World

My name is Eray Yilmaz, and I am the new Product Manager of Metasploit. It has been three months since I joined Rapid7, and I wanted to share my experiences with you so far. Before we get to that, here is a tiny bit about myself:


I am 28, married, and a fairly new father. I went to UTSA, where I majored in Information Assurance and Information Systems, and received my B.B.A. Like anyone else in our industry, I have done my fair share of IT work, from helpdesk to managing networks, operating systems, etc. Like many geeks out there, I have used Metasploit in the past, and now I can proudly announce that I am one of the people responsible for its future.


If you want to learn more about what I have done in the past, feel free to check my LinkedIn profile.


Hello Rapid7

When I learned about the position at Rapid7, the idea of being part of a great group of people taking Metasploit to the next level really excited me. I knew about Rapid7's acquisition of Metasploit, and I was aware of their commercial products, Metasploit Express and Pro. However, I had never used the commercial versions myself, mainly because I hadn't done much pen testing in the past couple of years. As I was considering the position and going through the interviews, two things really got my attention:


1. People's Republic of Metasploit (the folks in Austin, TX): During my interview, I was amazed by the dedication and care that the Metasploit team had for the product. To them, this was not simply a product but something they truly enjoyed being part of. After the interviews, I was drawn into the role even more, and felt that I needed to be part of this amazing team (yes, we really do call ourselves the People's Republic of Metasploit).

2. Rapid7's Take on Metasploit Framework: It was super clear, from day one, that Rapid7 really respects the Metasploit community and understands its importance. Rapid7 truly believes that Metasploit Framework and Metasploit Community are just as important as our commercial versions. I was really moved by this, since it is hard to find companies that support open source projects at this level.


At this point, things were looking great, and I went ahead and made the decision to accept the position and move my family to Austin, TX.


Past Three Months

I am not going to lie; the first month was hard. One of the best things about Rapid7 is also one of the hardest things you have to go through as a new employee. Despite the fact that Rapid7 is a 15-year-old company, it does not act like one. It is very much like a startup, which I like a lot. This is why I was meeting with so many people to learn as much about the company as possible, which at times felt like drinking from a fire hose. I spent almost a month trying to understand everything about the company and getting to know the Metasploit team as well as I could.


One of the things I liked the most was how much our customers cared about the product as well. I had numerous customer calls to talk about the product and to listen to their thoughts and feedback on how we can make the product even better. I truly believe that when you have customers invested in your product, not just financially, it makes the team even more dedicated to improving it.


Metasploit Framework

Before I say anything else, I want to thank our open source community for supporting Metasploit Framework, which would not be the great tool it is today without your support.

Tod Beardsley and I are always brainstorming about how we can push the Metasploit Framework forward. One of the things on our radar is to make educational content available to our users and exploit committers. todb and tdoan are doing great work with the external resource portal to make it easier to locate external educational content. You can expect more initiatives like this to come up in the future.


Metasploit Community / Express / Pro
As I was coming up to speed, I was also learning a lot about the commercial products, specifically Metasploit Pro. It was clear to me that this version gives the user two distinct advantages:


1. Web Interface: We all know pen testing can get really complicated, especially if you are dealing with many targets at one time. One of the advantages of using a graphical interface is that it makes it easier to handle multiple work streams (multi-tasking) thereby improving efficiency and enabling the user to do more things in a short period of time. Metasploit's user interface tries to do just that, making it easier and more efficient for the user. While this is certainly true for users new to pen testing, veteran pen-testers maintain a preference for Framework. That’s ok by us. Framework is an awesome product and with your help it continues to get even better. We will keep investing in the UI version to make pen-testers as efficient as possible. Stay tuned for 2015 as you will see many UI improvements coming up in near future.


2. Pro Features: Metasploit Pro is powered by Metasploit Framework, along with some additional features, such as MetaModules, reporting functions, social engineering features, the vulnerability validation wizard, etc. Some of these are additional capabilities that are only available in Metasploit Pro, and some of them are designed to automate common tasks.


I want to finish this blog post by saying that there are many challenges ahead of us, both on the Framework and the commercial side, and we are happy to accept those challenges and convert them into opportunities to make Metasploit even better in the future. I am super happy to be part of the People's Republic of Metasploit.


Eray Yilmaz - @erayymz

Sr. Product Manager, Metasploit

Updating Like It's 1999

Now, before I get started, let me just say that I love the folks over at Malwarebytes. They do a lot of good work, and I'm constantly recommending their products to my friends and family in those vulnerable times of need. And if that all sounds like an apology, it is. Sorry, guys. But dang.


This week, we have an exploit module from community contributor Gabor Seljan which exploits a design flaw in the way MalwareBytes handled updates prior to October of 2014. This flaw was reported by Yonathan Klijnsma in June of 2014. It turned out that the update check was done entirely over cleartext, relying completely on trusting that this unauthenticated, unencrypted connection was legitimate.


In other words, a malicious actor -- say, a malware author -- could hijack the process that Malwarebytes used to check for updates by monkeying with anything in that trust chain -- the HTTP responses, the DNS resolution of MalwareBytes' content hosts, or simply by hijacking name resolution via a malicious entry in the local hosts file. By using that last technique, I'm able to quite reliably hijack the update process and drop a Meterpreter shell on the victim.




As shown here, sometimes there's a race, and MalwareBytes identifies my Meterpreter executable as a threat -- but I get the shell anyway. That's pretty fun. Also, once I've hijacked the update, I seem to have a permanent, respawnable shell. Any time I restart the Anti-Malware client, it executes my saved payload, and I get a reconnect to my Metasploit listener. Even uninstalling and re-installing Anti-Malware in the usual way didn't seem to wipe my evil update. Only a revert to snapshot (as a VM) did the trick.


Now, if the malware is already on the endpoint and has sufficient permissions, it can do whatever it wants, with or without this vulnerability. This attack is only reasonable if the attacker can poison DNS responses, interfere with the HTTP connection, or otherwise meddle with the network traffic without first having to get on the target. This is completely possible when the victim is on an untrusted local network, though that's a more difficult trick. But even the local attack is much easier if there is no attempt at secure comms.


This brings up several concerns. First, if you're going to be operating in the hostile space of malware, you absolutely need to ensure that you're, at a minimum, using reasonably secure protocols for communication. In this day and age, it's pretty unconscionable to rely on plaintext for anything important. As Ian Goldberg said at his ShmooCon 2014 address, we need to get to a point where ciphertext is the default. There's really no excuse any more. Death to HTTP.


Another troubling thing here is that while CVE-2014-4936 was assigned, and the vulnerability was reported to the vendor, there seems to be no mention of this problem in MalwareBytes' release notes. It's customary to thank the discoverer there, but more importantly, alert the user base that this is a real problem and they need to update, pronto. So, while Yonathan was thanked in the Hall of Fame, users don't appear to have been alerted. Even if they were, they would update normally... and are exposed to exactly the risk introduced by the vulnerability in the first place. It's a Catch-22 for sure, but MalwareBytes could and can mitigate this by offering some kind of offline update and announcement, and some hash signatures of a safe, manual update. So far, that doesn't seem to have happened. No release note, no announcement on Twitter, no sticky post on its forums... nothing. This is not a healthy response from a security-centered company.
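To make the mitigation concrete, here is an added example (not code from this post, from Malwarebytes, or from the Metasploit module) of the checks an update client has to make before it trusts anything it pulled from the network: the manifest must authenticate, the download URL must be TLS-only, and the payload must match the hash the authenticated manifest pins. The vendor key, update bytes, file name and host are all constructed for the example; HMAC stands in for the asymmetric signature a real updater would verify, only because the Python standard library has no Ed25519 or RSA primitive.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed sample key, labelled as such. A production updater would ship a
# public key and verify an asymmetric signature (e.g. Ed25519) instead; HMAC is
# used here only because the Python standard library has no such primitive.
VENDOR_KEY = b"constructed-example-key-not-a-real-secret"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the update file exactly as downloaded."""
    return hashlib.sha256(data).hexdigest()


def canonical(manifest: dict) -> bytes:
    """Stable serialization so vendor and client authenticate the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> str:
    """Vendor side: authenticate the manifest (name, version, URL, hash)."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_manifest(manifest: dict, tag_hex: str, key: bytes = VENDOR_KEY) -> bool:
    """Client side: constant-time comparison so the check itself leaks nothing."""
    return hmac.compare_digest(sign_manifest(manifest, key), tag_hex)


def is_acceptable_url(url: str) -> bool:
    """Policy: updates are fetched over TLS only; a cleartext URL is refused."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def verify_update(payload: bytes, manifest: dict, tag_hex: str) -> tuple:
    """Decide whether a downloaded update may be installed.

    Returns (ok, reason). Nothing from the network is acted on until the
    manifest authenticates and the payload matches the hash it pins.
    """
    if not verify_manifest(manifest, tag_hex):
        return False, "manifest signature mismatch"
    if not is_acceptable_url(manifest.get("url", "")):
        return False, "update URL is not https"
    if not hmac.compare_digest(sha256_hex(payload), manifest.get("sha256", "")):
        return False, "payload hash mismatch"
    return True, "ok"


# Constructed sample data: a fake update blob, its manifest and the vendor tag.
GOOD_UPDATE = b"MZ constructed-update-bytes version v1.2.3"
MANIFEST = {
    "name": "example-update.exe",  # hypothetical file name
    "version": "1.2.3",
    "url": "https://updates.example.invalid/example-update.exe",  # hypothetical host
    "sha256": sha256_hex(GOOD_UPDATE),
}
TAG = sign_manifest(MANIFEST)

# What an on-path tamperer or a hosts-file redirect would hand the client instead.
TAMPERED_UPDATE = GOOD_UPDATE.replace(b"v1.2.3", b"v1.2.4")


def demo() -> dict:
    """Run the interesting cases and return their (ok, reason) outcomes."""
    # Swapped file with the genuine manifest: the pinned hash catches it.
    # Rewritten hash without the vendor key: the manifest tag catches it.
    forged = dict(MANIFEST, sha256=sha256_hex(TAMPERED_UPDATE))
    # Downgrade to cleartext is refused even when the manifest is genuine.
    plain = dict(MANIFEST, url="http://updates.example.invalid/example-update.exe")
    return {
        "genuine": verify_update(GOOD_UPDATE, MANIFEST, TAG),
        "swapped_payload": verify_update(TAMPERED_UPDATE, MANIFEST, TAG),
        "forged_manifest": verify_update(TAMPERED_UPDATE, forged, TAG),
        "cleartext_url": verify_update(GOOD_UPDATE, plain, sign_manifest(plain)),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:16s} -> {'install' if ok else 'reject'} ({reason})")
```

The ordering matters: the signature is checked before any field of the manifest is used for policy, so a tampered manifest never steers the client to a host or a hash of the attacker's choosing. This is also the shape of the "hash signatures of a safe, manual update" the post asks for: publishing the pinned hash and its signature out of band lets a user verify an offline installer with the same three checks.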


I don't want to pick on MalwareBytes. Really, I don't. Everyone ships the occasional vulnerability. But if these guys, who are plenty smart and savvy to the ways of network and consumer security, dropped these particular balls, how do we expect non-expert software vendors to update and handle disclosure sensibly? We need to knock this cleartext business off for starters, that much is sure. Then, let's get some kind of consistency around communicating updates, especially in the face of bugs in the updaters themselves.


New Modules

In addition to the Anti-Malware exploit, we have ten new modules since the last Wrapup blog, including a new sandbox escape exploit for Microsoft Internet Explorer, MS15-004, implemented by our own Juan Vazquez. That's a pretty big deal -- you can read up on that over at TrendLabs.



Exploit modules


Auxiliary and post modules
