►
From YouTube: The Metasploit Framework - GitHub Universe 2020
Description
Presented by Spencer McIntyre, Lead Researcher, Metasploit Framework
The Metasploit Framework is an open source tool for testing and demonstrating security vulnerabilities within software. In this session, we'll talk about how it can be used to perform an assessment—and describe the heart of the framework content, the exploit module. Finally, we'll go over how the open source community itself can contribute to the Metasploit Framework.
For more from GitHub Universe 2020, visit https://githubuniverse.com
As always, feel free to leave us a comment below and don't forget to subscribe: http://bit.ly/subgithub
Thanks!
Connect with us.
Facebook: http://fb.com/github
Twitter: http://twitter.com/github
LinkedIn: http://linkedin.com/company/github
About GitHub
GitHub is the best place to share code with friends, co-workers, classmates, and complete strangers. Millions of people use GitHub to build amazing things together. For more info, go to http://github.com
A
Hello:
everyone,
my
name,
is
spencer
mcatar.
I'm
really
happy
to
be
here.
I
hope
everyone's
having
a
great
github
universe.
So
far,
so
we're
here
to
talk
about
the
metabolic
framework
and
if
you're
not
familiar
with
it,
we're
gonna
go
over
a
little
bit
about
what
it
is
show
a
little
bit
about
how
it
can
be
used
and
finally
close
out
with
talking
about
how
to
go
ahead
and
contribute
to
it.
So
like
was
mentioned,
my
name
is
spencer
mcintyre.
A
I
am
the
research
lead
on
the
medically
project
at
rapid
seven.
I've
been
a
metasploit
contributor
for
about
ten
years
now
I've
been
contributing
content
to
the
muscle
framework
started
about
10
years
ago.
So
it's
been,
it's
been
a
great
and
wild
ride
and
I'm
here
to
share
a
little
bit
about
that
with
it.
A
So
those
plate
is
an
open
source
security
framework.
It
started
out
as
an
exploit
framework,
which
is
like
the
core
of
the
content,
and
it
has
since
evolved
into
that
to
be
a
framework
to
facilitate
security,
research
and,
most
notably,
security
testing,
which
is
what
we're
going
to
be
talking
about
quite
a
bit
and
when
I
say
security
testing
we're
thinking
about
like
penetration
testing.
We're
looking
for.
A
You
know,
authorized
users
that
are
looking
to
emulate
malicious
users
to
try
to
identify
security
flaws
and
vulnerabilities
and
prove
that
they
can
be
leveraged
in
order
to
achieve
something
potentially
dangerous
or
malicious.
So
that
might
be,
you
know,
crashing
a
system
most
often
times
stealing
data
and
things
along
those
lines.
So
they
do
that
by
leveraging
the
exploit
content
and
that's
all
part
of
the
the
open
source
project
that
we
provide.
And
so
this
is
a
slide
with
a
whole
bunch
of
the
users.
A
Just
some
of
the
many
many
users
that
have
contributed
to
the
messenger
framework
since
its
time
on
github,
which
has
been
on
github
for
quite
a
few
years
now
and
is
now
the
the
core
of
our
workflow,
where
we
accept
contributions
through
pull
requests.
Like
many
other
projects
out
there
so,
like
I
mentioned
we're,
gonna
talk
a
little
bit
about
what
metasploit
is
today.
A
So
that
way,
we
can
better
understand
how
metasploit
fits
in
and
the
various
steps
as
part
of
that
workflow
that
mentally
really
helps
out
and
to
facilitate,
and
then
we're
gonna
talk
about
contributing
to
medical
aid.
My
favorite
type
of
content,
which
is
going
to
be,
of
course,
the
the
exploit
content.
A
So
with
that,
let's
play
is
a
is
a
collection
of
operational
capabilities,
in
terms
of
you
know,
exploit
modules
that
are
going
to
leverage
a
vulnerability
to
achieve
some
kind
of
an
effect
that
is
most
often
times
not
going
to
be
the
intended
effect.
