Darknet Diaries - 114: HD

Episode Date: April 5, 2022

HD Moore (https://twitter.com/hdmoore) invented a hacking tool called Metasploit. He crammed it with tons of exploits and payloads that can be used to hack into computers. What could possibly... go wrong? Learn more about what HD does today by visiting rumble.run/.

Sponsors

Support for this show comes from Quorum Cyber. They exist to defend organisations against cyber security breaches and attacks. That’s it. No noise. No hard sell. If you’re looking for a partner to help you reduce risk and defend against the threats that are targeting your business, and especially if you are interested in Microsoft Security, reach out to www.quorumcyber.com.

Support for this show comes from Snyk. Snyk is a developer security platform that helps you secure your applications from the start. It automatically scans your code, dependencies, containers, and cloud infrastructure configs, finding and fixing vulnerabilities in real time. And Snyk does it all right from the existing tools and workflows you already use. IDEs, CLI, repos, pipelines, Docker Hub, and more, so your work isn’t interrupted. Create your free account at snyk.co/darknet.

Transcript
Starting point is 00:00:00 Did you know that in 1982, a robot was arrested by the police? Yeah, get this. It was standing on North Beverly Drive in Los Angeles, and it was there handing out business cards to people. It could talk, too, and it was telling people random robot things. Well, it was causing a commotion. People were just standing around it staring, traffic jams, honking. It was making a scene.
Starting point is 00:00:24 The police wanted to put a stop to it. They looked around and in the robot to try to find who was controlling it, but they couldn't figure it out. So they started dragging it off and the robot started screaming, help, they're trying to take me apart. The officer disconnected the power source and took the robot into custody. They put it in the cop car and drove it down to the Beverly Hills police station. It turned out it was two teenage boys that were remotely controlling it. They borrowed their father's robot to pass out his robot factory business cards. It's funny how time changes our interest in things. If a robot stood on the same corner today handing out business cards, it would hardly be noticed. But in 1982, that was quite the scene.
Starting point is 00:01:07 Sometimes it just takes us a while to get accustomed to the future. These are true stories from the dark side of the internet. I'm Jack Rhysider. This is Darknet Diaries. This episode is sponsored by Delete Me. I know a bit too much about how scam callers work. They'll use anything they can find about you online to try to get at your money. And our personal information is all over the place online. Phone numbers, addresses, family members, where you work, what kind of car you drive.
Starting point is 00:01:59 It's endless. And it's not a fair fight. But I realize I don't need to be fighting this alone anymore. Now I use the help of Delete.me. Delete.me is a subscription service that finds and removes personal information from hundreds of data brokers' websites and continuously works to keep it off. Data brokers hate them because Delete.me makes sure your personal profile is no longer theirs to sell. I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found.
Starting point is 00:02:25 And then they got busy deleting things. It was great to have someone on my team when it comes to my privacy. Take control of your data and keep your private life private by signing up for Delete Me. Now at a special discount for Darknet Diaries listeners. Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and use promo code darknet at checkout. The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code darknet at checkout. That's joindeleteme.com slash darknetdiaries and use code darknet.
Starting point is 00:03:04 Support for this show comes from Black Hills Information Security. Thank you. Give them a call. I'm sure they can help. But the founder of the company, John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more. But get this, the whole thing is pay what you can. Black Hills believes that great intro security classes do not need to be expensive, and they are trying to break down barriers to get more people into the security field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers.
Starting point is 00:03:59 Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training. That's blackhillsinfosec.com. Blackhillsinfosec.com. You ready to get into it? Do you have your sixth cup of coffee today? I did, yeah. I just fell apart. You sound like a guy who's just really turned on to like, you know, 11. That's a default, I think. You talk fast. You build things quickly.
Starting point is 00:04:35 I mean, it's just moving all the time for you. Okay. So, what's your name? H.D. Moore. And what was some of the early stuff that you were doing security or hacking-wise when you were a teenager? I was an Internet hoodlum. Got my start on the old BBS days.
Starting point is 00:04:59 Hang out with a friend of mine. He'd fall asleep early, leave his Mac there with his various BBS accounts, and start dialing around, figure out what he can get to, download the zines, figure out how to dial into all the fun Unix machines in town. How to dial into all the fun Unix machines in town? See, back in the 90s, there weren't a lot of websites that you could just spend your time endlessly scrolling through. But there were a bunch of computers configured to accept connections from outsiders. And the way to
Starting point is 00:05:30 connect to these computers wasn't over the internet, but simply to dial up that phone number directly and see if a computer picked up. And if a computer picks up, now it's time to figure out what even is this machine and why is it listening to people dialing into it? And you could find some weird stuff listening for inbound connections, stuff you probably shouldn't be getting into, but the system just was not configured to stop anyone. HD lived in Austin, Texas, and was curious to find if any computers were listening
Starting point is 00:06:00 for connections in his town. So he started dialing random numbers to see if any would be picked up by a computer. At one point, my mother was working as a medical transcriptionist. And the great thing in the kind of early days of internet is that to do that, we'd have a whole lot of phone lines going to the house.
Starting point is 00:06:16 We had two or three regular POTS lines. We had an ISDN line and two computers. And she went to bed pretty early. So as soon as she was down, I was up. And I was running ToneLoc across the entire 512 area code pretty much every night for years. And then whenever you find something interesting, try to figure out what it is and what you can do with it. Some of the fun highlights from back then are like turning the HVAC on and off at the various department stores, dialing into some of the radio transmission towers and playing with
Starting point is 00:06:43 that stuff. You know, this is obviously well before I was 18 and was too concerned about the consequences. But just that whole process really got me into security, security research, and eventually the internet. This was really fun for HD. Poking around in the dark, trying to find something interesting, and then getting lost in that system for a while? He was fascinated by it all.
Starting point is 00:07:08 Eventually, the internet started forming a little more, and IRC picked up in popularity. This was just a chat room, and HD was spending a lot of time in the Phrack chat channel. Now, Phrack is the longest-running hacker magazine. The first issue was published in 1985, and by the 90s, they had quite a trove of information. If you wanted to learn how to hack or break computers,
Starting point is 00:07:29 start by reading every issue of Phrack, and by the time you're done, you'll be pretty knowledgeable of hacking. So the Phrack chat channel felt like home to HD, and he loved hanging out there, learning about hacking. We're all using our silly aliases and playing with exploits and generally causing havoc between each other. And out of the blue, I get a message from somebody saying,
Starting point is 00:07:49 hey, you're looking for a job. I'm like, yeah, I actually am. And he's like, well, you're not too far. How far are you from San Antonio? I'm like, well, I could drive there. So he sent me an interview with Computer Sciences Corporation, which is now just called CSC. And they were doing work for, I think at the time it was called AFIWC or eventually became AIA, but the Air Intelligence Agency.
Starting point is 00:08:08 So the US Air Force's intelligence wing. And they were basically building tools for various red teams inside the Air Force. And I was like, that sounds like a lot of fun, running exploits in the military. I'm all about that. So I was a really terrible programmer and I'm not much of a better one these days,
Starting point is 00:08:22 but it was a fun first job to go down there and get these somewhat vague briefs about, we need a tool that listens on the network for packets and does these things with them, or scans the network looking for open registry keys and does this other stuff. So that was my first kind of professional experience of building offensive tooling. I think it's kind of weird that a recruiter for a DOD contractor was looking in the Phrack chat room to find people to come build hacker tools in order to test the defenses of the Air Force. But that's what happened. HD was now using his hacking skills for good. And while he was in high school, even at some point while working for this contractor, they asked him to
Starting point is 00:09:03 see if he can hack into a local business. That business had actually paid for a security assessment and wanted to see if they were vulnerable. And it was a lot of fun. We basically just walked in and owned everything. It was great. Outside, inside, you know, their HP 3000 servers, everything in between.
Starting point is 00:09:17 Had a blast doing it. And we went back to CSC and said, hey, we'd like to start doing more commercial pen tests. And they came back and said, nope, we're federal. That's it. So we took the whole team and started a startup. That was Digital Defense. HD loved doing security assessments for customers.
Starting point is 00:09:32 And this is a penetration test. Customers would hire them to see if their computers were vulnerable. And they did other things too, like monitoring for security events and help secure their network better. But there was a problem, a big one, if you ask me. Back in the late 90s, exploits were hard to come by. See, let me walk you through how a typical pen test works. First, you typically want to start out with a vulnerability scanner.
Starting point is 00:09:57 This will tell you what computers are on the network, what services are running, what apps are running, and maybe even give you an idea of what versions that software is running too. Because sometimes when you connect to that computer, it'll tell you what version of software it's running. Now, as a pen tester, once you know the version of an application that a computer is running, you can go look up to see if there's any known vulnerabilities.
Starting point is 00:10:19 Maybe that's an old version that they're running. And here's where the problem lies. Suppose that, yes, you did find a system that was not updated and was running an old version of software that has a known vulnerability. It's simply not enough to tell the client that their server is not patched and needs to be updated. The client might push back and say, well, what's really the risk for not updating?
