►
From YouTube: Secure your codebase with Metasploit
Description
As developers, we often neglect security. We code, but we don’t secure our code due to a lack of education about security. That’s why this Open Source Friday, we’re highlighting Metasploit. Metasploit is the world’s most used penetration testing framework. It empowers and arms defenders to always stay one step (or two) ahead of the game. Join Spencer McIntyre and Rizel Scarlett on Friday at 1 pm ET for more!
A
A
Hey
everyone
Welcome
to
our
first
open
source
Friday
of
2023.
We
went
on
the
little
yeah
yay
we
went
on
a
little
like
Hiatus
and
I
was
missing
open
source
Friday,
so
I'm
really
glad
that
we
got
it
started
back
and
we're
joined
by
Nancy
and
Spencer
and
I
want
to
go
ahead
and
let
them
introduce
themselves
I
realized.
I
didn't
choose
an
order
before
we
hopped
in.
So
whoever
wants
to
go
first.
B
I'll
go
first
just
to
introduce
myself
and
the
security
lab
and
Nancy
Nancy,
gits
and
I'm
part
of
the
security
lab
I'm.
A
security
developer
advocate
for
the
lab
and,
as
you
know,
GitHub
is
part
of
the
open
source
Community,
but
we
also
find
that
it's
important
that
we
know
how
to
secure
open
source
environment.
B
So,
therefore
the
lab
is
there
to
help
maintainers
keep
their
their
projects
secure
and
find
do
also
a
lot
of
research
in
open
source
and
find
their
findings
share
it
with
the
community
and
with
my
team
with
the
developer
Advocates.
We
try
to
do
some
education
workshops
and
awareness
and
blog
posts,
and
anything
like
that.
So
that's.
C
C
Thank
you
very
much.
My
name
is
Spencer
McIntyre
I
am
one
of
the
maintainers
of
the
open
source
metasplay
framework
which
we'll
be
talking
about
today.
I
have
worked
in
security
since
I
got
out
of
college
and
I.
My
background
is
mostly
in
penetration
testing
and
research
and
development,
which
I
have
transitioned
to
more
more
recently
in
in
my
career,
where
I
focus
on
vulnerability,
research
and
exploit
development,
and
that
is
what
I
do
for
metal
blade
on
the
r
d
side.
A
C
It
was
a
computer
science
with
an
emphasis
on
information
security.
This
was
not
to
age
myself.
This
was
quite
a
while
ago
and
that
there's
a
lot
more
options
for
those
types
of
degrees.
Now
it's
become
a
lot
more
popular,
but
I
did
find
a
program
that
had
information
security
and
then
from
that
I
went
straight
into
penetration.
Testing
and
I
stayed
with
the
organization
for
a
while
growing
into
doing
more
research
and
development.
B
C
C
It
is
primarily
developed
in
Ruby
and,
of
course,
we
host
it
on
GitHub
as
a
part
of
the
rapid7
family
of
Open,
Source,
Products
and
so
I
work
exclusively
on
the
the
open
source
side
of
the
Metasploit,
which
is
all
released
under
the
BSD
license.
We
have
a
massive
community
of
a
bunch
of
great
contributors
that
help
us
do
everything
from
right,
documentation
and
fix
bugs
to
write,
really
really
cool
exploits.
C
In
fact,
the
one
I'd
like
to
show
today
is
building
on
a
foundation
that
some
contributors
worked
on
for
for
previous
vulnerabilities,
and
so
it's
really
great
to
see
is
a
tool
that
primarily
helps
penetration.
Testers,
run,
exploits
and
perform
the
operations
that
they
need
to
perform
a
security
assessment
of
a
Target
environment
by
identifying
vulnerabilities,
but,
more
importantly,
being
able
to
actually
exploit
and
demonstrate
those
vulnerabilities.
C
That's
primarily
where
metasplay
differs
from
like
a
lot
of
vulnerability,
scanning
tools
that
might
try
to
like
identify
the
vulnerability
via
different
different
techniques,
and
things
like
that.
Metaspberry
is
actually
going
to
exploit
the
vulnerability
improve
definitively
that
not
only
is
it
vulnerable,
but
here's
what
an
attacker
can
actually
do
with
it.
They
can.
They
can
prove
that
the
software
is
vulnerable.
C
There
are
no
other
controls
in
place
because
the
exploit
works
and
things
like
that,
but
being
a
framework,
it's
really
great,
because
it
ties
into
the
other
components
of
the
framework
like
our
ability
to
tag
and
log
information,
because
if
you've
ever
done,
penetration
testing
there's
a
lot
of
tracking
of
all
the
different
data
points
you
got
to
keep
track
of
all
the
different
hosts.
