Q&A: HD Moore on Metasploit, Disclosure and Ethics

We conducted our third live chat this week, this one with HD Moore, the founder of the Metasploit Project and the CSO of Rapid7. Moore got a lot of great questions on a wide variety of topics, so if you weren’t able to join us, here’s a full transcript of the chat. 


Dennis Fisher: Hi everyone, and welcome to our live chat with HD Moore.       

Dennis Fisher: This one came in through Twitter: Where did the original idea for Metasploit come from?

HD_Moore: Metasploit was started as a curses-based network game similar to “Overkill”; the idea was that the local network would be represented as a grid and live hosts would show up as points on the map. As you ran various exploits, the payload would spawn a listener that echoed the user ID, allowing a network scanner to keep score. It was the game you could play anywhere. The game was originally called “BFEG” – the acronym should make sense for anyone who played DOOM.   

Dennis_fisher: Via Twitter: what are the commercial plans for metasploit?     

HD_Moore: As of yesterday, we now offer Metasploit Express – a commercial penetration testing product that is supported by the Rapid7 team and shares a common codebase with the open source Metasploit Framework. The Express product is made up of three components: the open source framework itself, the Workflow Manager, and the User Interface. We are using the exact same framework code in the commercial product as is available for free from the Metasploit.com web site. By using a shared codebase, we have a vested interest in making sure that the open source framework continues to improve. All exploits, payloads, and core functionality in the Express product are available through the open source framework APIs.

Dennis_fisher: Are there a lot of companies still that don’t think pen testing is important?       
HD_Moore: Over the last 10 years, awareness of vulnerability assessments and the available tools has increased dramatically. Adoption of penetration testing and the related tools and products is still behind, but this should improve as more companies become aware of the benefits gleaned from penetration testing. I personally feel that the Metasploit project has helped increase awareness in this area.             

ryanaraine: What’s your policy on disclosure as it relates to putting exploits for unpatched vulnerabilities into Metasploit? Is there a “responsible” approach to doing this, in your mind?       
HD_Moore: The official policy is that any vulnerability in the public domain is fair game to add to the Metasploit Framework. We want to make sure that for any public threat, our users have the ability to test their systems and their defenses, even if no patch is available.              

Dennis_fisher: What is the craziest/weirdest hardware platform you have seen or heard of that somebody got Metasploit running on?
HD_Moore: The most bizarre platform we have ever seen Metasploit running on was a wrist-watch; an attendee of the recent SOURCE Boston conference said that he was able to get Metasploit running on his Linux-based watch, but he had trouble getting the wifi drivers working correctly to use it.               

Dennis_fisher: via email: will there always be an open source version of the framework?       
HD_Moore: Absolutely. The great thing about the BSD license is that if we don’t do a good job of maintaining the framework, someone else can fork it. That is a great motivator to putting resources into the open source codebase.              

me: With the integration between Metasploit Express and Nexpose, what's next on the horizon?
HD_Moore: Long term we want the NeXpose and Metasploit products to be able to share data in both directions. Right now, we use Metasploit exploit information to help prioritize vulnerabilities in the NeXpose interface, and we have the ability to import NeXpose data into Metasploit (and Metasploit Express). The next step is to bring the results from a penetration test using Metasploit back into the NeXpose interface, and allow ticketing, remediation, and risk prioritization based on live penetration test results.

danuxx: What would be the difference between Metasploit Express and CANVAS/Core Impact?
HD_Moore: Tons! The goal of Metasploit Express is to make penetration testing easy to automate and extremely effective; this means going outside of just exploits and automating common penetration testing tasks. We think we made great progress with the first version of Metasploit Express, but we still have a long way to go. I want penetration testing tools and products to become as commonplace as port scanners and vulnerability assessment tools — we want penetration testing to become much more mainstream.

ryanaraine: A quick follow up: define “public domain”.
HD_Moore: By public domain, I mean any exploit being actively exploited in the wild, or where the details or patch are already public.

danuxx: What is the cost of a Metasploit Express license?
HD_Moore: Metasploit Express is about $3000 USD, per user, per year.