Starting point is 00:10:43 And so that's why a pen tester has to actually exploit the system to prove what could go wrong if they don't update. They need to act like an adversary would. But to get that exploit so that you can demonstrate to the client that this machine is vulnerable, that's the hard part. At least it was in the 90s. Some hacker websites would have exploits that you could download, but those were often pretty old and out of date. So then you might start feeling around in chat rooms trying to see who's got the goods. And if you're lucky, you get pointed to an FTP server to download some exploits. But it has no documentation. And who knows what this exploit does? It could be an actual virus. And as a professional penetration tester, you really can't just download some
Starting point is 00:11:32 random exploit from the internet and launch it on your customer's network. No way. Who knows what that thing does? It could infect the whole network with some nasty virus or create some backdoor that other hackers can get into. So back then, there just wasn't a place to get good exploits from. And especially, there wasn't a place to get the latest and greatest ones. As you start rolling into the 2000s, what happened is all the folks who previously were sharing their exploits with the researchers, with the community,
Starting point is 00:12:01 they all basically started either just getting real jobs and stopped sharing their tools, or they thought there was ethical issues with that. But basically, it all dried up. It turned into some commercial firms like Core Impact was started around the same time to commercialize exploit tooling. Other folks just decided they weren't doing it anymore, or they got in trouble. And so if you're a security firm trying to do pentests for your customers, it was really difficult to get exploits back then, really difficult to know whether they're safe or not without rewriting every byte of
Starting point is 00:12:26 shellcode from scratch. And so the challenge of just getting the right tools and exploits, you had to build a lot of it in-house. Well, this company that he was working for didn't really have the ability or expertise or resources to develop their own exploit toolkit. But HD, being someone who's fiercely driven and part of this hacker culture, was acquiring quite a bit of exploits and learning how they worked and was able to code some of his own. But these exploits were unorganized. They were scattered all over
Starting point is 00:12:57 his computer. The documentation wasn't there. It was hard to share it with some of his teammates. And that's why HD Moore decided to make Metasploit. Metasploit is an exploit toolkit, which basically means it's a single application that has loads of exploits built into it. So once you load it up, you can pick which exploit to use, input some parameters, and launch it on the target. It was not so great.
Starting point is 00:13:25 But it was a basic collection of vulnerabilities that HD knew and could trust that weren't filled with viruses. This little tool he built was helping him do security assessments. And now that he's made a framework, he can continually add new vulnerabilities to make it better. But there are new vulnerabilities being discovered all the time. So it was an endless job to keep adding stuff to Metasploit.
Starting point is 00:13:49 Yeah, I mean, it's a combination of finding vulnerabilities myself, sharing with friends, reporting some of them, not reporting others at the time, and then just me and my friends sharing exploits all day long. And I wrote some that weren't very good, but I'd write stuff all the time. And then you get access to one of the really interesting ones
Starting point is 00:14:04 or really high-profile ones and play with it a little bit and see what you can do with it. What ended up being the first version of Metasploit was very menu-based, very terminal-based, where you kind of pick the exploit, pick the NOP encoder, the exploit encoder and the payload and put them all together and then send it. By the time we got to Metasploit 2, we threw all that out the window and came up with the idea that you can assemble an exploit like Legos. So it wasn't, you know, prior to this, most exploits had maybe one payload, maybe two payloads. Yeah, a payload.
Starting point is 00:14:31 A payload is what you want your computer to do after a vulnerability gets exploited. Imagine a needle and syringe. The needle is the exploit. It gets you past the defenses and into the system. But an empty syringe does nothing. The payload is whatever's in the syringe, the thing that gets injected into the computer after it's penetrated. So what is a typical payload?
Starting point is 00:14:56 Well, it could be to open the door and give you command line access. Or it could be to upload a file and execute it on that computer you just got into. Or it could be to reboot the computer. The exploit is the way in, and the payload is the action taken once you get in. And yeah, the exploits that you would get your hands on back then, they had like built-in payloads. Changing the payload wasn't always even an option, unless you had access to the source code of the exploit and could build your own payload. And even if you did that, what happens the next time when you want to use that exploit with a different payload? You'd have to recompile the whole thing with something new and then fiddle with it to get it to actually work. And of course, you don't want to run some payload that someone
Starting point is 00:15:38 else made on one of your customer's computers unless you can examine the source code and see what it does. HD saw this was a problem and modularized how you build an attack. He made this easy with Metasploit, giving you the option to pick the exploit, pick the payload, and then choose your target. It made hacking a thousand times easier. So instead of being stuck with one payload to one exploit,
Starting point is 00:16:04 you could take any payload, any exploit, any encoder, any NOP generator and stick them all together into a chain. And it was great for a bunch of reasons. A lot more flexibility during pen tests. You could experiment with really interesting types of payloads that were non-standard. And because everything was randomized all the time,
Starting point is 00:16:19 a lot of the network-based detection tools couldn't keep up. Because everything was randomized? This is actually a really clever thing he added to the tool. So if you put yourself in a defender's shoes, they obviously don't want exploits being run in the network. And they want to identify them and not let those programs run, right? And a defender might even make a rule in the antivirus program that says, hey, if there's a program that is this size and has this many bytes
Starting point is 00:16:44 and is this long and is called this, then it's a known virus. Do not let this program run. Well, what Metasploit did was randomize all these parts. They'd give it a random name and a random size and all kinds of random characters simply so that antivirus tools would have a hard time detecting it. And it makes sense for Metasploit to try to evade antivirus
Starting point is 00:17:04 because securing your network should be multi-layered. The first layer would be to make sure the computers in your network are up to date and on the latest patch. And then the next layer should be to have them configured correctly. If both of those fail, then antivirus can inspect what's happening and try to stop an attack in progress. But if antivirus is blocking it, it hasn't even tested whether that system is secure or not. So it needs to go around antivirus tools to actually test the server. And a good pen tester will test multiple layers
Starting point is 00:17:36 to make sure each layer of defense is actually working. So by definition, Metasploit was evasive by default. Now, at the time, HD was using this tool to conduct penetration tests on people who wanted to see if their network was hackable. boss. And HD shows you this homebrew exploit toolkit, which is programmed to seek out and exploit known vulnerabilities in computers and has payloads built into it. Now, clearly in the right hands, this is a weapon. It's an attacker's dream come true. Some of the vulnerabilities in it are high quality and make them very dangerous, giving you access to pretty much anything at the time. Him bringing in Metasploit to work was like bringing in a bucket of hypodermic syringes with their safety caps off. And some of these were picked up off shady underground places. Some of them were DIY homemade. And with syringes, you typically see them in the hands of
Starting point is 00:18:41 highly skilled professionals like doctors or people who need beneficial medicine or drug addicts. So a bucket of syringes can be extremely dangerous or extremely beneficial. There's no real middle ground. And it was the same with Metasploit. It was a bucket of some pretty scary exploits that if you let loose in the office would be a pretty big problem. So bringing in a toolkit like this to work, well, HD's employer was not supportive of this tool. I guess more accurately, they were terrified of it. They did not want to be associated with anything I was working on. And at the same time, they were kind of stuck with me because I was running most of the test operations. Why were they terrified of it?
Starting point is 00:19:22 There's a lot of fear of exploits and liability. The worry was that if we released an exploit and someone bad used it to hack in somebody else, somehow my company would become liable. So they wanted to stay as far away from it as they possibly could. It didn't help that our primary client base were credit unions, which were kind of naturally conservative and probably still are. They didn't want to know that the people that they hired for security assessments were also releasing and open sourcing exploit tools on the internet.
Starting point is 00:19:48 This is an interesting dichotomy, isn't it? On one hand, if you're going to be testing if a company is hackable, you need these attack tools, these weapons. But nobody ever asks a pen tester, where are you going to get your weapons from? They just assume since you're a hacker, you know how to do it. But it's not like you can just type a few commands to get around some security measures. That's like reinventing the wheel every time you want to do an assessment. You need tools for the job, a set of attacks that you know work well and you can trust that won't put malware on your customer's network or cause harm. But that's a lot of work to make sure of.
Starting point is 00:20:23 And if you make a hacking tool like this for yourself and maybe put it out there for someone else to use, well, that does sound like it could come back and bite you. If someone uses it to actually commit a crime with, how much are you liable for that? So he had to make a decision on what to do with this Metasploit tool. If his work wasn't going to help him with it, what should he do with it? Well, it's one of those things where, on one hand, they wouldn't support it. On the other hand, we desperately needed this tool
Starting point is 00:20:52 to do our job. And it became a night-to-weekend thing. So I'd clock out of work, and I'd go spend the rest of the night not sleeping, working on exploits, working on shellcode, and not particularly good exploits, but I got better eventually. And finally got to the point that we had something
Starting point is 00:21:04 that was worth using all on its own. It wasn't just a crappy script or like a rewrite of a bunch of known exploits. It was actually something that had some legs to it. And, you know, that led to, I think my first trip was to Hack in the Box Malaysia to talk about it. And it was a great experience to really get feedback about how different it was from what other people were doing at the time. That really kind of helped kind of give me motivation to keep working on it. It also helped me find people to work on it with. So I met spoonm shortly after. I met Matt Miller, skape, right after that.