You
find,
most
importantly,
all
the
vulnerabilities
on
all
those
different
hosts,
the
services
the
list
goes
on
and
mostly
tries
to
really
facilitate
a
lot
of
that.
C
B
B
C
Now
the
real
value
of
penetration
testing
is
that
in
large
environments
you
have
a
lot
of
different
findings,
and
so
security
teams
really
need
help
prioritizing.
What
do
they
need
to
fix?
First,
because
security
is
an
ever-changing
landscape,
you
know,
there's
going
to
be.
New
vulnerabilities
are
coming
up
every
single
week.
Some
are
more
important
than
others,
so
penetration
tester's
job
is
to
help
make
those
informed.
Decisions
of
this
vulnerability
is
much
more
important
to
fix
now,
and
this
other
vulnerability
can
probably
wait
another
month
or
two
because
maybe
there's
no
exploit
for
it.
C
B
Wow
and
as
a
branch,
Christian
tester
a
follow-up
question
about
that:
when
do
you?
Do
you
start
to
help
during
the
software
development
life
cycle?
Do
you
start
with
the?
Are
you
part
of
the
team
of
the
development
team,
or
do
you
come
afterwards
and
find
those
vulnerabilities
and
ask
them
to
fix
it.
A
Stuff
awesome
I
wanted
to
quickly
highlight
some
like
positive
comments.
That
I
saw
someone
said,
thank
you
for
building
an
amazing
product
and
they
thought
that
metasploy
is
so
awesome.
So
I
just
wanted
to
highlight
those
if
you
didn't
get
to
see
them
and
then
I
actually
have
a
follow-up
question
to
like
the
pen
testing
question
for
me:
I
have
like
zero
security
background.
A
C
I
know
that
that's
another
great
question
we
get
that
we
get
that
quite
often,
so
a
vulnerability
differs
from
an
exploit
in
that
and
exploit
is
the
actual
piece
of
code
that
can
Leverage
The
vulnerability.
To
do
something,
that's
something
that
is
done
is
almost
always
contextually
dependent
on
what
the
vulnerability
is,
because
you
know
software
is
getting
more
and
more
complicated,
so
the
vulnerabilities
are
also
becoming
more
and
more
complicated.
Some
vulnerabilities
can
only
be
used
to
knock
a
system
offline,
in
which
case
that's
a
denial
of
service
vulnerability.
A
C
Remote
code
execution,
which
is
what
I'm
going
to
demonstrate
today
so
an
exploit,
would
be
the
software
that
demonstrates
the
vulnerability
and
then
proves
that
impact.
So
if
it's
now
service
it'll
take
that
system
offline,
if
it's
a
SQL
injection,
it
will
dump
that
data
for
you.
So
that
way,
when
you're
running
the
exploit,
you
can
see
that
it
truly
is
vulnerable,
and
this
is
all
the
information
that
an
attacker
could
potentially
get.
B
Great
explanation:
thanks,
that's
so
important
to
make
security.
Sometimes
that
have
some
credibility.
Sometimes
you,
you
know
we
always
not
always
but
often
say.
Oh,
this
thing
is
vulnerable,
but
it's
hard
to
prove
it,
and
an
export
is
really
a
great
way
to
prove
that
expl.
That
something
is
a
part
of
the
software
is
vulnerable
and
takes
security
seriously
and
take
the
time
to
fix
it.
So
yeah,
that's
what's
great
about
minus
voice.
C
All
right,
let's
go
ahead
and
take
a
look
so
for
today's
demonstration.
I
am
going
to
start
out
by
sharing
my
screen
and
all
right,
so
I'm
going
to
demonstrate
a
vulnerability
in
Metasploit
from
scratch
going
from
starting
up
the
framework
all
right
here
we
are
so
we
have
the
the
framework
started
up
here.
C
We're
going
to
walk
through
demonstrating
this
vulnerability
is
going
to
be
one
that
came
out
in
December
of
last
year
and
this
particular
vulnerability
is
an
authenticated
remote
code
execution
in
the
Microsoft
exchange
mail
server.
This
was
particularly
impactful
because
it
went
a
couple
of
months
without
being
patched.
Microsoft
ended
up,
hatching
it
I
believe
in
November,
and
we
got
the
exploit
patched
out
in
December
to
allow
users
to
be
able
to
test
for
this
particular
vulnerability.
C
So
when
we
start
up
Metasploit,
let's
take
a
step
back
here
we
will
have
our
Banner,
which
is
going
to
be
brought
up,
and
it's
going
to
first
of
all
inform
us
of
the
different
major
components
of
the
framework
which
are
our
modules.
So
we
have
seven
different
module
types,
the
one
that
we
have
the
most
of.
Of
course,
are
going
to
be
those
exploits
followed
by
our
auxiliary
modules,
which
we've
already
talked
about.
