Presented at Derbycon, 2016

1. The State of the
Metasploit Framework
@egyp7

2. James Lee
@egyp7
Metasploit Developer
Community Manager
$ whoami
2

3. Statistics and
graphs and
stuff
3
http://resources.metasploit.com/

4. 229
New Modules
git log --name-only --diff-filter A --since='2015-09-25' | grep '^modules' | wc -l
4

5. Module Counts
5

6. Over 800 Pull Requests merged
github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:<2015-09-26
6

7. 176
unique authors
git log --since 2015-09-26 --format=%aE | sort | uniq -c
7

8. 4765
Commits
git log --since 2015-09-26 --format=%aE | sort | wc -l
8

9. Commits to metasploit-framework
9

10. 1588
Dead References to OSVDB
git grep OSVDB modules/ | wc -l
10

11. Cool Stuff Grab Bag

12. Breaking up is hard to do
Rex is huge and old
We’re slowly but surely breaking it up into smaller pieces
12

13. New msfconsole commands
options (alias of `show options`)
advanced (alias of `show advanced`)
13

14. tools/ Organization
Context
Dev
Exploit
Memdump
Modules
Password
Recon
14

15. msu_finder
tools/exploit/msu_finder.rb
Grabs download links for Microsoft patches
ruby msu_finder.rb -q ms15-100
15

16. Mettle
Portable POSIX payload
Runs on MIPS routers, Android phones, and desktop Linux
Uses Meterpreter protocol
Brent and Adam will cover this more Sunday at 13:00
16

17. Mainframes
Lots of work by Soldier of Fortran and Bigendian Smalls
Payloads
Auth’d RCE via job system
17

18. Module Documentation
Write in markdown
Lives in documentation/modules/
View with info -d
18

19. New Modules
git log --since 2015-09-26 --name-status | grep '^As*modules'

20. Lols
multi/manage/set_wallpaper
20

21. encoder/x64/zutto_dekiru
Similar in form to shikata_ga_nai
21

22. Not a traditional encoder
Embeds x86 shellcode in an existing BMP image
XOR’d and Stego’d across all the bits
Modifies the header so the BMP itself is executable shellcode
encoder/x86/bmp_polyglot
22

23. SMB Delivery
Works like web_delivery
23

24. ImageTragick
exploit/unix/fileformat/imagemagick_delegate
You probably already forgot about this one
24

25. Shellshock
IPFire
Advantech Switches
Legend IRC Bot
Xdh IRC bot
25

26. Malware
Phoenix Exploit Kit
DarkComet
Legend IRC bot
Xdh IRC bot
26

27. Security Stuff
Fortinet SSH backdoor
Chkrootkit LPE
Metasploit Pro authenticated RCE
Metasploit Pro pre-auth cookie deserialization
27

28. Pageant Jacker
post/windows/manage/forward_pageant
Creates a local unix socket like ssh-agent(1)
Forwards to remote Pageant (PuTTY’s ssh-agent(1) equiv)
28

29. Privilege Escalation on Windows
ms16_016_webdav
ms16_032_secondary_logon_handle_privesc
windows/local/applocker_bypass
windows/misc/regsvr32_applocker_bypass_server
29

30. Privilege Escalation on Linux/Unix
chkrootkit
Exim
Docker daemon
30

31. Privilege Escalation on OSX
libmalloc
● Fun oldschool env cleaning fail
● write-file-as-root bug
31

32. Persistence on Linux
ssh
at, cron
32

33. Meterpreter

34. XOR packet obfuscation
Gets rid of the ~static strings in TLVs
34

35. New extensions
Python
Powershell
BF
35

36. Reverse Listener Comm
Set a handler listening on a Meterpreter session
36

40. Reverse Port Forwarding
portfwd add -R -L 10.0.0.40 -l 22 -p 22
40

41. ...

42. ...

43. ...

44. Windows: show_mount command
Lists all mounted filesystems
Including network shares
44

45. Android: sqlite_query command
sqlite_query -d <path> -q <query>
sqlite_query -d
/data/data/com.android.browser/databases/webviewCookiesChromium.db -q
'SELECT * from cookies'
45

46. Android
Registers itself as a service to run in the background
46

47. Get involved

48. Where
FreeNode #metasploit
community.rapid7.com
@metasploit on twitter
Github Projects
48

49. Hackathon?
Come to Austin and hang out with us
Hack all the things
● Maybe in the early summer?
● A week or so?
49

50. Questions?
@egyp7

51. Greets
FireFart
Meatballs1
Stufus
zeroSteiner
shipcod3
h00die
talos-arch3y
pedrib
51
jhale85446
mmetince
KINGSABRI
bigendiansmalls
martinvigo
nstarke
espreto
bcoles
agix
jakxx
benpturner
h0ng10
rastating
g0tmi1k
scriptjunkie
aushack