Darren: It seems a bulk of the security risks are based around older versions of Windows. Do you see this impacting the framework's usability in the next 2-5 years?
HD_Moore: No doubt that standard buffer overflows are going the way of the dodo when it comes to consumer operating systems. The terrible (or great, depending on what you do) thing is that all of those third-party products and rich client-side applications are still as bad as ever. We are finally seeing reasonable improvements around browser security, but we still have a long way to go before standard exploits become less effective. Long-term, I believe typical code execution flaws will start to dry up as we move to managed code platforms and sandboxes. The move to 64-bit will help as well. However, keep in mind that most of the random SCADA gear being sold today still uses old x86 processors, often running consumer operating systems.

Security-Database: As I asked you before when I first saw Metasploit merging with Rapid7, should we expect a closed-source Metasploit, as happened with Nessus?!
HD_Moore: Absolutely not. Metasploit will always be open source, regardless of what we do on the commercial side. The license guarantees this.

Dennis_fisher: via email from Mubix: If you had an “I’d rather be” sticker on your car, what would it say?       
HD_Moore: Scraping This Sticker Off

amaged: Where did all the exploit writers that we had back in the early years of this decade go?
HD_Moore: Between 2001 and 2003 many of the “old school” exploit developers moved on – some of them changed industry entirely, others went into management, and others continue to write exploits today, but either keep them private, or release them under a new handle. It's still a pretty small world when it comes to exploit development and vulnerability research.

ryanaraine: What’s the story with that badass Miami Vice white suit at Black Hat last year? Are you breaking it out again?
HD_Moore: It was a coordination fail with a friend of mine; here it is, being done right: http://www.flickr.com/photos/fredowsley/4549609341/

Fitty_RST: Is it true that black_death helped you code Metasploit?
HD_Moore: I am not sure; the core members of the Metasploit team were Matt Miller (skape) and Spoonm <real name censored>. The handle “black_death” doesn’t ring a bell.

Dennis_fisher: from Jack Daniel: what would YOU like to tell us? I know you have lots of knowledge to share.
HD_Moore: Find something you love to do, then figure out how to get paid to do it. Too many folks getting started in security look at it as a min/max of optimising skills based on potential salaries. If you are passionate about what you do, the rest is easy.

brianT: What does the HD stand for?
HD_Moore: My first name is actually “H” (one letter), my middle name is “D”; this is the name I have always had, but the reason behind it is a much longer story that requires a significant infusion of alcohol to answer.

1epi: What will be the *major* differences between Metasploit Express and the old one?
HD_Moore: Metasploit Express uses the open source framework; the advantages of Metasploit Express over the normal framework are ease of use, a slick user interface, commercial support, some really cool automation, detailed audit logs, and reporting. You can see some of the screenshots online at http://www.metasploit.com/express/gallery/

parker: People often ask me how to get started with Metasploit. I tell them to load it in a VM along with a couple of different target OSes and start banging on it. They are rarely successful. How would you answer that question?
HD_Moore: The hardest part about learning Metasploit is finding a safe target to test against. The Windows licensing model makes it really tough for us to share a standardized image; however, we just released (soon to be announced) a free Linux virtual machine you can use for target practice with both Metasploit and Metasploit Express. You can find the BitTorrent link online at http://www.metasploit.com/express/community/ and a blog post with full details will be available later today.

danuxx: What do you think about Windows OS security improvements (SafeSEH, NX, DEP, ASLR, etc.)? Is it going to be easier to bypass those security controls? Taking into consideration that Skape and others are now on the defensive side.
HD_Moore: Skape and his work on SEHOP basically killed SEH overwrites. NX, DEP, and ASLR all make things more difficult, as does the slow migration to 64-bit architectures. We are going to see more attacks against third-party applications missing these protections and much more complicated and potentially less reliable exploits for client-side applications. Over the long term, I think that memory corruption flaws will eventually be focused on embedded devices and consumer electronics, with input validation, logic bugs, and social engineering attacks becoming the norm.

danuxx: CANVAS/Core Impact deliver ready-to-use exploits with one day to one week of delay from discovery. Will Metasploit Express get the resources to do that?
HD_Moore: Metasploit Express has the ability to update within the product; it uses the same exploits and payloads that are committed to the Metasploit Framework. Currently, Metasploit has support for over 550 exploits, which is pretty competitive with the commercial offerings today. We do not see exploit coverage as a differentiator for the Express product and will continue to add exploits as we write them to the free tree. The update frequency for Express is still being defined, but weekly would give us enough time for QA and should be doable.