What
exploits
are
our
auxiliary
modules
are
more
general
purpose
modules
modules
that
don't
really
fall
into
another
category.
C
Our
post
modules,
which
we'll
be
able
to
demonstrate
after
the
exploit,
is
successful.
Allow
us
to
take
actions
after
we've
compromised
a
host
so
when
we've
leveraged
that
exploit,
we've
proven
that
it's
vulnerable
we're
going
to
deliver
a
payload
module
which
is
going
to
allow
us
to
control
the
remote
server,
and
then
our
post
modules
allow
us
to
use
that
payload
to
perform
repeatable
actions
like
gathering
information
or
doing
something
to
demonstrate
the
impact,
because
when
you're
pen
testing
a
lot
of
times,
you
might
say
like.
C
Oh,
this
system
is
vulnerable
and
and
we've
proven
it,
but
then
you
know
the
owner
of
the
system
might
be
like
well
like
what
what's
the
impact?
What
can
you
do
like
I'm,
just
looking
at
a
Shell
I,
don't
quite
fully
understand
and
that's
really
where
post
modules
come
in
to
like
really
help,
because
you
can
be
like
you
can
gather
credential
information,
usernames
and
passwords.
C
You
can
take
a
look
at
and
steal
files
off
the
file
system
and
like
find
those
files
more
easily
that
type
of
thing,
our
payload
modules,
another
really
important
module
category
that
we'll
be
using
so
the
exploits
are
separated
out
from
the
payloads
very
early
on
when
Metasploit
was
created.
This
is
one
of
the
primary
benefits
of
it
because
way.
C
Back
in
the
day
before
metasploy
came
out,
if
someone
wanted
to
utilize
and
exploit,
they
would
typically
get
like
one,
maybe
two
or
three
different
payloads,
and
that
is
what
is
actually
performed
after
the
vulnerability
is,
is
exploited.
So
the
payload
is
the
code
that
we're
actually
going
to
run
on
the
remote
system,
once
we've
leveraged
the
vulnerability
to
to
gain
that
illicit
access,
and
so
by
being
able
to
swap
out
the
payloads
we're
giving
our
penetration
testers
and
our
users.
C
What
at
the
time
was
an
unprecedented
degree
of
freedom
and
ability
to
be
able
to
swap
out
their
actions
to
be
able
to
have,
you
know,
say:
I
want
to
have
remote,
desktop
access
or
just
a
you
know,
the
typical
Windows
shell
or
our
favorite,
our
most
powerful
payload,
which
is
The
Interpreter
payload,
which
is
what
we'll
actually
be
able
to
go
ahead
and
use,
and
then
encoders
and
knobs
are
very
useful
for
exploit
development
purposes.
Users
that
aren't
looking
to
do.
C
A
C
Right
yeah,
let's
Crank,
that
up,
so
you
want
to
be
able
to
have
everyone
check
it
out.
Luckily,
we
haven't
actually
like
gotten
started
with
anything,
so
perfect
timing,
all
right.
So,
as
I
mentioned,
we're
gonna
go
ahead
and
leverage
a
vulnerability
in
Microsoft,
Exchange
Server.
So
the
context
here
is
like
spoiler
alert.
C
C
This
particular
vulnerability
was
called
proxy,
not
shell,
so
our
exploits
are
broken
out
by
typically
the
platform
and
then
the
service
that
offers
the
vulnerability
just
kind
of
a
lexical
way.
For
us
to
be
able
to
organize
it.
We
also
have
the
ability
to
search
for
the
functionality,
so
if
we
knew
we
were
looking
for
exchange
we'd
be
able
to
search
and
be
able
to
find
all
modules
that
mention
Exchange
Server.
Of
course
we
have
a
couple
of
ones
in
here
that
are
looking
for,
like
key
exchange
that
wouldn't
be
necessary.
C
But
if
we
had
another
service
say
like
like
Jenkins,
we
could
search
for
all
modules
that
mentioned
Jenkins
in
it.
So
if
you're
looking
to
assess
like
a
Jenkins
server
would
be
able
to
go
ahead
and
check
it
out
from
there.
So
we've
gone
ahead
and
we've
used
our
module,
and
so
we
saw
that
our
prompt
changed
up
here
and
what
we're
going
to
do
is
we're
going
to
check
out
our
options
from
here.
So
everything
in
medicine
is
all
done
through
our
msf
console
UI,
which
is
our
Tech
space
interface.
C
We
also
have
an
RPC
wrapper
for
advanced
users
that
might
want
to
embed
Metasploit
in
say
another
product.
So
if
you
wanted
to
do
it,
if
you
wanted
to
perform
checks
against
software
in
like
an
automated
fashion
or
something
like
that
and
msf
console
didn't
quite
cut,
the
automation
needs
that
you
had
a
few
good
features
in
here
for
Automation
and
speeding
those
things
up,
but
if
it
just
wasn't
quite
cutting
it
for
you,
we
have
a
whole
RPC
protocol
that
you
can
be
able
to
control
and
drive
metasploy
from
another
language.