Starting point is 00:21:33 They joined the team and we just kind of kept it going as this kind of side project for the next few years. So in 2002 is when he first shared Metasploit with others, which immediately got a few people so interested in it, they wanted to help make it. And with a few people helping him, in 2003, he decided to release Metasploit publicly for others to download and use. After all, it was providing him a lot of value
Starting point is 00:21:57 to do his job better, so it would probably make it easier for other penetration testers to do their job too. He also decided to give it away free. And importantly, he made it open source so anyone could inspect the code to verify there's nothing too bad going on in there. So Metasploit.com was created. And that was where we first started posting some interesting variants of Windows shellcode that we came up with that were much smaller than what was available otherwise. Then eventually that became where we shared the
Starting point is 00:22:23 Metasploit framework code. The downside, of course, is it gave everyone else a target to go after. So as soon as we started posting versions of Metasploit framework to metasploit.com, we started getting DDoS attacks, exploit attempts. It got so bad that one guy actually couldn't hack our server. So he hacked our ISP, ARP spoofed the gateway by hacking the ISP's infrastructure and then used that to redirect our webpage to his own web server. So he couldn't hack our web server to deface it, but he could just redirect the entire ISP's traffic just to deface metasploit.com. Wait, the Metasploit website was getting attacked? By who?
Starting point is 00:22:55 Well, in the early days, everyone hated Metasploit. My employer hated Metasploit. Our customers hated Metasploit. They thought it was dangerous. All the black hats, all the folks who were trading exploits underground, they absolutely hated it because we're taking what they thought was theirs and making it available to everybody else.
Starting point is 00:23:10 So it's one of those things where the professionals in the space hated it because they thought it was a script-kiddie tool. The black hats hated it because they thought we're taking away
Starting point is 00:23:17 from what they had. And all the professional folks and employers and customers thought it was sketchy to start with. So it took a long time to get past that. But in the meantime, we're getting DDoS attacks,
Starting point is 00:23:27 we're having people try to deface the website, we're having folks spoof my identity and spoof all kinds of terrible things on the internet under my name, you name it. Someone decided to attack HD for publishing exploits. They couldn't figure out a good attack on him, so they spent time figuring out where he worked and decided to attack his employer. They scanned the websites that his employer had and found a demo site.
Starting point is 00:23:51 It wasn't the employer's main site. It was a tool to demonstrate how to crack passwords. Well, this demo site was running the Samba service, but it was fully patched, so there shouldn't be a way to hack into this through the Samba service. HD even tried attacking it with Metasploit, but couldn't figure out a way in. But there was someone who did know of a Samba vulnerability. They developed their own exploit and attacked HD's employer's website and tried to get inside the system.
Starting point is 00:24:17 But their payload didn't work that well, and it crashed the server. So I got this alert saying the machine was basically shut down and crashed. We're capturing all the traffic going in and out of the machine, just for fun to start with. But by doing that, we were able to carve out the initial exploit. Wow, this is fascinating. Because HD was capturing all traffic going into and out of that machine,
Starting point is 00:24:37 he was able to find the exact code that was used to exploit the Samba service, which is incredible. I mean, it's like finding a needle in a haystack. But then as he examined this code that was used to exploit the system, he realized this was a completely unknown vulnerability to everyone, which is called a zero-day exploit. HD was able to analyze this and learn how to use it himself. Did some analysis on it, contacted the Samba team saying, hey, there's a really awful remote 0day in Samba. And so we wrote our own version of that exploit, put it on Metasploit.com. And that was kind of
Starting point is 00:25:10 the beginning of a long, long war with, I don't even know which group it was, but they spent the next two weeks DDoSing our website for leaking their exploit. And not only leaking it, but running a better version. That's brilliant. Because someone didn't like that HD created Metasploit, they attacked his employer, which made him discover their exploit. And he reported that exploit to the Samba team so they could fix it. And then he added it into his tool, Metasploit. This made his attacker so much more mad at him. And he continued to get attacked like this all the time. Folks like, you know, my boss telling them to fire me, things like that. Why are people wanting you to be fired?
Starting point is 00:25:49 They felt that publishing exploits was irresponsible and I was a liability to the company and they didn't want me to have a job because of what I was doing in my spare time. Did they have a point? Did you feel it with them? It was good motivation to try harder. Okay.
Starting point is 00:26:07 So the idea that somebody is going to be upset with a side project you're working on on the weekends to the point where they're going to say, I need to get this guy HD. I'm going to ruin him. I'm going to email his boss
Starting point is 00:26:24 and tell his boss to fire him. That sounds like cancel culture to me before they even had the term cancel culture. I guess it's not that different. I feel like maybe it was the equivalent of a moral ethical dilemma for them at the time. They thought somehow I was doing something that was morally
Starting point is 00:26:40 wrong and therefore need to be punished. There's definitely a lot of that. There was pressure not just from black hat researchers and from customers who didn't like what I was doing, but also from other security vendors saying, well, if you want business with us, then you have to bury this vulnerability. You can't talk about this one.
Starting point is 00:26:56 Whoa. So when he would find a vulnerability in one of the companies that were a business partner of his employer, that company was absolutely not happy when HD published the exploit and added it into Metasploit. Because remember, Metasploit makes hacking so much easier, which means if it's in the tool, it's now easy to exploit that company's products. So they'd get mad at him and ask him to take down the blog posts that talk about this
Starting point is 00:27:22 vulnerability and remove it from the tool. And they would even threaten to take away the partner status that they had with his employer if he didn't comply. Things were getting pretty ugly and his employer was growing increasingly unhappy with HD. He was frequently finding himself in the crosshairs of many attacks. But this is his territory. Hacking, attacks, defending. That's what he does during the day as his day job. But it's also what he does at night for fun. And he even dreams about this kind of stuff.
Starting point is 00:27:57 So if someone attacks HD Moore, you know he's going to have fun with that. What happened is some vulnerability we published was being actively exploited by some black hats who were building a botnet and they were so mad about it they decided they were going to use that botnet to DDoS Metasploit.com. What they didn't realize though was like Metasploit wasn't a company. Metasploit was just like a side project I was running in my spare time and I thought the whole thing was hilarious that they were spending all this time DDoSing it.
Starting point is 00:28:19 But I didn't like the fact they were DDoSing an ISP that I liked working with. So this botnet was flooding both of his DNS names, Metasploit.com and www.metasploit.com. It was sending so much traffic that this site was unusable by anyone and was essentially down. HD investigated this botnet a bit and discovered where the botnet was being controlled from. He found their command and control server or C2 server. And they just happen to also have two command and control servers. So, you know, lightbulb goes off and is like, well, let's point www.metasploit.com to one of their C2s and
Starting point is 00:28:51 the bare domain name to the other one, and just sit back and wait a couple weeks, see what happens, right? So what happened is, because those control servers were the botnet, and the botnet was DDoSing its control servers, they got locked out of their botnet until we changed the DNS settings. So we essentially hijacked their own botnet to basically flood their own C2 indefinitely
Starting point is 00:29:07 until they finally emailed us a week later saying, please can we have it back? Wait, what? They emailed you? Yeah, because they didn't know how else to get a hold of us. So they basically lost their botnet. And we said, okay, well, don't DDoS us again. They went, okay, we won't. And that was the end of that, and we never got DDoSed again.
Starting point is 00:29:25 We're going to take a quick ad break here, but stay with us because HD is just getting started with the stories that he has. This episode is sponsored by Shopify. The new year is a great time to ask yourself, what if? When I was thinking, what if I start a podcast? My focus was on finding a catchy name,
Starting point is 00:29:44 some cool stories, and working out the best way to record. But oh, so much more goes into making a podcast than that. If you're thinking, what if I start my own business? Don't be scared off, because with Shopify, you can make it a reality. Shopify makes it simple to create your brand, open for business, and get your first sale. Get your store online easily with thousands of customizable drag-and-drop templates. And Shopify helps you manage your growing business. Shipping, taxes, and payments are all visible from one dashboard, allowing you to focus on the important stuff.
Starting point is 00:30:13 So what happens if you don't act now and someone beats you to the idea? The best time to start your new business is now with Shopify. Your first sale is closer than you think. Established in 2025. That has a nice ring to it, doesn't it? Sign up for your $1 per month trial period at shopify.com slash darknet. Go to shopify.com slash darknet and start selling with Shopify today. Shopify.com slash darknet.
Starting point is 00:30:44 Who do you associate yourself with? Because I'm feeling like you've got like three legs in three different buckets here. In one leg you're standing in the Phrack, you know, IRC channel, which is black hat hackers typically at the time, right? And these are the people who may be either just, I don't know, hacktivists or cybercriminals proper. And then you've got your relationship with the DOD and then you've got your professional relationship where you're trying to show yourself like, look, I've got some real chops here.
