The Changelog: Software Development, Open Source - Metasploit, InfoSec, Open Source (Interview)
Episode Date: September 22, 2015
Trevor Rosen and James "Egypt" Lee joined the show to talk about Metasploit, a collaboration of the open source community and Rapid7 -- its penetration testing software that helps you verify vulnerabilities and manage security assessments.
Transcript
Welcome back everyone.
This is The Changelog and I'm your host, Adam Stacoviak.
This is episode 174, talking Metasploit today with Trevor Rosen and James "Egypt" Lee.
These are the guys behind Metasploit,
which is the world's most used penetration testing software.
Great show today.
We had four awesome sponsors,
CodeShip,
Toptal,
Harvest,
and Transloadit.
Our first sponsor is CodeShip.
CodeShip launched a brand new feature called Organizations a few months back.
Everyone's been loving it.
Now you can create teams. You can set permissions for your specific team members, and you can improve collaboration in your continuous delivery workflows. You can maintain your centralized control over your entire organization's projects and teams with this new feature. It's super awesome, and you can save 20% off any premium plan you choose for three months by using our code thechangelogpodcast. Again, that code is thechangelogpodcast, 20% off any plan you choose for three months. Head to codeship.com/thechangelog to get started. And one more thing I want to tell you about: Sean Devine is doing an API workshop called API First Training, and guess what? He's going to
use CodeShip as a demo tool. The URL to learn more about that API training is in our show notes,
so check those out. But now, on to the show.
Welcome back, everyone. Jared here.
Today I'm joined by two interesting guys.
This is Trevor Rosen and James Egypt Lee,
two of the people behind the Metasploit project,
which is the world's most used penetration testing software.
Trevor, Egypt, welcome to the show.
Thanks.
Thanks for having us.
So we're here to talk Metasploit. We're here to talk InfoSec. We're here to talk open source.
Lots of interesting topics out there. But first, let's let the audience get to know you guys a
little bit. And Trevor, I'll start with you because we met at GopherCon, which is a bit
of a theme lately. I feel like that conference was quite a boon to our podcast because we lined up a lot of new friends and a lot of guests for the show.
Yeah, I can imagine.
It was a great con.
It was one of my all-time favorite cons that I went to.
So my name is Trevor Rosen. I work at Rapid7 on Metasploit as the leader of the architecture team, which is a small team, kind of mostly software-oriented people who work all different areas of the Metasploit framework and the Metasploit commercial applications.
So Metasploit framework is this sort of famous thing in the information security world.
It's been around for a little over 10 years, and it exists basically to help penetration testers, which is kind of good-guy hackers, good-person hackers, I should say, white hats, determine what an organization's level of exposure is to security threats.
And so I get to work in all different areas of our stacks on all sorts of fun open source stuff, mostly Ruby software and quite
a bit of stuff in the Rails ecosystem.
And I'm not really a full-time security person in that I don't do security research really,
but I definitely have a lot of fun working on open source and I'm a big fan of what open
source can be for the security world.
I feel like it's really vital.
So were you always on the security side of things, or did you start off as a programmer? What's kind of your background?
Yeah. Background is mostly software. I've done a bunch of different startups and things. I always kind of had a soft spot for security, though. I was the guy on the team that was like, you know, nmapping everything on our production boxes and finding open ports and, you know, hiring ops guys about that. Or, you know, hack my dev environment.
Yeah, for sure.
Yeah. And then, I mean, back in the day as a kid, I may or may not have built some hardware that wasn't 100% legal. But these days, mostly, I would say I fall onto the maker side of things. And I mean by that not like Make Magazine, but sort of like, the security software world kind of has people who are interested in sort of breaking stuff and hacking it and figuring out how to make it do something crazy or weird, and then people who are much more interested in sort of just making good software. So that's really where I guess I would put myself, as kind of more on the maker end of the spectrum.
That's an interesting way to put it, because I came to a similar conclusion. As I was telling you in the pre-call, I do have a bit of a security background. I studied information assurance as a concentration in college and was doing penetration testing and nmapping stuff like crazy, which was like one of my favorite things to do. But I too kind of found myself after that deciding I'd rather create things than tear them down. I also wasn't that good at it. I don't have that mindset. I'm sure you guys are well aware, and Egypt, maybe you're one of these kinds of people where you can just find a way to break everything. I was okay at it, but I didn't have that intuition that some folks have. And I do like creating, so I can kind of relate with you a little bit there.
Let's move on to James, who I've been told not to call that; I've been told his name's Egypt. But James "Egypt" Lee, want to go ahead and introduce yourself to the crowd?
Yeah. Um, I'm Egypt pretty much everywhere. And I'm Egypt on Twitter, etc.
I'm the Metasploit community manager here at Rapid7.
And that means that I'm writing a lot more emails than code these days.
Oh, man.
At least for the last couple of months.
But I'm sort of involved in open source contributions
and getting people interested in the project, as well as fixing the old bugs in code that no one else has looked at in years.
So I started with the project in roughly 2006.
I started using it professionally as the thing I was writing my exploits in working as a security researcher.
And I found bugs and problems and things that just didn't work the way I wanted them to.
So I started submitting patches and around 2008, HD Moore, the founder of the project,
decided that it was easier to give me commit access than to keep taking all my patches all the time.
So in 2008, I got commit access to the then Subversion repository and broke master with my first commit.
Oh, you are a breaker then.
Yes.
So what happened there? Tell us about that.
Well, with everything I committed for the first couple of months,
I would miss some edge case,
and it would make the main interface not boot up
or something stupid like that.
Well, the framework was not overburdened with regression tests
back at that time either, so it's hard to give you too much blame.
The count of regression tests at that point was zero and remained so for quite a bit longer.
Regression testing has been an ongoing issue for us.
But, yeah, I spent a lot of time fixing bugs just to make it possible to do some of the evil things that I was trying to do at the time.
And that got me in the door with the project.
And then in 2009, when the acquisition came about, I was basically the first hire onto the newly minted Metasploit team. So I wrote most of the, or a lot of at least the back-end code for the original
Metasploit commercial product. I spent a lot of time there working on the commercial edition as
well as the open source stuff. And in the time that I've been working at Rapid7, something north of 80% of all my code has been open source. So that's super, super helpful. It really adds to the job satisfaction to see my code is going
out open source. And it also allows me to interact with a very diverse group of hackers putting
together exploit modules and, you know, kicking sandcastles and licking cupcakes
as we do in the Metasploit world.
Say that again?
Kicking sandcastles and licking cupcakes?
Yeah, because that's what you do
when you break into a network, right?
You're not in there saying
everything is sunshine and rainbows.
You're ruining someone's day,
and you have to do it nicely.
So it's all about...
Imagine a tray of cupcakes, and somebody runs over and licks all of them
before anyone gets to eat them.
That's what it is to lick cupcakes.
That is incredibly rude.
But nice for you, because you get to taste the cupcakes, I guess.
That's right.
It is kind of fun, right, when you find your way in.
Well, let's not bury the lede here. Let's talk about this name, Egypt.
Ah, yes. It originated as a nickname in college based on my appearance.
So do you look Egyptian?
I guess so.
No, you don't.
Pyramidical, I guess? Yeah, I'm not really sure. I don't know. I had a goatee at the time.
So you look a little bit like an Egyptian pharaoh or something, I suppose. So friends started calling you Egypt and it just stuck.
And it just stuck.
Trevor, where's your awesome handle?
Oh gosh, yeah. I don't really have one.
I don't have one either.
No, I'm Burly Scudd on IRC, with two Ds, and always have been.
Points to anybody out there in the audience who knows what that's a reference to.
Burly Scudd.
Yeah, because I've had one person in all the times ever figure it out.