It's
going
to
be
explicit
vulnerability
to
achieve,
say,
code,
execution,
information,
disclosure,
privilege
escalation,
something
along
those
lines
so
who
might
want
to
use
this
well.
A
Metasploit
is
a
sort
of
toolbox
that
provides
libraries
for
exploitation
tasks
if
you're
watching
this
talk,
you're,
probably
a
developer
and
you're,
probably
very
familiar
with
with
the
concept
of
libraries.
Well,
writing
exploits
presents
some
interesting
problems
and,
like
many
other
coding
problems,
it
makes
a
lot
of
sense
to
have
reusable
code
in
the
form
of
libraries
or
to
be
able
to
go
ahead
and
facilitate
that,
and
that's
one
of
the
things
that
metasploit
provides
is
a
sort
of
baseline
functionality
with
a
lot
of
the
libraries
so
that
exploit
developers
and
vulnerability.
A
Researchers
can
get
off
the
ground
running
very
quickly
and
sort
of
prove
the
exploitability
of
the
vulnerability
that
they're
looking
at
and
that
kind
of
leads
right
into
the
the
second
set
of
common
users,
which
are
going
to
be
like
the
penetration
testers.
The
people
that
are
looking
for
these
vulnerabilities
that
have
content
in
metasploits
that
way
they
can
go
ahead
and
identify
and
prove
that
they
exist
and
we
say
prove
that
they
exist
we're
trying
to
ensure
that
there
are
no
false
positives,
because,
if
you're
familiar
with
security,
you've
probably
run
vulnerability
scans.
A
You
can
know
that
false
positives
can
be
an
issue.
They
can
be
a
problem
that
you
know
lead
to
wasting
time,
you're,
not
entirely
sure
if
the
vulnerability
exists
or
something
along
those
lines,
that's
kind
of
where
multiplayer
can
really
help
out
where,
when
it
has
an
exploit
module,
the
exploit
module
can
be
leveraged
to
deliver
another
kind
of
module
which
is
going
to
be
like
a
payload.
This
is
one
of
the
nice
parts
of
the
frameworks
that
you
can
select
this
other
type
of
module
of
the
payload.
A
To
be
what
you
want
to
happen.
When
the
exploit
occurs,
that
way,
you
can
show
definitively
that
no,
this,
this
vulnerability
that
you
know
we
may
have
thought
was
a
false.
Positive
is
a
real
thing.
It
can
be
leveraged
and
we
should
prioritize
fixing
it
accordingly.
Based
off
of
the
findings
of
what
we
had.
You
know
we
leaked
critical
information.
We
should
patch
this
today
or
there
wasn't
really
anything.
A
So
maybe
we
can
push
it
until
next
month,
something
along
those
lines,
and
so
I've
already
mentioned
a
couple
of
the
module
types
that
are
going
through
through
metallic,
which
is
like
the
very
the
the
core
of
the
framework
is
built
out
in
these
content
blocks.
That
are
the
modules,
so
we
have
the
explain
modules.
A
Everyone's
favorite
modules
is
the
one
that
we
have
the
most
of
and
the
exploit
modules
are
used
to
go
ahead
and
deliver
payload
modules,
which
is
like
I
had
mentioned
the
type
of
content
of
like
what
occurs
if
an
exploit
is
able
to
leverage
a
vulnerability
to
do
something:
malicious,
that's
something
malicious
is
the
the
payload
module,
and
so
when
working
through
those
those
are
two
of
our
modules.
We
also
have
encoder
modules,
which
handle
things
like
bad
characters
in
the
payload,
which
is
a
very
common
problem.
A
If
you're
an
exploit
developer,
you
have
applications
that
you
know
if
it's
a
stack
based
buffer
overflow.
Maybe
you
have
like
bad
null
characters,
because
that's
the
terminator
for
a
string,
so
you
need
to
encode
your
payload
in
order
to
get
around
this,
we
have
encoder
modules
for
that.
We
also
have
post
modules
that
can
interact
with
established
sessions
from
payload
modules
that
can
do
interesting
things
after
an
exploit
has
taken
place.