Starting point is 00:31:17 I can do this kind of penetration work for a fee. I'm a professional, this kind of thing. And I've got actually a tool that I'm developing that can be used for professionals. So where in this scenario do you feel like you're most at home? Good question. I definitely felt like an outsider in all those groups. The Phrack channel went through a big change right around 2000 or so
Starting point is 00:31:39 where it used to be some pretty well-respected hacker researcher types and got taken over by a group of trolls that called themselves Phrack High Council. And those folks and I did not get along and that led to this multi-year constant trolling and chaos and things like that. Even professionally, though, I didn't really have anyone I could hang out with besides my coworkers and had some good friends there. But I almost kind of felt like an outsider in all three of those camps, I guess. Yeah, because I know about this sort of infighting in kind of the hacker communities
Starting point is 00:32:10 when a hacker thinks they're hot stuff, they post something, they make a website, whatever. Other hackers will try to dox them and attack their website. And it's just constantly doing that. Did you feel like that's kind of what this was, was just hacker versus hacker? Like, look, I'm a smarter hacker than you are?
Starting point is 00:32:28 Or did it feel like, no, you're not one of us. Get the hell out of here kind of attack? It definitely wasn't friendly. Some friends and I would always go after each other's stuff and it wasn't a big deal. You say, hey, look, check your home directory. There's a file there or whatever it is. But these are folks who, they would steal your mail spool.
Starting point is 00:32:45 They'd publish it on the internet. They would forge stuff on your name. They'd try to get you fired. They'd try to get you arrested. They'd do everything. This is prior to swatting, of course. This was pretty much everything they could do to ruin your life.
Starting point is 00:32:54 This was no holds barred. We're ruining you. And, you know, good luck fighting back. So this is definitely not the fun kind. Now, by this point, HD and the team working on Metasploit have found lots of new unknown vulnerabilities themselves stuff that the software maker has no idea
Starting point is 00:33:12 is even a problem and they do this by scanning the internet attacking their own test servers and trying to break their own computers but what do you do when you find an unknown vulnerability in some software well the best avenue is to find a good way to report it to the vendor, right? But HD has had a bit of a history with reporting bugs to vendors.
Starting point is 00:33:33 When I was in my teenage years and still kind of in high school, I was working on a bunch of the NT4 exploits for fun, like the old HTR buffer overflow and things like that. And while I was puttering around one day, I found a way to bypass their country validation for downloading, I think it was like the NT4 Service Pack from Microsoft. So instead of looking at your IP address, doing
Starting point is 00:33:51 geolocation, it'd look at a parameter you put in the URL instead. And you could basically download the high encryption version of NT4 SP6 from Russia or wherever else, which was not a good thing at the time because of all the export controls. So I contacted the Microsoft security team, which was pretty nascent back then, and said, hey, you can bypass all your export controls.
Starting point is 00:34:08 This is probably not good. And they're like, well, what do you want? I'm like, I don't really want anything, but what do you got? And they said, well, what are you looking for? I'm like, can I have an MSDN license? That'd be awesome. And that was kind of the beginning of a long series of just really weird interactions with the security team there.
Starting point is 00:34:24 I'm trying to remember what an MSDN license was. MSDN was the license that gave you access to all the operating system CDs and media for everything Microsoft made. So if you had an MSDN license, you basically have a, you can install any version of Windows you want, any version of Exchange Server, all that stuff.
Starting point is 00:34:39 So as a hacker or someone doing security research, it was a goldmine because you have all the bulk installers and data all in one place. Got it. Okay. So fast forward to my first startup and finding vulnerabilities in Microsoft products and doing a lot of work on ASP.NET and skin configurations and other stuff we run into during pen testing. And Microsoft did not like having vulnerabilities reported.
Starting point is 00:34:59 They'd do anything they can to shut you up. They did not like having someone releasing exploits for vulnerabilities in their platform. The first startup I worked at was a Microsoft partner. So we had a discount for MSDN and things like that for internal licenses. And a gentleman at Microsoft kept calling our CEO saying, hey, you need to stop letting this guy publish stuff. You need to fire this person or we're going to take away your partnership license. And so they kept putting pressure on my coworkers, on my boss and the CEO to get rid of me basically because of the work I was doing to publish vulnerabilities. And that just made me angry, right?
Starting point is 00:35:32 Like I had got a chip on my shoulder pretty early on about that. And by the time I got to the Hack in the Box contest in Malaysia to announce Metasploit, they had a Windows 2000, was it Windows 2003 server? I think it was being announced at that time. And they had a CTF for it. I was like, great, I'll do the CTF. So CTF stands for capture the flag. It's a challenge that a lot of these hacker conferences have
Starting point is 00:35:54 where they put a computer in the middle of the room and see who can hack into it. In this case, it was a fully patched Windows computer and HD was curious if he could find a vulnerability to get into it. So he created some tools to send it random commands and inputs, anything that he could send to it to just try to cause it to malfunction. And sure enough, he did get a fully patched Windows computer to malfunction. So he examined the data that he sent to this computer to cause it to malfunction, and he was able to use that to create an exploit
Starting point is 00:36:26 which got him remote access to the system. Now, since this was an unknown bug to Microsoft and Microsoft was there at this hacker conference sponsoring the thing, he went up to them and told them about it. They're like, great, report it to us. I'm like, no, it's mine. Like, am I going to get a reward for it?
Starting point is 00:36:44 What are you gonna do with it? Like, I found this vulnerability. It's mine, do what I want to with it. And so I reported it to the Hack in the Box folks. I was like, hey, Microsoft's trying to pressure me to not disclose this thing that I found. That's not the point, right?
Starting point is 00:36:55 The point is, yeah, I found a bug in your server and I'm going to talk about it and I'm going to share it with you, but the idea is to go publish it afterwards. And they shut the whole thing down. So I heard secondhand that Microsoft threatened to pull sponsorship of the Hack in the Box conference if they let that vulnerability get published. So the whole thing got swept under the rug.
Starting point is 00:37:11 See, at the time, Microsoft didn't take their security as seriously as they should. They weren't publishing all the bugs that they were finding or rewarding people for the bugs they found. And as HD tells it, they were asking people to not publish bugs publicly. They thought it was just better to hide some of these attacks so that nobody knows about it. But around this time in 2002, Bill Gates sent a famous memo to everyone at Microsoft, which said security is now a priority of the business. And they started a new initiative called the Trustworthy Computing Group. Well, HD saw that this bug he found was causing problems with the conference, and he liked
Starting point is 00:37:47 the conference and didn't want them to lose their biggest sponsor. So he agreed to just sit on this bug and do nothing with it. Six months later, someone else found the same bug and reported it to Microsoft, and they were able to fix it. And it was only then that HD published his version of it. So the short version is I'm more than happy to tell the vendors about it, but I'd also want to make it public at some point. These are vendors that at the time were sitting on vulnerabilities
Starting point is 00:38:12 for more than a year or two years, maybe never disclosing it. They had no motivation to ever disclose a vulnerability reported to them, and they would do anything they could to pressure you not to. Microsoft was probably one of the biggest offenders at the time of pressuring researchers to not disclose any vulnerabilities they found. Do you know if there was even a vulnerability list that they had published at that time? I think Microsoft, I mean, there were CVEs at the time
Starting point is 00:38:36 and Microsoft had their security advisories. But the security advisories were just the tip of the iceberg. There was so much stuff being reported to them that they would just shut down. The challenge with keeping these secret, whether it's because you're the vendor and don't want people to know about it and it's bad marketing, or whether you're a black hat and trying to use it to break into systems, is that nobody else out there can protect themselves. They can't test themselves. They don't know whether they're
Starting point is 00:38:56 actually vulnerable, whether the security product they bought to prevent exploitation is actually working. So one of the great things about having a publicly available exploit for a recently disclosed vulnerability is you can make sure that all your mitigations, all your controls, all your detection are actually working the way they're supposed to. And everybody else did not want that. At the time, Microsoft's browser was Internet Explorer. And with the chip on his shoulder from dealing with Microsoft in the past,
Starting point is 00:39:22 HD decided to see how many vulnerabilities he could find in Internet Explorer. Basically, myself and a couple of friends, we put together some browser fuzzers. We used the browser's own JavaScript engine to just find hundreds and hundreds of vulnerabilities. We tested every single ActiveX control across Windows and just found bugs in all of them at once. So we basically created this mass vulnerability generator,
Starting point is 00:39:45 and we're sitting on probably like 600, 700 vulnerabilities at the time, and the vendors were just not moving on it. He kept reporting bug after bug to Microsoft. But from his perspective, nothing was getting done. And so now, what do you do when you've told the vendor about a bunch of bugs, and they didn't act on it and you have hundreds more? And it got to the point that we just gave up. We said, you know what, we're going to do an entire month.
