Merry HaXmas to you! Each year we mark the 12 Days of HaXmas with 12 blog posts on hacking-related topics and roundups from the year. This year, we’re highlighting some of the “gifts” we want to give back to the community. And while these gifts may not come wrapped with a bow, we hope you enjoy them.
Breaking Records and Breaking Business
2016 brought plenty of turmoil, and InfoSec was no exception:
- Largest data breach: Largest breach ever, affecting more than 1 billion Yahoo users. And they were not alone: Oracle, LinkedIn, the Department of Justice, SnapChat, Verizon, DropBox, the IRS --- many organizations experienced, or discovered (or finally revealed the true extent of...), massive breaches this year.
- Record-breaking denial of service attacks: law enforcement efforts targeting DDoS-as-a-Service providers are encouraging, but Mirai achieved record-breaking DDoS attacks this year. It turns out those easy-to-take-for-granted devices joining the Internet of Things in droves can pack quite a punch.
- Ransomware: the end of 2015 saw a meteoritic rise in the prevalence of ransomware, and this continued in 2016. Healthcare and other targeted industries have faced 2-4x as many related attacks this year, some via increased coverage of ransomware in exploits kits, but mostly through plain old phishing.
Businesses and individuals continue to face new and increasing threats in keeping their essential systems and data secure. A static defense will not suffice: they must increase in both awareness and capability regularly in order to form a robust security program.
Metasploit Framework has grown in many ways during 2016, both through the broader community and through Rapid7 support. Let's look back through some of the highlights:
A surprisingly wide range of exploits were added to Metasploit Framework in 2016:
- Network management: NetGear, OpenNMS, webNMS, Dell, and more
- Monitoring and backup: Nagios XI, Exagrid
- Security: ClamAV, TrendMicro, Panda, Hak5 Pineapple, Dell SonicWall, Symantec -- and Metasploit itself!
- Mainframes, SCADA dashboards
- Exploit Kits: Dark Comet, Phoenix
- ExtraBACON; StageFright
- Content management/web applications: Joomla, TikiWiki, Ruby on Rails, Drupal, Wordpress forms
- Docker, Linux kernel, SugarCRM, Oracle test suite, Apache Struts, exim, Postgres, and many more!
Metasploit Framework provides many supporting tools, aside from those designed to get a session on a target. These help in collecting information from a wide variety of systems, staying resilient to unknown and changing network environments, and looking like you belong.
Some expansions to the toolbox in 2016 included:
- Additional persistence options: cron jobs, SSH keys, and boot services
- Improvements to payload handlers, including a universal handler
- Android: inject Meterpreter into an existing APK and re-sign
- Mettle: a new native POSIX Meterpreter
- PowerShell: run scripts even if PowerShell isn't installed on the target, upload to PowerShell Empire, and more
- Data collection: Amazon EC2 metadata, OS X Messages, subdomain enumeration, trusted Office locations -- even generate an org chart from Active Directory.
By the Numbers
Nearly 400 people have contributed code to Metasploit Framework during its history. And speaking of history: Metasploit Framework turned 13 this year! Long long ago, in a console (probably not too) far away:
Metasploit Framework 2.2 - 30 exploits
Has much changed in the last 12 years? Indeed!
Metasploit Framework 4.13.8 - 1607 exploits
In 2016, Metasploit contributors added over 150 new modules. Metasploit Framework's growth is powered by Rapid7, and especially by the community of users that give back by helping the project in a variety of ways, from landing pull requests to finding flags.
Topping the list of code contributors in 2016: Wei Chen (sinn3r), Brent Cook, William Vu (wvu), Dave Maloney (thelightcosine), h00die, OJ Reeves, nixawk, James Lee (egypt), Jon Hart, Tim Wright, Brendan Watters, Adam Cammack, Pedro Ribeiro, Josh Hale (sn0wfa11), and Nate Caroe (TheNaterz).
The Metasploit Framework GitHub project is approaching 4700 forks, and ranks in the top 10 for Ruby projects once again. It's also the second most starred security project on GitHub. None of this would have been possible if not for the dedication and drive of the Metasploit community. Together, we can continue to highlight flaws in existing systems, and better test the essential software of tomorrow. John Locke voiced in 1693 what open source security supporters continue to know well today: "The only fence against the world is a thorough knowledge of it."
So what about you?
- New to Metasploit? Check out the wiki for usage info and lots more!
- Need a refresher?
- Want to Contribute? Thank you! There are many forms that can take, and whether adding module documentation, fixing a bug, filing a bug, sharing an idea, or putting up a pull request for your first exploit module: these are all valuable!