So
once
we
have
compromised
the
system,
we
want
to
be
able
to
show
the
potential
impact
of
it.
A
So
in
terms
of
like
the
workflow,
you
might
start
out
with
like
using
an
auxiliary
module
to
go
ahead
and
look
for
a
vulnerability
that
we
know
is
high
profile.
Metabolite
has
an
exploit
module
for
something
along
those
lines,
so
we'll
fire
up
an
auxiliary
module
and
check
a
class
c
of
hosts
like
250
for
host
and
check
to
see
you
know.
Does
this
vulnerability
exist?
A
Does
the
service
present
and
then
from
there
we'll
identify
that
it
is
and
we'll
move
on
to
an
exploit
module
choose
a
payload
that
we'd
like
to
be
delivered
and
go
ahead
and
exploit
the
service
upon
successful
exploitation.
We'll
have
a
session
and
then
that's
when
the
post
modules
come
in.
The
post
modules
can
use
that
session
to,
for
example,
enumerate
out
sensitive
information
that
might
be
stored
in
the
browser
leak,
clear,
correct
text
credentials
out
of
memory,
something
along
those
lines
can
be
looking
for
that
sensitive
information.
A
So
that
way
the
tester,
whoever
is
operating
medically
can
go
back
to
the
owner
of
the
system
and
show
the
stakeholders
look.
We
were
able
to
find
you
know
this
information
using
this
vulnerability,
so
this
one
should
be
addressed
with
a
much
greater
sense
of
urgency
than
say
some
others
that
we
perhaps
you
know
weren't
able
to
exploit.
Maybe
it's
false
positive,
something
along
those
lines,
so
we
were
able
to
help
the
users
triage
and
prioritize
those
vulnerabilities,
because
we
all
know
our
time
is
not
infinite.
A
You
know
we
have
a
certain
amount
of
time,
so
we
want
to
be
able
to
use
it
most
effectively
and
that's
what
can
help
us
get
that
that
knowledge
in
order
to
go
ahead
and
do
that
so
breaking
down
the
workflow
a
little
bit
more
I've
already
kind
of
mentioned,
starting
out
with
like
reconnaissance
and
scanning.
These
are
where
the
auxiliary
modules
are
are
heavy
hitters.
Out
of
the
metaphor,
you
know
we're
looking
for
targets,
we're
identifying
services
that
we
might
be
interested
in,
say,
smb,
rdp
and,
of
course,
our
favorite
http.
A
We
want
to
be
able
to
identify
you
know
as
the
server
engine
x
or
their
popular
web
applications
on
it
like,
say,
maybe
wordpress
something
along
those
lines.
We
want
to
be
able
to
identify
our
targets.
This
is
very
often,
if
you
don't
know
or
you're,
not
looking
for
like
a
very
specific
target.
If
you're
looking
at
like,
for
example,
a
whole
network
worth
of
host
you'll
be
spending
a
lot
of
time
in
the
scan
and
the
recon
phases
from
there.
Once
you
have
your
targets.
A
Moving
on
into
the
attack
phase,
where
you
load
up
an
exploitation,
module
and
try
to
go
ahead
and
leverage
the
service
and
then
hopefully,
you're
successful
and
you've
compromised
that
system
now.
This
is
how
it's
often
taught
in
a
very
linear
fashion,
but
I
can
tell
you
from
experience
I,
it
doesn't
quite
work
out
like
this
in
the
real
world
a
lot
of
times
you
bounce
around
between
the
different
steps.
A
You
know
you
might
go
from
reconnaissance
and
for
whatever
reason
you
identify
as
service
that
you're
very
confident
is
vulnerable
and
you
move
on
into
the
attack
phase,
and
you
know
perhaps
the
attack
doesn't
work,
so
you
move
back
into
the
reconnaissance
phase
and
you're
looking
for
another
system
and
so
on
and
so
forth.
So
it
doesn't
quite
work
out
this
linearly
or
this
cleanly
in
in
the
real
world.