C
Like
python
I
know
there
I
know,
there's
the
public
binding
for
python,
we're
using
msf
console,
and
so
once
we've
gone
ahead
and
used
the
module.
We
need
to
go
ahead
and
be
able
to
set
some
of
our
options
so
I'm
running
the
show
options
to
be
able
to
show
all
of
the
different
options
that
we
have
and
we
can
see
which
ones
are
required
here
by
the
ones
that
are
marked
as
yes.
C
So
as
I
mentioned
for
this
vulnerability,
if
you
are
not
on
my
system,
the
password
our
host
and
username
would
all
be
blank.
Those
are
all
the
options
that
you
would
have
to
go
ahead
and
specify
and
know
yourself
so
in
this
case
we're
emulating
an
Insider
threat
because
we're
assuming
that
we
have
a
user
with
some
degree
of
access
on
The,
Exchange
Server.
If
you're
familiar
with
Microsoft
Exchange,
you
know
organizations
give
away
email
addresses
like
handy
like
pretty
much.
Everyone
has
one.
C
With
that,
the
last
and
most
important
thing
that
almost
every
exploit
needs
is,
we
need
to
be
able
to
have
the
the
target.
So
in
this
case
it's
gonna
be
the
IP
address
of
our
Exchange
Server.
So,
with
all
of
those
points
set,
we
can
go
ahead
and,
let's
check
for
the
vulnerability
we
want
to
be
able
to
see
you
know.
Do
we
think
that
the
target
is
vulnerable
or
not?
So
if
you
don't
want
to
actually
like
exploit
the
server
because,
like
it's
exchange,
you
know,
that's
that's
pretty
business
critical.
C
We
might
want
to
be
a
little
bit
more
careful
with
it.
We
can
go
ahead
and
run
our
check
in
Metasploit.
We
try
to
be
very
conservative
with
the
instances
in
which
we
flag
a
a
service
as
as
vulnerable
when
you
use
the
check
method
in
an
exploit.
If
it
says
that
the
target
is
vulnerable
to
meet
that
criteria
for
our
purposes,
we
are
leveraging
the
vulnerability
in
some
way
that
we
are
extremely
confident
that
it
is
vulnerable.
C
A
lot
of
exploits
might
just
say,
like
the
target
appears
to
be
vulnerable,
because
in
some
cases
the
vulnerability
can't
be
reliably
and
I
forgot
to
mention
this
safely
check
without
fully
exploiting
it,
because
the
whole
point
of
this
is
to
is
to
be
safe
and
not
actually
run
that
full
exploit.
So
we
have.
This
appears
telling
us
that
our
Target
is
vulnerable.
C
So
our
next
step
is
we're
going
to
go
ahead
and
actually
exploit
it
before
we
do
we'll
drop
back
down
into
the
options,
and
I'd
mentioned
those
payloads
that
we'd
be
able
to
swap
around.
So
we
are
going
to
use
my
favorite
payload
for
this
exploit
because
it's
going
to
be
really
fast.
It's
going
to
be.
We
are
going
to
use
Powershell
to
run
our
meterpreter
payload,
which
is
our
most
advanced,
most
featureful
payload,
and
we're
going
to
have
it
connect
back
to
us
over
TCP.
C
We
wanted
to
connect
back
to
us
because
that
allows
us
to
get
past
firewalls
more
easily,
because
a
lot
of
times
servers
are
allowed
to
make
outbound
connections
more
freely
than
they're
able
to
accept
inbound
connections.
So
that's
why
we
go
ahead
and
do
that
because
now
it's
our
firewall
that
is
actually
needing
to
allow
the
connection
and
we
we
control
that
one
so
now
that
we
know
that
Target
is
vulnerable,
we're
going
to
go
ahead
and
we're
going
to
exploit
this
vulnerability.
C
It's
going
to
take
a
couple
of
seconds,
so
we
know
that
the
target
is
vulnerable
and
it's
going
to
double
check
that
the
target
is
an
exchange
server
and
just
like
that.
It
sells
us
at
our
interpreter
session
open
and
our
prompt
changes
down
to
interpreter.
So
at
this
point,
what's
happening
behind
the
scenes,
is
we've
exploited
this
vulnerability
and
our
interpreter
payload
has
been
delivered
and
we
can
actually
run
commands
on
the
remote
system.
C
So
we
are
running
as
NT
Authority
system,
which
is
the
highest
privileges
that
you
can
have
in
user
mode
on
a
Windows
Server.
