HD Moore is the CSO at Rapid7 and Chief Architect of Metasploit, an open-source penetration testing platform. HD founded the Metasploit Project with the goal of becoming a public resource for exploit code research and development. Rapid7 acquired Metasploit in late 2009. In this interview HD Moore talks about the transition to Rapid7, offers details on the development and different versions of Metasploit and discusses upcoming features.
What was it like bringing a rather famous open source product with a dedicated user-base like Metasploit into a corporate environment with Rapid7?
The presence of Rapid7 behind the Metasploit Project has dramatically increased the acceptance of our software within corporate environments. A little-known fact is that customers of our commercial products also receive partial support for the open source product as part of our standard contract. This provides a level of commercial support that was not available previously.
How much did the opportunities within Rapid7 increase Metasploit development?
In the last twelve months since the acquisition, Metasploit has increased its user base by five-fold, almost doubled the number of exploit modules, and added over 150,000 lines of new code. This growth rate is due to a combination of the six dedicated developers on the core team as well as increased outreach and contributions from the community.
Most of the features in the commercial products are rooted in functionality we contributed to the open source code base. This dependency between commercial and open source allows us to continue focusing resources on the free code even while we are actively working on the commercial product line.
How much did the Metasploit user-base grow since it’s been under the Rapid7 umbrella?
We track our user base through a combination of unique IPs hitting our our online update (SVN) server. This metric represents users who actually update the product after installing it, so we feel it is more accurate than raw download counts. Prior to the acquisition, this number was approximately 22,000 unique IPs per month.
As of last September, we are at approximately 120,000 unique IPs, or a five-fold increase in active users. If we look at a combination of unique IPs that have downloaded or updated the framework over the last twelve months, the total number is now greater than one million.
What are the differences and features of the different Metasploit versions available today?
The Metasploit Framework is our open source “core”, it is provided under the liberal BSD license and its still where most of our development efforts are spent.
The Metasploit Express product, which provides a GUI (web-based), access to all of the standard Metasploit Framework features, but also exposes a workflow for conducting penetration tests with Metasploit. While the Metasploit Framework can be considered a bag of tools, Metasploit Express combines those tools to accomplish specific tasks.
The Metasploit Express interface walks through the process of scanning, exploiting, and bruteforcing a target network. Evidence can be quickly collected from compromised machines and fed back into the exploit and bruteforce tasks to go even further, using techniques like Pass-the-Hash and SSH key reuse. After the penetration test is complete, high-quality reports can be generated and used to report the findings and provide an audit log of every action taken during the test.
On October 20th, we launched Metasploit Pro, which builds on Metasploit Express to provide multi-user team support, social engineering campaigns, web application exploitation, advanced evasion techniques, and my personal favorite, VPN Pivoting. Where Metasploit Express is a great product for accelerating the penetration testing process, Metasploit Pro goes even further by enabling security teams to coordinate penetration tests through a central interface and conduct security tests at every level against the target network, from the human aspect (social engineering) down to the nitty gritty server-side exploits.
The VPN Pivot functionality in Metasploit Pro turns any compromised machine into a remote ethernet interface into the target network. This enables users to compromise an internal machine (say, through a browser exploit), and then use the VPN Pivot to continue to scan and exploit other internal machines behind the firewall.
Unlike other pivoting technologies, VPN Pivot can be used any network tool, as it creates a real interface on the Metasploit Pro system. This allows standard penetration testing and vulnerability assessments tools to be used over the interface created by Metasploit Pro. To cap things off, we added the ability do create custom reports, using the JasperSoft reporting engine and the iReport graphical report editor.
All three products share the same exploits, payloads, and libraries. The difference is the additional functionality, scalability, team support, and general scope of each tool. The Metasploit Framework is still a first class tool for exploit development and penetration testing, but the commercial products make it significantly easier to leverage these capabilities at a larger scale.
What are your plans for the near future? What features can Metasploit users look forward to?
With the Metasploit 3.5.0 release (all products share the same version number), we are going head-first into web application security. This required a huge overhaul of the backend database and we still have additional work to do in updating our web modules and filling in the gaps where coverage is missing.
Most of my personal development work is focused on the web application testing capabilities of Metasploit and making sure that we can interoperate with the other products that our users leverage today.
On the payload side, we are slowly but surely expanding Meterpreter support to platforms beyond Windows. Philip Sanderson, one of our community developers, has done an amazing job of completing the POSIX Meterpreter payload, and we are in the process of integrating his work into the framework.
Over the last few months we have also added native PHP and Java payloads, making it easier than ever to obtain advanced functionality through web application and Java server vulnerabilities. We are still investing resources into exploit coverage; both through dedicated exploit engineer, and by working with the community to port more exploits to the Metasploit platform.