2009
10.25

It’s official: the Metasploit project, conceived by HD Moore, has been acquired by Rapid7, an information security company (better known for its vulnerability assessment product NeXpose).

What does this mean for the future of this great open source project that many have learned to love (and I suppose hate) over the years? Well, according to its creator it can only make it better. Having Metasploit go commercial means a budget, an actual QA department, a full-time dev team and more quality exploits.

Here are a few things that Rapid7 had to say:
“As a result of our union, we will be able to bring superior data on exploitability to our customers, helping them to prioritize and remediate key security issues. The exploit data will be directly embedded in our vulnerability management solution NeXpose, providing a whole new level of risk analysis capabilities to our clients, while ensuring that NeXpose, which will continue as a separate product, delivers the safest, most proactive and actionable vulnerability scanning capabilities in the industry.”

That sounds pretty good, but something does bother me.
“The exploit data will be directly embedded in our vulnerability management solution NeXpose.” As far as I’m concerned, this means NeXpose will be feeding off Metasploit’s better parts. Guess it’s normal, they just acquired it and can probably do whatever they please. Making NeXpose an even better product in the end. What will happen when Metasploit has nothing left to feed it? What will happen then?
“Finally, the combination of NeXpose and Metasploit will enable Rapid7 to continue to grow its relationship with partners and consultants…”

Does this mean that eventually Metasploit will depend on NeXpose? Should we expect, sometime in the future, a message saying something like “…this feature requires you install NeXpose…”?

Another little bit that has brought me some concern comes from Moore’s statement on his blog:
“From a user’s perspective Metasploit will still be free. All of the important bits are going to remain open-source…”

Which important bits? Let’s face it, the whole framework is pretty important and downright incredible. Will the exploits be Open Source? Will it be the framework’s inner workings? I guess only time will tell…

Don’t get me wrong, I am extremely happy for Mr. Moore and the rest of the Metasploit team. They created an Open Source application to help the community. If they can make money and continue working on something they started off as a hobby… Well, congratulations! I don’t think anyone would object to that. Let’s face it, having a piece of code (big or small) being picked up by a commercial enterprise must be rewarding as hell.

My concern is, what will happen to Metasploit down the road… after a few years. History has a tendency to repeat itself. In the past Open Source projects acquired by commercial entities have been known to slowly, but surely, transform the Open Source product into a closed one. Of course this is not always the case.

Another thing, what will happen to Offensive Security’s MSF certification? Will they have as much support and cooperation now to keep the study material up-to-date? Will they be limited by the bits of the project that will not be Open Source? Then again, it may not be affected at all.
_______
EDIT:
As mentioned by muts (Mati Aharoni, lead developer of Back|Track and CEO of Offensive Security), I guess MSFU won’t suffer from Metasploit’s acquisition. Sorry muts for not seeing (or reading) that detail.
Offensive Security Official MSF training partner
_______

So to end this, again congratulations are in order to the whole Metasploit team. I’m extremely happy for you all. Transforming a hobby into a career is not always easy.
Good luck, have fun

Metasploit/Rapid7 FAQ

2009
10.18

Recovering Firefox Passwords

A few weeks ago, Larry from Pauldotcom had a tech-segment about recovering Firefox passwords.
Seeing that this segment is well written, and it’s a subject that always fascinates me, I see no point in trying to write up another when I could just link to it.

Pauldotcom, episode 166

Hope you enjoy it as much as I did.

2009
10.01

We don’t mean to be insecure

Don’t want to sound preachy, but system administrators and network administrators are not always to blame for insecure systems. Sometimes (often) the blame falls on the heads of management.

Keeping a system up to date, fully patched and properly configured afterwards will usually keep any system relatively secure… until the next exploit comes out and is made public.

Doing this takes time. One needs to make sure applied patches won’t affect running services (i.e. Framework 3.5 SP1 on Citrix Presentation Server - this one seems solved now). Lots of reading and testing should be done before deploying major changes. For us, the tech guys, this is normal and the sensible thing to do. It’s our job to keep things running smoothly… For management, time equals money… and they seem to always have the mentality “…if it ain’t broke, don’t fix it…” Of course, when a system gets compromised or crashes it’s our fault for not applying the proper updates and patches.

Recently I had the pleasure of showing my current employer how easy it would be to compromise a customer’s system. Without raising any alarms or triggering a malware/anti-virus application I got a reverse shell on my home computer. Must admit, he was surprised how easy it was. Unfortunately nothing came out of that demonstration. I even spoke about a customer’s FTP server, and how we should update it seeing the amount of DoS exploits and local privilege escalation exploits currently in the wild… Again nothing.

So, from where I’m sitting we are not at fault. Pretty sure it’s the same for others…
</rant>