But it's not super hard.
It's just kind of obscure.
But yeah, I don't have a super awesome handle. I've spent a lot of my time since I've been at Rapid7 kind of managing and wrangling cats and being involved in the ongoing discussions about, you know, how we can do the next thing or whatever, that kind of thing. I sort of stumbled backwards into, like, software as politics almost, I guess you'd say.
So tell me a little bit about Rapid7 as far as the company, the culture, kind of what
it is that they do, and then maybe just intro the relationship to the Metasploit framework.
Sure.
So Rapid7 is a security company, a security software firm.
It's been around since about 2000, 2001.
So a pretty long time, actually an unusually long time for what was usually termed a startup
to go from its inception through to the IPO that we had this past summer.
But it's a firm that had been, prior to Metasploit, working in the vulnerability management space.
You can think of a vulnerability scanner, I guess, and sort of security people in the audience might jump on me for this,
but kind of roughly analogous to like a virus scanner for networks or something,
like in that a virus scanner kind of scans your machine for a bunch of known problems it has
or sort of patterns of activity that could be suspicious.
A vulnerability scanner is going to scan like a lot of network endpoints, a whole lot of machines on a network and try to determine what kind of exposure exists there.
So that product is called Nexpose, and that's like a Rapid7 sort of large, longtime product that we've had. And back whenever they decided, and it predated my time with the company,
to acquire the Metasploit project, it was sort of along the lines of,
okay, we understand a certain, you know, we have kind of half of the equation here
in that we're doing vulnerability management, we're doing vulnerability scanning.
And so that's defensive security, right?
That's figuring out what your
problems are from a kind of like scanning the equipment you have perspective and then trying
to patch it. But then on the other side of that is like, well, what could you do? What could an
attacker do? What could a sufficiently empowered attacker do? And so Metasploit has always existed to help empower people who are attacking because they're being paid to.
And it's paid by the company they're attacking, hopefully.
And so the idea was sort of we can make a commercial product around that essential notion, that offensive security sort of stance and concept.
And it will be complementary to the existing product that we have.
And Metasploit is also a pretty big name.
If you go to, like, insecure.org and you look at the SecTools top 100, you know, the top 100 open source security tools, Metasploit has, for as long as I've known about Metasploit, which is a significant amount of time before I started at Rapid7, so probably since about '06 or '07, been in the top five or top ten. Now I believe it's number two or three on the list, right after Wireshark and Nmap or something.
So it's regarded, the framework, the open source tool,
as a very essential piece of kit,
a very widely known, widely used thing.
So Rapid7's overall idea is that there's a lot of
insight to be gained from really approaching security as a matter of
finding the right data, finding the right insights that you can into
what the actual threats are. Because quite a bit of security tools just
produce incredible quantities of data but not a whole lot of actionable information about what you should do with that data.
Right. So, you know, our leadership likes to say that, you know, for a long time,
quite a bit of the security space is predicated on this idea of essentially kind of monetizing fear.
It's like, hey, here's a bunch of things to be terrified of.
Okay, what do I do about them? Yeah, here's the big phone-book-sized pile, figure it out. Right. But we want to go beyond that. That's really the way that Rapid7 wants to operate: we go beyond that to provide sort of much more in-depth and immediately actionable kind of insight. So, in addition to Nexpose and to the Metasploit commercial editions, we also
have this really interesting product called User Insight.
And User Insight, you can think of almost as sort of like an intrusion detection system
for user behavior.
So instead of kind of saying like, hey, what types of data are traversing my firewall on what ports, et cetera, et cetera, you can turn it on its head and ask the question like, what are users doing right now? And is that okay?
And can you use heuristics to understand like, Hey,
today Jared accessed 12 servers that he's never touched before, you know,
is that strange? Right.
And a traditional intrusion detection system might not know about that because
it might just be focusing on the perimeter.
Like is someone authorized person getting in or some particular high-value data getting out?
So user insight, again, it's that idea of being able to sort of look at security from a slightly different perspective and say, can we change our perspective a little bit but dramatically increase the value of the insight that we're producing?
So I guess that's kind of Rapid7 in a nutshell.
I think you spawned a product idea, which I'll give you this one for free.
So tell your friends at Rapid7, like, no big deal.
They can thank me later.
It's a scanner, but it scans your office, scans every monitor to see if anybody has written their password down on a
yellow sticky note and then stuck it to their monitor.
What do you think about that? That's real user interactions.
Do you mind if I go ahead and just like start the patent application right
now?
As long as you guys give me a shout out or, you know,
1% of your first billion, something like that.
So honestly, honestly, I would prefer people write their password down somewhere
and put it in their wallet rather than leave it in passwords.xls on their desktop.
Good point.
Or just use one password, not one password for the application,
but like literally a single password for, you know, everything that they do.
Nothing bad ever came of that.
Yeah, exactly.
On the other side of that coin,
you have companies enforcing ridiculously onerous password policies,
which require their users to subvert them on a regular basis
and come up with all sorts of things.
Right, and those ridiculous password policies lead to the top four passwords in every single organization being summer followed by the year, winter followed by the year, spring followed by the year, fall followed by the year.
They are in the top ten at every organization.
So is there a future for us to just be rid of passwords altogether?
Is there a light at the end of that tunnel as an industry or not?
I don't see it.
I really want to, but I don't see it.
We've moved towards two-factor authentication
or multi-factor authentication,
but it's so spotty
and the support for it is so spread out
that most of the time as a pen tester, you know, you get around, you walk all over the network, you kick those sandcastles and lick those cupcakes.
And at the end of it, you go and give the report and they say, oh, well, what'd you do about our two-factor auth?
I didn't know you had it.
I'm sorry.
Right. So before we get into Metasploit, the details of history and all that, let's talk about penetration testing as a thing.
We mentioned it a few times here.
But maybe Egypt, could you give us kind of a general definition and maybe even like what a security audit looks like from a company?
If somebody hires a company like Rapid7, there's a lot of these firms out there that will do it for you.
What's the process?
What's it about?
And kind of what are the results?
Right.
So I don't have a lot of insight into the like sales side of it, like who you call and talk to.
But I can tell you from the penetration tester side, you know, a penetration tester is given someone to talk to as their point of contact, and they usually have a list of IP addresses that are in scope, and they don't touch anything outside of those IP addresses. And sometimes, though, the scope will be really restrictive and say, you know, you're only allowed to look at this web app, and you're only allowed to look for cross-site scripting, you're not allowed to look for SQL injection, and that sort of thing. And that gets really limiting, and you end up with a report that's not very useful. But sometimes you get a broader scope. You're allowed to look for more things, you're allowed to take more actions, and hopefully those are on, not necessarily production networks, but something that, like, if it falls over, you don't lose every customer's data, et cetera, et cetera.
But a lot of times a penetration test is just a week or two weeks long, which means a very
compressed timescale for an attacker.
A real attacker is going to have months, right?
And a penetration tester is going to have a week or maybe two weeks. And one of those days is going to be for reporting, so they really only have four days. And you start out, sometimes it's acceptable to scan beforehand, and that saves a lot of time. So as a penetration tester, because of this compressed time scale, you need to find stuff as quickly as possible and identify it as quickly as possible, because you're looking at a lot of data. So if you have a thousand IP addresses that you need to check out, you want to scan those as quickly as possible. And it's going to be super noisy. And so, for example, if there's a firewall in the way or an IPS in the way that says, oh, this is a port scan, and then blocks your access, now suddenly that scan is basically invalid.
So that happens pretty frequently.
And assuming that those roadblocks don't come up, you do your scan, you find out what's
available.
Usually there's a whole bunch of static HTML.
There's a whole bunch of web applications and not a whole lot else on the outside.
