State of the Framework Address: Recent Developments in the Metasploit Framework

Jul 05, 2015

egypt

Presented at DerbyCon, 2011
Transcript
Page 1: State of the Framework Address: Recent Developments in the Metasploit Framework
Page 2

We interrupt your regularly scheduled programming to bring you…

Page 3

The State of the Framework

Page 4

Past

Page 5

We must know where we came from to know where we are going

Page 6
Page 7
Page 8
Page 9

[Figure: release timeline. Years on the axis: 2003, 2007, 2008, 2009, 2010, 2011, 2012. Releases marked: 3.0, 3.1, 3.2 BSD, 3.4, 3.6, 4.0]

Page 10

Modules by type and release

[Chart: module count (0 to 1400) per release, 3.0 through 4.0, broken down into Post, Auxiliary and Exploit modules]

Page 11

Modules Over Time

[Chart: module count (0 to 800) from 1-Mar-2007 to 1-Jul-2011, with axis ticks at 1-Mar, 1-Jul and 1-Nov of each year, broken down into Exploit, Auxiliary and Post modules]

Page 12

Module Format

• Originally tied to directory structure

– Now more flexible

• Module broke if you mv'd it

Page 13

Uses for Metasploit

• Running exploits, getting shells

• Creating exploits

Page 14
Page 15

Present

Page 16
Page 17

Focuses for 4.0

• Usability

• Scalability

• Passwords

• Better payloads

• Post exploitation

Page 18

Usability

• Installers that make everything easy

• Help for most commands

• Database command improvements

• Msfvenom

Page 19

Everything Works Out of the Box

• Ruby 1.9.2

• Postgres

• Java (for msfgui, armitage)

• Option to automatically update

• pcaprub

Page 20

The Database

• Auto configured by installer

• Now a core feature used by lots of modules

– Almost all auxiliaries, many posts

• Scales much better than before

• Better search capabilities

• Workspaces for logical separation

Page 21

Scalability

Page 22

Recent Focus on Passwords

• Authenticated code execution by design is better than an exploit

• Obvious: SSH, Telnet, RDP, VNC

• Less obvious:

– MySQL/MSSQL/PostgreSQL

– Tomcat/Axis2/JBOSS/Glassfish

– ManageEngine

Page 23

Payloads

• Dozens of formats and architectures

– PHP; Java (jar, war, jsp); Win32, 64; BSD; OSX

– x86, PPC, ARM, MIPS, cmd exec, …

• Reverse HTTP(s) stagers for Win32, Java meterpreters

• Railgun

Page 24

Post Modules

• Biggest change in a long time

• Replaces meterpreter scripts

• More comprehensive Post-exploitation API

– OMG Railgun

– Shell sessions, too

– You should have been in Rob and Chris' talk

• My utopian ideal: post mods work on all kinds of sessions on all supported platforms

Page 25

Moar Passwerdz

Page 26

Uses for Metasploit

• Running exploits, getting shells

• Creating exploits

• Auxiliary modules, discovery, systems admin

• Post exploitation, looting pwned boxes

• Data collection and correlation

Page 27

Future

Page 28

Future of Exploits

• Continued focus on Authenticated Code Exec

– Oracle, various CMSes

• Hack all the things

Page 29

Future of Payloads

• Linux meterpreter – Yes, I know I've been saying this for 3 years

• Java meterpreter to keep pace with Win32 – Thanks to mihi

• Meterpreter needs to only load stuff that makes sense for the platform

• IPv6 support for more stuff – Mostly works, 32-bit Windows and Linux payloads

– Teredo

Page 30

Future of Post Exploitation

• Huge amount of community dev going into Post modules

• Password stealers for every conceivable application that stores them

– Thanks TheLightCosine!

• More local privesc exploits

Page 31

More Post Exploitation

• More and better APIs

– Cross-platform pilfering

• Easier

Page 32

Future of Modules in General

• Some form of exploit abstraction

• Transport should be a user option

– Not a whole different module with the same exploit code

– Example: PDF exploits over HTTP, FTP, SMB, email

Page 33

Startup Time

Page 34

Contributing Should be Easy

Page 35

Contribution Workflow

• Find a bug

• Submit a ticket

• Ask about it in IRC

• Get tired of waiting, fix it yourself

• Submit a patch

• Tell me I forgot about it

• Remind me again

• Give up

Page 36
Page 37

Documentation

• Two main sources of documentation right now

– Reading 500k lines of ruby source

– Asking me in IRC

• It was hard to write, it should be hard to read, dammit!

Page 38

Documentation

• Updated users' guide

• Updated developers' guide

• Clean up rdoc

Page 39

Installation Should be Easier

• Everything should *really* work out of the box

• Everything should be configurable from the commandline

• Install Express/Pro without another big download of mostly the same stuff

– I know, shameless plug, but hey it pays for all the rest of this

Page 40

Uses for Metasploit

• Running exploits, getting shells

• Creating exploits

• Auxiliary modules, discovery, systems admin

• Post exploitation, looting pwned boxes

• Data collection and correlation

• And….

Page 41
Page 42

Why?

• Metasploit should be the first and the last tool you need

• Anything that gets you access

– Proof positive tool

– Not just exploits, identities

• Maintain that access

• Use your access to achieve your goals

• Store all of the above in a manageable way

Page 43

Questions?

• If I have ever kickbanned you in #metasploit, I'm sorry

– But not that sorry, you should have googled more