State of the Framework Address: Recent Developments in the Metasploit Framework
Presented at DerbyCon, 2011

Presentation Transcript

  • We interrupt your regularly scheduled programming to bring you…
  • The State of the Framework
  • Past
  • We must know where we came from to know where we are going
  • [Chart: release timeline from 2003 (labelled BSD) through 2007, 2008, 2009, 2010, 2011 and 2012, marking releases 3.0, 3.1, 3.2, 3.4, 3.6 and 4.0]
  • [Chart: Modules by type and release; series Post, Auxiliary and Exploit; x-axis releases 3.0, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7 and 4.0; y-axis 0 to 1400 modules]
  • [Chart: Modules Over Time; series Auxiliary, Exploit and Post; x-axis 1-Mar-2007 through 1-Jul-2011 in four-month steps; y-axis 0 to 800 modules]
  • Module Format
    • Originally tied to directory structure
      – Now more flexible
    • Module broke if you mv'd it
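An added illustration of the coupling the slide is talking about (example code written for this page, not framework code): a Metasploit module's reference name is derived from where the file sits under the modules directory, so `modules/exploits/windows/smb/ms08_067_netapi.rb` is `exploit/windows/smb/ms08_067_netapi`, and the older module format (as I remember the 3.x modules) additionally expected the Ruby class to be named after that path. The helper below reproduces the path-to-refname mapping and shows that an `mv` gives the module a different identity, so the old `use` name stops resolving. `TYPE_DIRS`, `refname_from_path` and `survives_move?` are names chosen for this example, not framework API.

```ruby
# Added example for this page (not framework code): derive a Metasploit
# module reference name from its location on disk and show why moving the
# file changes it. TYPE_DIRS, refname_from_path and survives_move? are this
# example's own names; the "type/sub/dirs/name" form of the refname and the
# modules/<type>/... layout are the real ones.
require 'pathname'

# Plural on-disk type directory -> singular type used in the refname.
# Payloads are left out: their singles/stagers/stages layout is a special case.
TYPE_DIRS = {
  'exploits'  => 'exploit',
  'auxiliary' => 'auxiliary',
  'post'      => 'post',
  'encoders'  => 'encoder',
  'nops'      => 'nop',
}.freeze

# Returns "type/sub/dirs/name" for a module file, or raises ArgumentError if
# the file is outside the modules tree, in an unknown type directory, or not .rb.
def refname_from_path(modules_root, file)
  rel = Pathname.new(file).relative_path_from(Pathname.new(modules_root)).to_s
  parts = rel.split('/')
  raise ArgumentError, "#{file} is outside #{modules_root}" if parts.first == '..'
  type = TYPE_DIRS[parts.shift]
  raise ArgumentError, "#{file} is not under a known module type directory" unless type
  raise ArgumentError, "#{file} is not a module file" unless parts.last.to_s.end_with?('.rb')
  parts[-1] = parts[-1].sub(/\.rb\z/, '')
  "#{type}/#{parts.join('/')}"
end

# Simulates `mv from to` and reports whether the module keeps its refname.
# Anything that lands outside a type directory counts as broken.
def survives_move?(modules_root, from, to)
  refname_from_path(modules_root, from) == refname_from_path(modules_root, to)
rescue ArgumentError
  false
end

if __FILE__ == $0
  root  = '/opt/metasploit/msf3/modules'
  orig  = "#{root}/exploits/windows/smb/ms08_067_netapi.rb"
  moved = "#{root}/exploits/windows/smb/old/ms08_067_netapi.rb"
  puts refname_from_path(root, orig)   # what `use` expects today
  puts refname_from_path(root, moved)  # what it becomes after the mv
  puts survives_move?(root, orig, moved)
end
```

The same derivation is why a module copied into `~/.msf4/modules/` keeps the identical refname only if the subdirectory layout under it is preserved.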
  • Uses for Metasploit
    • Running exploits, getting shells
    • Creating exploits
  • Present
  • Focuses for 4.0
    • Usability
    • Scalability
    • Passwords
    • Better payloads
    • Post exploitation
  • Usability
    • Installers that make everything easy
    • Help for most commands
    • Database command improvements
    • Msfvenom
  • Everything Works Out of the Box
    • Ruby 1.9.2
    • Postgres
    • Java (for msfgui, armitage)
    • Option to automatically update
    • pcaprub
  • The Database
    • Auto configured by installer
    • Now a core feature used by lots of modules
      – Almost all auxiliaries, many posts
    • Scales much better than before
    • Better search capabilities
    • Workspaces for logical separation
  • Scalability
  • Recent Focus on Passwords
    • Authenticated code execution by design is better than an exploit
    • Obvious: SSH, Telnet, RDP, VNC
    • Less obvious:
      – MySQL/MSSQL/PostgreSQL
      – Tomcat/Axis2/JBoss/Glassfish
      – ManageEngine
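The credential-checking step that "authenticated code execution" starts from, for one of the less obvious services on the slide, as an added example for this page (not framework code): a Tomcat-manager-style HTTP Basic-auth login check. The target is a constructed local server that imitates the manager's 401 challenge and accepts exactly one pair, the candidate list is a constructed string in Metasploit's USERPASS_FILE form (one "user password" per line), and `parse_userpass`, `try_login`, `scan_logins` and `start_fake_manager` are names chosen here.

```ruby
# Added example for this page, not framework code: try user/password pairs
# against a Tomcat-manager-style Basic-auth endpoint. The server below is a
# constructed stand-in so the example runs offline; function names are this
# example's own.
require 'socket'
require 'net/http'

# Metasploit's USERPASS_FILE format: one "user password" pair per line.
# Returns unique [user, pass] pairs, skipping blank and comment lines.
def parse_userpass(text)
  text.each_line.map(&:strip)
      .reject { |l| l.empty? || l.start_with?('#') }
      .map { |l| l.split(/\s+/, 2) }
      .map { |u, p| [u, p.to_s] }
      .uniq
end

# One attempt: GET the manager page with HTTP Basic credentials.
# 200 means the pair works; 401 means the realm rejected it.
def try_login(host, port, user, pass)
  req = Net::HTTP::Get.new('/manager/html')
  req.basic_auth(user, pass)
  res = Net::HTTP.start(host, port) do |http|
    http.read_timeout = 5
    http.request(req)
  end
  case res.code
  when '200' then :success
  when '401' then :failed
  else :unknown
  end
end

# Walk the candidate list; by default stop at the first working pair,
# since one valid login is already enough for code execution via the manager.
def scan_logins(host, port, candidates, stop_on_success: true)
  found = []
  candidates.each do |user, pass|
    next unless try_login(host, port, user, pass) == :success
    found << [user, pass]
    break if stop_on_success
  end
  found
end

# Constructed target: answers like the Tomcat manager, accepting exactly one
# user:password pair. Listens on 127.0.0.1 and returns the ephemeral port.
def start_fake_manager(valid_user, valid_pass)
  server = TCPServer.new('127.0.0.1', 0)
  expected = "#{valid_user}:#{valid_pass}"
  Thread.new do
    loop do
      client = server.accept
      begin
        next unless client.gets # request line, e.g. "GET /manager/html HTTP/1.1"
        headers = {}
        while (line = client.gets) && line != "\r\n"
          name, value = line.split(':', 2)
          headers[name.downcase] = value.to_s.strip
        end
        auth = headers['authorization'].to_s
        # Strict base64 decode; malformed input is treated as no credentials.
        supplied = auth.start_with?('Basic ') ? (auth[6..-1].unpack1('m0') rescue nil) : nil
        if supplied == expected
          body = '<html>Tomcat Web Application Manager</html>'
          client.write "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n" \
                       "Content-Length: #{body.bytesize}\r\nConnection: close\r\n\r\n#{body}"
        else
          body = 'Unauthorized'
          client.write "HTTP/1.1 401 Unauthorized\r\n" \
                       "WWW-Authenticate: Basic realm=\"Tomcat Manager Application\"\r\n" \
                       "Content-Length: #{body.bytesize}\r\nConnection: close\r\n\r\n#{body}"
        end
      ensure
        client.close
      end
    end
  end
  server.addr[1]
end

if __FILE__ == $0
  # Constructed candidate list in USERPASS_FILE form: the usual Tomcat defaults.
  wordlist = <<~LIST
    tomcat tomcat
    admin admin
    tomcat s3cret
    role1 role1
    both tomcat
  LIST
  port = start_fake_manager('tomcat', 's3cret')
  p scan_logins('127.0.0.1', port, parse_userpass(wordlist))
end
```

Against a real manager the same loop is what `auxiliary/scanner/http/tomcat_mgr_login` does on a larger scale; the point of the example is the decision rule (200 versus 401 on the manager URL) and stopping once a pair works, not the wordlist.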
  • Payloads
    • Dozens of formats and architectures
      – PHP; Java (jar, war, jsp); Win32, 64; BSD; OSX
      – x86, PPC, ARM, MIPS, cmd exec, …
    • Reverse HTTP(S) stagers for Win32, Java meterpreters
    • Railgun
  • Post Modules
    • Biggest change in a long time
    • Replaces meterpreter scripts
    • More comprehensive Post-exploitation API
      – OMG Railgun
      – Shell sessions, too
      – You should have been in Rob and Chris's talk
    • My utopian ideal: post mods work on all kinds of sessions on all supported platforms
  • Moar Passwerdz
  • Uses for Metasploit
    • Running exploits, getting shells
    • Creating exploits
    • Auxiliary modules, discovery, systems admin
    • Post exploitation, looting pwned boxes
    • Data collection and correlation
  • Future
  • Future of Exploits
    • Continued focus on Authenticated Code Exec
      – Oracle, various CMSes
    • Hack all the things
  • Future of Payloads
    • Linux meterpreter
      – Yes, I know I've been saying this for 3 years
    • Java meterpreter to keep pace with Win32
      – Thanks to mihi
    • Meterpreter needs to only load stuff that makes sense for the platform
    • IPv6 support for more stuff
      – Mostly works, 32-bit Windows and Linux payloads
      – Teredo
  • Future of Post Exploitation
    • Huge amount of community dev going into Post modules
    • Password stealers for every conceivable application that stores them
      – Thanks TheLightCosine!
    • More local privesc exploits
  • More Post Exploitation
    • More and better APIs
      – Cross-platform pilfering
    • Easier
  • Future of Modules in General
    • Some form of exploit abstraction
    • Transport should be a user option
      – Not a whole different module with the same exploit code
      – Example: PDF exploits over HTTP, FTP, SMB, email
  • Startup Time
  • Contributing Should be Easy
  • Contribution Workflow (flowchart; node labels as recovered from the slide): Find a bug; Ask about it in IRC; Submit a ticket; Tell me about it; I forgot; Remind me again; Get tired of waiting, fix it yourself; Submit a patch; Give up
  • Documentation
    • Two main sources of documentation right now
      – Reading 500k lines of ruby source
      – Asking me in IRC
    • It was hard to write, it should be hard to read, dammit!
  • Documentation
    • Updated user's guide
    • Updated developer's guide
    • Clean up rdoc
  • Installation Should be Easier
    • Everything should *really* work out of the box
    • Everything should be configurable from the command line
    • Install Express/Pro without another big download of mostly the same stuff
      – I know, shameless plug, but hey it pays for all the rest of this
  • Uses for Metasploit
    • Running exploits, getting shells
    • Creating exploits
    • Auxiliary modules, discovery, systems admin
    • Post exploitation, looting pwned boxes
    • Data collection and correlation
    • And….
  • Why?
    • Metasploit should be the first and the last tool you need
    • Anything that gets you access
      – Proof positive tool
      – Not just exploits, identities
    • Maintain that access
    • Use your access to achieve your goals
    • Store all of the above in a manageable way
  • Questions?
    • If I have ever kickbanned you in #metasploit, I'm sorry
      – But not that sorry, you should have googled more