Occasionally, you'll find the golden FTP server with all of the company's financials on it open anonymously to the public.
But that doesn't happen terribly often.
I did find a domain controller on the public internet once, so that was fun.
But fortunately that doesn't happen frequently anymore.
So then you do your external scans, you find all of the things.
If there are a bunch of web applications out there, you spend some time fuzzing input. You look at a thing called Burp Suite, which allows you to muck around with HTTP headers and values. It makes it really easy to fuzz some stuff and to examine responses. There are a number of other tools in that same vein, but Burp Suite is kind of the de facto standard for screwing around with HTTP.
When you say fuzz some stuff, can you elaborate on that?
Yeah, basically just throwing values that might break an application.
So in the case of if you're looking at a C application, an application written in C,
you would be throwing large strings because they might overflow a buffer.
In the case of a web application, you might be throwing various kinds of quotes to escape something out of a SQL statement. So those sorts of things. Just trying inputs that are
probably bad, given the application, hoping for a crash or some aberrant behavior.
And so once you get through that step, occasionally you'll end up with external access via something like a SQL injection or a command injection on a web application.
And then you start the whole process over again and you scan the internal network.
A lot of external engagements require that once you get inside, everything stops until you talk to your point of contact. That's pretty common, which sort of makes sense from the customer's perspective, because you, as the person running the network, want to know when there's a big vulnerability that lets someone into the DMZ or into the production environment. You want to know that as soon as possible. And you also don't necessarily want a penetration tester running around rampant on your production internal network.
So a lot of times everything stops, comes to a dead end right there, and you call up your point of contact and tell them the bad news.
There are also, like, social engineering campaigns where you send out a bunch of
emails and inevitably someone is going to run the executable.
And that gets you usually corporate network access.
And again,
the thing starts all over again.
Now as a penetration tester or as any attacker,
really you're looking to expand your influence.
So if I'm coming in from the outside, I'm looking to gain access to either data through SQL injection or possibly shell access through command injection or other sorts of things.
And if I'm sending in a phishing email, I'm looking to expand my influence instead of into the DMZ, into the corporate network.
Usually there's all sorts of information in there that's company sensitive that you really want to get a hold of.
The crown jewels are always on somebody's desktop, though, or some file share that's available to everyone in the company.
Most of the time, you're not dealing with exploits. When I'm talking to a web app on the external,
I'm creating my own exploits for the most part.
Most of those things are custom apps.
As I was going to ask,
if you are targeting specific endpoints on a network
that are public-facing, they're usually web apps,
and are you just fuzzing those or are you actually, you know,
inspecting the application and saying, Hmm, I, I think this might not,
this might not be checked or this could be injectable and like trying different
things by hand or if you're only using these, these tools.
Sure. Both of those, for sure. I mean, in some cases, you can fuzz a few things and find a couple of interesting responses and say, oh, this is probably an injection, and then you'll dive deeper manually.
I see.
With other things, at least when I first started doing penetration testing, every login form was vulnerable to SQL injection. So the first thing you do is put tick or 1 equals 1 into the login form, and you get admin. So fortunately, that's not nearly as common anymore.
Then what do you do? You just go to lunch or something? You're like, well, we're done for the day. Email the point of contact, and you're done.
No, from that point, you go in looking for credit cards and social security numbers.
You want to lick all the cupcakes, huh?
Exactly.
So, I mean, one thought that comes to mind, and maybe it's just because it's too expensive, but the point of this is to give us a reasonable idea of maybe not even how secure our network is, but how insecure it is.
I think you can guarantee an insecurity, whereas you can't guarantee a security, which is kind of the troublesome part of the business, I think.
But if they're trying to be as real-world as possible, a black box, here's an outsider with a few IP addresses, which is how, you know, people start, why do they limit you to four days? Just because it costs too much to pay you to keep hacking them for four months, or what?
Yeah, that's generally the thing. Cost is the deciding factor in a lot of those decisions.
I guess that makes sense.
Well, one tool that you use, I'm sure, is Metasploit. We're going to take a quick break, hear from one of our sponsors, and then we're going to dig into all the details of Metasploit: what it is, what it does, why it's useful, and why it's so stinking popular. We'll be right back.
You've heard me talk about Toptal several times
on this podcast but today is different
I've got a special treat for you
I went out and spoke with a listener who a year ago had never heard of Toptal.
He listened to the show just like you're doing right here, right now, today,
and heard us talk about Toptal and what they're all about,
and he decided to get in touch.
And now he's living the dream as a freelance software developer with Toptal.
His name is Daniel Elzon, and I sat down and I talked with him.
I said, hey, what is it that you love most about Toptal?
Take a listen.
Well, for me, the thing about Toptal, which I thought would be very hard for me personally as I transitioned to a more consulting role, was the way I would have access to new clients and what quality those would be.
So I found that I've had access to awesome clients through Toptal.
And it hasn't been that hard to find because they have a lot of choice.
And even more than that, there's enough choice and I can actually be a little selective about what kinds of things I want to be working on. So I use that as a way to sort of hone my skills and,
you know, go towards the technology that I think are worth investing in for the future. So whether
it's, you know, including new front end frameworks or doing a little DevOps work on the side, I
usually am able to find clients who are, have the needs of the things I want to get better at.
So that's been, that's been truly useful.
All right, that was Daniel LaZon, a listener of The Changelog and also a freelance software developer with Toptal. If you want to follow in Daniel's footsteps, go to toptal.com/developers. That's T-O-P-T-A-L dot com slash developers to learn more about what Toptal is all about, and tell them The Changelog sent you.
All right, we are back, and we are talking about a framework called Metasploit. I'd like to get into the history, because it's been around a while, it's massively popular, and I even recall it from my youngster days at college. Trevor, you mentioned Wireshark and Nmap. Those were definitely tools exposed to us. I think Wireshark was called something different back then. It was like...
Ethereal.
Thank you. And I always thought that was a silly name. Wireshark's a pretty cool name, though. Anyhow, Metasploit was a thing that we used. So that was back in 2005, 2006. So as much as you know, kind of give us a little bit of a history of the project. I know we've talked a little bit about it, but let's recap, and when y'all got involved.
Yeah, so it started out as a game. H.D. Moore, our founder, created it as the game you can play on any network.
And it was originally an ncurses GUI.
Really?
Yeah.
And it started out with one exploit.
It was the Apache Chunked Encoding Overflow.
I remember it well.
Yeah, you had the class C
network block
as individual pixels
and whenever you compromised
the machine, one of the pixels would turn red.
That's awesome. Yeah, it was super
cool, but not very useful
at the time.
Yeah.
It was originally in Perl.
It got rewritten, basically an entire rewrite, when HD picked up a couple of contributors, spoonm and skape.
skape later went on to Microsoft and created a whole bunch of mitigation technologies that made exploitation a heck of a lot harder in terms of memory corruption. So the project went on without him and went on without spoonm, and around 2005-2006 I started using it for writing my own exploits, and it was about that time when skape and spoonm left, and that's when it started moving towards Ruby.
Where originally, in Perl, it had had a EULA-like license to prevent some of the blatant corporate misuse
that had been going on with it.
And when it moved to Ruby, it maintained that license for a little while.
Shortly after I got commit access, we changed the license to BSD.
So now it's real, full-fledged, open source,
and you can do anything you want with it.
But the great thing about that is that we get somewhere in the neighborhood
of 200 unique authors on commits every year for the last two to three years.
Nice.
So that's really cool.
And a lot of them are only a single commit, which is great because it means that someone
new is coming in and saying, you know, here is some thing that I see missing or some functionality
that I want to have.
And so they write it up and they submit it to us as a pull request.
And then they go about their business and they continue using the tool and breaking
into networks with it.