So
we
have
compromised
our
Exchange
Server
we're
going
to
pull
out
the
information
that
we
have
and
then,
if
we
wanted,
we
can
drop
down
into
a
shell.
So
we
have
a
Microsoft
system,
shell.
If
we
want
to
run
who
am
I,
we
can
see
promise
that
I
can
type
you're
wanting
as
a
NT
Authority.
C
And
we
are
in
the
inet
server
directory,
so
we
could
go
ahead
and
go
around
on
the
server
and
we
can.
We
can
look
for
files.
We
can
look
for
whatever
it
is
that
we
would
like
so.
We've
compromised
this
Exchange
Server
and
that
user
that
we
use
to
gain
our
initial
access
to.
It
was
just
any
user
that
had
a
mailbox
already
set
up
so
pretty
much.
Anyone
with
a
with
an
email
address,
wow.
B
That's
impressive,
but
you've
mentioned
a
few
things
Spencer's
saying
like:
oh,
it
could
be
a
critical
system,
I'm
thinking.
Maybe
we
should
warm
our
audience
who
can
use
my
test
plus
like?
Should
they
have
a
certain
permission
from
from
the
owner
of
the
software
or
the
the
infrastructure
before
using
Metasploit,
or
should
they
be
using
their
production
system
or
a
test
system
to
Ms
display
because
I
I
guess
you
wouldn't
want
to
start
trying
as
a
sport
in
your
company
environment
right
absolutely.
C
Yes,
no
like
what
I
have
done
is
this
Exchange
Server
is
a
virtual
machine
I
have
for
for
development
of
this
vulnerability,
but
you
would
absolutely
want
to
make
sure
that
you
have
authorization
from
the
the
owners
of
those
systems,
so
you
definitely
will
not
want
to
be
running
this
on
on
the
internet.
If
you're
a
penetration,
tester
you'd
either
have
a
contract
or
some
kind
of
a
written
agreement
from
the
owners
of
the
system
and
if
you're
internal,
you
probably
want
to
reach
out
to
The
Exchange
service
team.
C
C
If
you
want
to
know,
if
it's
you
know,
Hardware
or
whatnot
excuse
me,
okay,
so
we
switched
over
to
we're
using
this
post
module
now
and
we're
going
to
set
our
session
to
the
last
one
that
was
created,
which
is
negative.
One
just
gonna,
be
that
quick,
Alias
I
mean
go
ahead
and
run
that
it's
telling
us
that
it's
a
hyper-v
virtual
machine
that
that's,
that
is
the
Target
that
we
had
just
compromised
and
then
the
last
thing
that
I
wanted
to
show
is
so
we've
gone
through.
We've
we've
run
our
modules.
C
If
we
check
out
our
vulnerabilities,
we
can
see
that
I
actually
have
a
little
bit
of
information
here
from
from
before
the
call.
But
this
last
entry
down
here
is
telling
us
that,
while
we
have
been
using
medical,
we
identified
that
this
host
is
vulnerable
to
this
particular
exploit,
and
we
have
our
resources
down
here
to
be
able
to
go
ahead
and
track
that
so
as
a
penetration
tester,
you
can
just
really
focus
on
running
your
operations
and
then
at
the
very
end
of
this
metasploy
is
attempting
to
keep
all
those
notes
for
you.
C
B
A
C
We
have
been
experimenting
with
having
a
chat,
gbt
write
out,
some
of
the
or
actually
both
we
have
been
experimenting
with,
having
both
kind
of
help
us
do
some
developments,
so
we're
still
a
little
bit
early
on
in
in
analyzing.
Those
results
chat,
GPT
attempted
to
write
like
a
interpreter
extension,
which
was
pretty
interesting
and
using
copilot
we've
been
kind
of
piloting
using
that
and
experimenting
on
how
that
can
help
us,
as
we
are
developing
modules
from
Metasploit.
A
That's
pretty
cool,
we
had
another
one.
Theologic
us
said
their
ex
well.
These
are
some
comments:
they're
ex
security
and
devops
this
admin.
This
is
the
best
tool
they've
ever
seen,
but
they
were
also
wondering
I,
don't
know
if
we
have
I,
don't
think
we
have
time
for
installation
but
they're
just
curious
about
like
how
do
you
install
this.
C
C
B
Yes,
I
forget
the
name,
but
whoever
asks
a
question.
Who
is
the
next
devops
professional
I
was
actually
thinking
about
that
when
you
mentioned
that
it's
a
split
sometimes
is
using
Python
scripts
and
things
like
that.
Have
you
seen
it
used
in
the
by
in
a
devops
pipeline,
and
you
is
there
that
kind
of
use
case
is
is,
is
common,
would
you
say
I.
C
Don't
know
about
common,
but
I
have
seen
it
and
I
have
definitely
seen
people
ask
about
it.