Starting point is 00:40:11 We're going to drop 0day every single day for a month straight and we'll still have hundreds left over afterwards. And it was that particular sequence and that particular event that I think finally killed ActiveX and Internet Explorer. Why? Why do you think that? Well, after the 30th or 40th ActiveX vulnerability report of them, we're like, hey guys, we have 200 or 300 more. We can keep going all year at this point.
Starting point is 00:40:34 And it was a good indication that they realized there was no safe way to implement ActiveX control loading in Internet Explorer. Microsoft was realizing the security in their products wasn't cutting it. They needed to do better. And they were working on that. In fact, what they started doing was offering jobs to people
Starting point is 00:40:51 who were reporting bugs to them. So if you were someone who was previously reporting a bunch of vulnerabilities to Microsoft, all of a sudden you got a job offer instead. I mean, there's an amazing security research group called Last Stage of Delirium out of Poland. And three of the four folks that were part of this group joined Microsoft during this time. Well, did they contact you?
Starting point is 00:41:12 We're friends. I met them in Malaysia and I'd see them at conferences and stuff like that. I definitely got a few offers from Microsoft early on, but I kind of pushed back with ridiculous terms like no way in hell, essentially. Mostly because I felt like they didn't really have the best interest of the community at heart. They would shut down anything I was working on. And for the most part, it was true. Folks who took a job at Microsoft after doing vulnerability research before, you never heard a peep out of them again.
Starting point is 00:41:40 Can you imagine if that happened if HD got hired by Microsoft? They might have tried to close down Metasploit altogether. What a loss that would have been. Because Metasploit was starting to pick up some traction. And while it was hated by many, it was being used by many more. Pen testers all over were beginning to use it as one of their primary tools to test the security of a network. It was shaping up to be a vital and amazing tool as a pen tester, because it made their job so much easier than before.
Starting point is 00:42:10 As the need for pen testers rose, the need for better pen tester tools rose too. And of course, the whole time Metasploit was free and open source, so the community could just look at the source code and verify there wasn't anything malicious getting installed on someone's computer once you hack into it. The security community was slowly adopting it and liking it more and more every day. Well, as time went on, Microsoft really did step up their game on handling bugs found by researchers. They were patching things much quicker
Starting point is 00:42:37 and were learning that they cannot control the bugs that outside researchers discover. And that's kind of a hard thing even for companies to understand today. If someone finds a bug in your product, you can't control what that person does with that bug. You can try to offer a bug bounty reward to them, but that doesn't mean researchers will take it. They might sell it to someone else or publish it publicly for everyone to see. Software vendors cannot control what people do with the bugs they find. And people like HD, who was just publishing vulnerabilities all the time, were making that point crystal clear.
Starting point is 00:43:15 Microsoft has an internal conference that's just for Microsoft employees. It's called Blue Hat. And at some point, they started inviting security researchers from outside Microsoft to come talk at it. HD knew one of the researchers who was giving a talk and was invited to come co-present at Blue Hat. So HD got to go to this exclusive Microsoft conference and present to their developers. I just imagine your talk is just like, here are the 400 things wrong with Microsoft. Yeah, there's a lot of that.
Starting point is 00:43:47 It was like, you know, one of the good examples, back in, was it 2005 or so, I was on the flight over to Blue Hat and I was playing with a toolkit that I was calling like Karmetasploit at the time or Karma meets Metasploit. Karma was a way to convince wireless clients to join your fake access point
Starting point is 00:44:02 and then immediately start talking to you and try to authenticate to you like you're a file share or a printer. So essentially, if you had your Wi-Fi card enabled, let's say on an airplane, and someone was running this tool on a different laptop on the same airplane, they would then join your fake access point, try to access company resources automatically, give you their password most times, and then provide a lot of exploitable scenarios where you can actually take over the machine. So we thought it'd be fun to run this tool on the actual airplane as we're flying to Blue Hat.
Starting point is 00:44:28 And lo and behold, we end up collecting a bunch of password hashes from Microsoft employees in the process. You little stinker. It was fun times. Where are you on this whole responsible disclosure thing? Do you want to get this stuff fixed ASAP? Or are you more like,
Starting point is 00:44:48 what do you think you should do with vulnerability if you find it? After going down that path a few hundred times, the fastest way to get a vulnerability fixed is to publish it on the internet that day. Whether that's responsible or not, it's effective. Well, he has a point. It's true. If you find a bug and want it fixed as fast as possible,
Starting point is 00:45:04 make it known to the world in the biggest and loudest way, and it will get fixed fast. But even though that's the fastest path to getting a bug fixed, it's not the responsible way to do it. Because doing that exposes a lot of people who can't do anything to stop that attack. It means criminals can use it before it's fixed. And this puts a lot of people at risk, which means you're probably doing more damage than helping. It's better to privately tell the software maker and give them time to fix it.
Starting point is 00:45:33 But then when they aren't fixing it, and you've given them plenty of time, then they might need a little fire under them to get them moving on it. Sometimes to get a company motivated, you've got to give them a little bad PR. Definitely depends on the vulnerability. These days I've been leaning towards
Starting point is 00:45:51 kind of a 98 disclosure policy where you tell the vendor about it for 45 days, then you tell somebody else about it as a dead man's switch. And if the vendor sits on it and it leaks, the other person's going to publish it no matter what. I've been using that strategy by working with US-CERT for the last few years where whenever I publish a vulnerability to a vendor, they
Starting point is 00:46:07 get 45 days of only them having access to it. And then 45 days later, it goes to US-CERT, or sorry, CERT/CC. And they're basically guaranteed to publish after 45 days. So the great thing about that model is you're splitting the responsibility. You're making sure that the vendor takes it seriously and gets the patch out in time. But you're also not having to publish it directly on the internet. So having a third party like that really reduces the ability of the vendor to pressure any individual researcher from not disclosing because it's already in the hands of another party at that point. There are a few groups that have adopted this same model. Trend Micro has the Zero Day Initiative, and Google has Project Zero.
Starting point is 00:46:46 Both of these groups look for vulnerabilities and report them to the vendor and then give the vendor 90 days to fix it and then they're going to publish it publicly. So the vendor knows if they get a bug report from any of these groups, they have to act quick and get it fixed before it becomes public
Starting point is 00:47:00 because that would be a PR nightmare. And it's wild to see major tech firms like Google playing this sort of hardball game with software makers. But this has been working pretty well. It's also interesting to note that HP bought Trend Micro and a few times the Zero Day Initiative has found vulnerabilities in HP products, which didn't get fixed in that 90-day window. And so the Zero Day Initiative published HP vulnerabilities publicly. It was wild and refreshing to see them even treat their parent company the same way as everyone else.
Starting point is 00:47:33 Yeah, it was great. I mean, I think it's effective. Sometimes you have to. I mean, the folks I chatted with at HP about it, they're like, yep, that's the only way that team's going to get the resources they need to fix the product is if we publish it as zero-day. At some point, Metasploit got a new feature called Meterpreter. Meterpreter was the brainchild of Matthew Miller, skape, and a lot of other folks worked on it,
Starting point is 00:47:53 but he was really the architect behind it. Meterpreter is a payload. Remember, the payload is the action you want to happen after your exploit opens the door for you. But the Meterpreter payload is kind of like the ultimate payload. It lets you do so much on the target system that you just hacked into. You can look at what processes are running. You can upload a file to that system or download a file. It helps you elevate your privileges or grab the hash file where the passwords are stored. I mean, think about
Starting point is 00:48:21 that for a second. Let's say you use Metasploit to get into a computer and with one command, hashdump, it knows exactly where the password file is on that computer and it just goes and grabs it and downloads it to your computer so you can just start cracking passwords locally if you want. You don't need to know where the password files are stored on that computer. Meterpreter knows that for you. You just need to know the one command, hashdump, and you got them. But Meterpreter does so much more than this. It lets you turn the mic on and listen to anything the mic is picking up. It lets you turn the webcam on and see what that computer can see.
Starting point is 00:48:53 It lets you take screenshots of what the user is doing right now. It lets you install a key logger if you want to see what keys the user is pushing. Meterpreter is incredible. But with a payload like this, it makes a Metasploit so much more dangerous. I mean, all these features can be easily abused by the wrong
Starting point is 00:49:14 person and can cause lots of damage. On the vendor side, it was scary for them because instead of exploits being these really, you know, simple payloads that they would drop, they could easily detect. Now, exploits could drop anything. They could drop TLS-encrypted connectbacks.