But, you know, they've contributed something that 200,000 people use, which really, really
makes me happy that we can get that kind of contribution from, from so many unique people.
It is really cool to see, I've got to say. And one thing that I'll add to that, that is something I think has drawn a lot of people who work on it full time to the project, is that Metasploit is now, because it's been around and, you know, when it first started, it was sort of controversial, like, oh, we're going to actually publish these exploits, right?
We're going to create this sort of library of malware.
Well, now it's that notion where it was sort of very scary and controversial when it first started is now pretty well understood and is pretty well accepted.
Even to the point where I think it was in an article in 2012, the New York Times referred to us as a sort of early warning system for malware.
And I've kind of always liked that notion
of what Metasploit can be.
It's sort of like, you know,
if you're vulnerable to something in Metasploit,
you're doing it wrong
because we're not generally going to be publishing things
that have no mitigation available.
I mean, there are going to be times when we do that, but it's specifically to help put pressure on vendors and create a good outcome for
all of the huge numbers of people who are going to be vulnerable to some given software flaw.
And when we do that, usually if we publish something that has no patch or has no
vendor response yet, it's because it's already being exploited in the wild.
Exactly.
Yeah.
One of my favorite examples is also, I believe from 2012, from late in 2012, I'll get the
dates and timing wrong, but there was a large vulnerability in pretty much every browser.
There was the way that the bridge from JavaScript to Java
that was available so that in 2005 you could go to Yahoo Games
and play Bejeweled online or whatever.
That kind of Java applet loading directly through JavaScript
kind of bridged things called Rhino.
And there was this major, major flaw that was being exploited in the wild
and that was giving, you know, remote code execution like the Holy Grail to whoever was
doing these attacks. And these attacks were being weaponized in this real sort of compact
kind of drive-by form, right? So you click the wrong web link and bam, you're owned.
So this is terrible. And it was estimated to affect over 750 million computers.
And we were in, you know,
we maintain a disclosure program at Rapid7.
One of our colleagues does.
And so that involves a lot of sort of like, you know,
closed door conversations with the security researchers
who have found a vulnerability
and want to do responsible disclosure of that vulnerability.
And these researchers had disclosed to the maintainers of Java, Oracle, already.
They had done it that spring, right?
So by the late summer or so, it had been a significant amount of time since they had
disclosed with Oracle.
And then they came to us because I guess we had a little bit more of a megaphone or whatever.
And we disclosed again with them.
And Oracle came back and said, you know, we needed like a really long time to patch this.
I can't remember the exact amount of time, but I believe it was something like a year or 18 months to affect this patch.
Yeah, at the time, Oracle's patch cycle was six months.
And they wouldn't guarantee a patch on anything fewer than two cycles out.
Right. So you're looking at potentially like a year and a half before you're going to see
anything on this. And Metasploit was in a position to basically say, we don't care. We don't believe
that that's an acceptable thing. You bought Sun. You've got Java, it's your thing now,
and your product is vulnerable in this enormous number of computers.
So we published the exploit.
And I believe that Oracle had a patch out,
if I recall correctly, it was like three days,
but it was certainly less than a week later they had a patched version of Java. And now Java, as you know, there's kind of this spate, or you might remember,
around this time of a whole bunch of bugs and sort of this general area of things,
a whole bunch of vulnerabilities.
And now I believe that on, I know that on OS X and on Windows,
I believe pretty much anywhere you can think of,
if you're going to install a browser, that browser is no longer going to have a hard dependency on Java.
And if you want to do some Java stuff, you're going to need to go ahead and, you know, install
it yourself in the case of, like, OS X, or I'm not 100% certain how it works on Windows
right now.
But, you know, Java used to just be like a dependency and just kind of just there and
nobody really thought anything of it.
But, you know, that's one of my favorite examples of Metasploit putting very significant
pressure on a very large vendor and getting a really, really positive outcome out of it.
Man, that's interesting.
There are so many different avenues I could go off of that, because we have the licensing aspect.
You have kind of the script kiddies idea.
You have the balancing act that you guys have to be participating in of what do we include and what is out. So whenever you wield a tool that's
powerful like Metasploit, it can be used for good, it can be used for bad. This is where we kind of
get the idea of white hat hackers, black hat hackers, gray hats, which, that was a thing
back in 2006. I'm not sure, do people still use that term?
Yes.
Just making sure. What's it mean? I don't remember. Like, you're
kind of doing both? You're just... you...
Well, the funny thing about white: you put a little black in it, and
then no matter how much more white you put on top, it's always going to... Also, like, you have a history.
Is that what it means? I see. So it's like a black hat turned white. Maybe that's where the intrigue
comes in.
This work, a white hat's... a white hat that's not
necessarily entirely...
Got you, got you. Okay, so you've got those people. And, man, there's just a lot of
actors, there's a lot of interested parties. And then we have this idea of a script kiddie. Egypt,
you want to kind of explain what that is, perhaps, and then maybe address Metasploit's
history with these types of people?
Yeah, that's an interesting term. Script kiddie, is that still a
term? Maybe I'm dating myself.
It is a term.
Okay.
It definitely is. It still exists, and people do... You
hate that term?
But I just don't think it has the meaning, it doesn't have the weight that
it used to, because it used to mean that a script kiddie was someone who used other people's scripts and didn't have the skill to write their own, couldn't write their own exploits.
But the fact is, today you don't have to write your own exploits, because there are just so many things out there. You know, you don't need to know the intricate details of a particular heap
allocator on this operating system, because most exploits, most things that get you data that lets
you steal credit cards, are going to be SQL injection now. I've seen 12-year-olds bust out
SQL injections and steal stuff. Like, you don't need to be super deep into all the details of how an operating system
works to steal data. So I'm saying it's just getting even easier, right? And that's not
because exploitation has gotten easier, it's because the kind of bugs that are prevalent
these days are different. You know, there's still a lot of memory corruption vulnerabilities, but they've gotten exponentially more difficult to exploit.
So I mentioned skape's work with Microsoft on SEH mitigations.
SEH is the Structured Exception Handler, which was sort of a generic way to allow a buffer overflow on the stack to give you code execution.
And that basically killed an entire class of bugs because of that mitigation.
And it's no longer generically exploitable to overflow a buffer on a stack in a Windows
application.
So, you know, SEH protections in addition to stack cookies and other general exploit mitigations on memory corruption issues in Windows have made those sorts of bugs very difficult to exploit.
You know, in 1999, writing a buffer overflow required staring at a debugger and reading a lot of manuals and figuring out how it worked.
And when you were done, you had maybe 10 lines of exploit code.
And it took you a couple of days.
Now, if you want to exploit something in a modern browser, so say, for example, in Flash,
you have to understand how the ActionScript bytecode compiler works in Flash, and then you
have to understand the heap allocator, how that works, and then you have to understand all of the
pieces of every other little thing that is necessary to control memory in that application.
It's a huge thing, and there's a lot of stuff that gets in your way. And there are some techniques that make it a
little easier. But in general, memory corruption is going the way of the dodo. With 64-bit operating
systems becoming more and more prevalent, basically all your desktops are going to be 64-bit now. So many of those things are just going away.
But you have things like SQL injection,
and you have command injection,
and you have just passwords lying around
on passwords.xls on somebody's desktop.
So saying someone is a script kitty
for not writing their own exploits,
I just don't think has the weight that it used to.
There are a lot of ways of getting into a system, there's a lot of ways of stealing data that don't involve writing your own memory corruption exploit. And I think
it's giving short shrift to the attackers who are very clever but not necessarily savvy in the ways of
how an operating system works.
But can't we, don't we just change the focus to web applications then?