I
believe
when
they've
done
that
what
they
have
checked
for
is
there's
some
auxiliary
modules.
I
will
check
to
identify
vulnerabilities
that
are
common
in
the
sense
that
they
are
like
misconfigurations,
that
can
you
know
pop
in
and
out
of
a
product
less
like
cves
that
you
know
once
the
patch
is
applied.
You
can
pretty
much
forget
about
it,
but
they'll
have
those
types
in
there
to
be
able
to
identify.
C
You
know
when
the
targets
are
up.
The
one
caveat
with
that
is
that
it's
highly
effective,
mostly
when
the
systems
are
up
and
online,
so
it
would
need
to
be
part
of
some
kind
of
like
deployment
where
you
have
the
software's
fully
running
for
medicine
to
to
analyze,
as
opposed
to
like
a
static
analysis
fashion.
B
I'll
go
back
a
little
if
somebody
wants
to
get
started
and
use
metaspwood
to
test
their
project
to
see
if
it's
vulnerable,
how
would
you
suggest
you
mention
the
installation
process,
but
how
should
someone
brand
new
to
Memphis
board
has
an
open
source
projects
and
want
to
test
it
see
if
it's
vulnerable?
How
should
they
get
started?.
C
So
if
you
have
a
whole
bunch
of
different
servers
deployed,
you
know
you
might
have
a
lot
of
different
SSH
configurations
up.
We
have
some
modules
in
there
that
can
check
for
some
common
SSH
configuration
flaws,
known
vulnerabilities,
weak
key
ciphers
things
like
that.
Moving
up
from
there,
if
you
own
the
environment,
you
probably
have
a
pretty
good
idea
of
the
services
that
are
deployed,
such
as
Jenkins,
we
see
oftentimes.
We
have
some
modules
to
check
Jenkins
instances
for
vulnerability,
some
of
the
older
versions
of
Jenkins
I
Believe.
C
By
default,
they
offered
like
a
script
console
that
could
be
utilized
to
compromise
the
remote
host,
and
that
is
really
can
help.
You
identify
and
then
compromise
that,
but
it
kind
of
gets
into
the
basic
penetration
testing
workflow
of
using
the
auxiliary
modules
to
perform
the
enumeration
and
find
the
services
and
then
mapping
that
over
to
the
exploit
modules,
to
really
dig
in
deeper
with
those
to
be
able
to
identify
the
vulnerabilities
and
exploit
them
from
there.
B
Cool
and
correct
me
if
I'm
wrong,
but
during
you're,
definitely
pretty
much.
You
knew
you
had
an
exchange
server
and
then
you,
you
really
specified
which
exploit
to
use.
If
you
don't
know,
let's
say
you,
you
know
you're,
you
have
a
bit
of
Recon,
you
know
what
you're
using
you
know
the
services,
but
you
don't
know
which
export
you
want
to.
Try
can
message
what
help
to
identify
which
one
you
should
be
yeah
yeah.
C
That
was
a
little.
It
was
a
little
contrived,
but
the
example
would
be
like
you
know.
You
had
an
exchange
server
and
you
knew
this
was
like
the
latest
vulnerability.
But
you
know
if
you
haven't
been
keeping
up
to
date
with
the
security
vulnerabilities
I'm
like
it's
hard,
like
vulnerabilities,
are
coming
out.
Yeah
every
single
day
and,
like
I
mentioned
we're
releasing
new
modules
every
single
week.
C
A
Cool
okay,
my
question
to
you
is
more
about
you
than
Metasploit
I'm
curious
like
how
you
got
involved
in
metasploy.
Is
it
something
you
created
or
did
you
find
it
later
on
and
then
eventually
become
a
maintainer,
because
this
is
open
source
Friday
I
want
to
be
able
to
share
people's
open
source
Journeys
so
that,
like
listeners
or
viewers,
will
get
inspired
and
get
involved
in
open
source
as
well.
Absolutely.
C
C
Some
of
my
very
first
modules
were
some
Cisco
spoofing
modules
that
would
allow
you
to
test
proprietary
Cisco
protocols,
because
I
was
working
as
a
network
administrator
at
the
time,
and
it
was
some
things
that
I
needed
to
be
able
to
test
for
and
I
had
submitted
those
modules
and
those
were
accepted
and
I
stayed
involved
with
the
project,
starting
to
make
more
and
more
contributions.
Working.
My
way
up
into
to
a
lot
of
exploits
and
then
in
I
believe
it
was
2014.
C
I
came
on
board
with
the
project
as
a
open
source
committer,
so
I
was
able
to
help
out
as
a
community
member
help
out.
The
other
community
members
provide
code
review
testing
steps
because
because
a
lot
of
this
is
like
testing,
the
exploits
exploits
are
are
Infamous,
for
you
know,
works
on
my
system
but
like
not
on
another
one.
