The State of the Metasploit Framework.pdf

•

0 likes•9 views

egypt

Presented at Derbycon, 2016

Technology

The State of the
Metasploit Framework
@egyp7

James Lee
@egyp7
Metasploit Developer
Community Manager
$ whoami
2

Statistics and
graphs and
stuff
3
http://resources.metasploit.com/

229
New Modules
git log --name-only --diff-ﬁlter A --since='2015-09-25' | grep '^modules' | wc -l
4

Over 800 Pull Requests merged
github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:<2015-09-26
6

176
unique authors
git log --since 2015-09-26 --format=%aE | sort | uniq -c
7

4765
Commits
git log --since 2015-09-26 --format=%aE | sort | wc -l
8

1588
Dead References to OSVDB
git grep OSVDB modules/ | wc -l
10

Breaking up is hard to do
Rex is huge and old
We’re slowly but surely breaking it up into smaller pieces
12

New msfconsole commands
options (alias of `show options`)
advanced (alias of `show advanced`)
13

tools/ Organization
Context
Dev
Exploit
Memdump
Modules
Password
Recon
14

msu_ﬁnder
tools/exploit/msu_ﬁnder.rb
Grabs download links for Microsoft patches
ruby msu_finder.rb -q ms15-100
15

Mettle
Portable POSIX payload
Runs on MIPS routers, Android phones, and desktop Linux
Uses Meterpreter protocol
Brent and Adam will cover this more Sunday at 13:00
16

Mainframes
Lots of work by Soldier of Fortran and Bigendian Smalls
Payloads
Auth’d RCE via job system
17

Module Documentation
Write in markdown
Lives in documentation/modules/
View with info -d
18

New Modules
git log --since 2015-09-26 --name-status | grep '^As*modules'

encoder/x64/zutto_dekiru
Similar in form to shikata_ga_nai
21

Not a traditional encoder
Embeds x86 shellcode in an existing BMP image
XOR’d and Stego’d across all the bits
Modiﬁes the header so the BMP itself is executable shellcode
encoder/x86/bmp_polyglot
22

ImageTragick
exploit/unix/ﬁleformat/imagemagick_delegate
You probably already forgot about this one
24

Shellshock
IPFire
Advantech Switches
Legend IRC Bot
Xdh IRC bot
25

Malware
Phoenix Exploit Kit
DarkComet
Legend IRC bot
Xdh IRC bot
26

Security Stuff
Fortinet SSH backdoor
Chkrootkit LPE
Metasploit Pro authenticated RCE
Metasploit Pro pre-auth cookie deserialization
27

Pageant Jacker
post/windows/manage/forward_pageant
Creates a local unix socket like ssh-agent(1)
Forwards to remote Pageant (PuTTY’s ssh-agent(1) equiv)
28

Privilege Escalation on Windows
ms16_016_webdav
ms16_032_secondary_logon_handle_privesc
windows/local/applocker_bypass
windows/misc/regsvr32_applocker_bypass_server
29

Privilege Escalation on Linux/Unix
chkrootkit
Exim
Docker daemon
30

Privilege Escalation on OSX
libmalloc
● Fun oldschool env cleaning fail
● write-ﬁle-as-root bug
31

XOR packet obfuscation
Gets rid of the ~static strings in TLVs
34

Reverse Listener Comm
Set a handler listening on a Meterpreter session
36

Reverse Port Forwarding
portfwd add -R -L 10.0.0.40 -l 22 -p 22
40

Windows: show_mount command
Lists all mounted ﬁlesystems
Including network shares
44

Android: sqlite_query command
sqlite_query -d <path> -q <query>
sqlite_query -d
/data/data/com.android.browser/databases/webviewCookiesChromium.db -q
'SELECT * from cookies'
45

Android
Registers itself as a service to run in the background
46

Where
FreeNode #metasploit
community.rapid7.com
@metasploit on twitter
Github Projects
48

Hackathon?
Come to Austin and hang out with us
Hack all the things
● Maybe in the early summer?
● A week or so?
49