And you can still, you know, let's take for instance, now the vector becomes Ruby on Rails, just for
instance, keeping with the Ruby camp. Of course, Django, whatever, a web framework now. And some
security researcher, or say a black hat, finds a flaw in Ruby on Rails. It took perhaps a large
amount of wisdom to do that, maybe it was an easy one. Isn't that the kind of exploit that would
end up inside of Metasploit, and then me, having no knowledge of that whatsoever, can just point it at a machine and run it?
Well, it has, but I mean, you would also have to find,
you would need the skill to find a machine
that was vulnerable to that, right?
You'd need to be able to dig that out of,
you know, the sort of enormous,
that needle out of the enormous like haystack
of kind of what the modern, you know,
modern large companies or even small companies,
like a tax service looks like. And then you would need to understand what to do once you've
delivered that exploit, right? So, I mean, you know, Egypt's point is really well taken here.
We talk a lot with, obviously, like a lot of big deal pen testers, guys who are on,
you know, red teams for like Fortune 50 companies and stuff like that, who get paid to do nothing but try to break into these enormous, enormous
companies that do really big deal things.
And these guys will tell you that they've literally used exploits like once or twice
in like a decade or a dozen years long career.
Just simply because it's just easier than that out there, you know, and, you know, to
Egypt's point from before, I mean, we take a look and we watch what's going on
in terms of what's exploited in the wild,
and then we make an effort to make sure
that we are able to kind of follow along with that
and have something in Metasploit
that exploits something in that same way.
But, you know, a lot of people are tempted to think of this,
and I think that this is really,
you can blame media for this, right?
A lot of people look at this stuff and they're like, oh, you're a hacker, you have these magic
powers, Metasploit is this collection of magic skeleton keys, all I need to do is install it
and then suddenly, you know, I can just wave a wand and, like, you know, break into people. I mean,
that's just false. I mean, most people probably don't think about it, but it's probably easier to hack the
average corporation, almost certainly, of any size, than it is to hack an individual person,
just simply because there's so much out there. What they call the attack surface is so large.
Right, right. And you've got, you know, years and years of IT guys that have installed random
stuff on there or have put local admin on a particular Windows machine and da-da-da-da-da.
And, you know, there's attrition, people leave jobs, people forget what they installed, people,
you know, just kind of leave things around as business moves forward.
So, you know, even if somebody could, say, find, to just extend your example, find a
Rails application that's vulnerable to, like, the YAML injection remote code execution bug
from a couple years ago.
And they can use that exploit.
Well, Metasploit has provided a bit of code for that
and has provided a very useful mechanism for interactivity with a nice little shell
and for delivering a payload to be able to do something useful with that access.
But what then?
You know, I mean, the classic formulation of a script kitty is somebody who's just sort of like, you know, praying and spraying and just seeing what happens.
But then what then?
If that person actually knows how to, you know, move laterally through the network and steal a bunch of useful data, can you really call that person a script kitty anymore? I mean...
Like a script teenager.
Right, exactly. I mean, these people, you know, I think that the term itself, while it still gets
used, and even used at our expense indirectly on Mr. Robot, go look for the...
No spoilers, no spoilers. I haven't...
Right, exactly. Sorry, guys. But, yeah, I mean, you know,
it's just, the era, I think, of people being able to be, like, accidentally very damaging
is kind of, I don't know how, and I don't know how legitimate that is anymore. I mean,
um it's information security right so there's always like caveats and long tails of problems out there.
And, you know, there's all kinds of things that are horribly insecure that are made directly available to the Internet.
ATMs being a fantastic example.
But, you know.
Which are all running Windows XP.
Yeah, which doesn't get security updates anymore, so be afraid. Yeah, it's just not a... I don't know how useful it is as a
genuine critique of the people who are actually trying to use a particular thing.
Yeah, and I'm not necessarily critiquing. I'm trying to understand, as somebody who's involved
with the project, is you have people using it
for good, and you have people using it for bad, and some of those concerns
have to, maybe not
weigh on you, but things that you're actively thinking about when you decide if an exploit's
going to go in, when it's going to go in. In the case of your Oracle example, you know, that was
something that you used as leverage to get them to act, which ended up being a great win, right?
That's a success story. But what if they would have just
been like, well, screw you guys, we're going home now? I mean, effectively, okay, it's their fault, not
yours, but now you've given that vulnerability, that exploit, out to...
Well, but that attitude assumes that, like, we had that and other people...
That's true.
And that we, you know, and that's, it could get out there
in a different way. Well, it's already out there. That's what you need to always remember. It's already out there.
We put this in because we're able to do some monitoring of various forums and whatnot,
and we're able to see these types of things are getting exploited already out there.
Keep in mind that the crimeware kits that you would spend a bunch of money on right now,
like, say you're some bad actor somewhere in the world and you decide to, there's basically like a Silk Road of, like, malware on
Tor, right? You could get on there, you could buy a crimeware kit, which comes, a thousand bucks,
about a thousand bucks, it's a beautiful interface, it'll come with some stuff that's, you know,
it's not quite zero-day, because it's in the crimeware, but, you know, it's not in Metasploit either, necessarily, right?
I mean, like, we are not, like,
there's this temptation to believe that,
oh, the thing I know about is Metasploit,
and Metasploit's got this library of malware in it.
Therefore, Metasploit must be filled with awful stuff
that can be used to, like, own computers all over the place,
which is really only true if you're not, you know, if you're not patched.
Right. So the idea that we aren't like completely, um, you know,
that we, that we're like on the forefront and if we don't release something,
it just won't be out there. That's tempting, but it's totally not true.
The bad guys are going to have this stuff. Fair point. Fair point.
Yeah. And I'd like to point out that,
especially in that Rhino case,
it was already being exploited in the wild.
And that's true of a whole bunch of our exploits already being exploited
sometimes in targeted attacks against specific organizations.
And we make it available for everyone to know what the exploit is doing, which significantly lowers the value for a malware author.
Fair enough.
I'm stuck back where Trevor said you got a bad actor out there trying to hack something.
And I just pictured Ben Affleck sitting there at a computer.
I don't know.
Had to sneak that one in there.
All right.
Let's take another break here from another one of our
sponsors. We'll be back, because we haven't talked about Metasploit the technology very much: how it
works, how you contribute, how you use it, those fun things. We know it's built on Ruby, but that's about
all that we know at this point. So let's take a quick break and we'll be right back.
For those
out there working solo or on a team tracking time,
you thought you were wrapping up a project until the client or your boss asked for a new feature
at the last minute. And here you are stuck. You're not sure how much time you're spending
on every feature, how much time you're spending on bug fixes or tweaks. Well, Harvest is a time
tracking tool built for understanding where your time is going.
And for developers, it takes the pain out of time tracking.
Just install the Harvest Chrome extension and you can start tracking time right from issues in Jira or GitHub,
and you won't have to go searching for your time sheet.
Not only will you understand how much time you're spending on client work,
you'll also be able to turn your billable hours into an invoice
from Harvest in minutes. Harvest integrates with Stripe and PayPal to make sure you get paid fast
and on time. There's built-in reporting in Harvest that lets you see how much time your projects took
so you can use that information to make better estimates in the future. For a better way to
track time and invoice your clients and take the pain out of what you're doing when it comes to tracking time and invoicing, head to GetHarvest.com.
Create a 30-day free trial.
And after your trial is over, here's a goodie for all of our listeners.
Enter the code CHANGELOG to save 50% off your first month.
Once again, GetHarvest.com.
Create a free 30-day trial.
And after that trial is over, enter the code CHANGELOG for 50% off your first month. Enjoy.
All right, we are back, and I want to hear about Metasploit from a technological perspective.
The software, how it works. We know it's a Ruby app. We know it used to be Perl.