One
of
the
things
we
really
care
about
in
Metasploit
is
that
the
targets?
C
Not
only
does
it
work
really
well
in
the
targets
it
says
it
works
on,
but
we
can
try
to
expand
out
the
target,
so
it
works
on.
You
know
different
versions
of
exchange
or
Windows
or
Linux
or
whatever
software
it
is.
So
there
is
a
lot
of
code
testing
in
addition
to
the
review.
So
I
was
helping
out
with
that
for
quite
a
while,
before
joining
rapid
7
full
time
in
late
2019.
B
C
Last
year
we
had
I
want
to
say
it
was
around
50
new
contributors
that
that
sent
us
all
kinds
of
different
things
and
a
lot
of
the
new
contributors
didn't
just
send
us
like
one
or
two
pieces
of
code.
It
was
really
fantastic
to
see
them
coming
back
and
getting
more
involved
with
the
project
and
sending
us
more
and
more
of
that
module
content
that
we
just
love
to
see,
because
that's
helping
us,
you
know,
demonstrate
those
vulnerabilities,
so
yeah.
B
C
B
C
C
So
it's
a
lot
of
instances
like
that
for
students.
Specifically,
though
we
do
have
a
couple
of
students-
and
we
have
been
involved
with
the
Google
summer
of
code
program
for
the
last
few
years,
where
students
have
proposed
projects
and
we
have
partnered
up
with
them
and
I
myself
have
been
a
mentor
on
some
of
those
projects
to
really
help
some
students
and
and
they've
come
back
and
sent
us
a
lot
of
great
content
after
their
projects
have
been
done.
A
C
I
mean
I
am
a
huge
open,
source
fan
and
rapid7
is
really
dedicated
to
open
source
and
Metasploit,
and
the
the
other
open
source
projects
are
really
how
they
they
execute.
On
that
that
goal
and
vision
of
identifying
that
security
is
a
global
Community
problem,
and
that
requires
Community
Solutions,
one
of
the
things
I'm
most
excited
about
that
I'd
be
remiss
if
I
didn't
mention
is
the
newest
project
to
join
the
open
source.
C
Family
is
a
velociraptor
which
is
a
great
dfir
tool
that
has
been
brought
on
as
well,
so
we've
been
able
to
work
with
the
Velociraptor
project
and
they've
been
able
to
provide
us
some
insights
to
make
metasploy
better
in
terms
of
you
know
like
what's
being
identified
as
as
vulnerabilities
on
on
difference.
Excuse
me
not
vulnerabilities,
being
caught
by
like
antivirus
or
like
evasion
purposes,
so
we've
been
able
to
grow
a
metasploy
by
working
with
these
other
open
source
projects.
C
Yeah
digital
forensics
and
incident
response,
so
while
we
are
all
about
the
attacking
here
at
Metasploit
and
demonstrating
the
attacking
dfir,
is
very
much
focused
on
like
the
Gathering.
The
information
and
responding
to
incidents
when,
like
an
attack,
has
been
successful.
That
may
not
have
been
by
an
authorized
user.
A
C
Yeah
I
definitely
think
there's
been
some
changes.
I
think
over
the
past
few
years
or
open
source
has
really
been
started
to
be
taken
much
more
seriously,
and
you
know
you
see,
larger
companies
are
investing
more
in
it
and
open
source
is.
We
are
talking
about
using
open
source
as
the
foundational
component
in
more
and
more
things,
whether
those
are
our
products
or
larger,
open
source
projects.
It's
the
collaboration
seems
to
be
to
be
booming
on
the
security
side.
C
It's
really
tough
to
say,
because
I
think
in
some
ways
it
has
gotten
better
and
in
some
ways
it
has
gotten
tougher.
It's
gotten
better
because
you
know
there
is
so
much
attention
paid
to
open
source
that
a
lot
of
you
know,
projects
and
tools
have
come
out
to
help
open
source.
Maintainers
identify
vulnerabilities
that
they're
shipping,
you
know
better
code
to
their
users
and
things,
but
because
open
source
is
also
growing
on
the
flip
side
of
things
it's
getting
tougher
because
it's
becoming
a
larger
attack
Target
by
malicious
actors.
C
So
you
know,
malicious
people
are
identifying
things
and
opportunities,
such
as
like
Watering,
Hole
attacks,
supply
chain
attacks
and
you're.
Hearing
about,
like
you
know,
libraries
getting
compromised
fairly
often,
so
it's
really
tough
to
say
if,
if
it's
better
or
worse,
because
in
some
ways
it
is
it's
both.