Greets
FireFart
Meatballs1
Stufus
zeroSteiner
shipcod3
h00die
talos-arch3y
pedrib
51
jhale85446
mmetince
KINGSABRI
bigendiansmalls
martinvigo
nstarke
espreto
bcoles
agix
jakxx
benpturner
h0ng10
rastating
g0tmi1k
scriptjunkie
aushack

Similar to The State of the Metasploit Framework.pdf

Chicago Docker Meetup Presentation - Mediafly

Mediafly

Enterprises today require high availability and disaster recovery for critical business systems. One of the advantages Kubernetes can bring to the table is greater reliability and stability. When disaster strikes, cluster or application recovery should be quick and dependable. Paul Curtis, Principal Solutions Architect at Weaveworks will demonstrate how to leverage Weave Kubernetes Platform and GitOps to create disaster recovery plans and highly available clusters with minimal effort on EKS. In this webinar you will learn: The 4 principles of GitOps (operations by pull request) How to build for reproducibility, security and scale with EKS from the start GitOps driven cluster and cluster lifecycle management with WKP

A GitOps model for High Availability and Disaster Recovery on EKS

Weaveworks

Jump into Squeak - Integrate Squeak projects with Docker & Github

hubx

Reverse engineering Swisscom's Centro Grande Modem

Cyber Security Alliance

LinuxLabs 2017 talk: Container monitoring challenges

Xavier Vello

Год в Github bugbounty, опыт участия

defcon_kz

bcc/BPF tools - Strategy, current tools, future challenges

IO Visor Project

BPF Tools 2017

Brendan Gregg

Es gibt viele erfolgreiche Softwareprojekte. Das bedeutet, dass viele EntwicklerInnen Applikationen und Bibliotheken weiterpflegen, die sie selbst nicht entwickelt haben. Beim Verstehen einer Codebasis steht eine Informationsquelle unmittelbar zur Verfügung: die Versionsgeschichte. Dieser Vortrag zeigt, wie die Versionsgeschichte so gestaltet werden kann, dass sie von künftigen LeserInnen einfach zu verstehen ist. Darunter finden sich Techniken wie ausführliche Commit-Messages, lineare Versionsgeschichte und Trennung von Refactorings und Änderungen.

Beautiful History

Stefan Birkner

2012 coscup - Build your PHP application on Heroku

ronnywang_tw

Cloud RPI4 tomcat ARM64

Jean-Frederic Clere

2008-06-25 Marist System z Summer Professors Series

Shawn Wells

Troubleshooting real production problems

Tier1 app

Why use JavaScript in Hardware? GoTo Conf - Berlin

TechnicalMachine

Cray XT Porting, Scaling, and Optimization Best Practices

Jeff Larkin

Magie di git

michele franzin

Elastic network of things with mqtt and micro python

Wei Lin

Ruby and Rails Packaging to Production

Fabio Kung

Pentesting111111 Cheat Sheet_OSCP_2023.pdf

faker1842002

jRecruiter - The AJUG Job Posting Service

Gunnar Hillert

Similar to The State of the Metasploit Framework.pdf (20)

Chicago Docker Meetup Presentation - Mediafly

A GitOps model for High Availability and Disaster Recovery on EKS

Jump into Squeak - Integrate Squeak projects with Docker & Github

Reverse engineering Swisscom's Centro Grande Modem

LinuxLabs 2017 talk: Container monitoring challenges

Год в Github bugbounty, опыт участия

bcc/BPF tools - Strategy, current tools, future challenges

BPF Tools 2017

Beautiful History

2012 coscup - Build your PHP application on Heroku

Cloud RPI4 tomcat ARM64

2008-06-25 Marist System z Summer Professors Series

Troubleshooting real production problems

Why use JavaScript in Hardware? GoTo Conf - Berlin

Cray XT Porting, Scaling, and Optimization Best Practices

Magie di git

Elastic network of things with mqtt and micro python

Ruby and Rails Packaging to Production

Pentesting111111 Cheat Sheet_OSCP_2023.pdf

jRecruiter - The AJUG Job Posting Service

Recently uploaded

New customer? New industry? New cloud? New team? A lot to handle! How to ensure the success of the project? Start it well! I've created the 3 areas of focus at the beginning of the project that helped me in multiple roles (BA, PO, and Consultant). Learn from real-world experiences and discover how these insights can empower you to deliver unparalleled value to your customers right from the project's start.