We know it used to be an ncurses-based game, which
still sounds pretty rad if you ask me. But Egypt, can you give us a little bit about
the software stack, how you even use it, how you install it, and then maybe how you contribute
exploits? Okay, so there's the main thing, which is Ruby, with a client console interactive front end called msfconsole.
That's the Metasploit Framework console.
There are also a number of other standalone tools.
msfvenom is our payload generator.
We also have an assembler shell that allows you to assemble x86 and x64 assembly into bytecode.
All of our payloads are in the payload technology that makes sense for that particular target.
So for Windows it's written in C, and our flagship payload is called Meterpreter, the meta-interpreter.
It allows you to interact with a system like a normal command shell.
And in fact, you can drop directly to a CMD shell or a PowerShell shell to talk to a Windows box.
And all of that is written in C with a DLL as the actual payload that gets delivered.
But we also have these things called stagers, which as a result of the way exploits typically
work in memory corruption vulnerabilities, you have a small area where you can put your payload,
which is often called shellcode. And that's restricted in size,
and it's usually restricted in character set as well.
So for an example,
if your overflow is in like an FTP username,
well, the at symbol separates the username
from the host name.
So if your payload contains an at symbol,
then it's going to break the parsing
and you won't get a shell.
So we have encoders that get rid of those bad characters
and randomize things with an XOR key.
And you can create a small little piece of assembly
that gets executed on the victim machine.
And all it's for is to talk to the attacker machine
and grab more code to execute.
And that more code to execute is typically a DLL
that allows us to do arbitrarily whatever you want.
We should probably explain the payload versus exploit sort of dichotomy here
for people that don't understand it.
Right. Yeah, that's a good idea.
So in general, an exploit takes advantage of a vulnerability.
There is some bug on a target system that I can take advantage of,
so I use an exploit to do that.
That's the terminology.
The exploit will deliver a payload as part of the normal protocol that it speaks to the victim machine.
So like an HTTP example, if the server is listening on port 80, I connect up to it on
port 80, I send my malicious request, which contains a payload. That payload executes on
the victim machine, and then somehow it communicates back to me. Sometimes that's through TCP,
sometimes that's HTTP. But either way, the payload is running on the victim machine
and it talks to the attacker machine.
And that gives us the ability to control that machine,
to get it to create new sockets
so that we can talk to other machines
that it can see inside its own network.
So if I'm out on the internet
and there's a machine on a DMZ,
I compromise it and now I can see all of the other machines
on the inside of its network that I wouldn't be able to see from the internet.
So an exploit executes a payload.
The payload talks to a handler.
That's the thing on the Ruby side that allows you to interact with it
from a user perspective.
And from there, you can drop into an interactive shell as well
and run commands that will get executed on the target machine.
So that's the general workflow of an exploit.
You use an exploit.
You set all the options necessary to take advantage of that vulnerability.
It runs a payload on the target machine.
That target machine connects back to you and gives you a shell through the handler.
And then from there, you commence your post-exploitation activities. of modules that make post exploitation easier and then make it a little more robust
in terms of the kind of data you can get a hold of.
One of my favorite things is a tool called Mimikatz
that's been integrated into Metasploit.
I'm liking the sound of this.
Yeah, what that does is it roots around in the memory on a Windows machine and finds all of the authentication structures inside lsass.exe, which is the thing that does authentication in Windows.
It roots around in its memory using the Windows debugging API and pulls out the structures that are necessary to do authentication.
And in many cases, it can pull out plain text passwords for everyone who's logged in.
Wow.
So that's really, really super useful.
If you don't get plain text passwords from that, you can still often get NTLM hashes.
And if you're at all familiar with the way Windows authentication works,
an NTLM hash is essentially a password.
Oh, this is my favorite thing.
We've got to talk about this.
So when I first got into information security,
like working at Rapid7,
I kept hearing about pass the hash, pass the hash,
which sounded like a drug thing or something.
Right, exactly.
And it's kind of astonishing
if you've been working in web application development or something for a long time, because what it means is in Windows authentication, right, and probably quite a few of the people listening to this podcast, whether they actually ever touch Windows or not, they're very likely to be dealing with an Active Directory domain controller, right?
Like if you have Outlook or Microsoft Exchange as, like, your email solution, right,
then a whole lot of things do, like, single sign-on, right?
They make this happen.
So what happens in Pass the Hash is that the client is actually responsible for creating
the hash, as opposed to like in a web application where you take in a plain text password, you
run it through your hashing function, you compare that to what you've stored in the
database.
I mean, hopefully, you know, that's what you're doing, right?
That's not what happens.
The client itself is actually sending, doing the hashing and sending the hashed data over
to the authentication mechanism.
So what you have there is exactly what Egypt just said.
Effectively, if you can steal a hash, you can pass it and use it as a password.
So this is the basis for a lot of lateral movement through networks, right?
I mean, quite a bit of the time you'll find that for expediency, back in the day, some
IT guys set up five or six machines with local admin access, and that local admin is using
the same password that all the guys in the IT department knew, and now you can take that
same thing and you grab that hash and you can pass it around.
So the, you know, the, one of the many things that you can do with, with Metasploit after
you've compromised the machine, after you have a session on there is scrape all different
kinds of passwords out of all different kinds of files, right?
We have, we've got obviously ones to do the classic Windows stuff and grab all of those,
but then we've also got things like stealing a KeePass database
if you can find one on the machine,
scraping Skype hashes from wherever they're located
on whatever type of platform you've just victimized, right?
And bringing them all and handing them over
to offline cracking tools like John the Ripper
or something like that.
So, you know, you can go through
and just start running them through a cracker,
and then hopefully, you know, hours or days later or whatever,
you've got a whole bunch of nice passwords
that you can start replaying in different places.
Yeah, and in some cases, you don't need to do any kind of cracking.
So Windows has this awesome thing called Crypt Secure Data
and Crypt Unsecure Data,
which is the API intended specifically for storing secret stuff in Windows.
But if I'm running as your user,
I can encrypt all of the stuff that you have encrypted as that user.
So you can just ask the operating system,
and it will give you all of those secrets for free.
If you have that user's privileges at the time, right?
Exactly.
So that's fine.
So if I'm running as you,
and you can do anything at all
without using your password, then I have your password.
Well, that doesn't sound very awesome
for me. So let's say that I'm a budding network administrator, or let's say that I'm an app
developer with a network that I'm interested in running some of these things against, or maybe I just want to play with it and see what it does.
How do you get started with Metasploit?
How do you use it as an end user?
Well, for an IT admin, I would suggest starting with the community edition,
which is the Rails GUI that's sort of the basis for our commercial editions
because it gives you a lot of the power of the console interface,
but it's point and click and it's got a less steep learning curve.
If you really want to dive into it,
the console does have a slightly higher learning curve,
but it does have faster access to some aspects of the framework.
So I'd say when you're first getting started,
community is absolutely the way to go.
Yeah, and I would say that's definitely true.
Unless you're just like, you love CLI,
you want to dive in on the command line,
it's very easy to grab the code.
There's also, we distribute with Kali Linux,
which is a big open source sort of penetration testing Linux distribution.
So the framework is available like right out of the box right there,
along with a bunch of other really fun tools,
pretty much everything that we mentioned for the most part on this call.
And I would say that also I personally,
when I was getting up to speed on the application
when I joined Rapid7,
I know that some of the content is a little bit out of date,
but the NoStarchPress book Metasploit Unleashed,
which was written by a bunch of sort of longtime contributors
and sort of friends of the family,
basically a bunch of penetration testing people,
is a really good
book just sort of for understanding, like, how to get started, how to use this, how to kind of
get your head around what the framework does and why it's powerful.