1epi: Who is working on exploit dev on Metasploit Express?
HD_Moore: Exploit development in the Express product is exactly the same as exploit development in the open source framework. Joshua Drake manages the exploit development process in Metasploit as a Rapid7 employee and we continue to receive contributions from around the world, which are all reviewed and sanitized by the core team.

brianT: Besides a strong passion for what you do, what else do you credit for your success?
HD_Moore: Lack of a social life and a very understanding wife 🙂

me: Can you send me instructions on getting Metasploit Express (or even Metasploit) running on my Droid 😉
HD_Moore: Express would not be supported directly on the Droid; however, you can install Express on a remote server and access the web interface from any mobile device supporting SSL and JavaScript. The interface works just fine on the iPhone and the N900. Running the open source framework on the Droid should be possible if you root it and install native Ruby; we are working on JRuby support, but it's not ready for production use yet.

offroad99ff: Are you involved in any other open source development projects?       
HD_Moore: I wish I was – I am way behind on WarVOX development and haven’t had time to significantly contribute to other projects over the last year.       

Raaka: HD: GPGPUs (Nvidia 470 or GeForce 9000 series or nForce 790 SLI motherboards, etc.) are getting cheap. Does it make any difference in exploit development or application security? Because developers are choosing to use CUDA, using hundreds of cores.
HD_Moore: I think we are starting to reach the point where GPU technology (and more importantly, compilers that don’t require refactoring) is starting to change the economics of consumer-level high-performance computing. Security algorithms that depend on raw computing power alone (the WPA hashing routine) are going to be hurt the worst; but I look forward to the day that trivial hashes are just a GPU lookup to crack.

JimK: I just heard about Metasploit Express. Can you talk about what features it has re report generation?       
HD_Moore: Metasploit Express uses a backend database to store the results of every action and the state of the target network. The reporting capabilities are split between “live reports” and “generated reports”; the live reports let you generate a report at any state of the penetration test. If you simply want to scan for live hosts and report it, just use the Scan feature and go print out a report. If you want to show the screenshots and audit logs of all of the systems you compromised, the detailed audit report covers this. The generated report types include Word and PDF; these are static once generated and do not change based on the state of the test. We also support generating XML and ZIP reports, which contain a full XML schema for building your own reports or integrating into third-party tools. Finally, we have a report type called “Replay” which exports a ZIP file containing Metasploit Console resource scripts – these can be plugged into the free framework to reproduce every successful exploit in Express on a separate system, allowing you to give your client a free value-add for reproducing your test results.

Darren: What is the relationship with the folks over at Offensive-Security, and any idea if we can expect to see more “Unleashed” documentation?
HD_Moore: We have a friendly relationship with the Offensive Security folks, but nothing formalized. Metasploit Unleashed is a great resource and we hope they continue to update it.

danuxx: Which has been the most challenging exploit that you have developed?
HD_Moore: I would split this into two categories; the ones where my skill level was severely lacking (my first exploit for the Apache chunk encoding bug took months to make reliable) and exploits where the exploit conditions are really tough. My favorite exploit is a bug in a CA product where the product would dereference a random heap pointer. By sending repeated requests that triggered an exception, the heap would never be freed, and eventually the memory address used to store the incoming request would align with the random corrupted heap pointer, leading to code execution.

thew00: What made you start doing what you do now?
HD_Moore: I have always liked breaking things; software is fun because you can keep breaking the same product over and over again without having to bust out the crazy glue. These days it's still about breaking things; it's just highly automated and methodical 🙂

t0futim: Has your position on ethical disclosure changed over the last 3 years? If so, how?
HD_Moore: My view on disclosure hasn’t changed much since I got started – my personal view is that the fastest way to fix something is to publish information about it.

ryanaraine: What OS/browser combo do you personally use? And why?
HD_Moore: Is Ryan tuning his exploits? He already has me running a Java chat client, what else does he need? (I am actually using Windows 7 64-bit and Firefox; but I spend 90% of my time inside one of the 10 VMs I have running)

danuxx: Which is the methodology you use to find bugs? Do you use SPIKE for fuzzing? 🙂
HD_Moore: I try to strike a balance between reverse engineering and fuzzing – dissect a product just enough to figure out where requests are processed and what types of inputs may cause problems, then write a specific fuzzer to target that. I wrote most of the fuzzer modules in Metasploit, which can give you some idea about my approach (modules/auxiliary/fuzzers/).

Dennis_fisher: We’re just about out of time. Thanks everyone for joining the chat, and HUGE thanks to HD for his time today. Thanks and we’ll see everyone next month for our next live chat!  