Starting point is 00:49:31 They could drop basically mini-malwares instead that are able to automatically dump password hashes and communicate back over any protocol you want. So we made the payload side of the exploitation process incredibly more complicated and way more powerful. This is kind of one of those points where some of the features of Metasploit, especially around Meterpreter,
Starting point is 00:49:53 start getting really close to the malware world. Right, and I think that's where I want to head. But you're not just doing a proof of concept of, okay, look, I can get into your machine and here's who am I or something and what process ID I'm running as. You're building this tool. Meterpreter gives you full access to that computer
Starting point is 00:50:16 which allows you to screenshot, do keyboard sniffing, whatever. All these things that are a lot more like thumb in your eye kind of thing. And I don't know if that's taking it too far. It's not just a proof of concept. We can completely destroy this machine if we wanted. Which I guess you have to kind of prove that
Starting point is 00:50:42 in order to show the veracity of this vulnerability but it's almost going too far for me. What do you think? Well, one of my favorite things in Meterpreter is we had a way to load the VNC desktop sharing service in memory as part of the payload itself and we had it wired up in Metasploit so you literally run the Metasploit exploit
Starting point is 00:51:02 and you immediately get a desktop on your screen, be able to move the mouse cursor, be able to type on the keyboard. It was immediate remote GUI access to a machine over the exploit channel itself, which is just mind blowing at the time for payloads because it didn't depend on RDP or anything like that. It didn't depend on the firewall being open because they do a connect back to you and then proxies it. It was just amazing delivery.
Starting point is 00:51:21 That specific payload blew so many minds that it was really easy for us to show the impact of an exploit. If you're trying to show an executive after doing a pen test, hey, we got into your server, here's a command prompt of us doing a directory listing. That's one thing. But if you're showing that you literally take over their server and you're moving the mouse on their desktop within two seconds of connecting the network, that is an entirely different level of impact that you can show. It also let us build a lot of other really complex, really interesting use cases where it really shows what the impact of the exploit is. It isn't just like, oh, you've got a bug and you didn't patch it, and now I've got a command shell. It's like, no, no, I have all this
Starting point is 00:51:55 access to your system, whatever it happens to be. Yeah, I guess that's kind of what drew me to Metasploit as well, is like, oh my gosh, it's not just the exploit, it's what you do with the exploit after you get in. But as you were saying, Meterpreter started getting close to being its own malware. Explain what you mean by that. A lot of the
Starting point is 00:52:15 malware payloads, even today, are written in C. And they've got these kind of advanced communication channels and C2 contact mechanisms and all this kind of boilerplate stuff that they do, like providing the ability to chain load payloads, download more stuff, talk to backends, balance between different backends. We got Meterpreter to the point that it actually had the same capabilities as some of the more advanced malware that are out there. And that's when it started getting a little swifty for me, because it's like, we don't want to be in the malware business.
Starting point is 00:52:41 We're here to show the impact of exploits and let people test their systems and to generally demonstrate the security impact of a failed security control or missing patch. But we're not here to persistently infect machines. And Metasploit got very, very close to that line. The thing that really separated it from actual malware is the fact that it was always memory-based only. It was never on disk at all. Hmm, this is a strange territory to be in.
Starting point is 00:53:04 Metasploit is a tool whose sole job is to hack into computers. Whether you have permission to do that or not, that's the purpose of it. But it seems to be the intent of the person using it that tells us whether Metasploit is malware or a useful tool. So the Metasploit team had to be very careful on how far they took this tool. Now this is a multi-open source, multi-developer project. Did you have some sort of manifesto that said,
Starting point is 00:53:35 or a meeting that said, okay guys, we're going to push this all the way it goes, except no persistence. Was there a manifesto of like, like you just said, you don't want to leave your customers weaker. This is a professional tool. It's like something written out there.
Starting point is 00:53:54 It was never like a written manifesto because it wasn't like an ethical boundary. It was just a practical boundary. You're not going to use Metasploit for a pen test if it leaves garbage all over your machine afterwards or backdoors it in a way that's difficult to fix. Some exploits require temporarily creating a backdoor user account or otherwise creating something that would otherwise create more exposure. And we're always really careful to document what the after exploit scenario looks like.
Starting point is 00:54:17 Okay, after you run this thing, you need to do this other thing. So we created these post-cleanup modules that would remove the trace of whatever the thing was. But that was something that I always agonized over because I really hated having to lower the security of the system as part of the exploitation process. I also felt like that was counterintuitive. I was kind of going against what we're trying to do in the first place. Yeah, I know. And I'm not explaining it well,
Starting point is 00:54:41 but it just seems like you're putting your thumb right in the customer's eye, and then you're like, but we don't want to hurt you. That's when you're trying to be a professional adversary. And so you have to have the most possible brutal, malicious approach to the problem in a sense that you're going to use the same technique someone else would. But then you need to draw the line about where you leave the customer afterwards and what the actual impact of the attack is. Okay, so we heard HD has many adversaries, right? Cybercriminals don't like him publishing their weapons and making them ineffective. Old school hackers don't like that he's making hacking so easy that a script kiddie can do some amazing stuff. And vendors don't like that he's publishing their bugs. He's getting hit on all sides by these people. But there's one more group that's also not happy about
Starting point is 00:55:25 Metasploit. Law enforcement. There were crimes committed with Metasploit. Yeah, that's my first experience writing Windows shellcode. The first Windows shellcode ever published by Metasploit ended up in the Blaster worm almost immediately afterwards. See what I mean? There was a massive worm that was using the information that he published to do dirty work out there. And I just read an article today that said in 2020, there were over 1,000 malware campaigns that used Metasploit. And so what happens in this situation when you're making tools that criminals are using? Well, let's go back and look at a few other cases. I did an episode on the Mariposa botnet. The people who launched this botnet all got arrested, but they weren't the ones who developed the botnet.
Starting point is 00:56:10 The Butterfly botnet was created by a guy named Iserdo. But this Iserdo guy, all he did was develop the tool and put it out there. He never used it to attack anyone. But he was arrested and sentenced to jail just for developing the tool. What the court proved was that he was knowingly giving it to criminals to commit crimes. Or let's look at Marcus Hutchins. He developed malware, which became known as Kronos, but he only developed it. He never launched it on anyone. But it was because he was giving it to someone who did use it to go and attack banks is why Marcus was arrested by the FBI. In both of these cases, what it came down to was whether or not the
Starting point is 00:56:46 software maker was knowingly giving these hacking tools to someone who had intent on breaking the law with it. But HD claims he has no responsibility with what people do with his tool. I don't know. If you bake a bunch of cookies and put them on a sheet in the street and say, free cookies, are you responsible
Starting point is 00:57:02 if a criminal eats a cookie? I don't know. I feel like it's different. It's open source. It's community-based. It's an open domain. Everyone's on the same playing field. I feel like it's one of those things where if you're only providing those exploits, those weapons to someone in the criminal community and charging for them, that's one thing. But if you're creating a project
Starting point is 00:57:20 for the purpose of helping everyone else understand how things work and to test their own systems and a bad actor happens to pick it up and use it too, that seems like something very different. But I get worried for HD, because he takes Metasploit to hacker conferences and hacker meetups to demo it and teach it to other people there. And everyone knows there are criminals who attend these things.
Starting point is 00:57:41 I mean, just sharing it with the hacker chat rooms that he was part of, like Phrack. How could he have gone all this time without once seeing that the person that he just taught this to or gave it to was a known criminal? Did you have any lawyers helping you on this project? No, once in a while I'd have to reach out for help,
Starting point is 00:57:58 but it usually wasn't from a lawyer that I hired myself. It's usually just people I knew that happened to be lawyers who gave me advice on stuff. But that's why I'm asking about a lawyer, is whether or not you had some sort of fine line on what the point of Metasploit was and maybe some of the language involved with the terms of use. Maybe there was something there that said,
Starting point is 00:58:17 you cannot use this for criminal behavior or something. Where was this to keep you out of trouble? What did you do to stay out of trouble in this sense? I think early on, the solution was my spouse had a get-out-of-jail fund, had a lawyer fund sitting aside. So if I got dragged off middle of the night, she had cash that was not tied to my personal accounts or our shared accounts to find a lawyer and give me bail money, basically.
Starting point is 00:58:41 So that was the case for about six, seven years where I was pretty concerned about getting arrested for almost anything I was working at the time, because it was all pretty close to the line, whether it's internet scanning, whether it's the Metasploit stuff. It really comes down to whether you think a prosecutor is going to make a case, whether you think they think they can make a case. Prosecutors don't want to lose a case. So they're not going to bring a charge against you unless they're very certain that they're going to win. That's why the conviction rates are so high. So it's one of those things where intent matters, but what really matters is whether the prosecutor really wants to go after you or not.
Starting point is 00:59:21 And if you convince them that, hey, I'm not actually a bad actor and I'm not doing this stuff and I'm not driving this economic activity that's related to criminals, then that's helpful. But that's one of the things I really don't like about U.S. law. The CFAA doesn't care about intent, for example. There's nothing about our Computer Fraud and Abuse Act that cares whether you're doing it for good or not. And a lot of our laws are problematic like that. It isn't just the standard section that's quoted. It's also section 1120. There's a couple other parts of the U.S. criminal code
Starting point is 00:59:42 that are just really dangerous when they're taken out of context or used to make a case for something that really shouldn't have been prosecuted in the first place. So unfortunately, a lot of U.S. prosecutions really just come down to whether someone wants to go after you or not. And all you can do is do your best to stay above the law when you can. And when the law is really vague, do your best to not be a tempting target. Yeah, but I am surprised that when I load up some software, even look at some how-tos and videos
Starting point is 01:00:17 on how to hack, there is a disclaimer at the beginning. Do not use this for illegitimate purposes. Do not break the law with this information. And when I load Metasploit, it doesn't say for pen testing only, only use on systems you have permission to. And I'm wondering why would you keep that off there?