Powerful Start- the Key to Project Success, Barbara Laskowska

CzechDreamin

The Epson EcoTank L3210 is a high-performance and cost-efficient printer designed to meet the printing needs of both home users and small businesses. Equipped with Epson’s revolutionary EcoTank ink tank system, the Epson eliminates the need for traditional ink cartridges, thereby significantly reducing printing costs and plastic waste. With its PrecisionCore technology, this printer delivers sharp, vibrant prints for both documents and photos. Its user-friendly design ensures easy setup and operation, while its compact form factor saves valuable desk space. Whether it’s everyday printing jobs or creative projects, the Epson EcoTank L3210 provides a reliable and eco-friendly printing solution.

Buy Epson EcoTank L3210 Colour Printer Online.pdf

EasyPrinterHelp

The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf

FIDO Alliance

IoT Analytics Company Presentation May 2024

IoTAnalytics

Intro in Product Management - Коротко про професію продакт менеджера

Mark Opanasiuk

You’ve heard good data matters in Machine Learning, but does it matter for Generative AI applications? Corporate data often differs significantly from the general Internet data used to train most foundation models. Join me for a demo on building an open source RAG (Retrieval Augmented Generation) stack using Milvus vector database for Retrieval, LangChain, Llama 3 with Ollama, Ragas RAG Eval, and optional Zilliz cloud, OpenAI.

Introduction to Open Source RAG and RAG Evaluation

Zilliz

Buy Epson EcoTank L3210 Colour Printer Online.pptx

EasyPrinterHelp

Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf

FIDO Alliance

Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...

FIDO Alliance

How to differentiate Sales Cloud and CPQ on first glance might be tricky if you do not know where to look and what to look at. You will know :-) Managing the sales process within Salesforce is a common use case that can be managed with standart Sales Cloud. If you want to do entire quoting process you will find out Salesforce CPQ solution exists. What is then the difference if both can handle selling products? You will see comparison of 10 different features, which Sales Cloud and Salesforce CPQ handle differently. Simple question you will always remember if you should consider using Salesforce CPQ will be a cherry on top.

10 Differences between Sales Cloud and CPQ, Blanka Doktorová

CzechDreamin

This presentation dives into the practical applications of machine learning within Google's operations, providing a comprehensive overview of how to leverage AI technologies to solve real-world business challenges. Key Points Covered: - Introduction to Machine Learning at Google: Discussion on the role of ML and its evolution in enhancing Google's operational efficiency. - Experience Sharing: Insights into the team's long-term engagement with machine learning projects and the impacts on Google’s operational strategies. - Practical Applications: Real-world examples of ML applications within Google’s daily operations, providing a blueprint to adapt similar strategies. - Challenges and Solutions: Discussion on the challenges faced during the implementation of ML projects and the strategic solutions employed to overcome them. - Future of ML at Google: Insights into future trends in machine learning at Google and how they plan to continue integrating AI into their ecosystem.

Strategic AI Integration in Engineering Teams

UXDXConf

We're living the AI revolution and Salesforce is adapting and bring new value to their customers. Einstein products are evolving rapidly and navigating their limitations, language support, and use cases can be challenging. Let's make review of what Einstein product are available currently, what are the capabilities and what can be used for in CEE region and how Rossie.ai can help to learn Salesforce speak Czech. We will explore the Einstein roadmap and I will make a short live demo (based on your vote) of some Einstein feature.

