nDepth Employee Contributions to Open Source Security Software, November 2025 Edition

METASPLOIT PROJECT

The Metasploit Project, owned by Rapid 7, is a computer security program which is the world’s most used penetration testing framework. This Free and Open Source Software (FOSS) is used by nearly all penetration testers, and is extremely common in training courses from SANS, EC-Council, and many others.

The Metasploit Project, being Open Source Software, flourishes from the contributions of the community. nDepth’s own Mike Cyr (h00die) is a frequent contributor to the project and has continued to spend their personal time conducting security research and providing enhancements to Metasploit for the benefit of the security community. This month, h00die contributed the following enhancements:

PERSISTENCE REVAMP

Much of the Metasploit contributions by h00die over the last two months have been related to persistence. The persistence revamp mentioned in our last writeup requires all persistence modules to be converted and tested, so don’t be surprised to see more and more of them. Along the way, new ideas pop up as well!

NEW MODULE: WINDOWS WSL REGISTRY PERSISTENCE

While on the surface this new module name sounds rather boring, it’s actually a first of its kind. Windows introduced Windows Subsystem for Linux (WSL) in 2016. This amazing new feature allows users to run Linux systems within Windows. Many developers flocked to this as a way to cut down on their overhead of running two complete operating systems, or other non-built-in software to windows like Docker.

The new persistence module allows for someone to establish a Linux persistence, inside of the Windows host, and launch it from Windows. This is the first metasploit module which is supposed to run on one family of operating systems but target a different one. This module can be incredibly useful for red teams and penetration testers as they test how covert they can be. Does your Windows anti-virus find Linux malware?

NEW MODULE: WINDOWS STARTUP FOLDER PERSISTENCE

Windows 95 introduced the Startup folder. Applications placed in this folder would start automatically when Windows starts. The startup folder is one of the oldest persistence methods on Windows, however Metasploit lacked the very simple module to exploit it. The wait is over; this module has now been added to the Metasploit Framework.

NEW MODULE: WINDOWS TASK SCHEDULER PERSISTENCE

Windows task scheduler is similar to the Linux cron daemon, in that it can schedule events to occur. This new persistence module utilizes this functionality to obtain persistence on Windows by scheduling a payload to execute at a user’s specified time.

NEW MODULE: WINDOWS TASK SCHEDULER PERSISTENCE

DOCUMENTATION CLEANUP

As part of hacktoberfest, h00die submitted a cleanup of module documentation. During the original formalization of the documentation specifications, it was decided that module options would be bold. Later, a spec change made each item into a level 3 heading. Unfortunately, an effort never occurred to update the previously created documentation, so this effort took care of that. In total 352 files were edited to adhere to the newer specifications.

UPDATED PERSISTENCE MODULES

Other modules were updated to the new persistence methodologies including:

Windows Service
Windows Registry
OSX/Multi Periodic Script
Linqpad

To view this month’s contributions, check the following links: