Day dawns for Metasploit 3.0

H D Moore unveils the latest release

Protecting against web application threats using SSL

What type of evasion techniques are part of 3.0?

H D Moore: Metasploit 3 supports evasion options for almost every module. The evasion options are broken down by protocol and can be seen with the "show evasions" command in the console interface. A module that uses the SMB, DCERPC, and TCP protocols can benefit from over 15 different evasion options.

These options cover settings such as the maximum DCERPC fragment size, whether to obfuscate different SMB transactions, and how many bytes to send at a time in each TCP segment. Client-side modules, such as browser exploits, support compression, chunked encoding, and unicode obfuscation, in addition to any Javascript-based encoding implemented in the module itself. Web application exploits support all of the "standard" encoding methods (unicode, hex encoding, etc) in addition to things like header padding, junk relative directories, and pipelined requests.

One of the great things about the structure of Metasploit 3 is that adding a new evasion method rarely requires the modules themselves to be updated. It's even possible to develop a loadable plugin that implements new, unpublished evasion routines (and sell it, if you wish to do so).

How much did the community contribute from the first public release to version 3.0?

H D Moore: The security community has been awesome, but we know that exploit development isn't for everyone. Even those who excel at exploit development don't always want to use someone else's framework. There are four people who actively contribute to the project and at least a dozen more that send in patches and bug reports. During the 3.0 rewrite, the Metasploit team kept close tabs on who contributed what code, and although we did receive some excellent patches, nearly 100% of the framework was written by skape, spoonm, and me.

What is going on with the license terms?

H D Moore: After watching both Snort (Sourcefire) and Nessus (Tenable) deal with license abuse and change to commercial models, we decided that the best thing we can do to avoid these problems is to remove the loophole that allows them to exist in the first place. The GPL, like most open-source licenses, allows anyone to repackage and sell your code. While we want everyone to be able to use and contribute to the Metasploit Framework, we did not want see companies profit by reselling our software. At the same time, we do want security professionals and researchers to be able to use the framework to do their jobs. After careful review of all of the OSI approved licenses, we decided to hire a lawyer and write our own. The Metasploit Framework License is the final result. We believe that the license is an excellent compromise between open-source and a commercial EULA. We realized that by placing the framework under a custom license, we are preventing other projects from reusing our code. To address this, we decided to release the entire Metasploit Rex library under the 3-clause BSD license. This library provides most of the API used by the Metasploit Framework (Sockets, SMB, HTTP, encoding, etc), but does not include any user interfaces or exploit modules.

Metasploit LLC is a Texas-based company created to hold the copyrights, trademarks, and domains of the Metasploit Project. Each of the core developers transferred their copyrights to the LLC, allowing us to enforce our licensing terms and put a corporate face on the project. The LLC earns no income, sells no services, and has no commercial plans.

Will you continue to maintain the 2.0 branch since it's under the GPL v2?

H D Moore: No. We may commit a few patches from time to time, but the branch has been "dead" since January of 2007.

This release includes support for kernel-mode payloads. What difficulties did you have to overcome to implement this feature? How does it work?

H D Moore: Matt Miller did an excellent job of designing a kernel-to-userland staging system that supports a wide range of exploits in a reliable fashion. A great description of how this stager was developed can be found in his Uninformed Journal article.

How does it work from and against Windows Vista?

H D Moore: Vista will introduce some interesting challenges when it comes to exploiting memory corruption vulnerabilities, but most of the features in Metasploit will require no modification to work on that platform. The Windows version of the framework uses the native Ruby interpreter and provides all functionality through the new web interface. As long as Ruby works properly on Vista, the Framework should work just fine.

In terms of payload coverage, there may be a few payloads that will not work completely under Vista, but these are either non-critical or easily fixed. When targeting a Vista system, the Meterpreter payload really shines, since a "generic" Meterpreter shell avoids the usual problems with running a command shell, and opens the way for local exploits through the use of dynamically loaded extensions. Kernel-mode payloads have not been tested yet, but will likely require modifications to work properly. This should be doable in a way that will maintain backwards compatibility with Windows XP SP2. The real question is whether we will find enough memory corruption bugs for these payloads to be useful.

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story


Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.