A
A
Metabolite
helps
take
those
modules
that
would
otherwise
be
isolated
tools
that
users
might
perhaps
run
and
turn
them
into
a
sort
of
workflow.
So
in
terms
of
the
scanning
and
the
reconnaissance
phase,
I've
already
mentioned
when
we
utilize
our
auxiliary
modules
to
go
ahead
and
look
for
a
service.
The
metabolic
database,
in
the
background,
is
going
to
be
gathering
information.
That's
reported
by
these
modules,
including
what
systems
are
online.
What
services
are
identified
and
then
key
pieces
of
information
that
are
important
from
an
exploitation
perspective,
such
as
what
vulnerabilities
might
have
been
identified?
A
What
versions
of
software
are
affected?
So
if
you
find
an
old
version
of
wordpress,
this
can
be
noted
in
the
database
and
we
can
sort
of
feed
that
module
or
excuse
me
that
information
into
the
next
step
of
our
workflow,
where
we
might
be
looking
for
attacks
that
can
leverage
that
old
version
of
wordpress
or
something
along
those
lines.
So
the
database
is
sort
of
the
core
of
the
glue
that
ties
this
workflow
together,
and
so
with
that.
I'd
like
to
show
a
quick
demo
of
how
this
might
look
in
this
particular
example.
A
We're
going
to
go
ahead
and
we're
going
to
show
using
an
auxiliary
module
to
go
ahead
and
identify
systems
that
are
vulnerable
to
a
high-profile
vulnerability.
Ms-1710
that
came
out
quite
a
while
ago.
We'd
be
surprised.
We
do
still
find
systems
with
this
vulnerability
present
occasionally,
but
it's
very
easy
to
exploit.
So
as
a
a
tester.
A
If
I'm
looking
at
a
network,
I
would
definitely
want
to
identify
this
vulnerability
might
be
one
of
the
very
early
steps
that
I'm
using,
while
I'm
doing
my
scanning
and
my
reconnaissance,
so
I'm
going
to
use
metasploit
to
go
ahead
and
run
this
module
and
it's
going
to
go
ahead
and
it's
going
to
identify
a
system.
That's
vulnerable!
It's
going
to
store
that
information
for
me
in
the
database,
so
it's
kind
of
like
keeping
those
notes
for
me
automatically,
of
course,
as
a
pentester,
I'm
probably
going
to
be
keeping
a
notebook
and
keeping
this
separately.
A
A
It's
a
very
small
example,
if
you're
looking
at
say,
like
a
thousand
two
thousand
five
thousand
systems,
this
would
become
very,
very
important,
very
valuable
as
it's
filling
all
this
information
out
for
us
and
what
we're
doing
is
we're
gonna,
go
ahead
and
take
this
knowledge
that
we
had
and
we're
going
to
move
into
the
next
phase,
where
we're
actually
gonna
go
ahead
and
exploit
this
vulnerability.
So
we
load
up
the
explain
module
and
we
set
the
information
that
we
had
just
gathered.
A
This
expo
usually
takes
just
a
few
seconds
to
run
before
it
is
successful,
and
you
can
see
that
the
the
prompt
changed
into
the
interpreter
prompt
so
we're
in
kind
of
a
different
workspace
at
this
point,
where
we're
interacting
with
an
agent
that
was
provided
by
the
payload,
that
we
selected
that
we
utilized
to
compromise
this
system
and,
of
course,
in
in
this
particular
example,
leveraging
this
vulnerability.
We
were
able
to
obtain
full
administrative
access
on
the
system
have
fully
compromised
it.
A
So
we
move
on
to
say
the
explanatory,
the
exfiltration
phase,
where
we'd
be
looking
around
at
the
file
system
on
the
system,
trying
to
identify
anything
interesting
that
we
might
want
to
take
out
to
use
as
proof
of
what
an
attacker
could
do
and
if
they
had
leveraged
this
vulnerability,
so
that's
sort
of
the
demonstration
there.
So
then,
with
those
steps
afterwards,
we
might
wanted
to
have
looked
at
say
the
lateral
movement
and
and
post
exploitation,
so
we
kind
of
saw
when
utilizing
interpreter.
