2017 Roadmap Review

Metasploit's 2017 Roadmap Review

In 2017, we published our first open roadmap for Metasploit development. How did we do? For achievements:

• The Metasploit data model backend: we did a lot of design work on this, and got a couple of initial Proof-of-Concept project built. You can see a video of it here: https://www.youtube.com/watch?v=hvuy6A-ie1g. In the mean time, we started merging parts of the main development branch

• The first pass of external session handling landed with the metasploit-proxy project.

• Independent modules that run in isolation did land, along with a hand full of new modules demonstrating the advantages of the design, including multi-language support.

• The ruby_smb project made a lot of progress, with support incorporated into several existing modules. Full client-side support is also available for testing now.

• Native iOS and macOS support landed, along with many new IoT and router exploits.

• Meterpreter shrank almost 4x thanks to the new cryptTLV packet obfuscation support, and the removal of OpenSSL.

Things we didn't quite finish:

• Metasploit's RESTful interface was not complete in 2017, so we will continue it into 2018.

• Session handling as a separate process was implemented with the https://github.com/rapid7/metasploit-aggregator project, but more work needs to be done to improve scalability and usability.

• Asynchronous session support remains on the drawing board.

• SOCKS5 support did not land, but Metasploit did gain a lot more support for running modules externally as separate processes, and gained initial support for running modules in Python.

• Modernized payload generation with new tools continues to be researched.