The Metasploit Framework is a development platform for creating security tools and exploits. Federico Biancuzzi interviewed H D Moore to discuss what's new in release 3.0, the new license of the framework, plans for features and exploits development, and the links among the bad guys and Metasploit and the law.
Could you introduce yourself?
H D Moore: My (real) name is H D Moore, I am the founder of the Metasploit Project and work as the Director of Security Research for BreakingPoint Systems, a provider of network test equipment. I have been involved with computer security in some form since I was 12 and have worked in the network security area since 1998. I live in Austin, Texas with Meg, my awesome and very understanding wife.
How did the Metasploit Project start?
H D Moore: I started the Metasploit Project in July of 2003 as a response to the "dying" exploit development community in the United States. At the time, "responsible disclosure" was in full swing and security researchers (and their employers) were worried about the legal consequences of releasing exploit code. Metasploit's goal was to provide detailed information and code for exploit developers, penetration testers, and researchers.
What will we find inside version 3.0?
H D Moore: Metasploit 3 is an over-engineered, incredibly extensible overhaul of the original framework. The framework has evolved from a simple exploit launcher to a powerful general-purpose security toolkit. For example, Metasploit 3 includes a set of "auxiliary" modules. These modules can do just about anything. We have auxiliary modules for reconnaissance, protocol fuzzing, denial of service, and vulnerability scanning. In the future, we plan on expanding these to include a wide range of penetration testing and research related utilities.
One of the major improvements in Metasploit 3 is the ability to execute multiple modules at the same time, using the same process and instance of the framework. This allows for multiple command shells to be obtained via a single exploit instance (browser exploits, broadcast-enabled, etc). This also allows for multiple users to share and work with the same sessions. This has been further extended, via the msfweb interface, to allow anyone on the network to use the framework in their web browser.
Most of the new framework code is platform agnostic -- as long as you have a working Ruby interpreter, some amount of functionality will be available on your system. This is in contrast to Metasploit 2, which required a Cygwin environment to work on the Windows platform. I have successfully run version 3 on a Nokia 770 Internet Tablet, an OS X laptop, and Windows desktop, and of course my Gentoo linux development system.
Reading the primary goals of Metasploit 3.0 I see "Support automated network discovery and event correlation through recon modules". Would you like to tell us more?
H D Moore: First and foremost, Metasploit 3.0 provides a stable platform for security tool development. This gives us a base to develop new attacks, automation methods, and discovery techniques.
A trend in the security community is to release a proof of concept tool as a standalone application. Often times, these tools are never updated and become obsolete. I see Metasploit 3 as a way to develop these tools and proof of concepts in a way that they can continue to be maintained and will be compatible with a wide range of operating systems.
An attack tool implemented as a Metasploit 3 module can take advantage of all of the existing APIs and protocols supported by the framework. Metasploit 3 modules can provided under whatever license the author desires, including commercial. We plan to leverage this to integrate dozens of useful utilities into the framework and allow third-parties to profit for their efforts.
We would like the ability to launch an automated assessment and attack against a target network. This is already implemented in a limited fashion via the db_autopwn command, but we still need external tools to provide the vulnerability and discovery information.
Our focus after the 3.0 release is to expand the reconnaissance module set and integrate new correlation tools and plugins. Once we cover the basics of a vulnerability assessment (port scan, service detection, vulnerability identification), we can expand into automated penetration testing.
What type of evasion techniques are part of 3.0?
H D Moore: Metasploit 3 supports evasion options for almost every module. The evasion options are broken down by protocol and can be seen with the "show evasions" command in the console interface. A module that uses the SMB, DCERPC, and TCP protocols can benefit from over 15 different evasion options.
One of the great things about the structure of Metasploit 3 is that adding a new evasion method rarely requires the modules themselves to be updated. It's even possible to develop a loadable plugin that implements new, unpublished evasion routines (and sell it, if you wish to do so).
How much did the community contribute from the first public release to version 3.0?
H D Moore: The security community has been awesome, but we know that exploit development isn't for everyone. Even those who excel at exploit development don't always want to use someone else's framework. There are four people who actively contribute to the project and at least a dozen more that send in patches and bug reports. During the 3.0 rewrite, the Metasploit team kept close tabs on who contributed what code, and although we did receive some excellent patches, nearly 100% of the framework was written by skape, spoonm, and me.
What is going on with the license terms?
H D Moore: After watching both Snort (Sourcefire) and Nessus (Tenable) deal with license abuse and change to commercial models, we decided that the best thing we can do to avoid these problems is to remove the loophole that allows them to exist in the first place. The GPL, like most open-source licenses, allows anyone to repackage and sell your code. While we want everyone to be able to use and contribute to the Metasploit Framework, we did not want see companies profit by reselling our software. At the same time, we do want security professionals and researchers to be able to use the framework to do their jobs. After careful review of all of the OSI approved licenses, we decided to hire a lawyer and write our own. The Metasploit Framework License is the final result. We believe that the license is an excellent compromise between open-source and a commercial EULA. We realized that by placing the framework under a custom license, we are preventing other projects from reusing our code. To address this, we decided to release the entire Metasploit Rex library under the 3-clause BSD license. This library provides most of the API used by the Metasploit Framework (Sockets, SMB, HTTP, encoding, etc), but does not include any user interfaces or exploit modules.