B
B
C
C
I
myself
follow
the
GitHub
security
research
organization
is
one
such,
but
if
you
can
find
those
and
then
keep
track
of
like
what's
coming
out,
it
can
be
really
helpful
to
stay
ahead
of
the
types
of
vulnerabilities
that
may
down
the
road
start
to
affect
you.
So
there's
a
lot
of
you
know,
keeping
up
with
the
industry.
From
that
perspective
as
well
as
you
know,
news
articles
and
things
like
that,
and
then
you
know
taking
proactive
steps
to
utilize.
A
That
thing
up
to
date,
that's
good
advice
for
someone
like
me.
That's
true,
I
should
just
be
like
scrolling
or,
like
you
know
in
the
morning,
just
seeing
like,
what's
going
on
in
that
World
for
people
that
are
listening
in
and
if
they're
like
super
interested
in
contributing
to
this
project,
do
you
have
any
advice
for
them?
Yeah.
C
Absolutely
I
mean
Metasploit
is,
is
really
cool
from
a
contribution
perspective,
because
we
have
you
know,
tasks
that
are
super
small
and
accessible
up
to
massive
undertakings
that
are
probably
more
suited
for
someone.
That's
been
involved
with
the
project.
For
years
we
have
been
trying
over
the
past
few
months
to
flag
issues
as
ones
that
are
easier
and
and
good
and
accessible
for
brand
new
contributors.
You
know
a
lot
of
like
module.
C
We've
been
working
on
improving
our
documentation
for
setting
up
the
environment
and
getting
started
with
your
very
first
contribution
from
cloning
down
the
framework
running
through
the
git
workflow
to
finally
making
a
meta
split
contribution,
and
then
the
last
thing
is
that
again,
if
you
have
any
questions,
we
have
a
really
large
slack
workspace
in
community.
That's
fantastic
to
ask
any
kinds
of
questions
there.
C
B
A
A
Don't
I
don't
think
so
a
lot
of
people
seem
to
be
enjoying
it,
though,
or
agreeing
with
you
as
well.
Yeah
I
was
just
gonna
say,
like
one
I
I
put
the
the
link
in
the
below
I,
don't
know
like
a
YouTuber
yeah.
If
you
wanted
to
check
it
out,
go
to
github.com
rapid7
Metasploit
framework
I
liked
all
the
advice
you
gave
about
like
either
opening
an
issue
or
just
going
ahead
and
asking
in
slack.
A
If
you
have
a
question
and
looking
for
those
easy
label
tags
I
always
say
ask
in
the
discussion,
because
I
felt
like
that's
what
helped
me
get
into
open
source
before
I
would
like
to
see
issues
and
be
like
I,
don't
know
what's
going
on,
but
love
that
advice
and
I
guess
we
can
transition
into
some
of
the
the
non-technical
questions
that
I
like
to
ask
and
Nancy
I'll.
Let
you
I'll,
let
you
ask
the
first
one.
Oh.
A
C
So
you
know
if
you
have
a
web
application,
that's
on
top
of
an
nginx
server
with
a
mySQL
database.
In
the
background,
your
application,
that's
running
in
nginx,
may
not
be
the
best
Target
for
metasploy.
The
Metasploit
will
be
able
to
do
a
good
job
of
looking
at
the
Linux
server,
that's
hosting
nginx,
looking
at
the
MySQL
server
and
all
the
other
components,
because
we.
A
A
C
C
B
I
was
just
gonna
wrap
up
by
saying.
Thank
you.
Thank
you
for
the
work
that
you
do
for
the
project.
I
know
that
Mrs
as
being
someone
in
security
I
know
that
Memphis
foot
is
an
essential
part
of
of
the
environment
and
how
to
secure
the
environment
I
in
another
life
I
was
a
member
of
I
was
organizing
the
hack,
the
Box
hack,
the
Box
Meetup
locally.
So,
basically,
that's
an
environment
where
people
test
and
and
to
become
penetration.
Tester
get
familiar
with
penetration,
testing
and
metalsport
was
definitely
the.
B
A
Awesome
I've
seen
one
last
question
that
I
can
answer
they
said.
Can
you
share
the
slot?
Channel
I
just
checked,
and
if
you
go
to
metasploit.com
and
on,
like
the
left
hand
panel,
there
is
like
join
us
on
slack
GitHub
Twitter,
so
you
can
click
there.
Thank
you
so
much
Nancy
and
thank
you
so
much
Spencer
for
joining
to
me
today
on
open
source.
A
Friday
I
agree
with
this
comment
that
this
was
like
a
really
great
start
to
like
the
first
open
source
Friday
of
the
year,
thanks
for
all
you're
doing
in
security,
and
thank
you
for
being
a
great
co-host,
Nancy,
oh,
and
also
thanks
to
to
the
audience
for
tuning
in
really
appreciate
your
engagement,
y'all
all
right,
bye
thanks
everyone.
Thank
you.