Might be a
good time to mention that there is, as you guys said, there's a divide between the open source,
BSD-licensed Metasploit Framework and, I believe, what's called the Metasploit Project, which is...
Well, the commercial editions, really, is what we call them at Rapid7. So, right, so we have,
like a lot of commercial open source things, we have, like, a couple different, like, you know, price
points with different features turned on or off, right? The framework is the engine of all of
those things, though. So, yeah.
What's outside of the framework?
What's in the proprietary ones?
Metasploit Pro contains things
like a Jasper Reports-based reporting engine.
It has a whole really nice social engineering toolkit
that you can use.
I like to tell people it's sort of like
an evil online marketing system in a way
because you can use it to create a little website and then like create an email and generate links that are like, you know, that have tags like to, you know, you can upload like an Excel spreadsheet of like all the people in your org.
And then you can basically try to phish them and see, like, okay, you know, Joe, you know, opened the email, but didn't click on it. Mary didn't even open the email.
But Frank opened the email, clicked on the link inside it,
and then filled out the form on the resulting web app and hit submit, and we stole his creds.
So, you know, Frank's got to go for security training or whatever, right?
So a bunch of, quite a few of our customers really enjoyed using that.
They can kind of like click, click, click.
They can clone an existing website if they want to
or whatever.
So you can deceive your own employees into...
Right, right. But it is a little
weird, but at the same time, most of the major breaches that anybody could name off the top of
their head for the last couple years have been what we refer to at Rapid7 as deception-based
attacks. So it's very germane. Like, it really, really is. And you'd be surprised how
many people can fall for this. Now, granted, if you're creating one of these things and you've
got internal knowledge of the company, you know, you're kind of tempted to sort of go a little bit
out of the bounds of where you would normally go just kind of naturally, but that's available.
Hold on there. Hold on there. I think that insider knowledge isn't always all that inside.
So as an example, the first phishing campaign that I ever did,
that I was ever involved with,
there were public rumors about a merger with this company
that we were targeting and another company.
And so we sent a phishing email with a PDF containing an exploit in it,
and the subject of the email was basically
the merger has gone through
and this PDF contains a list of everyone who's getting fired.
Yeah, fair point.
Like at that point, I don't know whether that's just preying on human nature.
Yeah, that's pretty compelling content, right?
Right, like who's not going to open that?
I would see that as one of the most suspicious things ever to come into my inbox, but maybe
that's just me after spending four years on Metasploit.
Yeah, I think you're probably pretty unique in that regard, I think.
But, I mean, there are a couple other, like, larger features that are available inside
Pro, and most of those are effectively to help people who are kind of in the security admin
space run a collection of Metasploit content and then do some things and report on what
it was able to do in a sort of, you know, in a nice kind of automated orchestrated fashion,
right?
Whereas the framework is all kind of nitty gritty,
hands-on, you can script it,
but that's a lot of work to really scale your way up, right?
Versus Pro is going to give you a nice GUI interface for dealing with, for instance,
maybe you've compromised hundreds of machines
at the same time and you want to run
the same two or three modules on all of those machines
and have that all be part of one big report or something like that. That's
that would be a pain in framework. And it's it's very simple and pro. So pro is all about
scalability, communication with other people, communicating up to your bosses or your
stakeholders, that kind of thing. Very cool. Well, guys, we got to take one more break.
I still want to talk about InfoSec and open source and the relationship between the two.
It seems like there can be a bit of a divide.
Obviously, Metasploit is a big success story where you have open source and InfoSec and maybe some ideas around how we can bridge those gaps.
And of course, on the other side of the break are awesome closing questions.
So stay tuned for that.
And we will be right back.
This week we have
a sponsored repo to mention
from our friends at Transloadit.
Transloadit is a versatile
file uploading and encoding service
and they've asked us to give a shout out to their
open source project, TUS.
It's a new open protocol for resumable uploads built on top of HTTP.
It's simple, it's cheap, and it's available for any language on any platform on any network.
It supports checksums, parallel uploading of chunks, no more lost cat videos.
It's MIT and open source.
Some smart minds have collaborated on it, like the author of HTTP 1.1,
employees at Google and Yahoo, Vimeo's director of engineering,
ZeroMQ's creator, and there are implementations being pushed out for all major languages and frameworks. Also, Vimeo has already announced it will use this open protocol for their new
video uploading services, and the 1.0 of the protocol is nearing completion as we speak.
They are calling for a final round of feedback on their pull request, which we'll link up
in the show notes before releasing it.
So if you're at all interested, go to tus.io, that's T-U-S dot I-O, or head to the link
we mentioned in the show notes to check out that pull request for 1.0's feedback.
And now back to the show.
All right, we're back.
And I think, Trevor, I'll point this one at you
because we kind of talked about this briefly at GopherCon.
You have these two communities.
You have the open source developer community.
You have the InfoSec community.
Seems like there's some overlap.
And maybe the actual distinction is kind of the maker community and the breaker community to a certain degree. And it seems like we don't mesh very often.
Can you speak to that? Yeah. And it's something that I've found curious in my involvement with
Metasploit. And it's certainly something that I think Egypt and I share a desire to help change
that, right? So, you know, that's part of why we gave our talk at Lone Star RubyCon like a month ago, just sort of trying to get people understanding, like, here are the types of challenges that we tackle that don't necessarily have anything to do with security per se.
You know, building a good network client, you know, dealing with all the different types of abstractions that your business logic requires of you and things like that, right?
These are just programming tasks.
And I think that probably what we're really looking at
is a historical situation more than anything else.
So that gives me hope.
I don't think that there's anything inherent or intrinsic
that makes it difficult for people to spend any time on this.
Other than just historically,
I think a lot of people who are developers
maybe haven't spent a lot of time
thinking about how executables are structured
or thinking about how networks work
or things like that.
I think on the other side of it,
quite a few people who write a lot of code
in the security world,
they're writing code under the gun.
They're on that five or six day timeline
that Egypt mentioned before
where they actually have four days for real
because of their contractual
obligations otherwise.
People who are writing this stuff sometimes
are putting something together
that isn't really designed to live very long.
Maybe they finished something
and it was great and they got it to work
really well on their engagement, their pen test
engagement, and they say, you know what, I'm going to clean that up a little bit
and I'm going to send that over to Metasploit
as a pull request.
We get a widely varying level of quality in the code that people want to submit to the framework.
And I think in part that's just because a lot of people who have been spending a lot of time doing security have not necessarily been spending much time trying to make good software. So when we, when kind of Egypt and I have these kinds of conversations
about this kind of thing, we kind of ask ourselves, you know, what can we do to help
bridge that gap and help get some of these people who are sort of security inclined
thinking more in terms of good software practices. So we've got a pretty extensive set of things
that someone's going to need to do in order to do a pull request onto the framework. It'll be
different if it's purely just a Metasploit module, you know, a piece of content,
than if they're actually trying to hack on like the core of the framework itself.
There'll be different levels of sort of requirement.
We have a lot of like sort of you need to provide external verification steps, potentially
hopefully provide like a way to acquire a piece of software that may be vulnerable to
this or that you could use to verify it. You know, but especially in offensive security, you have the challenge of
like, you know, do I even have access to the thing that you're giving me an exploit for, right? Like,
is it some insanely expensive piece of like enterprise software that we're just not going
to be able to put into one of our labs, et cetera, et cetera. But I do think that as security,
information security becomes much more of a thing outside of a cloister, and it's much more prevalent in these big breaches that constantly happen, and the president getting up there talking about it, et cetera, it kind of comes to the fore a little bit more.