Metasploit LLC is a Texas-based company created to hold the copyrights, trademarks, and domains of the Metasploit Project. Each of the core developers transferred their copyrights to the LLC, allowing us to enforce our licensing terms and put a corporate face on the project. The LLC earns no income, sells no services, and has no commercial plans.
Will you continue to maintain the 2.0 branch since it's under the GPL v2?
H D Moore: No. We may commit a few patches from time to time, but the branch has been "dead" since January of 2007.
This release includes support for kernel-mode payloads. What difficulties did you have to overcome to implement this feature? How does it work?
H D Moore: Matt Miller did an excellent job of designing a kernel-to-userland staging system that supports a wide range of exploits in a reliable fashion. A great description of how this stager was developed can be found in his Uninformed Journal article.
How does it work from and against Windows Vista?
H D Moore: Vista will introduce some interesting challenges when it comes to exploiting memory corruption vulnerabilities, but most of the features in Metasploit will require no modification to work on that platform. The Windows version of the Framework uses the native Ruby interpreter and provides all functionality through the new web interface. As long as Ruby works properly on Vista, the Framework should work just fine. In terms of payload coverage, there may be a few payloads that will not work completely under Vista, but these are either non-critical or easily fixed. When targeting a Vista system, the Meterpreter payload really shines, since a "generic" Meterpreter shell avoids the usual problems with running a command shell, and opens the way for local exploits through the use of dynamically loaded extensions. Kernel-mode payloads have not been tested yet, but will likely require modifications to work properly. This should be doable in a way that will maintain backwards compatibility with Windows XP SP2. The real question is whether we will find enough memory corruption bugs for these payloads to be useful.
How do you decide what exploits to work on?
H D Moore: I work on whatever exploit that happens to look interesting, useful, or immediately relevant to other things I am working on.
Is there any plan to develop attacks for embedded devices such as routers, smartphones, PDAs, iPhones, etc?
H D Moore: Absolutely. The difficulty with adding a new platform to Metasploit is that we can't just add exploits and payloads; we must also add architecture-specific encoders, decoding stubs, and nop-generation modules. This is a question of free time and development resources, which have both been very low while we worked on completing the 3.0 release.
And what about rootkits?
H D Moore: Rootkits and other forms of persistent backdoors have not been the focus of the Metasploit Project. We believe there are quite enough tools out there already for this purpose and have no interest in duplicating those efforts. At the same time, we realize that payloads such as VNC injection and the Meterpreter come awfully close to being a backdoor. The distinction is that no new security flaws are created by the use of these payloads. For the most part, all traces of the Metasploit payloads disappear as soon as the victim process exits or the system is rebooted.
Some people claim that your project helps the bad guys do bad things...
H D Moore: The Metasploit Framework strives to be an open platform that anyone can use for just about any purpose. Our users include security researchers, academics, system administrators, penetration testers, software vendors, and yes, even script kiddies. The value provided by making the software available to everyone outweighs any damage caused by the minority that uses the software to illegally access computer systems. The Framework isn't all that great as a script kiddie tool, since the amount of disk space and library requirements make it cumbersome to transfer between compromised hosts.
When you imagine a typical Metasploit user, what do you think of?
H D Moore: If I had to pick an average, I would say a sales engineer at a security product vendor. These folks use Metasploit to demonstrate what their products can do and what their competitor's products can't. I believe these folks actually outnumber the security researcher community.
Some pen-testers prefers doing things "by hands" and don't believe in automatic tools... do you think Metasploit is giving more power to script kiddies, or pros need it as well?
H D Moore: The Metasploit Framework is definitely a "hands-on" tool. Every aspect of exploitation can be controlled, configured, and monitored by the user. Many of the convenience features, such as automatically attaching to a spawned command shell, can be disabled at run time. The automation features in version 3.0 are crude and would likely cause havoc if used on an enterprise network. The Framework is a great way to enhance existing tools and skill sets, but will never replace the role of the penetration tester or skilled analyst. On the flip side, you really need to understand security testing to effectively use the Metasploit Framework. The user must select an exploit, understand which target would be most effective, and choose a payload appropriate for the task. Compared to commercial solutions like Core Impact, Metasploit has a high learning curve and a serious "geek factor". We like it that way.
Do you see a day when exploits and/or frameworks like Metasploit are regulated by the law?
H D Moore: Exploits are already regulated by law in some countries (France and Germany). I do what I can to prevent this from coming to pass in the United States, by donating to the EFF and trying to make a strong case for the usefulness of exploit code. In the US, exploit regulation would kill research and lead to a degrading state of security for all US companies. Vendors patch because exploits are available, without "above ground" exploits that anyone can access, there is no motivation to patch flaws.