Last updated at Wed, 07 Feb 2024 21:18:38 GMT

This is the seventh post in the series, "The 12 Days of HaXmas."

It's the last day of the year, which means that it's time to take a moment to reflect on the ongoing development of the Metasploit Framework, that de facto standard in penetration testing, and my favorite open source project around.

While the acquisition of Metasploit way back in 2009 was met with some healthy skepticism, I think this year, it's easy to say that Rapid7's involvement with Metasploit has been an enormously positive experience for the project, regardless if you happen to work on or use Rapid7 products. 2015 marks another year of our (and your!) commitment to both the principles of open source and the day-to-day care and feeding of this beast.

New Modules!

Checking out today's development branch banner and comparing to last year, it looks like Metasploit Framework saw the addition of 136 new exploits, 98 new auxiliary modules, 34 new post modules, and 81 new payloads, for a grand total of 349 new modules for the calendar year -- just a shade under one a day. Compared to last year, the new payload count is particularly impressive; that count represents the work being done around refreshing and updating Meterpreter and expanding what it means to get shells.

Commits and Authors

2015 saw 7099 commits, 5519 of which were non-merge commits. Once again, this is an incredible effort from a contributor pool of 176 distinct committers, the vast majority of whom weren't employed by Rapid7. Most open source projects are really only worked on by a handful of people, the thing that makes Metasploit one of the top ten Ruby projects hosted on GitHub (not to mention the second-most starred security project), is the support, effort, and criticism of our developer community. And speaking of our developer community, the top 25 most prolific committers (by non-merge count) for 2015 are:

Name/Alias Commit Count
jvazquez-r7 1112
wchen-r7 757
jhart-r7 336
hdm 256
wvu-r7 252
bcook-r7 235
oj 231
Meatballs1 199
todb-r7 145
jlee-r7 126
espreto 120
FireFart 96
dmaloney-r7 87
benpturner 84
JT 80
stufus 68
zeroSteiner 66
KronicDeth 64
void-in 59
joevennix 58
Matthew Hall 54
brandonprry 45
rastating 43
techpeace 36
Pedro Ribeiro 35

We have some new names on that list, which is great! I'm super excited to see what these newly prolific security dev's will be up to in 2016. And, as was the case last year, just about half (12 of 25) of these committers weren't financially connected to Metasploit products as employees or contractors; they're among the hard-working volunteers that are responsible for pushing security research forward.

Finally, here's the alphabetized list of everyone who committed at least one chunk of content to the Metasploit Framework in 2015:

0xFFFFFF, aakerblom, aczire, Adam Ziaja, agix, Alex Watt, Alexander Salmin, Anant Shrivastava, Andrew Smith, andygoblins, aos, aushack, Balazs Bucsay, Bazin Danil, BAZIN-HSC, bcoles, bcook-r7, Ben Lincoln, Ben Turner, benpturner, bigendian smalls, Bigendian Smalls, Borja Merino, Boumediene Kaddour, brandonprry, brent morris, bturner-r7, C-P, cdoughty-r7, Christian Sanders, claudijd, cldrn, crcatala, Daniel Jensen, Darius Freamon, Dave Hardy, David Barksdale, David Lanner, Denis Kolegov, dheiland-r7, Dillon Korman, dmaloney-r7, dmohanty-r7, dmooray, dnkolegov, Donny Maasland, Donny Maasland (Fox-IT), Elia Schito, EricGershman, erwanlr, espreto, Ewerson Guimaraes (Crash), eyalgr, Fabien, farias-r7, Fatih Ozavci, Felix Wehnert, Ferenc Spala, FireFart, fraf0, g0tmi1k, Gabor Seljan, gmikeska-r7, Guillaume Delacour, h00die, Hans-Martin Münch (h0ng10), hdm, headlesszeke, IMcPwn, jabra, Jack64, jaguasch, Jake Yamaki, Jakob Lell, jakxx, Jay Smith, jduck, jhart-r7, jlee-r7, joevennix, John Lightsey, John Sherwood, Jon Cave, jstnkndy, JT, juanvazquez, Julian Vilas, julianvilas, jvicente, jvoisin, jww519, kaospunk, karllll, kernelsmith, kn0, KronicDeth, lanjelot, Lluis Mora, lsanchez-r7, lsato-r7, Lutzy, m-1-k-3, m0t, m7x, Manuel Mancera, Marc-Andre Meloche, Mark Judice, Matthew Hall, Matthias Ganz, Meatballs1, Mike, Mo Sadek, mubix, Muhamad Fadzil Ramli, Nanomebia, Nate Power, Nicholas Starke, Nikita Oleksov, nixawk, nstarke, nullbind, oj, pdeardorff-r7, Pedro Ribeiro, peregrino, Peregrino Gris, PsychoMario, pyllyukko, radekk, RageLtMan, Ramon de C Valle, rastating, rcnunez, Ricardo Almeida, root, Rory McNamara, rwhitcroft, Sam H, Sam Handelman, Sam Roth, sammbertram, samvartaka, scriptjunkie, Sean Verity, sekritskwurl, sgabe, sgonzalez-r7, shuckins-r7, Sigurd Jervelund Hansen, somename11111, stufus, Sven Vetsch, Tab Assassin, techpeace, Th3R3p0, Thomas Ring, timwr, todb-r7, Tom Spencer, TomSellers, trevrosen, void-in, vulp1n3, wchen-r7, wez3, wvu-r7, xistence, Zach Grace, zeroSteiner

We really couldn't have made Metasploit without everyone listed there, so thanks again for sharing our commitment to open source security research and development. May your buffers always be overflowing.


Of course, the most beloved change to Metasploit in 2015 wasn't the Great Regemification, the souped up Android payloads (or any of the other amazing work on the Metasploit and Meterpreter payload systems in general), the integrated Omnibus installers, or any of those boring technical advancements that push the boundaries of penetration testing. It was the April Fool's Pony Banner Update, made possible by the ponysay project run by Erkin Batu Altunbaş. So, here you go:

Happy New Year, everyone!