Starting point is 01:00:37 I don't think it ever occurred to us to add a warning. Honestly, we figured if you're downloading Metasploit, you know what you're getting into. You know you're downloading a security tool to do security testing. And we're not there to tell you you shouldn't, you know, jaywalk or you shouldn't, you know,
Starting point is 01:00:52 firebomb your neighbor's house. Like, we assume people have reasonable reasons why they're using the software in the first place. And we don't feel like we're enticing them to commit a crime because we're providing them a tool. Got it. However, in the real world, you might be pressured
Starting point is 01:01:07 because law enforcement says, look, man, we keep finding criminals that are using your tool. You need to do something more. You need to put a terms of use up. A lawyer might have, like, you might have had to get a lawyer to say, hey, what do we need to do so that we don't get in trouble? And I'm surprised none of that just hit you in the face.
Starting point is 01:01:24 Like, the law, like, so black hats are mad at you, vendors are mad at you, but the law wasn't mad at you? I'm surprised. Stuff came up for sure, but mostly I was able to talk my way out of it one way or another. I think a lot of it is just the way to win in that space and to not go to jail was just to be as loud and as blatant and as above board as you possibly can. So doing a Metasploit talk at every conference, having tens of thousands of Metasploit users early on, having 200 different developers involved with the project.
Starting point is 01:01:52 The bigger, the wider, the more noisy you can make the project, the less likely someone was going to say, this is a tool for just criminals and we're going to go after it. You just have such a surprising, like an adventurous life. There's a big difference between your typical pen tester and H.D. Moore.
Starting point is 01:02:14 The typical pen tester today learns how to use Metasploit, which is the tool that H.D. created. And H.D. is the one learning how the exploits work, writing the shellcode to make them work, and actively trying to find new exploits all the time. On top of that, he's fielding a nonstop barrage of attacks himself from creating the tool, so he's well-versed at defending and attacking systems. The experience he has in this space is almost unparalleled. But it was because of how much passion he has about security that got him to this point. And I just want to say to any up and coming pen testers out
Starting point is 01:02:51 there, getting your hands on working exploits and contributing to open source projects is a fantastic way to become fluent in this field. There are a ton of open source hacker tools out there on GitHub, and it's a great experience to download the source code and see how they work and try to improve upon them. And even if you're just a beginner, there's probably something you can do to help, whether it's writing better documentation or improving the help menu.
Starting point is 01:03:16 Being part of a project like that can launch your career. And HD even helped many of his contributors get jobs. Learning to find and develop exploits would really pay off for HD. But it was a tough ride for him to hold on to. Yeah, I think it took about three or four years before we really turned the point from that's stupid and that's crappy to that's a script-kiddie tool to that's a piece of crap and I don't like it to, okay, fine, I'll use it to, you know, hey, now everyone's using it.
Starting point is 01:03:48 Metasploit grew up to be one of the de facto tools used by security professionals all over. Eventually, schools started teaching students how to use it. And I mean, can you imagine a hacking tool becoming part of the course curriculum in school? But even more than that, it became necessary to know how to use Metasploit to pass certain exams and get certified in security. Despite the hard start and hate it received, Metasploit grew to become an invaluable tool for the pen test community to use.
Starting point is 01:04:15 And it became mass adopted by security teams everywhere. By 2008, both skape and spoonm had moved on to other things. skape's company got acquired by Microsoft, and he went and worked there. And that was one of his contributions to Metasploit. spoonm went to school and kind of disappeared doing his thing for a while. And so it was kind of just me running the project again by 2008. And I'd been working with a guy named Egypt for a long time, contributing exploits to the project and chatting about stuff.
Starting point is 01:04:41 And I invited him to kind of be one of the core members. He joined the team, and we started working towards the 3.0 release, I believe at the time. And during all that stuff, you know, as it got closer to 2009, I was working at another startup, not particularly happy with life. You know, I was pretty broke. I mean, the startup wasn't paying me that much. I had a bunch of credit card debt, you know,
Starting point is 01:05:00 had a pretty hefty mortgage on the house, was, you know, doing Metasploit training at the conferences to kind of pay the bills and keep things going. But I was also working all day for a startup and all night on Metasploit. And every weekend, every night for years straight at that point. Super stressed out, had a baby on the way. And when I was basically gone for paternal leave,
Starting point is 01:05:21 I got an offer to acquire Metasploit by Rapid7. Whoa, an offer to acquire Metasploit by the company Rapid7? That's amazing. At the time, Rapid7's product was a vulnerability scanner. And the typical pen test scenario is to start by running a vulnerability scanner, then use Metasploit to try to get into the vulnerable systems you found. It's a beautiful combination of tools. So it made sense for why Rapid7 would want to acquire the tool. But Metasploit was open source and not a product that made any money. So HD was a bit skeptical to give his tool to a corporation. But they asked him at the right time because he was all stressed out, low on cash and about to have his first kid; he sort of needed a big break.
Starting point is 01:06:06 So, you know, when the offer came in to do something different, it was definitely tempting and spent quite a lot of time chatting with Rapid7, getting a sense for what it looked like, and eventually said, okay, let's give it a try. Yeah, did you give him a heads up? Like, hold on a second. If you take the responsibility for this, you're going to be taking some bullets.
Starting point is 01:06:24 Just so you know, this is kind of the heat I'm getting here. And somebody might call up to try to get you fired. Yeah, put it this way. They brought me on to run the Metasploit team and to build the product line, but they also brought me on
Starting point is 01:06:37 as their head of security at the same time. So I got to take most of those bullets in the first few years. Metasploit had a pretty strong following, but only about 33,000 active users at the time or something like that based on our download logs. So it was a really good opportunity to, you know, commercialize an open source tool,
Starting point is 01:06:53 but keep it open source. And then all the commercialization really happened by building a pro version of the tool and selling that instead. So our team was able to, you know, basically built a new office here in Austin, hired the team, got the first commercial product out the door in about six or seven months. And I think our team was paying our own bills in 12 months by selling our pro version of the product.
Starting point is 01:07:13 So it ended up working out pretty well. We, you know, even now there's a whole team at Rapid7 working on Metasploit full time. And it wasn't just the development side. They also were an amazing corporate shield for all the drama I was dealing with, all the law enforcement inquiries, all the random threats, all the other stuff. They stood up and took it. They hired lawyers on my behalf.
Starting point is 01:07:31 They hired lobbyists on my behalf. They did everything they could to make sure that Metasploit and Exploit Development and Vulnerability Research could stay a thing that you could count on, that you could rely on. And they did their best to protect the legal front. So, you know, outside of all the, you know,
Starting point is 01:07:44 commercial terms and product stuff and all that, I give them a lot of credit for helping vulnerability research and exploit disclosure and exploit sharing be what it is today. Yeah, so you said lobbyists. Why would they hire lobbyists? Well, a lot of
Starting point is 01:08:00 making sure that vulnerability research and disclosure and all that stuff stays legal is educating people. It's like saying, hey, this is like a real legitimate reason why people need access to information. This is why you don't want to regulate vulnerability disclosure. This is why you don't want to create a law making disclosure illegal. I mean, on the face
Starting point is 01:08:15 of it, if someone says, hey, we're going to prevent people from sharing tools that allow people to attack each other, it's like, yeah, that sounds like a good thing. You don't want people sharing evil tools with each other, right? Make that illegal. It isn't until you dig in a little bit deeper and realize that you really don't want to criminalize that
Starting point is 01:08:30 because that's how your defenders are learning. That's how your actual defenders are testing their own systems. And if you don't have those tools available internally, you have no idea how effective any of your defenses are. And it was just one of those things where, at a very surface level, it was hard to defend. But once you started educating people about what the benefits were, and once you got more people
Starting point is 01:08:50 to be aware of what you take away by criminalizing this type of work, then you start to build that support. So lobbyist efforts at Rapid7 were instrumental in not only excluding Metasploit Framework from the Wassenaar agreement, at least the way the US interpreted it,
Starting point is 01:09:06 but protecting vulnerability research in general. Yeah, can you explain the Wassenaar Agreement? Oh, sure thing. I don't, it's been a while, so I'm probably gonna get details wrong. But the Wassenaar Agreement was an international arms treaty by a bunch of countries saying,
Starting point is 01:09:21 here's the things that we will or will not export to other countries without having approvals and things like that. An amendment, I think either an amendment to it or an interpretation of the agreement, started to classify cybersecurity tools as weapons at one point. And the goal there is to prevent kind of NSO Group style attacks, right? Where you're shipping a toolkit, a software toolkit or a hardware toolkit that's designed to break other people's machines. And it's really designed for the most nefarious, either surveillance use case or for actual
Starting point is 01:09:50 cyber war type use cases. However, the language caught up a lot of other unrelated tools. All the tools that are used for professional security testing would, if you squint at them right, would also be classified as weapons or munitions by the Wassenaar agreement.
