Last updated at Wed, 07 Apr 2021 18:36:39 GMT

This post is the seventh in a series, 12 Days of HaXmas, where we take a look at some of more notable advancements and events in the Metasploit Framework over the course of 2014.

Since today happens to be the last day of the year, let's take a moment to reflect on another year of amazing Metasploit exploit development, and see what we've all been up to over the course of 2014. Of course, when I say "we," I really do mean all of us -- if you're reading this blog, more likely than not, you're part of the Metasploit open source community. Thanks so much for your continued commitment to the principles of openness and disclosure that makes Metasploit such a powerful force for Internet security today. It's a humbling and massively rewarding experience to be a part of this.

Loads of new modules

Judging by last year's screenshot, Metasploit Framework picked up 135 new exploits, 99 new auxiliary modules, 25 new post modules, and 32 new payloads, for a total of 291 new modules landed to the framework. If you haven't used Metasploit in a while, you might want to check in on your favorite software packages over at the Rapid7 Vulnerability Database to see if you're running anything that's at risk.

Loads of commits in general

We also saw 7,627 commits across the entire code base for the year, which is a stupendous show of effort for the two hundred or so contributors that landed at least one commit that made it into the Metasploit Framework master branch. In fact, the top 25 committers of 2014, by non-merge commit count were:

Name/Alias Commit Count
jvazquez-r7 1095
limhoff-r7 481
wchen-r7 374
Meatballs1 373
dmaloney-r7 343
todb-r7 297
joev-r7 272
jhart-r7 236
wvu-r7 223
jlee-r7 219
hmoore-r7 134
zeroSteiner 121
FireFart 100
OJ 78
brandonprry 73
m-1-k-3 57
kernelsmith 52
TomSellers 51
lsanchez-r7 45
Pedro Ribeiro 42
David Bloom 40
xistence 32
us3r777 29
trosen-r7 29
shuckins-r7 27

While it's fairly expected that the people who are paid by Rapid7 will tend to have quite a few commits, you'll notice that just about half of the top 25'ers here don't work at Rapid7 (Yes, OJ did work on Meterpreter full time for a little while in 2014, so let's count him for both.) Exceedingly few open source projects get the kind of support we enjoy, so please take a moment to thank (or blame) these people:

0a2940, agix, Ahmed Elhady Mohamed, Alton Johnson, Andrew Morris, AnwarMohamed, Arnaud SOULLIE, attackdebris, b00stfr3ak, bcoles, bcook-r7, bmerinofe, Borja Merino, brandonprry, Bruno Morisson, bturner-r7, bwall, byt3bl33d3r, cdoughty-r7, Cenk Kalpakoglu, Chris Hebert, Christopher Truncer, coma, cx, Daniel Miller, David Bloom, David Chan, David Maciejak, dheiland-r7, dmaloney-r7, DrDinosaur, dukeBarman, dummys, EgiX, Emilio Pinna, Ethan Robish, Etienne Stalmans, Fabian Br\xC3\xA4unlein, farias-r7, Fatih Ozavci, Fernando Munoz, FireFart, Florian Gaultier, floyd, Fr330wn4g3, g0tmi1k, Gabor Seljan, Gary Blosser, gigstorm, grimmlin, HackSys Team, hmoore-r7, ikkini, inkrypto, inokii, Iquaba, j0hnf, Jakob Lell, Jakub Nawalaniec, jakxx, Jay Smith, Jeff Jarmoc, jgor, jhart-r7, jiuweigui, jlee-r7, joe, joev-r7, John Sawyer, Jonas Vestberg, Jonathan Claudius, Jon Cave, JoseMi, Josh Abraham, Jovany Leandro G.C, Juan Escobar, julianvilas, Julian Vilas, Julio Auto, jvazquez-r7, kaospunk, Karmanovskii, Karn Ganeshen, kenkeiras, Ken Smith, kernelsmith, kicks4kittens, kn0, Kurt Grutzmacher, kyuzo, limhoff-r7, linuxchuck, lsanchez-r7, Lutz Wolf, m-1-k-3, Marc Wickenden, Mark Judice, Martin Vigo, Matias P. Brutti, Matt Andreko, Matteo Cantoni, Matthew Kienow, mbuck-r7, Meatballs1, Mekanismen, mercd, mfadzilr, midnitesnake, Miroslav Stampar, mschloesser-r7, mubix, mvdevnull, navs, Nicholas Nam, Niel Nielsen, Nikita, nnam, nodeofgithub, nstarke, nullbind, oj, parzamendi-r7, Pedro Laguna, Pedro Ribeiro, peregrino, Peregrino Gris, Peter Marszalik, Philip OKeefe, pyoor, RageLtMan, Ramon de C Valle, RangerCha, Rasta Mouse, ribeirux, Rich Lundeen, Rich Whitcroft, Rick Farina (Zero_Chaos), Roberto Soares Espreto, root, Royce Davis, rsmudge, Russell Sim, Sagi Shahar, Sam, Samuel, sappirate, Sascha Schirra, schierlm, scriptjunkie, Sean Verity, Sebastiano Di Paola, sgabe, shellster, sho-luv, shuckins-r7, silascutler, Silas Cutler, singe, spdfire, staaldraad, tate, TecR0c, Thanat0s, Thomas Ring, Tiago Sintra, Timothy Swartz, timwr, todb-r7, TomSellers, Tonimir Kisasondi, Trenton Ivey, trosen-r7, us3r777, Victor, Vincent Herbulot, wchen-r7, wez3, Wies\xC5\x82aw Kielas, wvu-r7, xard4s, xistence, Your Name, zeroSteiner, and Zinterax

Outstanding work, all!

Weekly Wrapup

Oh, and since this post doubles as the weekly wrap-up, here are the new modules landed to Framework since the last release (commit 067bda4). Metasploit community contributor Borja Merino is clearly up to no good with the combination of his freshly-landed Windows outbound firewall rules checking post module and his port-knocking enabling shellcode. Port knocking is one of those super fun things to do to be extra-stealthy with your listening shells so they don't get picked up by network scanners like Project Sonar. Thanks Borja!

Exploit modules

Auxiliary and post modules