AI revolution and Salesforce, Jiří Karpíšek

CzechDreamin

Extensible Python: Robustness through Addition - PyCon 2024

Patrick Viafore

WSO2CONMay2024OpenSourceConferenceDebrief.pptx

Jennifer Lim

Already know how to write a basic SOQL query? Great! But what about an *aggregate* SOQL query? You know, the kind that uses aggregate functions like COUNT & MAX along with GROUP BY and HAVING clauses? No? Well, get ready to learn how to slice & dice your org’s data right inside your own dev console. From finding duplicate records to prototyping summary & matrix reports, learn the ins and outs of aggregate queries during this fast-paced but admin-friendly session on advanced SOQL concepts.

SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...

CzechDreamin

AI presentation and introduction - Retrieval Augmented Generation RAG 101

vincent683379

IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx

Abida Shariff

This talk focuses on the practical aspects of integrating various telephony systems with Salesforce, drawing on examples from implementations in the Czech scene. It aims to inform attendees about the spectrum of telephony solutions available, from small to large scale, and their compatibility with Salesforce. The presentation will highlight key considerations for selecting a telephony provider that integrates smoothly with Salesforce, including important questions to support the decision-making process. It will also discuss methods for integrating existing telephony systems with Salesforce, aimed at companies contemplating or in the process of adopting this CRM platform. The discussion is designed to provide a straightforward overview of the steps and considerations involved in telephony and Salesforce integration, with an emphasis on functionality, compatibility, and the practical experiences of Czech companies.

Integrating Telephony Systems with Salesforce: Insights and Considerations, B...

CzechDreamin

Heather Hedden, Senior Consultant at Enterprise Knowledge, presented “Enterprise Knowledge Graphs: The Importance of Semantics” on May 9, 2024, at the annual Data Summit in Boston. In her presentation, Hedden describes the components of an enterprise knowledge graph and provides further insight into the semantic layer – or knowledge model – component, which includes an ontology and controlled vocabularies, such as taxonomies, for controlled metadata. While data experts tend to focus on the graph database components (RDF triple store or a label property graph), Hedden emphasizes they should not overlook the importance of the semantic layer.

Enterprise Knowledge Graphs - Data Summit 2024

Enterprise Knowledge

Where to Learn More About FDO _ Richard at FIDO Alliance.pdf

FIDO Alliance

Recently uploaded (20)

Powerful Start- the Key to Project Success, Barbara Laskowska

Buy Epson EcoTank L3210 Colour Printer Online.pdf

The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf

IoT Analytics Company Presentation May 2024

Intro in Product Management - Коротко про професію продакт менеджера

Introduction to Open Source RAG and RAG Evaluation

Buy Epson EcoTank L3210 Colour Printer Online.pptx

Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf

Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...

10 Differences between Sales Cloud and CPQ, Blanka Doktorová

Strategic AI Integration in Engineering Teams

AI revolution and Salesforce, Jiří Karpíšek

Extensible Python: Robustness through Addition - PyCon 2024

WSO2CONMay2024OpenSourceConferenceDebrief.pptx

SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...

AI presentation and introduction - Retrieval Augmented Generation RAG 101

IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx

Integrating Telephony Systems with Salesforce: Insights and Considerations, B...

Enterprise Knowledge Graphs - Data Summit 2024

Where to Learn More About FDO _ Richard at FIDO Alliance.pdf

The State of the Metasploit Framework.pdf

1. The State of the Metasploit Framework @egyp7

2. James Lee @egyp7 Metasploit Developer Community Manager $ whoami 2

3. Statistics and graphs and stuff 3 http://resources.metasploit.com/

4. 229 New Modules git log --name-only --diff-ﬁlter A --since='2015-09-25' | grep '^modules' | wc -l 4