You'll start to see developers thinking a little bit more holistically and thinking a little bit more in terms of those types of projects. And then naturally, I think, the proclivity of developers, the things they want
to spend their time on outside of work, you know, the sort of classic direction that people move
into to try to say, what am I going to spend my open source contribution time doing? We really
hope to kind of position ourselves to benefit from that sort of trend over time. You know,
I do think there's some convergence there, but maybe I'm just a closet optimist.
Yeah. Speaking of that last point, you know, something that's long been a tradition of
info security folks is the capture the flags. I'm assuming that still goes on. I used to do that
back in college. It was lots of fun. And it seems like recently there's been kind of like official
ones put on, like by Stripe and perhaps a few others, where a company will host a CTF. And whether those
are, you know, legit vulnerabilities, or, you know, hard or easy or whatever, they do spur interest,
and they kind of bring ideas around secure practices to a larger group of people
than the ones who are already doing it. What are your thoughts on those types of activities?
I think you're completely right about that. I mean, I don't really do CTF, but my understanding
is that the average CTF is significantly harder than the average pen test engagement in terms of
just sort of being an intellectual challenge.
That makes sense, actually, yeah.
Somebody actually thought about designing a way in
as opposed to just your typical open FTP server, right?
Right, exactly.
And the thing that you're supposed to do is significantly more difficult.
That's more like a puzzle.
Right.
Or like in the case of DEF CON,
it's kind of the World Series or Super Bowl or whatever your sports metaphor is of CTF, and actually what you end up doing is reversing binary software live.
So it's not – I think that you're absolutely right, though, that that will probably just as sort of a fun intellectual challenge could provide kind of a way in.
You know what I mean?
I think that the challenge to security practitioners, to information security people now, is to
kind of realize where their jargon is and where their kind of collected sort of hidden
knowledge is and the knowledge that they assume amongst people they talk to and realize
that they might be talking to a software person who's an extraordinarily adept creator of software
and really doesn't know the security landscape, but given the right kind of particular pieces
of knowledge, could really be somebody who's a benefit to the information security world.
I think that's kind of the attitude that Egypt and I both approach it with is that there's
just a lot of latent capability out there. So yeah, I think we've, you know, we've kicked around
ideas for years about how can kind of how could we get more people who are more software oriented,
you know, thinking in terms of security, and really, frankly, people who are security people
thinking a little bit more in terms of good software practices. I think there's definitely
an opportunity for people to kind of meet in the middle on that.
Well, hopefully here at the ChangeLog, we can help facilitate such things.
I think even just having a conversation around it brings up people thinking about such topics.
So hopefully we'll have more, gosh, can I say synergies and get away with it?
Sometimes you can.
I think I just did.
Sometimes it's the word you need.
All right.
Well, I think it's time for our closing questions.
So y'all know the drill.
I'm going to start with Egypt and ask you, who is your programming hero?
I think my hero, my programming hero is a former co-worker named Michael Milvich,
who was just amazing in his breadth of knowledge.
He knew a little bit about everything,
from how compilers work at the base fundamental levels
to the Python VM to everything, basically.
And what really made him special to me as a colleague, um, was
that his depth was at least as impressive as his breadth. So he knew a lot about everything.
And that was really inspiring to me and it got me, um, it got me looking into a lot more things
and, and, and really challenging myself to be a better programmer.
Awesome. Trevor, how about yourself?
Yeah, I've been spending so much time in Go in the last year, and I've been watching kind of all
this sort of constant controversy of people being like, oh, it doesn't have my favorite thing in it
or whatever. And I've been pretty severely impressed with Rob Pike, you know, who's kind
of a legend in the programming world.
But this whole idea that there could be a much better language, we could go back to some of our basic principles and say, look at these old principles from C and from some
early Unix programming and say, there's some really great ideas here.
There are some fundamentals.
And if we keep our language very small, and if we really, um, sort of chart a
particular course and not waver from that course and not kind of like bring in every idea
that everyone's ever had, um, we'll be making something kind of interesting. I'm always a big
fan of the idea of creativity within constraints. And it's been interesting to watch, um, this
guy who's, you know, I doubt he ever really considered himself somebody who was going to become like this, you know, person who is sort of kind of the high priest of a programming language in the same way that he has.
But it's been nice to watch the way that sort of the Go authors have been very, I would say, very generous with their time and very interested in the reactions that people have to the things that they've built.
But they also kind of maintain that, you know, they've got a vision for what this thing can be.
And they kind of stick to that.
And it's been cool to watch.
I'm also like kind of in awe of Yehuda Katz.
And I know a lot of people probably mentioned him on this program.
But the guy like just makes things that need to exist.
And as a sort-minded person,
I really, really appreciate that.
I remember Rails dependency management before Bundler.
I really appreciated a couple times
I needed to write a CLI tool in Ruby.
I really appreciated the existence of Thor.
Amen to that, yeah.
Yeah, I love that somebody sits down,
he's going to write something in Rust,
and he's like, well, I need Bundler for Rust,
so I guess I'll just make it.
And that kind of attitude,
as somebody who spends a lot of time
dealing with open source stuff,
that kind of attitude is just huge.
That's like the ultimate yak shave, right?
Like, I want to write something in Rust,
I need a dependency manager,
and months later, here comes Cargo.
Here we are all benefiting from it, right?
Very cool.
Hats off.
Okay, last one.
We're running low on time here.
What would you be doing if you weren't working on Metasploit?
And Egypt, we'll start with you.
I would probably be penetration testing networks, breaking into stuff, stealing things.
Security has always been my passion, and programming has been the means to that. And if not penetration testing of networks, I would be reverse engineering binaries,
staring at debuggers and disassemblers all day long.
In fact, that's what I was doing before I came to the Metasploit team.
So elite. You did it so elite. Love it.
How about you, Trevor?
I've always liked early-stage startups.
I like chaos and the interesting
opportunities that come out of it. So I would probably be off doing something on my own,
probably in like agricultural tech. I'm really fascinated by the intersection of like
maker technologies and the whole sort of like, I don't even know if you can call it the food
movement, but I guess kind of the food movement. So something in that area. Just speaking to that briefly, I actually listened to a great
podcast this morning on EconTalk. Have you ever heard of EconTalk? It's an economics podcast out
of Stanford, I believe. I'm a bit of an economy nerd from time to time. All about ag tech and
kind of the return of nature that's been happening.
I'll link that up in the show notes.
It's pretty interesting to see the results of some of the advancements that we've made recently in ag tech.
Very cool.
Well, guys, man, this was such a fun time.
I could probably talk to you all for hours about these things, mostly because I'm so rusty that I'll just sit here and say,
is this still a thing?
Is that still a thing? As you can tell by now.
Well, come down to Austin and hang out.
It might have to happen. It might have to happen. Where can we find you? So,
of Metasploit. freenode and i'm
in there all the time. Yeah, same for me. I'm trevrosen on Twitter and GitHub both. Um,
I, uh, I mock, uh, politicians frequently on my Twitter account, so it's not really my professional thing, but there it is.
I also talk about code.
So if you're pretty politically aligned,
you may not want to follow Trevor on Twitter
because he may make you angry.
He could be, yeah.
Or even if it's not politics,
it might make you angry.
Yeah, it just might happen.
Very cool.
Well, thank you guys again for joining me today.
I also want to thank our awesome sponsors for this episode. That is CodeShip, Toptal, Harvest, and Transloadit. We appreciate your support. And if you love the changelog, quite yet, we have the Hybrid Group coming on to talk about Cylon.js,
Gobot, and the Internet of Things.
We have RethinkDB,
a follow-up with the earlier interview we had with the CTO there,
as well as Saron Yitbarek with CodeNewbie upcoming.
All sorts of fun stuff.
Make sure you subscribe.
And with that, until next time, let's say goodbye.
Goodbye.
Goodbye. We'll see you next time.