A
We
moved
right
on
into
the
file
system,
but
we
could
also
automate
that
with
a
lot
of
the
post
modules,
I
can
go
ahead
and
look
for
that.
Finally,
once
we
had
wrapped
up
and
done
what
we
needed
to
do,
we
would
go
ahead
and
clean
up
after
ourselves
and
take
part
in
what's
the
most
important
part
of
the
assessment
and
that's
the
reporting
and
that's
again
where
the
database
that
stored
all
that
information
is
really
going
to
help
us
out
as
an
assessor.
A
So
that
way
we
can
get
the
important
facts
and
relay
that
to
the
the
hosts
that
are
responsible
for
the
systems
that
we
were
testing
so
that
way
they
can
address
the
findings
that
were
there.
It's
a
quick
note
on
cleanup
a
lot
of
the
stuff
that
metaplay
does
is
memory
resonance,
so
rebooting
is
going
to
fix
it.
We
don't
write
too
much
out
to
disk
unless,
of
course,
you
know
the
user
specifies
a
module
to
do
that.
So
we
try
to
keep
things
in
memory
as
much
as
we
possibly
can.
A
The
vulnerability
that
we
looked
at
is
a
very,
very
high
profile,
vulnerability,
it's
very
common,
but
we
have
a
lot
of
ones
that
are
quite
a
bit
lesser
known,
and
so
there's
been
a
big
push
over
the
past
couple
of
years
to
document
a
lot
more
of
the
content
in
metasploit
the
form
of
module
specific
documentation
to
help
the
user
understand.
You
know
what
the
vulnerability
is,
what
the
module
does,
how
it
can
be
leveraged
and
those
types
of
things.
So
it's
a
very
common
common
contribution
that
we
get
that's
very,
very
valuable.
A
It
helps
people
understand
and
digest
the
content
that
metasploit
providers
can
oftentimes
be
very
dense
and
by
the
very
nature
of
it,
very,
very
technical.
The
most
common
contribution
type
that
we
get,
though,
is
new
module
content.
So
we're
going
to
talk
a
little
bit
about
that
from
the
perspective
of
exploit,
specifically,
which
is
our
most
popular
module
content
type.
A
These
often
come
from
one
of
two
resources:
either
it's
brand
new
research
that
the
vulnerability
research
who
identified
the
vulnerability
might
go
directly
into
metasploit
and
create
the
module
directly
immediately
leveraging
the
capabilities
and
the
payloads.
The
encoders
and
everything
that
are
provided
by
metasploit,
so
they'll
make
the
module
and
they'll
go
ahead
and
release
it
as
part
of
the
vulnerability
disclosure
to
show
to
demonstrate
the
vulnerability
to
prove
that
it
exists.
That
type
of
thing.
A
A
second
comment
is
we
get
a
lot
of
ports
of
public
exploits
so
for
one
reason
or
another:
a
researcher
may
not
write
it
from
that
display.
It
may
be
a
little
bit
difficult
to
write
for
multiple
way,
for
whatever
reason,
perhaps
they're
not
as
familiar
with
the
framework.
But
you
know
we
there's
a
lot
of
public
exploits
out
there,
they're,
not
all
for
medical
and
so
we'll.
A
So
what
are
some
of
the
benefits
of
using
a
module
for
medical
you've
kind
of
talked
about?
You
know
people
either
directly
ready
for
medical
or
or
they
don't,
of
course,
I'm
biased
as
one
of
the
top
contributors,
I'm
a
huge
motherboard
fan.
I
bet
you
wouldn't
have
guessed
that,
but
there's
a
lot
of
benefits
to
writing
content
for
metasploit.
One
of
the
great
things
is
that
when
you're
writing
an
exploit
a
lot
of
times,
you
don't
really
need
to
worry
about
the
payload.
A
It's
not
necessarily
relevant
to
the
module
or
the
vulnerability
that
you're
trying
to
leverage
so
multiplayer
provides
that
for
you
and
you
don't
have
to
worry
about
it.
