Last updated at Thu, 08 Feb 2024 21:27:39 GMT
Don't Be (too) Naked in Vegas
Wow, it's exactly two more weeks today until DEFCON. While Rapid7 has had a vendor presence at Black Hat for many years (at booth #541), this year is, I believe, the first time that we'll have a vendor table at DEFCON. I'm super stoked about both gigs, since the Black Hat booth will give us an opportunity to unload give away a fresh new batch of Metasploit T-Shirt Design contest artifacts designed by contest winner R-OR. Check it out, pictured at right. For the DEFCON table, we'll be gouging selling a specially-branded, retro-designed T-shirt as an EFF fundraiser, since we really dig the idea of independent security researchers not going to jail for contributing their free time to various open source security projects, like ours.
I really, really like the fact that Rapid7 has taken to open-sourcing our conference swag. It resonates so well with our open source security mission. It would be so easy -- and wrong -- to try to bottle up Metasploit and take the open source projects into crippleware land. Rapid7 could reserve all the cool stuff (code AND T-shirts) for paid customers, but that's just not in our DNA. Incidentally, it would also be a disaster. Metasploit's strength, relevance, and effectiveness is hugely dependent on the efforts of the open source security community.
Now, don't get me wrong, there is some cool stuff in Metasploit Pro that you won't find elsewhere, but we remain committed to keeping the core functionality and content free and available on the Internet. Perhaps this is irrational, and it's definitely radical (in both the literal and 80's slang senses), but it's what keeps me, at least, still fired up and passionate about the social and technical missions for Metasploit.
If you'd like to meet some of the people who make Metasploit go, please drop by our table at the vendor room at DEFCON.
Speaking of giving away our secret sauce for free...
Metasploit Credential Overhaul
A few days ago, we published a new branch at our GitHub repository: the staging/electro-release branch, and the metasploit-credential repository which features an overhaul of how Metasploit credential management works. These aren't the credentials you might use to log into Metasploit Pro, mind you, these are the credentials that you pick up by some of the hundreds of password-stealing / -guessing / -cracking modules. In these days of common, default, reused, and predictable passwords for common and not-so-common devices and applications, it's difficult to justify a penetration testing engagement without having a solid run at scoring some of the client's passwords.
The idea behind the Metasploit Credential gem is to have a "fully-fledged data model for tracking, storing, importing, and reasoning about credential data," to quote Trevor Rosen, my counterpart and engineering manager for the Metasploit Applications development team here at Rapid7. It's cool computer-sciencey stuff. If you're interested in diving in, feel free to clone the GitHub repo, check out the online documentation (pulled entirely from source), and start poking around in there. None of this is in the master Framework repo yet, so don't worry too much about what all this might mean for you yet. But, we wanted to give exploit devs a heads-up about what's coming up for the next version of Metasploit.
We'll have some documentation up in just a few days, right before the pilgrimage to Las Vegas. Also, there will be some exciting news related to this open source rework. Keep an eye out.
New Modules
We have seven new modules this week, including a trio of auxiliary modules by David Bloom taking advantage of some weaknesses in DbVisualizer. Also, pay special attention to Jon Hart's most excellent NTP Protocol Fuzzer, which you should absolutely never use against a production environment unless you want to make a point about Denial of Service attacks, such as, "Hey, are you using Kerberos? When your NTP server gets borked, how do you login?" That kind of thing.
Exploit modules
- Script Web Delivery by Andrew Smith "jakx", Ben Campbell, and Chris Campbell
- Wordpress WPTouch Authenticated File Upload by Christian Mehlmauer and Marc-Alexandre Montpas
Auxiliary and post modules
- NTP Protocol Fuzzer by Jon Hart
- Joomla Bruteforce Login Utility by luisco100 exploits CVE-1999-0502
- Multi Gather DbVisualizer Connections Settings by David Bloom
- Multi Manage DbVisualizer Add Db Admin by David Bloom
- Multi Manage DbVisualizer Query by David Bloom
For additional details on what's changed and what's current, please see Chris Doughty's most excellent release notes.