Starting point is 01:10:07 And the company Rapid7 spent a lot of time working with lobbyists trying to help folks understand the difference between an open source tool like Metasploit and something that's more targeted and malicious and weaponized. The thing that I don't understand about the Rapid7 acquisition is how do you buy a free open source tool? Like, why didn't they just fork it and rename it? Well, someone tried that, actually. It didn't go very well. Actually, a few people did. Prior to Metasploit 3 coming out, when we rewrote the whole thing in Ruby, Metasploit was written in Perl. And there was a company called Saint that released a product
Starting point is 01:10:44 called Saint Exploit, which was also written in Perl. And we're a company called Saint that released a product called Saint Exploit, which was also written in Perl. And we're like, ah, that's suspicious. At some point, someone shared a copy of Saint Exploit with us. We're like, you know what? Half this shellcode is ours. And half these exploits really look like the code that we wrote. And there were a lot of similarities between the
Starting point is 01:10:59 Saint Exploit product and Metasploit framework too. So we got a little bit mad about it. We're like, this is kind of bullshit. We feel like if you're going to use our code, that's great. But collaborate. Don't pretend it's yours. Don't say, hey, I made this. No, no, this is open source. Contribute to it. Share it. So we changed it. We literally changed
Starting point is 01:11:16 the license of Metasploit to be a commercial-only license briefly for about a year or so. Between the 2.0 Perl rewrite into 3.0, the brand new 3.0 code was under a non-open source license briefly, just because of how we felt about Saint
Starting point is 01:11:32 and Saint Exploit. Finally, when Egypt joined the project and we're looking prior to the Rapid7 commercialization or Rapid7 acquisition, we ended up changing the license back to BSD because we felt like that was the right thing to do to really grow the project.
Starting point is 01:11:48 But there definitely was like a knee-jerk reaction to close the license after that. So Metasploit continued to be open source and free under Rapid7, with HD and a guy named Egypt coming on board and working hard on making it even better. But one thing that was a never-ending job was getting more exploits into the tool.
Starting point is 01:12:07 When I was working at Rapid7, every time a Patch Tuesday came out, our very first thing was, how do we get exploits out as fast as possible for everything that was covered? And how do we figure out what they are? It's a lot of work, though. Taking a binary patch and trying to figure out the bug
Starting point is 01:12:19 can take a week or two just on its own. And that just gets you the bug. That doesn't get you the exploit. Getting the exploit to work, getting it triggered, getting it reliable, figuring out how to manage the memory correctly, figuring out the payload, threading problems with payloads.
Starting point is 01:12:30 I mean, there's a ton of work that goes into it. I think one of the reasons why I probably don't work on exploits as much anymore is they've gotten a lot more complicated. You need a much deeper set of skills to be able to work on fiddly heap exploits. You need to basically have this huge background or knowledge just to be able to get the heap in the right state
Starting point is 01:12:48 to be able to exploit in the first place. And I'm not really that great of a programmer. I'm not really that great of an exploit developer. I just spend a lot of time on stuff. So I feel like that was well beyond my ability to keep up at that point. So I really love logic flaws. I really love the old school stack overflows and SEH overflows and things like that. But I feel like modern exploits, especially on hardened platforms like mobile, holy cow, there's a lot of effort
Starting point is 01:13:12 that has to go into it just to get one working exploit. I'm scared that you say that because a second ago I was calling you the patron saint of exploit development and penetration testing and now you're like, it's too complicated for me at this point. Good luck, whoever's doing it now. Who can do it now if it's beyond your skill? I mean, it's got to be super specialized. I mean, if you look at some of the Project Zero posts,
Starting point is 01:13:35 I don't want to name particular names, for fear of getting them wrong, but there's some amazing folks out there. And where you see really good exploits being written is when someone has spent months and maybe years looking into the software stack around that before the exploits worked on. When you're looking into how iOS parses messages
Starting point is 01:13:51 or how the heap of this particular OS or Linux kernel is being groomed in a particular way, you need to build up this super deep, super specialized knowledge to be able to even start working on exploits in that particular space. It's not like before where once you know how to exploit one platform, one OS, the rest is all pretty straightforward.
Starting point is 01:14:07 It used to be like, okay, I know how to exploit SPARC. I can exploit most other MIPS, a little bit of work here and there. Now, every OS is so different, so deep, and so complicated these days that you really have to specialize. Yeah, but I feel like you really enjoy playing in the dark. And I mean, like, you want to be outside the known world of knowledge. Okay, so there's a circle that this is the stuff we know in the world. I'm going outside that circle.
Starting point is 01:14:35 And I'm going to discover things that the world does not know and bring it into the world of known. And that is a very difficult place to be in. That's a scary place. You don't know where to go, which direction to go, where to point your finger. You're hitting your face on the wall over and over and over. And that's the difficulty of finding vulnerabilities
Starting point is 01:14:53 and zero days and this kind of thing. Even if you know that there's a vulnerability right there, it still can be hard to find that. That's why, especially with patch reversing, you're so frustrated because you know it's there. You know it's patched. You know it's in front of you. You know it's probably one line away from where you're looking.
Starting point is 01:15:08 You can't see it. So these days I spend my time on network protocols and fingerprinting techniques and that type of research where you're going really deep down the protocol stack looking for behavioral differences and how a device responds to the network. And it's a similar challenge. You have to go find these really fiddly, really hard to find things and then extrapolate all this value from it saying, okay, now that I know the response this way and this response that way, it must be an iOS device with this particular kernel version or this particular update applied to it. So I love doing that type of work because it is working in the dark, like you mentioned, but it's nowhere near as complicated as doing modern heap exploits. I find this particular skill to be one of the most important skills when dealing with technology, which is being comfortable doing things
Starting point is 01:15:51 in the dark, in areas that you have no knowledge of or visibility into. Because when working in IT, you are constantly faced with new challenges or problems that you have no idea how to solve. The problem might even be so weird that you don't even know what to Google. And so being able to venture out into unknown territories, even if it's just unknown to you, you've got to learn to be comfortable in these dark areas. It's scary and frustrating to try things that you know you're going to fail at and even look stupid doing. But the more comfortable you get in that space of working with a world of unknowns, the better you'll be next time you face the darkness, which is like all the time.
Starting point is 01:16:36 Are you still at Rapid7? Oh, no, no. I started my own company about three and a half years ago doing network discovery stuff. So Rumble, we help companies find every single thing possibly connected to their network environment or their cloud. Yeah, explain more. Get a good pitch for it. Sure thing.
Starting point is 01:16:56 So I spent like 27 years now doing pen testing and security work and building products. And the very first thing you do, whether it's a pen test, you're trying to break into someone's network or you're building a product that does something on the network like a vuln scanner or a pen test tool, is you got to figure out what's out there. You got to scan the network.
Starting point is 01:17:09 You got to find targets, assets, IP addresses, things. So we came up with a really cool scan engine that can tell you amazing stuff about everything on the network really quickly. And at this point, the product Rumble Network Discovery can now find all your networks. So starting with zero knowledge about your environment, it'll do a sampling sweep across every possible routable private IP in your organization. It'll find every populated subnet, every single device, classify every device, tell you what hardware it's running on,
Starting point is 01:17:33 and identify things like multi-home systems that are bridging different networks. And it does it all unauthenticated quickly with really no interaction and no real network impact. What I find fascinating about HD is the struggle that he went through to make Metasploit. I mean, the sheer skill it takes just to write exploits and payloads is already impressive,
Starting point is 01:17:53 and he had to continually write new exploits as new stuff came out. But the resolve and determination to face a constant barrage of attacks for publishing exploits and to continue publishing more is incredible. I think I would have given in and gave up working on it if vendors are calling my boss asking them to fire me
Starting point is 01:18:13 or if law enforcement keeps bugging me. But not HD. He persisted through it all because he had a vision and a belief that what he was doing was right and the whole world was wrong. And I think it turned out in his favor. I think he was right and the world was wrong because we saw the world slowly change and eventually agree with HD. Microsoft drastically changed how they handle bugs now
Starting point is 01:18:41 and their security is much better than it was before. Google puts a similar kind of pressure on companies that HD does, saying, you better fix this vulnerability we found, or we're going to tell the world. And when stuff doesn't get fixed, they do publish it. And for governments changing the way they view open source tools. What a wild ride it's been to get some decent hacker tools out there for everyone to use. A big thank you to H.D. Moore, a true legend in this security space. You can learn more about what he's working on now by visiting rumble.run.
Starting point is 01:19:22 This show is made by me, the nop-sledding Jack Rhysider, and editing help this episode by the Zero Trust Damien. Thank you. When you're reviewing someone's code, can you tell me what bad code looks like? No comment. This is Darknet Diaries.