5. Module Counts 5

6. Over 800 Pull Requests merged github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:<2015-09-26 6

7. 176 unique authors git log --since 2015-09-26 --format=%aE | sort | uniq -c 7

8. 4765 Commits git log --since 2015-09-26 --format=%aE | sort | wc -l 8

9. Commits to metasploit-framework 9

10. 1588 Dead References to OSVDB git grep OSVDB modules/ | wc -l 10

11. Cool Stuff Grab Bag

12. Breaking up is hard to do Rex is huge and old We’re slowly but surely breaking it up into smaller pieces 12

13. New msfconsole commands options (alias of `show options`) advanced (alias of `show advanced`) 13

14. tools/ Organization Context Dev Exploit Memdump Modules Password Recon 14

15. msu_ﬁnder tools/exploit/msu_ﬁnder.rb Grabs download links for Microsoft patches ruby msu_finder.rb -q ms15-100 15

16. Mettle Portable POSIX payload Runs on MIPS routers, Android phones, and desktop Linux Uses Meterpreter protocol Brent and Adam will cover this more Sunday at 13:00 16

17. Mainframes Lots of work by Soldier of Fortran and Bigendian Smalls Payloads Auth’d RCE via job system 17

18. Module Documentation Write in markdown Lives in documentation/modules/ View with info -d 18

19. New Modules git log --since 2015-09-26 --name-status | grep '^As*modules'

20. Lols multi/manage/set_wallpaper 20

21. encoder/x64/zutto_dekiru Similar in form to shikata_ga_nai 21

22. Not a traditional encoder Embeds x86 shellcode in an existing BMP image XOR’d and Stego’d across all the bits Modiﬁes the header so the BMP itself is executable shellcode encoder/x86/bmp_polyglot 22

23. SMB Delivery Works like web_delivery 23

24. ImageTragick exploit/unix/ﬁleformat/imagemagick_delegate You probably already forgot about this one 24

25. Shellshock IPFire Advantech Switches Legend IRC Bot Xdh IRC bot 25

26. Malware Phoenix Exploit Kit DarkComet Legend IRC bot Xdh IRC bot 26

27. Security Stuff Fortinet SSH backdoor Chkrootkit LPE Metasploit Pro authenticated RCE Metasploit Pro pre-auth cookie deserialization 27

28. Pageant Jacker post/windows/manage/forward_pageant Creates a local unix socket like ssh-agent(1) Forwards to remote Pageant (PuTTY’s ssh-agent(1) equiv) 28

29. Privilege Escalation on Windows ms16_016_webdav ms16_032_secondary_logon_handle_privesc windows/local/applocker_bypass windows/misc/regsvr32_applocker_bypass_server 29

30. Privilege Escalation on Linux/Unix chkrootkit Exim Docker daemon 30

31. Privilege Escalation on OSX libmalloc ● Fun oldschool env cleaning fail ● write-ﬁle-as-root bug 31

32. Persistence on Linux ssh at, cron 32

33. Meterpreter

34. XOR packet obfuscation Gets rid of the ~static strings in TLVs 34

35. New extensions Python Powershell BF 35

36. Reverse Listener Comm Set a handler listening on a Meterpreter session 36

37.

38.

39.

40. Reverse Port Forwarding portfwd add -R -L 10.0.0.40 -l 22 -p 22 40

41. ...

42. ...

43. ...

44. Windows: show_mount command Lists all mounted ﬁlesystems Including network shares 44

45. Android: sqlite_query command sqlite_query -d <path> -q <query> sqlite_query -d /data/data/com.android.browser/databases/webviewCookiesChromium.db -q 'SELECT * from cookies' 45

46. Android Registers itself as a service to run in the background 46

47. Get involved

48. Where FreeNode #metasploit community.rapid7.com @metasploit on twitter Github Projects 48

49. Hackathon? Come to Austin and hang out with us Hack all the things ● Maybe in the early summer? ● A week or so? 49

50. Questions? @egyp7

51. Greets FireFart Meatballs1 Stufus zeroSteiner shipcod3 h00die talos-arch3y pedrib 51 jhale85446 mmetince KINGSABRI bigendiansmalls martinvigo nstarke espreto bcoles agix jakxx benpturner h0ng10 rastating g0tmi1k scriptjunkie aushack