Another
capability
is
that
database
that
I've
been
talking
about
is
all
of
the
reporting
capabilities.
If
you
write
a
one-off
tool,
you
you're
probably
ending
up.
You
know:
printing
output
to
the
console
and
expecting
the
user
to
go
ahead
and
like
take
their
notes
manually,
which
isn't
the
best
user
experience.
But
if
you're
doing
it
medically,
you
can
blog.
A
You
know
version
information,
service,
information,
credentials
that
you
have
gathered,
and
things
like
that.
Finally,
is
a
transparent
proxy
support.
So
when
you
compromise
a
host,
you
can
actually
leverage
that
and
have
vulnerabilities
be
leverageable
through
that
in
terms
of
being
able
to
pivot,
which
is
a
very
powerful
capability
for
users
that
are
looking
to
expand
into
networks,
they're
able
to
compromise
the
system
and
leverage
that
to
then
attack
other
ones.
A
So
if
you,
you
know
see
a
lot
of
value
in
those
and
you
want
to
contribute
a
multiplayer
exploit
module.
The
exploit
modules
themselves
are
broken
down
into
kind
of
three
main
components
which
we'll
go
ahead
and
take
a
look
at
the
first
of
which
is
going
to
be
the
metadata
and
the
particular
options
that
are
provided
to
the
users
that
way
they
can
go
ahead
and
check
those
out.
A
The
next
is
the
check
method,
not
all
exploits
have
this
capability,
but
we
try
to
provide
check
methods
for
all
the
exploits
that
we
can
it's
very
specific
to
the
vulnerability,
but
the
idea
is
to
provide
a
safe
way
to
be
able
to
see
if
we
think
an
exploit
is
going
to
work
without
actually
exploiting
the
system,
which
can,
unfortunately
be
inherently
dangerous.
Sometimes
you
know
there's
a
chance
that
you
may
crash
the
service
and
that
may
be
maybe
undesirable.
A
Of
course,
we
understand
this.
We
provide
check
methods
that
are
intended
to
be
very,
very
safe
and
then,
of
course,
the
core
of
the
logic
is
to
go
ahead
and
to
the
exploit
method
which
actually
going
to
leverage
the
vulnerability
to
go
ahead
and
and
do
the
thing
and
deliver
a
payload
and
demonstrate
the
vulnerability
itself.
A
So
this
is
a
quick
example
of
the
the
module
metadata.
It's
basically
just
definitions,
there's
there's
no
real
logic
in
here.
We're
showing
you
know
references.
You
know
I
was
the
author
of
this
particular
module.
We
have
our
target
definitions
down
there.
This
also
includes
metadata
that
we
can
go
ahead
and
relay
to
the
user
in
terms
of
what
might
happen
when
this
module
runs.
You
know
if,
if
it
does
go
wrong
and
things
you
know
fail,
is
the
system
going
to
restart
like
the
like
the
underlying
operating
system?
A
A
All
of
these
vulnerabilities
are
unique,
so
we
want
to
be
able
to
relay
this
information
to
the
user,
so
that
way
they
can
make
an
educated
decision
based
on
the
information
that
we've
provided
to
them
on
whether
or
not
it's
an
appropriate
action
to
go
ahead
and
exploit
this
module
and
go
ahead
and
attempt
this.
We
just
want
to
make
sure
that
they
have
the
tools
available
to
them
to
make
an
informed
decision
about.
What's
you
know
best
for
their
environment,
and
that
leads
right
into
our
check
method.
A
You
know
if
you
don't
want
to
take
the
risk
of
going
ahead
and
running
the
actual
exploit.
A
lot
of
our
newer
modules
have
check
methods
which
are
going
to
go
ahead
and
provide
a
little
bit
of
logic
to
make
a
best
effort
guest
to
see
you
know
do
we
are
we
confident
we're
going
to
be
able
to
exploit
this?
Does
it
appear
to
be
patched,
you
know,
can
we
even
determine
that
the
service
is
running
something
along
those
lines?